CloudZ RAT Exploits Phone Link to Steal Credentials and OTPs

Colleagues: Cisco Talos has described a CloudZ RAT campaign whose Pheno plugin harvests SMS messages and one-time passcodes through Microsoft Phone Link. It reads the copy of the data that Phone Link syncs to the Windows host, so the phone itself is never touched.
- What happened: a malicious executable drops a .NET loader, which in turn loads the Pheno plugin; the plugin opens Phone Link's local SQLite databases and pulls out the synced messages.
- Risks: theft of credentials and OTPs, bypass of SMS-based 2FA, and exfiltration of the collected data, which is first written to a staging folder on disk.
- Mechanism: C2 communication, on-demand plugin loading, and collection of both browser data and Phone Link databases/logs.
Why it matters: phone-to-PC synchronization features copy second-factor material onto the endpoint, so a compromise of the Windows host alone is enough to defeat SMS OTPs.
What mitigation measures should be prioritized? #cybersecurity #endpointsecurity #CloudZ #PhoneLink
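One concrete answer to that question is a hunt for processes other than Phone Link reading its data store, or for Phone Link database files appearing outside the app's package folder (the staging step). The following Python script is an added example, not code from Cisco Talos or from the CloudZ samples. It assumes a simplified, constructed file-access log format (`ts=… pid=… image=… op=… path=…`), that the Phone Link store lives under the `Microsoft.YourPhone_8wekyb3d8bbwe` package folder and that the database file names include `phone.db`; verify both on your own hosts before relying on the rule.

```python
"""Hunt for suspicious access to Microsoft Phone Link's local data store.

Added example, not part of the Talos write-up. Two rules:
  1. any process other than PhoneExperienceHost.exe touching the Phone Link
     package folder (an assumed path, see PHONE_LINK_PKG);
  2. a file named like a Phone Link database being created or written
     outside that folder, which is what a staging copy looks like.
The log format parsed here is constructed for the example.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Assumption: Phone Link (formerly "Your Phone") keeps its SQLite store under
# this package folder in %LOCALAPPDATA%. Compared case-insensitively.
PHONE_LINK_PKG = r"\packages\microsoft.yourphone_8wekyb3d8bbwe\localcache"

# The only image expected to open that store. Extend with backup agents or
# indexers you have observed legitimately reading it.
EXPECTED_IMAGES = {"phoneexperiencehost.exe"}

# Assumed database file names inside the store; tune to what you see on disk.
PHONE_LINK_DBS = {"phone.db", "contacts.db", "notifications.db", "calling.db"}

LINE_RE = re.compile(
    r"ts=(?P<ts>\S+)\s+pid=(?P<pid>\d+)\s+image=(?P<image>.+?)\s+"
    r"op=(?P<op>\w+)\s+path=(?P<path>.+)$"
)


@dataclass(frozen=True)
class Alert:
    ts: str
    pid: int
    image: str
    path: str
    reason: str


def basename(path: str) -> str:
    """Last path component, lower-cased, tolerant of either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse(line: str) -> Optional[Dict[str, str]]:
    """Parse one constructed log line; None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def check(ev: Dict[str, str]) -> Optional[Alert]:
    """Apply both rules to one parsed event."""
    image = basename(ev["image"])
    path = ev["path"]
    in_store = PHONE_LINK_PKG in path.lower()
    if in_store and image not in EXPECTED_IMAGES:
        return Alert(ev["ts"], int(ev["pid"]), ev["image"], path,
                     "unexpected process accessed phone link store")
    if (not in_store and basename(path) in PHONE_LINK_DBS
            and ev["op"].lower() in {"create", "write"}):
        return Alert(ev["ts"], int(ev["pid"]), ev["image"], path,
                     "phone link database written outside package folder (staging?)")
    return None


def hunt(lines: Iterable[str]) -> List[Alert]:
    """Run the rules over a log and return alerts in input order."""
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        a = check(ev)
        if a is not None:
            alerts.append(a)
    return alerts


# Constructed sample log: one legitimate read by Phone Link, one read of the
# store by an unknown binary, one staging copy by that binary, one unrelated
# event.
SAMPLE_LOG = r"""
ts=2024-05-02T10:01:03Z pid=2210 image=C:\Program Files\WindowsApps\Microsoft.YourPhone_1.24\PhoneExperienceHost.exe op=read path=C:\Users\alice\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\LocalCache\Indexed\4f2a\System\Database\phone.db
ts=2024-05-02T10:04:51Z pid=5120 image=C:\Users\alice\AppData\Roaming\updater\svchost.exe op=read path=C:\Users\alice\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\LocalCache\Indexed\4f2a\System\Database\phone.db
ts=2024-05-02T10:04:52Z pid=5120 image=C:\Users\alice\AppData\Roaming\updater\svchost.exe op=create path=C:\Users\alice\AppData\Local\Temp\stage\phone.db
ts=2024-05-02T10:05:10Z pid=980 image=C:\Windows\explorer.exe op=read path=C:\Users\alice\Documents\notes.txt
"""


if __name__ == "__main__":
    for alert in hunt(SAMPLE_LOG.splitlines()):
        print(f"{alert.ts} pid={alert.pid} {alert.image}: {alert.reason} ({alert.path})")
```

Feed it real file-access telemetry (Sysmon file events, EDR file reads, or Windows object-access auditing on the package folder) after adapting `LINE_RE`. Expect noise from indexers, backup agents and Explorer previews on the first rule; whitelist those by image path, not just file name, so a loader dropped as `svchost.exe` in a user profile still fires.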

