SOC Prime Bias: Critical

06 May 2026 14:15

Media Company CloudZ RAT potentially steals OTP messages using Pheno plugin

SOC Prime Team

Detection stack

  • AIDR
  • Alert
  • ETL
  • Query

Summary

Cisco Talos identified an intrusion in which attackers deployed the CloudZ remote access trojan together with a custom plugin called Pheno. The activity targets Windows 10 and 11 systems that rely on Microsoft Phone Link to synchronize with mobile devices. By abusing the Phone Link bridge on the workstation, the attackers can access SMS content and one-time password messages without placing malware directly on the phone itself. The infection chain uses a Rust-based dropper, a .NET loader, scheduled-task persistence, and several payload delivery methods.

Investigation

Talos traced the intrusion to a fake ScreenConnect update that delivered a Rust-compiled loader named systemupdates.exe or Windows-interactive-update.exe. That loader decrypted and dropped a .NET component, which then installed CloudZ RAT through a scheduled task that launched regasm.exe. After installation, CloudZ retrieved the Pheno plugin from a staging server and used it to access data stored in the Phone Link SQLite database. Investigators also identified command-and-control infrastructure, including the IP address 185.196.10.136 and multiple malicious domains tied to the campaign.

Mitigation

Cisco Talos noted that ClamAV detections such as Win.Packed.Msilheracles and Win.Trojan.CloudZRAT, along with Snort rules 66408–66410 and 301492, can help identify the threat. Blocking the known malicious domains and IP address, while restricting execution of unsigned binaries from locations such as ProgramData, can help stop the loader chain. Organizations can also reduce exposure by disabling or closely monitoring Microsoft Phone Link and by enforcing least privilege over scheduled task creation and execution.

Response

If this activity is detected, isolate the affected host immediately and collect memory and disk images for forensic analysis. Investigators should confirm the presence of the SystemWindowsApis scheduled task and any CloudZ-related binaries, then remove them from the system. The identified command-and-control infrastructure should be blocked, and potentially exposed credentials should be reset, especially where OTP-based authentication may have been intercepted. A broader system review should also examine other persistence methods and audit PowerShell and regasm.exe activity for related abuse.
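The Mitigation and Response paragraphs above describe what to watch for (regasm.exe launched from a scheduled task, unsigned binaries running out of ProgramData, schtasks and PowerShell activity, the known C2 address). The block below is an added example of that detection logic run over Sysmon-style telemetry; it is not SOC Prime's rule and not code from Cisco Talos. The events are constructed inline as dictionaries using Sysmon's field names (Image, CommandLine, ParentImage, ParentCommandLine, DestinationIp); the only page-sourced values are the IP 185.196.10.136, the task name SystemWindowsApis and the loader file names, everything else (paths, the task-scheduler parent heuristic, severities) is a hypothetical sample.

```python
"""Detection logic for the CloudZ/Pheno loader chain over Sysmon Event ID 1 and 3 records.

Added example, not the bulletin's own rule. Telemetry below is constructed;
IOC values come from the bulletin, all other paths and names are hypothetical.
"""
import re
from dataclasses import dataclass

# Page-sourced indicators.
LOADER_NAMES = {"systemupdates.exe", "windows-interactive-update.exe"}
PERSISTENCE_TASK = "systemwindowsapis"
C2_IPS = {"185.196.10.136"}


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    event_index: int


def _image_name(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _spawned_by_task_scheduler(ev: dict) -> bool:
    """Heuristic: the Task Scheduler service is hosted by svchost.exe with '-s Schedule'."""
    return (_image_name(ev.get("ParentImage", "")) == "svchost.exe"
            and re.search(r"-s\s+schedule\b", ev.get("ParentCommandLine", ""), re.I) is not None)


def check_process_create(ev: dict) -> list[tuple[str, str]]:
    """Rules for Sysmon Event ID 1 (process creation); returns (rule, severity) pairs."""
    hits = []
    image = _image_name(ev.get("Image", ""))
    cmd_l = ev.get("CommandLine", "").lower()
    if image in LOADER_NAMES:
        hits.append(("cloudz_loader_filename", "high"))
    if image == "regasm.exe" and _spawned_by_task_scheduler(ev):
        hits.append(("regasm_launched_by_scheduled_task", "high"))
    if image == "schtasks.exe" and PERSISTENCE_TASK in cmd_l:
        hits.append(("known_cloudz_task_name", "critical"))
    elif image == "schtasks.exe" and re.search(r"/run\b", cmd_l):
        hits.append(("schtasks_run_invoked", "medium"))
    if image in ("powershell.exe", "pwsh.exe") and re.search(r"get-ciminstance\s+win32_process", cmd_l):
        hits.append(("powershell_process_enumeration", "medium"))
    if ev.get("Image", "").lower().startswith("c:\\programdata\\"):
        hits.append(("execution_from_programdata", "medium"))
    return hits


def check_network_connect(ev: dict) -> list[tuple[str, str]]:
    """Rules for Sysmon Event ID 3 (network connection)."""
    if ev.get("DestinationIp") in C2_IPS:
        return [("known_c2_ip", "critical")]
    return []


def analyze(events: list[dict]) -> list[Finding]:
    """Run every rule over every event and collect the findings."""
    findings = []
    for idx, ev in enumerate(events):
        if ev.get("EventID") == 1:
            hits = check_process_create(ev)
        elif ev.get("EventID") == 3:
            hits = check_network_connect(ev)
        else:
            hits = []
        findings.extend(Finding(rule, sev, idx) for rule, sev in hits)
    return findings


# Constructed sample telemetry (hypothetical, not real captures).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe notes.txt",
     "ParentImage": r"C:\Windows\explorer.exe", "ParentCommandLine": "explorer.exe"},
    {"EventID": 1, "Image": r"C:\ProgramData\Updates\systemupdates.exe", "CommandLine": "systemupdates.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "ParentCommandLine": "explorer.exe"},
    {"EventID": 1, "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe",
     "CommandLine": r'regasm.exe /U "C:\ProgramData\Updates\stub.dll"',
     "ParentImage": r"C:\Windows\System32\svchost.exe", "ParentCommandLine": "svchost.exe -k netsvcs -p -s Schedule"},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe", "CommandLine": 'schtasks /run /tn "CloudZ_Persistence"',
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "ParentCommandLine": "powershell.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell.exe -NoProfile -Command "Get-CimInstance Win32_Process"',
     "ParentImage": r"C:\Windows\System32\svchost.exe", "ParentCommandLine": "svchost.exe -k netsvcs -p -s Schedule"},
    {"EventID": 3, "Image": r"C:\ProgramData\Updates\systemupdates.exe",
     "DestinationIp": "185.196.10.136", "DestinationPort": 443},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f.severity:>8}] event #{f.event_index}: {f.rule}")
```

The benign notepad event produces nothing; the loader event fires twice (known file name plus execution from ProgramData), which is the point of pairing a fragile name-based indicator with the more durable location-based one the Mitigation section recommends. The svchost "-s Schedule" parent heuristic is an assumption about how the Task Scheduler service is hosted and should be validated against a known-good baseline in the environment before it is used to raise alerts.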

Attack Flow

graph TB
  %% Class definitions
  classDef technique fill:#ffe699
  %% Node definitions
  step1_user_exec["<b>Technique</b> – <b>T1204.002 User Execution: Malicious File</b><br/><b>Description</b>: User is tricked into running a malicious executable masquerading as a fake ScreenConnect update."]
  class step1_user_exec technique
  step2_persistence["<b>Technique</b> – <b>T1218.009 System Binary Proxy Execution: Regsvcs/Regasm</b><br/><b>Description</b>: Malicious code is executed via regsvcs or regasm through a scheduled task, leveraging trusted .NET binaries."]
  class step2_persistence technique
  step3_obfuscation["<b>Technique</b> – <b>T1027 Obfuscated Files or Information</b><br/><b>Description</b>: Payload is packed with ConfuserEx and XOR-encrypted to hide its true functionality."]
  class step3_obfuscation technique
  step4_dynamic_api["<b>Technique</b> – <b>T1027.007 Dynamic API Resolution</b><br/><b>Description</b>: At runtime the malware resolves required APIs, checking for analysis tools to avoid static detection."]
  class step4_dynamic_api technique
  step5_indicator_removal["<b>Technique</b> – <b>T1027.005 Indicator Removal from Tools</b><br/><b>Description</b>: The code aborts execution if security utilities are detected, removing any observable indicators."]
  class step5_indicator_removal technique
  step6_reflective_load["<b>Technique</b> – <b>T1620 Reflective Code Loading</b><br/><b>Description</b>: .NET payload is loaded directly into memory reflectively, leaving no file on disk."]
  class step6_reflective_load technique
  step7_process_discovery["<b>Technique</b> – <b>T1057 Process Discovery</b><br/><b>Description</b>: Malware enumerates running processes to locate and possibly disable security tools."]
  class step7_process_discovery technique
  step8_browser_creds["<b>Technique</b> – <b>T1555.003 Credentials from Web Browsers</b><br/><b>Description</b>: Stored browser passwords are extracted and prepared for exfiltration."]
  class step8_browser_creds technique
  step9_steal_cookie["<b>Technique</b> – <b>T1539 Steal Web Session Cookie</b><br/><b>Description</b>: Active web session cookies are captured from the browser."]
  class step9_steal_cookie technique
  step10_use_cookie["<b>Technique</b> – <b>T1550.004 Use Alternate Authentication Material: Web Session Cookie</b><br/><b>Description</b>: Stolen cookies are reused to authenticate to target web services."]
  class step10_use_cookie technique
  step11_browser_info["<b>Technique</b> – <b>T1217 Browser Information Discovery</b><br/><b>Description</b>: Additional browser data and OTP messages are gathered for further abuse."]
  class step11_browser_info technique
  step12_bits_jobs["<b>Technique</b> – <b>T1197 BITS Jobs</b><br/><b>Description</b>: BITS jobs download extra malicious plugins using bitsadmin, curl, or PowerShell."]
  class step12_bits_jobs technique
  step13_exfil_encrypted["<b>Technique</b> – <b>T1048.002 Exfiltration Over Asymmetric Encrypted Non-C2 Protocol</b><br/><b>Description</b>: Collected data is sent out over an encrypted TCP socket that is not part of a standard C2 channel."]
  class step13_exfil_encrypted technique
  step14_c2_web["<b>Technique</b> – <b>T1071.001 Application Layer Protocol: Web Protocols</b><br/><b>Description</b>: Command and control traffic uses HTTP/S with rotating user-agents and anti-caching headers."]
  class step14_c2_web technique
  %% Connections
  step1_user_exec -->|leads_to| step2_persistence
  step2_persistence -->|leads_to| step3_obfuscation
  step3_obfuscation -->|leads_to| step4_dynamic_api
  step4_dynamic_api -->|leads_to| step5_indicator_removal
  step5_indicator_removal -->|leads_to| step6_reflective_load
  step6_reflective_load -->|leads_to| step7_process_discovery
  step7_process_discovery -->|leads_to| step8_browser_creds
  step8_browser_creds -->|leads_to| step9_steal_cookie
  step9_steal_cookie -->|leads_to| step10_use_cookie
  step10_use_cookie -->|leads_to| step11_browser_info
  step11_browser_info -->|leads_to| step12_bits_jobs
  step12_bits_jobs -->|leads_to| step13_exfil_encrypted
  step13_exfil_encrypted -->|leads_to| step14_c2_web

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic.

  • Attack Narrative & Commands:
    The attacker has compromised a low-privilege user account and wishes to establish persistence while confirming that the CloudZ .NET loader is active. They:

    1. Create a scheduled task that launches a PowerShell script (C:\Temp\cloudz.ps1).
    2. Immediately execute the task with schtasks /run to ensure the script runs.
    3. Inside the script, enumerate all processes using Get-CimInstance Win32_Process to test for the presence of the .NET loader.
    4. The PowerShell process and the schtasks command both produce Sysmon EventID 1 records whose CommandLine fields contain the exact strings the rule watches, causing an alert.
  • Regression Test Script:

    #-------------------------------------------------
    # CloudZ-style persistence & verification script
    #-------------------------------------------------
    $taskName   = "CloudZ_Persistence"
    $scriptPath = "C:\Temp\cloudz.ps1"

    # Make sure the drop directory exists before writing the payload
    New-Item -ItemType Directory -Path (Split-Path $scriptPath) -Force | Out-Null

    # 1️⃣ Write the PowerShell payload that queries processes
    @"
    # CloudZ payload - process enumeration
    Get-CimInstance Win32_Process | Out-Null
    "@ | Set-Content -Path $scriptPath -Encoding ASCII

    # 2️⃣ Register a scheduled task that runs the payload at logon
    $action  = New-ScheduledTaskAction -Execute "powershell.exe" -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$scriptPath`""
    $trigger = New-ScheduledTaskTrigger -AtLogOn
    Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger -Force

    # 3️⃣ Immediately run the task (generates the schtasks /run telemetry)
    schtasks /run /tn "$taskName"

    # 4️⃣ Short pause to allow Sysmon to write the EventID 1 records
    Start-Sleep -Seconds 5
  • Cleanup Commands:

    # Remove scheduled task
    Unregister-ScheduledTask -TaskName "CloudZ_Persistence" -Confirm:$false

    # Delete the payload script
    Remove-Item -Path "C:\Temp\cloudz.ps1" -Force

    # Optionally stop Sysmon (restore original config) if needed
    # & "$env:ProgramFiles\Sysinternals\Sysmon.exe" -u