Cisco Talos experts have recently uncovered a sophisticated trojan that has been operational since at least January 2026. This malicious software installs the CloudZ RAT (Remote Access Tool) on Windows systems, accompanied by the Pheno plugin. The Pheno plugin is particularly concerning as it enables attackers to extract data from smartphones connected to a PC via the Phone Link feature.
Attack Vector and Execution
The attack begins with an undisclosed initial access vector, infiltrating the victim’s environment before executing a counterfeit SmartConnect update. Following this deceptive maneuver, the modular CloudZ RAT is deployed onto the compromised computer.
Upon execution, the RAT decrypts its embedded configuration data, opens an encrypted socket connection to its command and control (C2) server, and enters C2 mode. This channel is what the attackers rely on for every later stage, since all harvested data is sent back over it.
Data Extraction and Targeted Information
CloudZ plays a pivotal role in helping the operators behind the C2 server harvest credentials from the victim’s web browser. It also downloads and installs the Pheno plugin, which is designed to read Phone Link app data stored in an intermediate folder on the PC and transmit that information back to the C2 server.
For context, Windows Phone Link is a feature that lets users synchronize files, messages, calls, and notifications from their smartphones to Windows 10 or 11 computers. Because the synchronized content is stored locally on the PC, it includes critical data such as SMS messages containing one-time passwords and account login details; Cisco Talos identifies this data as the primary target of the attackers. In practice this means a compromised computer also exposes the SMS-based second factor that was meant to protect the accounts signed in from it.
As the landscape of cybersecurity continues to evolve, the emergence of such threats underscores the importance of vigilance and proactive measures in protecting sensitive information.