Overview
- Cisco Talos on Tuesday detailed a new CloudZ plugin called Pheno and released indicators of compromise that defenders can use.
- Pheno watches for active Microsoft Phone Link sessions on Windows and tries to read the app’s local SQLite database to capture texts, one-time passwords, and credentials without infecting the phone.
- Researchers observed an infection chain that starts with a fake ScreenConnect update, drops a Rust-based loader, then runs a .NET loader that installs CloudZ and persists via a scheduled task after anti-analysis checks.
- The technique abuses normal Phone Link behavior rather than a software flaw, so guidance stresses detection, moving away from SMS codes, and using authenticator apps or hardware security keys for sensitive accounts.
- The campaign has been active since at least January 2026 and has not been attributed to a named group; a compromised PC can expose mobile codes mirrored to the desktop and help attackers defeat two-factor checks.