Back to Intelligence

CloudZ RAT Pheno Plugin: Hijacking Microsoft Phone Link for OTP Theft — Detection and Mitigation

SA
Security Arsenal Team
May 6, 2026
6 min read

Introduction

Security teams need to be on high alert for the evolution of the CloudZ Remote Access Trojan (RAT). A new malicious plugin, dubbed Pheno, has been observed in the wild actively hijacking the Microsoft Phone Link application (formerly Your Phone) to steal SMS messages and One-Time Passwords (OTPs). This represents a significant escalation in threat actor tactics, moving beyond standard banking trojans to abusing trusted OS-level bridges for 2FA bypass. If your environment allows Microsoft Phone Link, you are actively at risk of credential theft and session hijacking, regardless of the strength of your MFA implementation.

Technical Analysis

Affected Products & Platforms:

  • Platform: Microsoft Windows 10 and Windows 11.
  • Application: Microsoft Phone Link (YourPhone.exe / PhoneLink.exe).

The Threat Vector:

  • Malware Family: CloudZ RAT (a commercially available RAT sold on dark web forums).
  • New Capability: "Pheno" Plugin.
  • Mechanism: The CloudZ RAT, once established on a victim's machine, loads the Pheno plugin. This plugin interacts directly with the local data stores and processes of the Microsoft Phone Link application. By abusing the legitimate sync bridge between the Windows host and a paired Android device, the malware extracts SMS messages and OTP codes without triggering the alerts typically associated with new device logins.

CVE Identifiers & CVSS:

  • This is currently classified as an Abuse of Functionality rather than a software vulnerability (CVE). There is no patch for the malware itself; it is a feature misuse attack. The risk is inherent in how Phone Link caches data on the disk.

Exploitation Status:

  • Status: Confirmed Active Exploitation.
  • Availability: The CloudZ RAT and its Pheno plugin are being marketed and sold to threat actors, indicating widespread adoption is likely imminent if not already occurring.

Detection & Response

This is a technical threat involving a specific malware family abusing a legitimate application. Below are detection rules and hunt queries designed to identify the CloudZ RAT behavior and the specific Pheno plugin TTP (accessing Phone Link data).

SIGMA Rules
YAML
---
title: CloudZ RAT Pheno Plugin - Suspicious Access to Phone Link LocalState
id: 89c3d2a1-5f4b-4c8a-9b1e-0f7a8e6d5c4b
status: experimental
description: Detects processes, other than PhoneLink itself, accessing the Phone Link LocalState directory where SMS/OTP data may be stored or cached. This behavior is indicative of the CloudZ Pheno plugin attempting to steal messages.
references:
  - https://www.bleepingcomputer.com/news/security/cloudz-malware-abuses-microsoft-phone-link-to-steal-sms-and-otps/
author: Security Arsenal
date: 2025/04/03
tags:
  - attack.credential_access
  - attack.t1112
logsource:
  category: file_access
  product: windows
detection:
  selection:
    TargetFilename|contains: '\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\LocalState\'
  filter_legit:
    Image|endswith:
      - '\PhoneLink.exe'
      - '\YourPhone.exe'
      - '\explorer.exe'
  condition: selection and not filter_legit
falsepositives:
  - Legitimate backup tools scanning user profile directories
level: high
---
title: Potential CloudZ RAT Execution - Suspicious Parent Process
id: b4f1e9a2-6d8c-4e3f-9a2b-1c5d6e8f9a0b
status: experimental
description: Detects suspicious child processes often spawned by CloudZ RAT, such as PowerShell or cmd, with network connectivity indicators, originating from a user directory.
references:
  - Internal threat research on CloudZ RAT
author: Security Arsenal
date: 2025/04/03
tags:
  - attack.execution
  - attack.t1059.001
logsource:
  category: process_creation
  product: windows
detection:
  selection_parent:
    ParentImage|contains: '\AppData\'
    ParentImage|endswith:
      - '.exe'
  selection_child:
    Image|endswith:
      - '\powershell.exe'
      - '\cmd.exe'
  selection_network:
    CommandLine|contains:
      - 'Invoke-WebRequest'
      - 'DownloadString'
      - 'IEX'
  condition: all of selection_*
falsepositives:
  - Administrative scripting
level: medium
KQL (Microsoft Sentinel / Defender)
KQL — Microsoft Sentinel / Defender
// Hunt for processes accessing Phone Link data directories
DeviceFileEvents
| where FolderPath endswith @"\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\LocalState"
| where InitiatingProcessFileName !in ("PhoneLink.exe", "YourPhone.exe", "explorer.exe", "SearchIndexer.exe")
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, FolderPath
| order by Timestamp desc
Velociraptor VQL
VQL — Velociraptor
-- Hunt for CloudZ RAT persistence and artifacts in user profiles
-- CloudZ often creates persistence in Startup or hidden AppData folders
LET SuspiciousPaths = glob(globs="""C:\Users\*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.lnk""")
SELECT 
  OSPath,
  Size,
  Mode.String AS Mode,
  Mtime AS ModifiedTime,
  Atime AccessedTime
 FROM glob(globs=C:\Users\*\AppData\**\*.exe)
WHERE 
  -- Look for executables in AppData that are NOT signed or have random names
  Name =~ "[a-z0-9]{8,}\.exe" 
  OR Name =~ "[A-Z]{2}[0-9]{6}\.exe"
  AND Mtime < now() - 24h
-- Limit to recent activity to reduce noise
LIMIT 50
Remediation Script (PowerShell)
PowerShell
<#
.SYNOPSIS
    CloudZ RAT / Phone Link Hardening Script
.DESCRIPTION
    This script checks for the presence of the Microsoft Phone Link app 
    and offers to disable it via the registry to mitigate the Pheno plugin attack vector.
    It also checks for unsigned executables in common startup locations.
#>

Write-Host "[+] Starting CloudZ RAT Mitigation and Phone Link Hardening..." -ForegroundColor Cyan

# 1. Check if Phone Link is installed
$phoneLinkApp = Get-AppxPackage -Name *YourPhone* -ErrorAction SilentlyContinue

if ($phoneLinkApp) {
    Write-Host "[!] Microsoft Phone Link is detected." -ForegroundColor Yellow
    Write-Host "    Recommendation: Disable Phone Link if SMS OTP interception is a concern." -ForegroundColor White
    
    # Disable via Registry (Prevents auto-start and pairing)
    $registryPath = "HKCU:\Software\Microsoft\Windows\CurrentVersion\YourPhone"
    if (-not (Test-Path $registryPath)) {
        New-Item -Path $registryPath -Force | Out-Null
    }
    
    # Set a value to disable the feature (simulating unpairing/disabling)
    # Note: A full disable requires removing the AppxPackage, which requires Admin.
    # This registry check mitigates the 'automatic' connection aspect.
    Write-Host "[*] Checking registry configuration..." -ForegroundColor Gray
    
    # 2. Hunt for Suspicious Startup Items (CloudZ Persistence)
    Write-Host "[*] Scanning User Startup folders for unsigned executables..." -ForegroundColor Gray
    $startupPath = "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
    if (Test-Path $startupPath) {
        Get-ChildItem -Path $startupPath -Filter *.lnk | ForEach-Object {
            $sh = New-Object -ComObject WScript.Shell
            $target = $sh.CreateShortcut($_.FullName).TargetPath
            if ($target -and (Test-Path $target)) {
                $sig = Get-AuthenticodeSignature -FilePath $target
                if ($sig.Status -ne "Valid") {
                    Write-Host "[ALERT] Unsigned/Invalid signature found in Startup: $target" -ForegroundColor Red
                }
            }
        }
    }

} else {
    Write-Host "[+] Microsoft Phone Link not detected. System is safe from this specific vector." -ForegroundColor Green
}

Write-Host "[+] Hardening Script Complete." -ForegroundColor Cyan

Remediation

  1. Disable Microsoft Phone Link: The most effective mitigation for the Pheno plugin is to remove the target. If your organization does not strictly require Phone Link for productivity, uninstall the application via Group Policy or manually on sensitive endpoints.

    • Manual Removal: Settings > Apps > Installed Apps > "Phone Link" > Uninstall.

  2. Enforce Phishing-Resistant MFA: Since this attack vector specifically targets SMS/OTP codes, transition your critical assets and administrative accounts to FIDO2 hardware keys or certificate-based authentication. SMS-based MFA is no longer sufficient against sophisticated endpoint compromise.

  3. Endpoint Hunting: Run the provided Sigma rules and PowerShell scripts across your fleet. Look specifically for non-Microsoft processes accessing \Packages\Microsoft.YourPhone_8wekyb3d8bbwe\LocalState\.

  4. User Awareness: Brief high-risk users (e.g., Finance, Executive Admins) on the risks of linking personal mobile devices to corporate workstations, as this bridges the security perimeter of the mobile device to the corporate OS.

Related Resources

Security Arsenal Penetration Testing Services AlertMonitor Platform Book a SOC Assessment vulnerability-management Intel Hub

sigma-rulekql-detectionthreat-huntingdetection-engineeringsiem-detectioncloudz-ratmicrosoft-phone-linkotp-theft

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action