← All stories

GBHackers

CloudZ RAT Exploits Microsoft Phone Link to Steal SMS OTPs

Mayura Kathir · 12 hours ago · Read original ↗

ATT&CK techniques detected

5 predictions

T1053.005Scheduled Task

81%

“” under “ c : \ programdata \ microsoft \ windosdoc \ ”. in some cases, the. net loader is fetched from attacker ‑ controlled infrastructure using curl, such as a staging server hosted behind a cloudflare workers domain, and saved into the same directory. the loader then conducts…”

Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.

No matches for .

Loading techniques…

T1204.002Malicious File

80%

“a previously undocumented plugin named pheno to harvest credentials and authentication codes from enterprise systems. once active sessions are detected, pheno locates phone link ’ s local database and allows cloudz operators to potentially intercept sms ‑ based otps and authentic…”

Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.

No matches for .

Loading techniques…

T1090.002External Proxy

41%

“including process ids and paths, to output files named “ phonelink - < computername >. txt ” in staging folders under programdata and the user ’ s temp directory. pheno then re ‑ reads these logs and searches for the keyword “ proxy, ” which is associated with the local proxy cha…”

Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.

No matches for .

Loading techniques…

T1566.002Spearphishing Link

40%

“cloudz rat exploits microsoft phone link to steal sms otps cloudz is a new modular remote access trojan that abuses microsoft ’ s built ‑ in phone link feature to steal sms one ‑ time passwords ( otps ) and other mobile notifications directly from windows pcs, without infecting t…”

Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.

No matches for .

Loading techniques…

T1059.001PowerShell

31%

“” under “ c : \ programdata \ microsoft \ windosdoc \ ”. in some cases, the. net loader is fetched from attacker ‑ controlled infrastructure using curl, such as a staging server hosted behind a cloudflare workers domain, and saved into the same directory. the loader then conducts…”

Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.

No matches for .

Loading techniques…

Summary

CloudZ is a new modular remote access trojan that abuses Microsoft’s built‑in Phone Link feature to steal SMS one‑time passwords (OTPs) and other mobile notifications directly from Windows PCs, without infecting the phone itself. Microsoft Phone Link (formerly “Your Phone”) is integrated into Windows 10 and 11 to mirror smartphone SMS messages, application notifications, call […]

The post CloudZ RAT Exploits Microsoft Phone Link to Steal SMS OTPs appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.