“[.]hellohiall[.]workers[.]dev. The dropper executes an embedded PowerShell script to establish persistence on the victim machine through a Windows task which executes the dropped malicious .NET loader. The PowerShell script achieves it by initially performing a runtime che…”
T1105 Ingress Tool Transfer (100%)
“presence of the curl utility. If found, it attempts to download the file from a specified URL to a target path while following redirects. If curl is missing or the command fails, it falls back to PowerShell, where it first tries to download the file using the Invoke-WebRequest …”
T1105 Ingress Tool Transfer (100%)
“Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 - Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.…”
T1053.005 Scheduled Task (98%)
“silently overwrite any existing task with the same name, allowing the malware to update its persistence mechanism. The script configures the Task Scheduler action to run the .NET loader by utilizing the living-off-the-land binary (LOLBin) RegAsm.exe, which is the .NET fr…”
T1204.002 Malicious File (84%)
“based OTP messages and other authenticator application notification messages. Intrusion summary of CloudZ infection. Talos discovered from telemetry data that the intrusion had begun with an unknown initial access vector to the victim's environment, which led to the execution of…”
T1557.001 Name Resolution Poisoning and SMB Relay (81%)
“of the Pheno plugin, indicates that the Phone Link session is actively routing traffic through its relay channel. When the keyword is detected, the Pheno plugin writes "maybe connected" to its output file in the staging folders, which eventually allows the attacker, with the he…”
T1204.002 Malicious File (81%)
“as a dropper. Talos discovered a Rust-compiled 64-bit executable, disguised with file names such as “systemupdates.exe” or “windows-interactive-update.exe”, functioning as a loader. The malicious loader was compiled on Jan. 1, 2026, and has the developer string of ru…”
T1497 Virtualization/Sandbox Evasion (72%)
“-based evasion check, where it calculates the actual elapsed time of a sleep command to detect if it is executed in the analysis environment. It then performs enumeration of running processes in the victim machine against a list of security tools, including network sniffers like…”
T1105 Ingress Tool Transfer (72%)
“to create the executable functions dynamically during the RAT execution. The operation of CloudZ utilizes its configuration data, which is embedded in the binary, as a resource that it decrypts and loads into memory during execution. The decrypted configuration data includes vari…”
T1055.001 Dynamic-link Library Injection (63%)
“bytes and performs bytewise XOR decryption using the key hexadecimal (0xCA). If the decrypted payload is a .NET assembly, the loader will reflectively run it. Otherwise, it writes the decrypted payload to the folder “%TEMP%\{GUID}” and runs it as a process. Modular CloudZ …”
T1053 Scheduled Task/Job (58%)
“silently overwrite any existing task with the same name, allowing the malware to update its persistence mechanism. The script configures the Task Scheduler action to run the .NET loader by utilizing the living-off-the-land binary (LOLBin) RegAsm.exe, which is the .NET fr…”
T1497.001 System Checks (52%)
“-based evasion check, where it calculates the actual elapsed time of a sleep command to detect if it is executed in the analysis environment. It then performs enumeration of running processes in the victim machine against a list of security tools, including network sniffers like…”
T1071.001 Web Protocols (49%)
“address “185[.]196[.]10[.]136” and port number 8089, establishing connections through TCP sockets. Pivoting on the Pastebin URL indicator, we found that the attacker used the Pastebin handler name “hellohiall” and hosted the secondary configuration data at several pa…”
T1053.002 At (37%)
“silently overwrite any existing task with the same name, allowing the malware to update its persistence mechanism. The script configures the Task Scheduler action to run the .NET loader by utilizing the living-off-the-land binary (LOLBin) RegAsm.exe, which is the .NET fr…”
T1557.001 Name Resolution Poisoning and SMB Relay (36%)
“CloudZ RAT potentially steals OTP messages using Pheno plugin - Cisco Talos discovered an intrusion, active since at least January 2026, where an unknown attacker implanted a CloudZ remote access tool (RAT) and a previously undocumented plugin called “Pheno.” - According to t…”
Summary
Cisco Talos discovered an intrusion, active since at least January 2026, where an unknown attacker implanted a CloudZ remote access tool (RAT) and a previously undocumented plugin called “Pheno.”