{"id":6761,"date":"2026-05-06T10:48:10","date_gmt":"2026-05-06T10:48:10","guid":{"rendered":"https:\/\/delimiter.online\/blog\/cloudz-rat-credential-theft\/"},"modified":"2026-05-06T10:48:10","modified_gmt":"2026-05-06T10:48:10","slug":"cloudz-rat-credential-theft","status":"publish","type":"post","link":"https:\/\/delimiter.online\/blog\/cloudz-rat-credential-theft\/","title":{"rendered":"CloudZ RAT Malware Uses New Plugin to Steal Credentials and OTPs"},"content":{"rendered":"<p><a href=\"https:\/\/delimiter.online\/blog\/ai-service-security\/\" title=\"cybersecurity\">Cybersecurity<\/a> researchers have disclosed details of a recent intrusion campaign that leverages a remote access tool known as CloudZ RAT alongside a previously undocumented plugin called Pheno. The operation is designed to facilitate the theft of sensitive login credentials and one-time passwords (OTPs).<\/p>\n<p>According to an analysis published by security firm Cyble, the threat actors deployed CloudZ RAT as their primary payload. The malware\u2019s core functionality was augmented by the Pheno plugin, which specifically targets credential harvesting. \u201cAccording to the functionalities of the CloudZ RAT and Pheno plugin, this was with the intention of stealing victims\u2019 credentials and potentially one-time passwords (OTPs),\u201d the researchers noted in their report.<\/p>\n<h2>Technical Details of the Campaign<\/h2>\n<p>The CloudZ RAT is a sophisticated remote access trojan that provides attackers with full control over an infected system. It is capable of executing remote commands, capturing keystrokes, and exfiltrating data. The addition of the Pheno plugin expands its capabilities by focusing on the extraction of passwords stored in web browsers, email clients, and other applications.<\/p>\n<p>One of the key features of the Pheno plugin is its ability to intercept OTPs. 
Researchers explained that the plugin monitors clipboard activity and browser sessions to capture verification codes sent via SMS or authenticator applications. This allows attackers to bypass two-factor authentication (2FA) protections on targeted accounts.<\/p>\n<p>The attack chain typically begins with a phishing email containing a malicious attachment or link. Once the victim opens the file or visits the link, the CloudZ RAT is downloaded and executed. The Pheno plugin is then loaded as a separate module to commence <a href=\"https:\/\/delimiter.online\/blog\/daemon-tools-supply-chain-attack\/\" title=\"credential theft\">credential theft<\/a> operations.<\/p>\n<h4><a href=\"https:\/\/delimiter.online\/blog\/whatsapp-web-calling\/\" title=\"Windows Phone Link\">Windows Phone Link<\/a> as an Attack Vector<\/h4>\n<p>Interestingly, the campaign has been observed exploiting the Windows Phone Link feature to gain initial access. Windows Phone Link allows users to connect their Android or iOS devices to a Windows PC for synchronization of messages, calls, and notifications. Threat actors have reportedly been using phishing pages that mimic legitimate Phone Link setup processes to trick users into granting permissions or downloading infected software.<\/p>\n<p>\u201cThe use of Windows Phone Link as a lure is a novel approach,\u201d the report stated. \u201cBy exploiting a trusted system integration, the attackers lower the victim\u2019s guard and increase the likelihood of successful infection.\u201d This technique underscores a growing trend where attackers abuse legitimate software features to achieve their malicious objectives.<\/p>\n<h2>Implications for User Security<\/h2>\n<p>The discovery of the Pheno plugin highlights the evolving nature of credential theft operations. As organizations and individuals increasingly rely on OTPs for account security, attackers are developing specialized tools to circumvent these measures. 
The ability to capture OTPs in real time poses a significant risk to online banking, email accounts, corporate VPNs, and other sensitive services.<\/p>\n<p>Researchers emphasized that users should remain vigilant against unsolicited emails or messages that request login credentials or prompt them to install software. Verifying the authenticity of communications, especially those related to system features like Windows Phone Link, is critical to prevent compromise.<\/p>\n<h4>Recommended Defensive Measures<\/h4>\n<p>To mitigate the risk of CloudZ RAT infections, cybersecurity experts recommend implementing multi-layered security controls. This includes deploying endpoint detection and response (EDR) solutions that can identify and block remote access tools. Regular security awareness training for employees can also help reduce the likelihood of falling for phishing attacks.<\/p>\n<p>Users are advised to enable hardware-based security keys (such as FIDO2 tokens) where possible, as these are resistant to OTP interception. Additionally, monitoring for unusual login attempts and enabling account recovery alerts can provide early warning signs of credential theft.<\/p>\n<p>The campaign is believed to be ongoing. While the exact scale of the operation remains unclear, the use of the CloudZ RAT and Pheno plugin suggests a targeted approach rather than broad, indiscriminate attacks. Security firms continue to track the infrastructure associated with this threat actor to identify further victims and new variants of the malware.<\/p>\n<p>Further updates from cybersecurity research teams are expected as more information on the technical capabilities of the Pheno plugin and the tactics employed by the attackers becomes available. 
Organizations are encouraged to review their current security posture and ensure that all systems are updated with the latest patches and threat intelligence feeds.<\/p>\n<p>Source: Delimiter<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Cybersecurity researchers have disclosed details of a recent intrusion campaign that leverages a remote access tool known as CloudZ RAT alongside a previously undocumented plugin called Pheno. The operation is designed to facilitate the theft of sensitive login credentials and one-time passwords (OTPs). According to an analysis published by security firm Cyble, the threat actors [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":6762,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[505],"tags":[7950,2251,619,544,7951],"class_list":["post-6761","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security","tag-cloudz-rat","tag-credential-theft","tag-cybersecurity","tag-malware","tag-windows-phone-link"],"_links":{"self":[{"href":"https:\/\/delimiter.online\/blog\/wp-json\/wp\/v2\/posts\/6761","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/delimiter.online\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/delimiter.online\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/delimiter.online\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/delimiter.online\/blog\/wp-json\/wp\/v2\/comments?post=6761"}],"version-history":[{"count":0,"href":"https:\/\/delimiter.online\/blog\/wp-json\/wp\/v2\/posts\/6761\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/delimiter.online\/blog\/wp-json\/wp\/v2\/media\/6762"}],"wp:attachment":[{"href":"https:\/\/delimiter.online\/blog\/wp-json\/wp\/v2\/media?parent=6761"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/
delimiter.online\/blog\/wp-json\/wp\/v2\/categories?post=6761"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/delimiter.online\/blog\/wp-json\/wp\/v2\/tags?post=6761"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}