“the initial dropper also makes use of an embedded powershell script to establish persistence by setting up a scheduled task that runs the malicious. net loader. the intermediate loader is designed to run hardware and environment checks to evade detection and deploy the modular cl…”
T1059.001 PowerShell (75%)
“the initial dropper also makes use of an embedded powershell script to establish persistence by setting up a scheduled task that runs the malicious. net loader. the intermediate loader is designed to run hardware and environment checks to evade detection and deploy the modular cl…”
T1566.002 Spearphishing Link (58%)
“windows phone link exploited by cloudz rat to steal credentials and otps cybersecurity researchers have disclosed details of an intrusion that involved the use of a cloudz remote access tool ( rat ) and a previous undocumented plugin dubbed pheno with the aim of facilitating cred…”
T1111 Multi-Factor Authentication Interception (42%)
“windows phone link exploited by cloudz rat to steal credentials and otps cybersecurity researchers have disclosed details of an intrusion that involved the use of a cloudz remote access tool ( rat ) and a previous undocumented plugin dubbed pheno with the aim of facilitating cred…”
T1053 Scheduled Task/Job (33%)
“the initial dropper also makes use of an embedded powershell script to establish persistence by setting up a scheduled task that runs the malicious. net loader. the intermediate loader is designed to run hardware and environment checks to evade detection and deploy the modular cl…”
T1566.002 Spearphishing Link (33%)
“and help bypass two - factor authentication. what ' s more, it obviates the need to compromise the mobile device itself. the malware, per the cybersecurity company, has been put to use as part of an intrusion that ' s been active since at least january 2026. the activity has not …”
Summary
Cybersecurity researchers have disclosed details of an intrusion that involved the use of a CloudZ remote access tool (RAT) and a previously undocumented plugin dubbed Pheno with the aim of facilitating credential theft.
"According to the functionalities of the CloudZ RAT and Pheno plugin, this was with the intention of stealing victims' credentials and potentially one-time passwords (OTPs),"