Deep Dive: How the CloudZ RAT Leverages Microsoft Phone Link for Mobile Data Exfiltration
In a sophisticated evolution of credential theft, a new modular Remote Access Trojan (RAT) known as CloudZ has surfaced, specifically targeting the bridge between Windows desktops and mobile devices.
Rather than attempting the difficult task of compromising a hardened smartphone directly, CloudZ hijacks the Microsoft Phone Link feature to intercept sensitive mobile data—including SMS-based One-Time Passwords (OTPs) and application notifications—directly from the host PC.
Microsoft Phone Link (formerly “Your Phone”) is a built-in utility designed to enhance productivity by mirroring Android or iOS notifications, SMS messages, and call logs to Windows 10 and 11. While convenient for users, this synchronization creates a high-value target for attackers. The application maintains local SQLite database files, such as PhoneExperiences-*.db, which store synchronized message histories and notification logs on the local disk.
According to a recent technical breakdown by Cisco Talos, CloudZ utilizes a specialized plugin named Pheno to weaponize this trusted synchronization channel, turning a user convenience into a stealthy surveillance vector.
The Infection Chain: From Fake Updates to Persistence
The intrusion lifecycle typically begins with a deceptive initial access vector. Attackers deploy a fraudulent ScreenConnect update executable to trick users into granting elevated access. Once executed, the malware initiates a multi-stage deployment:
- Stage 1: The Rust Loader: A 64-bit loader, compiled in Rust and disguised as
systemupdates.exeorWindows-interactive-update.exe, is dropped onto the system. Analysis of the binary reveals a developer path string"rustextractor.pdb", helping researchers track its lineage. - Stage 2: The .NET Payload: The Rust loader decrypts and drops a .NET-based loader, masquerading as benign text files like
update.txtormsupdate.txtwithinC:\ProgramData\Microsoft\windosDoc\. In some deployment scenarios, this payload is pulled dynamically from attacker-controlled infrastructure viacurl, often utilizing Cloudflare Workers to mask the staging server’s true origin. - Stage 3: Persistence via LOLBins: To ensure it survives a reboot, a PowerShell script creates a scheduled task named
"SystemWindowsApis". This task is configured to run under the SYSTEM account, abusingregasm.exe(a legitimate Microsoft tool, or “Living off the Land Binary”) to launch the .NET loader with maximum privileges.

To evade modern security orchestration, the .NET loader performs rigorous anti-analysis checks. It utilizes timing-based “sleep” validation to detect sandboxes, scans for debugging tools like Wireshark, Fiddler, Procmon, and Sysmon, and inspects hardware signatures to identify virtualized environments. Only after passing these checks does it reconstruct large hexadecimal blobs, decrypt them using a XOR key, and reflectively load its primary modules into memory.
CloudZ: A Modular Command & Control Engine
At its core, CloudZ is a highly sophisticated, ConfuserEx-obfuscated .NET RAT. It is designed for extreme modularity, allowing operators to deploy specific plugins like Pheno on demand. To frustrate reverse engineers, CloudZ avoids writing much logic to the disk; instead, it uses the .NET DynamicMethod and ILGenerator APIs to execute its logic dynamically within the system’s memory.

The RAT’s configuration provides a comprehensive toolkit for attackers, including:
- Browser credential and cookie theft.
- Remote shell execution and file management.
- Real-time screen recording.
- Encrypted C2 communication using rotating User-Agent strings and strict anti-caching HTTP headers to blend into standard web traffic.
The Pheno Plugin: Hijacking the Mobile-to-PC Bridge
The Pheno plugin is the specialized component that enables the interception of mobile data. Its operation follows a calculated reconnaissance workflow:
- Process Monitoring: Pheno scans the system for active Phone Link processes, specifically targeting
YourPhone,PhoneExperienceHost, andLink to Windows. It logs these findings to local files (e.g.,phonelink-[computername].txt) in theProgramDataorTempdirectories. - Relay Identification: The plugin parses these logs for the keyword “proxy.” This keyword indicates the presence of the local proxy channel used by Microsoft to relay traffic between the PC and the paired smartphone.
- Target Verification: If the “proxy” keyword is identified, Pheno marks the system as “Maybe connected.” This alerts the attacker that an active, real-time stream of SMS and notification data is likely being cached in the local SQLite databases.

Once the target is confirmed, CloudZ exfiltrates the Phone Link artifacts and SQLite databases to the attacker’s C2 server. This gives the adversary a direct window into the user’s authentication flow, allowing them to intercept the very codes intended to protect their enterprise accounts—all without ever needing to touch the mobile device itself.