Deep Dive: How the CloudZ RAT Leverages Microsoft Phone Link for Mobile Data Exfiltration

In a sophisticated evolution of credential theft, a new modular Remote Access Trojan (RAT) known as CloudZ has surfaced, specifically targeting the bridge between Windows desktops and mobile devices.

Rather than attempting the difficult task of compromising a hardened smartphone directly, CloudZ hijacks the Microsoft Phone Link feature to intercept sensitive mobile data—including SMS-based One-Time Passwords (OTPs) and application notifications—directly from the host PC.

Microsoft Phone Link (formerly “Your Phone”) is a built-in utility designed to enhance productivity by mirroring Android or iOS notifications, SMS messages, and call logs to Windows 10 and 11. While convenient for users, this synchronization creates a high-value target for attackers. The application maintains local SQLite database files, such as PhoneExperiences-*.db, which store synchronized message histories and notification logs on the local disk.

According to a recent technical breakdown by Cisco Talos, CloudZ utilizes a specialized plugin named Pheno to weaponize this trusted synchronization channel, turning a user convenience into a stealthy surveillance vector.

The intrusion lifecycle typically begins with a deceptive initial access vector. Attackers deploy a fraudulent ScreenConnect update executable to trick users into granting elevated access. Once executed, the malware initiates a multi-stage deployment:

  • Stage 1: The Rust Loader: A 64-bit loader, compiled in Rust and disguised as systemupdates.exe or Windows-interactive-update.exe, is dropped onto the system. Analysis of the binary reveals a developer path string "rustextractor.pdb", helping researchers track its lineage.
  • Stage 2: The .NET Payload: The Rust loader decrypts and drops a .NET-based loader, masquerading as benign text files like update.txt or msupdate.txt within C:\ProgramData\Microsoft\windosDoc\. In some deployment scenarios, this payload is pulled dynamically from attacker-controlled infrastructure via curl, often utilizing Cloudflare Workers to mask the staging server’s true origin.
  • Stage 3: Persistence via LOLBins: To ensure it survives a reboot, a PowerShell script creates a scheduled task named "SystemWindowsApis". This task is configured to run under the SYSTEM account, abusing regasm.exe (a legitimate Microsoft tool, or “Living off the Land Binary”) to launch the .NET loader with maximum privileges.
Excerpt of the .NET loader binary with detection evasion instructions (Source : Cisco talos).
Excerpt of the .NET loader binary highlighting various detection evasion instructions (Source: Cisco Talos).

To evade modern security orchestration, the .NET loader performs rigorous anti-analysis checks. It utilizes timing-based “sleep” validation to detect sandboxes, scans for debugging tools like Wireshark, Fiddler, Procmon, and Sysmon, and inspects hardware signatures to identify virtualized environments. Only after passing these checks does it reconstruct large hexadecimal blobs, decrypt them using a XOR key, and reflectively load its primary modules into memory.

CloudZ: A Modular Command & Control Engine

At its core, CloudZ is a highly sophisticated, ConfuserEx-obfuscated .NET RAT. It is designed for extreme modularity, allowing operators to deploy specific plugins like Pheno on demand. To frustrate reverse engineers, CloudZ avoids writing much logic to the disk; instead, it uses the .NET DynamicMethod and ILGenerator APIs to execute its logic dynamically within the system’s memory.

CloudZ function that downloads the secondary configuration data from the staging server (Source : Cisco talos).
CloudZ function responsible for retrieving secondary configuration data from the attacker’s staging server (Source: Cisco Talos).

The RAT’s configuration provides a comprehensive toolkit for attackers, including:

  • Browser credential and cookie theft.
  • Remote shell execution and file management.
  • Real-time screen recording.
  • Encrypted C2 communication using rotating User-Agent strings and strict anti-caching HTTP headers to blend into standard web traffic.

The Pheno Plugin: Hijacking the Mobile-to-PC Bridge

The Pheno plugin is the specialized component that enables the interception of mobile data. Its operation follows a calculated reconnaissance workflow:

  1. Process Monitoring: Pheno scans the system for active Phone Link processes, specifically targeting YourPhone, PhoneExperienceHost, and Link to Windows. It logs these findings to local files (e.g., phonelink-[computername].txt) in the ProgramData or Temp directories.
  2. Relay Identification: The plugin parses these logs for the keyword “proxy.” This keyword indicates the presence of the local proxy channel used by Microsoft to relay traffic between the PC and the paired smartphone.
  3. Target Verification: If the “proxy” keyword is identified, Pheno marks the system as “Maybe connected.” This alerts the attacker that an active, real-time stream of SMS and notification data is likely being cached in the local SQLite databases.
Pheno checking for a previous instance of PC-to-phone bridge through Phone Link application(Source : Cisco talos).
Pheno scanning for evidence of a previous or active PC-to-phone bridge via the Phone Link application (Source: Cisco Talos).

Once the target is confirmed, CloudZ exfiltrates the Phone Link artifacts and SQLite databases to the attacker’s C2 server. This gives the adversary a direct window into the user’s authentication flow, allowing them to intercept the very codes intended to protect their enterprise accounts—all without ever needing to touch the mobile device itself.

Related Articles

Back to top button