CloudZ RAT potentially steals OTP messages using Pheno plugin
ID: 45bc89f6-7e34-5fa7-b476-5ec8ac27ac94
STIX ID: report--45bc89f6-7e34-5fa7-b476-5ec8ac27ac94
Feed Name: Cisco Talos
Cisco Talos reports an active intrusion, observed since at least January 2026, in which attackers deployed a modular .NET RAT named CloudZ together with a plugin named Pheno. Pheno monitors and abuses the Windows Phone Link application to exfiltrate browser credentials and, potentially, SMS messages including one-time passcodes (OTPs). The intrusion chain consists of a Rust-compiled dropper carrying an embedded .NET loader; the loader performs evasion and establishes persistence through a scheduled task that runs regasm.exe. Command-and-control and staging infrastructure is hosted on Pastebin and on worker domains. The report includes IOCs and detection signatures.
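One concrete check a defender can run against the persistence technique described above is to triage exported Task Scheduler definitions for any task whose action launches regasm.exe. The script below is an added example written for this page, not code from Cisco Talos or from the report; the task names, file paths and sample XML are constructed, and the only fact it relies on is the Task Scheduler XML namespace.

```python
"""Hunt for scheduled-task persistence that launches regasm.exe.

Added example, not code from Cisco Talos or from the CloudZ/Pheno report.
It triages exported task definitions (the XML files Windows keeps under
C:\\Windows\\System32\\Tasks) and flags any whose <Exec> action runs
regasm.exe, the persistence technique the summary attributes to the .NET
loader. All task names, paths and sample XML below are constructed.
"""
from __future__ import annotations

from pathlib import Path
import xml.etree.ElementTree as ET

# Namespace used by every Task Scheduler 2.0 task definition.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
TARGET = "regasm.exe"


def _basename(command: str) -> str:
    """Lower-cased file name of a command, tolerating quotes and either slash style."""
    return command.strip().strip('"').replace("/", "\\").split("\\")[-1].lower()


def exec_actions(task_xml: str | bytes) -> list[tuple[str, str]]:
    """Return (command, arguments) for each <Exec> action in a task definition."""
    root = ET.fromstring(task_xml)
    actions = []
    for ex in root.findall(".//t:Actions/t:Exec", NS):
        cmd = ex.findtext("t:Command", default="", namespaces=NS)
        args = ex.findtext("t:Arguments", default="", namespaces=NS)
        actions.append((cmd.strip(), args.strip()))
    return actions


def is_regasm_persistence(task_xml: str | bytes) -> bool:
    """True if any action runs regasm.exe directly, or names it in the
    arguments (covers cmd.exe /c ... and powershell -c ... wrappers)."""
    return any(
        _basename(cmd) == TARGET or TARGET in args.lower()
        for cmd, args in exec_actions(task_xml)
    )


def triage(tasks: dict[str, str | bytes]) -> list[str]:
    """Names of matching tasks from a {task_name: xml} mapping; non-XML input is skipped."""
    hits = []
    for name, xml in tasks.items():
        try:
            if is_regasm_persistence(xml):
                hits.append(name)
        except ET.ParseError:
            continue  # not a task definition (e.g. stray file in the directory)
    return sorted(hits)


def scan_task_dir(task_dir: Path) -> list[str]:
    """Triage every file under task_dir. Exported tasks are UTF-16 XML, so the
    raw bytes are handed to the parser, which honours the encoding declaration."""
    tasks = {str(p.relative_to(task_dir)): p.read_bytes()
             for p in task_dir.rglob("*") if p.is_file()}
    return triage(tasks)


# Constructed samples. The benign task mirrors a vendor updater; the
# suspicious one runs the real .NET Framework regasm.exe against a DLL in a
# user-writable directory; the wrapped one hides the same call behind cmd.exe.
BENIGN_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Program Files\\ExampleVendor\\updater.exe</Command>
      <Arguments>/silent</Arguments>
    </Exec>
  </Actions>
</Task>"""

SUSPICIOUS_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\RegAsm.exe</Command>
      <Arguments>C:\\Users\\victim\\AppData\\Roaming\\example\\loader.dll</Arguments>
    </Exec>
  </Actions>
</Task>"""

WRAPPED_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Windows\\System32\\cmd.exe</Command>
      <Arguments>/c "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\regasm.exe" C:\\Users\\victim\\AppData\\Local\\Temp\\x.dll</Arguments>
    </Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    samples = {"Vendor\\Update": BENIGN_TASK,
               "Microsoft\\Windows\\Example": SUSPICIOUS_TASK,
               "Wrapped": WRAPPED_TASK}
    for name in triage(samples):
        print("review:", name, exec_actions(samples[name]))
```

Matching on the file name alone is deliberate: the loader can invoke either the 32-bit or 64-bit regasm.exe, so a fixed path would miss one of them. On a live host, point `scan_task_dir` at a copy of `C:\Windows\System32\Tasks` taken during collection, and review every hit against the report's IOCs rather than treating the match itself as confirmation.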
