← Back to Pulse Feed
PULSE DETAIL
PULSE NAME
IOC - CloudZ RAT potentially steals OTP messages using Pheno plugin
WHITE celestre 2026-05-13 Modified: 2026-05-13
16
IOCs
MEDIUM VOLUME
Windows Phone Link (formerly "Your Phone") is a synchronization tool developed by Microsoft and built directly into Windows 10 and 11 that bridges a PC and a smartphone (Android or iPhone). By establishing a secure connection via Wi-Fi and Bluetooth, the application mirrors essential phone activities (such as application notifications and SMS messages) onto the computer screen, reducing the user’s need to physically interact with the mobile device while working on the computer. The Phone Link application writes synchronized phone data such as SMS messages, call logs, and the application notification history to the Windows PC in the application’s SQLite database file.
linkyour phonealienvaultiocmicrosoft phonehuntinglocalappdatarusty droppercloudz ratplugin pheno
Indicators of Compromise (16)
All FileHash-MD5 FileHash-SHA1 FileHash-SHA256 IPv4
TYPEINDICATORDESCRIPTIONCREATED
FileHash-MD5 02545a4560e0cd6662d1061973244f18 MD5 of 33af554562176eff34598a839051b8e91692b0305edfdbb4d8eb9df0103ffd98 2026-05-13
FileHash-MD5 719fead8f2408fa00998f245a0bb11c3 MD5 of 24398b75be2645e6c695e529e62e60deb418143a4bbea13c561d3c361419eb54 2026-05-13
FileHash-MD5 a39299719bb4151c373a0e9b92b2bd05 MD5 of 5b7284bcf30569ae400e416a62391720cc9081e6047f15816f9d1a04a06eb321 2026-05-13
FileHash-MD5 cdc678b4ad968121fbaaf8e04511cef3 MD5 of 65fcd965040fabeb6f092df0a4b6856125018bb3b6a1876342da458139f77dac 2026-05-13
FileHash-MD5 d6e5f9733d4c0313125d1700dc0e3746 MD5 of ed5de036edbbda52ab0049d2163607038d38a49404a46b6bcfc4bac26b743832 2026-05-13
FileHash-SHA1 2f22b98ef31e5f31d9e3c8f27a5f1f22be89612d SHA1 of 65fcd965040fabeb6f092df0a4b6856125018bb3b6a1876342da458139f77dac 2026-05-13
FileHash-SHA1 626f47a22a7edc79eb4e3f936189958e0ce7a91d SHA1 of ed5de036edbbda52ab0049d2163607038d38a49404a46b6bcfc4bac26b743832 2026-05-13
FileHash-SHA1 706d490a7e0d745c60906ff80ada9447d57234fa SHA1 of 33af554562176eff34598a839051b8e91692b0305edfdbb4d8eb9df0103ffd98 2026-05-13
FileHash-SHA1 be543469fff6ad13a1dcccca4dcb7b987120bedf SHA1 of 24398b75be2645e6c695e529e62e60deb418143a4bbea13c561d3c361419eb54 2026-05-13
FileHash-SHA1 e3ef02456a4df8236da5ee2082a5df36e746b463 SHA1 of 5b7284bcf30569ae400e416a62391720cc9081e6047f15816f9d1a04a06eb321 2026-05-13
FileHash-SHA256 24398b75be2645e6c695e529e62e60deb418143a4bbea13c561d3c361419eb54 2026-05-13
FileHash-SHA256 33af554562176eff34598a839051b8e91692b0305edfdbb4d8eb9df0103ffd98 2026-05-13
FileHash-SHA256 5b7284bcf30569ae400e416a62391720cc9081e6047f15816f9d1a04a06eb321 2026-05-13
FileHash-SHA256 65fcd965040fabeb6f092df0a4b6856125018bb3b6a1876342da458139f77dac 2026-05-13
FileHash-SHA256 ed5de036edbbda52ab0049d2163607038d38a49404a46b6bcfc4bac26b743832 2026-05-13
IPv4 185.196.10.136 CC=CH ASN=AS42624 simple carrier llc 2026-05-13
References (1)
↗ https://blog.talosintelligence.com/cloudz-pheno-infostealer/