Attackers are deploying CloudZ RAT alongside a new plugin called Pheno in targeted campaigns designed to compromise Windows software that bridges PCs and smartphones, with tactics specifically engineered to evade detection.
Cisco Talos researchers uncovered an active intrusion campaign, running since at least January 2026, in which an unidentified attacker deployed the CloudZ remote access trojan alongside a newly discovered plugin called 'Pheno', a tool not previously documented by the security community.
Cybersecurity researchers have published details of an intrusion campaign that deployed the CloudZ remote access tool (RAT) and a previously unknown plugin named Pheno, both designed to steal user credentials and one-time passwords from victims.