CloudZ RAT potentially steals OTP messages using Pheno plugin

Cisco Talos uncovered an intrusion active since January 2026 in which attackers deployed the CloudZ remote access tool and an undocumented plugin called Pheno to steal credentials and one-time passwords. The attack abuses the Microsoft Phone Link application by intercepting synchronized mobile data, including SMS messages and OTPs, without requiring phone-level infection. CloudZ evades detection through dynamic in-memory execution and anti-analysis checks. The infection chain begins with a fake ScreenConnect update executable, leading to a Rust-compiled dropper that deploys a .NET loader, ultimately establishing the modular CloudZ RAT. The Pheno plugin monitors Phone Link processes and intercepts the SQLite database files containing synchronized phone data. CloudZ employs ConfuserEx obfuscation and multiple configuration layers, supports commands including browser data exfiltration, shell execution, and plugin management, and maintains persistence through scheduled tasks.

Pulse ID: 69f9f99cd352da334850ef13
Pulse Link: https://otx.alienvault.com/pulse/69f9f99cd352da334850ef13
Pulse Author: AlienVault
Created: 2026-05-05 14:07:24

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Browser #Cisco #Cloud #CyberSecurity #InfoSec #Microsoft #NET #OTX #OpenThreatExchange #Password #Passwords #RAT #RCE #Rust #SMS #SQL #ScreenConnect #Talos #Word #bot #AlienVault

LevelBlue - Open Threat Exchange

Learn about the latest cyber threats. Research, collaborate, and share threat intelligence in real time. Protect yourself and the community against today's emerging threats.

LevelBlue Open Threat Exchange
@strikereadylabs.com #screenconnect c2: producttradercop\.com
CISA warning: attacks on ConnectWise ScreenConnect and Windows Shell

The US IT security agency CISA warns of observed attacks against the Windows Shell and ConnectWise ScreenConnect.

heise online

CISA Flags Actively Exploited ConnectWise, Windows Flaws

The US Cybersecurity and Infrastructure Security Agency (CISA) has flagged two major vulnerabilities, including a critical flaw in ConnectWise ScreenConnect and a Microsoft Windows Shell bug, as actively exploited by hackers. These flaws could allow attackers to execute remote code, access confidential data, and compromise critical systems.

https://osintsights.com/cisa-flags-actively-exploited-connectwise-windows-flaws?utm_source=mastodon&utm_medium=social

#Cve20241708 #Cve202632202 #Windows #Connectwise #Screenconnect

CISA Flags Actively Exploited ConnectWise, Windows Flaws

Learn about CISA's Known Exploited Vulnerabilities catalog and two new actively exploited flaws in ConnectWise and Windows, take action now to secure your systems.

OSINTSights
CVE Alert: CVE-2024-1708 - ConnectWise - ScreenConnect - RedPacket Security

ConnectWise ScreenConnect 23.9.7 and prior are affected by path-traversal vulnerability, which may allow an attacker the ability to execute remote code or

RedPacket Security

Phishing Attack via Adobe-Themed Lure Delivering ScreenConnect and Credential Harvesting Tools

Pulse ID: 69eaf8302d013c66b8a8493c
Pulse Link: https://otx.alienvault.com/pulse/69eaf8302d013c66b8a8493c
Pulse Author: Tr1sa111
Created: 2026-04-24 04:57:20

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Adobe #CredentialHarvesting #CyberSecurity #InfoSec #OTX #OpenThreatExchange #Phishing #ScreenConnect #bot #Tr1sa111


Phishing Attack via Adobe-Themed Lure Delivering ScreenConnect and Credential Harvesting Tools

A phishing campaign utilized a fraudulent Adobe-themed website to trick victims into downloading and executing ScreenConnect remote access software. Once initial access was established, threat actors conducted interactive operations deploying multiple malicious binaries including a credential harvesting tool named password.exe. The attackers also exploited the ms-phone URI handler to launch the Phone Link application, attempting to socially engineer victims into linking their mobile devices to potentially capture notifications, authentication prompts, and sensitive information. The attack demonstrates a multi-stage compromise focusing on persistence establishment, credential theft, and preparation for potential lateral movement across the victim's network infrastructure.

Pulse ID: 69e9d7f4b00e56e9ebb52338
Pulse Link: https://otx.alienvault.com/pulse/69e9d7f4b00e56e9ebb52338
Pulse Author: AlienVault
Created: 2026-04-23 08:27:32

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Adobe #CredentialHarvesting #CyberSecurity #InfoSec #OTX #OpenThreatExchange #Password #Phishing #RAT #ScreenConnect #Word #bot #AlienVault


Dissecting FudCrypt: A Real-World Malware Crypting Service Analysis

FudCrypt is a Cryptor-as-a-Service platform offering subscription-based malware obfuscation for $800 to $2,000 monthly. The service wraps customer payloads in multi-stage deployment packages featuring DLL sideloading, AMSI and ETW interference, silent UAC elevation via CMSTPLUA, and Windows Defender tampering through Group Policy. Analysis of recovered server infrastructure revealed 200 registered users, 334 builds, and comprehensive fleet C2 command history across 32 enrolled agents. The operator maintains a separate signing infrastructure using four Azure Trusted Signing accounts to sign operator-controlled binaries including fleet agents, native loaders, and ScreenConnect installers. The platform employs 20 undocumented DLL sideload carrier profiles, per-build polymorphic encryption with layered XOR-32, RC4-16, and custom S-box transforms, and an advanced development branch featuring indirect syscalls, module stomping, fiber-based execution, and Ekko sleep obfuscation. Server infrastructure included exp...

Pulse ID: 69e8c2ea19756cc9d2899dea
Pulse Link: https://otx.alienvault.com/pulse/69e8c2ea19756cc9d2899dea
Pulse Author: AlienVault
Created: 2026-04-22 12:45:30

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Azure #CyberSecurity #Encryption #InfoSec #LUA #Malware #OTX #OpenThreatExchange #RAT #Rust #ScreenConnect #SideLoading #Troll #Windows #bot #AlienVault


Uptick in Bomgar RMM Exploitation

Since early April 2026, security researchers have observed a significant increase in attacks targeting Bomgar remote monitoring and management instances, exploiting CVE-2026-1731, a critical vulnerability disclosed in February. Threat actors have compromised Bomgar RMM to target downstream customers of MSPs and other service providers, affecting over 78 businesses in one incident alone. Attackers deploy LockBit ransomware, create privileged administrator accounts for persistence, install additional remote access tools like AnyDesk and ScreenConnect, and conduct domain reconnaissance. Some incidents involved attempts to disable security tools using BYOVD techniques. The attacks primarily target organizations running outdated Bomgar versions vulnerable to remote code execution, with compromised instances belonging to dental software companies and MSPs enabling widespread impact across their customer bases.

Pulse ID: 69e2bfe152d44136b3c83ec3
Pulse Link: https://otx.alienvault.com/pulse/69e2bfe152d44136b3c83ec3
Pulse Author: AlienVault
Created: 2026-04-17 23:18:57

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#AnyDesk #CyberSecurity #InfoSec #LockBit #OTX #OpenThreatExchange #RAT #RansomWare #RemoteCodeExecution #ScreenConnect #Vulnerability #bot #AlienVault


SEO Poisoning Attack Abuses Microsoft Signed Binary for RMM Tool Installation

An SEO poisoning campaign has been discovered impersonating the legitimate open source data recovery tool TestDisk. It silently installs the ScreenConnect remote monitoring and management client to gain command execution, file transfer and lateral movement in the network.

Pulse ID: 69e4d8e980b032626e88ccd8
Pulse Link: https://otx.alienvault.com/pulse/69e4d8e980b032626e88ccd8
Pulse Author: cryptocti
Created: 2026-04-19 13:30:17

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #InfoSec #Microsoft #OTX #OpenThreatExchange #RCE #SEOPoisoning #ScreenConnect #bot #cryptocti
