CloudZ RAT potentially steals OTP messages using Pheno plugin (opens in new tab)

Cisco Talos discovered an intrusion, active since at least January 2026, where an unknown attacker implanted a CloudZ remote access tool (RAT) and a previously undocumented plugin called “Pheno.”