A recent Cisco Talos analysis reveals the evolution of two emerging threats: CloudZ and Pheno, malware families designed specifically to steal sensitive information, with an increasing focus on cloud service credentials.
Modern malware with clear objectives: data and access
So-called infostealers do not aim to destroy systems or encrypt files like ransomware. Their purpose is quieter and more strategic: to collect credentials, tokens, and personal data that can then be sold or used in subsequent attacks.
CloudZ and Pheno represent this new generation of threats, with expanded capabilities and greater adaptability.
How do CloudZ and Pheno work?
The report describes typical operation in several phases:
1. Initial Infection
The malware is typically distributed through:
- Fraudulent downloads (pirated software, cracks)
- Malicious attachments
- Compromised websites
2. Data Collection
Once inside the system, the infostealer begins to extract information from multiple sources:
- Web browsers (saved passwords, cookies)
- Messaging applications
- Cryptocurrency wallets
- Authentication tokens
- API keys and cloud credentials
3. Exfiltration
The stolen data is sent to attacker-controlled servers, often encrypted to avoid detection.
4. Monetization
The information is sold on underground forums or used to compromise additional accounts.
Cloud focus: the new priority target
One of the most concerning features of CloudZ and Pheno is their orientation toward cloud services.
Attackers specifically seek:
- Amazon Web Services credentials
- Microsoft Azure access
- Google Cloud tokens
- API keys used by developers
This shift reflects the growing importance of the cloud in enterprise and personal infrastructures.
Highlighted technical capabilities
The Cisco Talos report emphasizes several advanced capabilities:
- Detection Evasion: techniques to evade traditional antivirus
- Modularity: ability to add new functions based on the objective
- Limited Persistence: some infostealers prioritize speed over permanence
- Wide Compatibility: they function across multiple environments and applications
Credential theft can have serious consequences:
- Unauthorized access to personal and corporate accounts
- Compromise of entire cloud infrastructures
- Theft of sensitive data or intellectual property
- Use of compromised accounts for additional attacks
In many cases, the impact extends far beyond the initial device.
Indicators of infection
Some signs that may indicate the presence of an infostealer include:
- Unusual activity in online accounts
- Logins from unknown locations
- Unexpected resource consumption in cloud services
- Security alerts in browsers or platforms
For users:
- Avoid downloading software from untrusted sources
- Use multi-factor authentication (MFA)
- Do not save sensitive passwords in browsers
- Keep systems updated
For businesses:
- Monitor access to cloud services
- Rotate API keys regularly
- Implement EDR solutions
- Apply security policies on endpoints
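The indicators listed above (logins from unknown locations, unusual activity in cloud accounts) and the business recommendations (monitor access to cloud services, rotate API keys) can be turned into simple checks over cloud audit logs. The following is an added example written for this article, not code from the Cisco Talos report or from any vendor tool. The event shape, the baseline of known countries per principal, the sample events and the access-key inventory are all constructed for the demonstration; a real deployment would feed it records from the provider's audit log (for example CloudTrail) after geo-IP resolution.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class AccessEvent:
    """One cloud audit-log record (shape loosely modelled on CloudTrail; assumed, not from the article)."""
    timestamp: datetime
    principal: str      # IAM user or owner of the access key that was used
    source_ip: str
    country: str        # geo-IP result, assumed to be resolved before ingestion
    action: str


# Constructed baseline: countries from which each principal is normally seen.
BASELINE_COUNTRIES = {
    "alice": {"ES"},
    "ci-deploy": {"ES", "DE"},
}

T0 = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)

# Constructed sample events. The last three model stolen browser/CLI credentials
# being replayed from a country never seen for that principal.
SAMPLE_EVENTS = [
    AccessEvent(T0, "alice", "203.0.113.10", "ES", "ConsoleLogin"),
    AccessEvent(T0 + timedelta(minutes=5), "ci-deploy", "198.51.100.7", "DE", "PutObject"),
    AccessEvent(T0 + timedelta(minutes=40), "alice", "192.0.2.55", "BR", "ConsoleLogin"),
    AccessEvent(T0 + timedelta(minutes=41), "alice", "192.0.2.55", "BR", "ListBuckets"),
    AccessEvent(T0 + timedelta(minutes=42), "alice", "192.0.2.55", "BR", "GetSecretValue"),
]

# Constructed access-key inventory: key id -> creation time.
SAMPLE_KEYS = {
    "key-alice-2024": T0 - timedelta(days=30),
    "key-ci-deploy-2023": T0 - timedelta(days=400),
}


def flag_unknown_locations(events, baseline):
    """Return (principal, country, source_ip) for activity outside a principal's known countries.

    Each distinct (principal, country, ip) combination is reported once.
    """
    seen = set()
    findings = []
    for ev in events:
        allowed = baseline.get(ev.principal, set())
        key = (ev.principal, ev.country, ev.source_ip)
        if ev.country not in allowed and key not in seen:
            seen.add(key)
            findings.append(key)
    return findings


def flag_bursts(events, window=timedelta(minutes=5), min_actions=3):
    """Flag (principal, source_ip) pairs issuing >= min_actions distinct API actions within one window.

    Rapid enumeration (list buckets, read secrets) right after a login is the
    'unusual activity' pattern the article describes.
    """
    by_origin = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.timestamp):
        by_origin[(ev.principal, ev.source_ip)].append(ev)

    findings = []
    for origin, evs in by_origin.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits within `window`.
            while evs[end].timestamp - evs[start].timestamp > window:
                start += 1
            if len({e.action for e in evs[start:end + 1]}) >= min_actions:
                findings.append(origin)
                break
    return findings


def flag_stale_keys(keys, now, max_age_days=90):
    """Return access-key ids created more than max_age_days ago (rotation overdue)."""
    cutoff = now - timedelta(days=max_age_days)
    return sorted(key_id for key_id, created in keys.items() if created < cutoff)


if __name__ == "__main__":
    print("unknown locations:", flag_unknown_locations(SAMPLE_EVENTS, BASELINE_COUNTRIES))
    print("enumeration bursts:", flag_bursts(SAMPLE_EVENTS))
    print("keys overdue for rotation:", flag_stale_keys(SAMPLE_KEYS, T0))
```

The location check needs a per-principal baseline built from a quiet period before it is useful; the burst check is deliberately coarse and is best treated as a correlation signal alongside the location finding rather than an alert on its own. The rotation check only reports age, so the rotation itself, and the search for where a stale key is still embedded, remains an operational task.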
The rise of infostealers like CloudZ and Pheno confirms a clear trend: attackers are prioritizing access to digital identities and cloud services over destructive attacks.
In a world where credentials are the new currency, protecting them has become an absolute priority.