Cisco Talos researchers uncovered an active intrusion campaign, running since at least January 2026, in which an unidentified attacker deployed the CloudZ remote access trojan alongside 'Pheno', a newly discovered plugin not previously documented by the security community.