VYPR Research
Published May 5, 2026 · Updated May 17, 2026 · 2 sources

CloudZ Malware Abuses Microsoft Phone Link to Steal SMS and OTPs

A sophisticated new malware campaign is abusing the Microsoft Phone Link application to intercept SMS-based authentication codes and credentials from Windows PCs.

A newly identified campaign is leveraging a malicious plugin called "Pheno" to hijack the Microsoft Phone Link application on Windows 10 and 11, allowing attackers to steal SMS messages and one-time passwords (OTPs) directly from a victim's computer. Researchers at Cisco Talos discovered the activity, which has been ongoing since at least January 2026 and involves the deployment of the CloudZ remote access tool (RAT) (Cisco Talos).

The attack chain begins with the execution of a fake ScreenConnect update, which drops a Rust-based loader onto the target system. This loader subsequently deploys a .NET-based component that installs the CloudZ RAT and establishes persistence via a scheduled task (BleepingComputer). To evade detection, the malware performs environment checks to identify and avoid debuggers, sandboxes, and analysis tools such as Wireshark, Fiddler, and Sysmon (Cisco Talos).

Once active, the CloudZ RAT uses the Pheno plugin to monitor for active sessions of Microsoft Phone Link, a legitimate utility that mirrors mobile notifications and SMS messages to a Windows PC. Because Phone Link stores synchronized data, including SMS logs and notification history, in a local SQLite database, the Pheno plugin can read this file and exfiltrate sensitive information without ever needing to compromise the mobile device itself (Cisco Talos).
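From the defender's side, the behaviour described above (a process other than Phone Link reading the synced message database, then writing the take to a staging folder) is detectable from file-access telemetry. The following is an added example, not code from the Cisco Talos or BleepingComputer write-ups: it runs over constructed EDR-style file-access events and raises an alert for both steps. The package directory `Microsoft.YourPhone_8wekyb3d8bbwe` and the host process name `PhoneExperienceHost.exe` are assumptions, not values taken from the reports.

```python
import json
import ntpath  # handles Windows-style paths regardless of the host OS

# ASSUMPTIONS (not from the page): where Phone Link keeps its local store and
# which process is expected to read it. Tune both to the real deployment.
PHONELINK_DIR = r"\Packages\Microsoft.YourPhone_8wekyb3d8bbwe"  # assumed package dir
EXPECTED_READERS = {"phoneexperiencehost.exe"}                  # assumed legit reader

# Constructed sample telemetry, one JSON event per line. A raw string keeps the
# JSON backslash escapes intact so json.loads() sees well-formed paths.
SAMPLE_EVENTS = r"""
{"ts": 100, "pid": 410, "process": "C:\\Program Files\\WindowsApps\\PhoneLink\\PhoneExperienceHost.exe", "op": "read", "path": "C:\\Users\\u\\AppData\\Local\\Packages\\Microsoft.YourPhone_8wekyb3d8bbwe\\LocalCache\\messages.db"}
{"ts": 200, "pid": 733, "process": "C:\\Users\\u\\AppData\\Roaming\\updater.exe", "op": "read", "path": "C:\\Users\\u\\AppData\\Local\\Packages\\Microsoft.YourPhone_8wekyb3d8bbwe\\LocalCache\\messages.db"}
{"ts": 201, "pid": 733, "process": "C:\\Users\\u\\AppData\\Roaming\\updater.exe", "op": "write", "path": "C:\\Users\\u\\AppData\\Local\\Temp\\stage\\sms.json"}
{"ts": 300, "pid": 900, "process": "C:\\Windows\\explorer.exe", "op": "read", "path": "C:\\Users\\u\\Documents\\notes.txt"}
"""


def parse_events(text):
    """Parse newline-delimited JSON events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def touches_phonelink_db(event):
    """True if the event targets a SQLite file inside the Phone Link package dir."""
    path = event["path"].lower()
    return PHONELINK_DIR.lower() in path and path.endswith((".db", ".sqlite"))


def find_suspicious_access(events):
    """Return alerts as (rule, pid, process_name, path) tuples.

    Rule 1: a process outside EXPECTED_READERS reads the synced message database.
    Rule 2: that same pid later writes a file outside the package directory,
            which matches the staging-folder step of the campaign.
    """
    alerts, flagged_pids = [], set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        proc = ntpath.basename(ev["process"]).lower()
        if ev["op"] == "read" and touches_phonelink_db(ev) and proc not in EXPECTED_READERS:
            flagged_pids.add(ev["pid"])
            alerts.append(("phonelink_db_read", ev["pid"], proc, ev["path"]))
        elif (ev["op"] == "write" and ev["pid"] in flagged_pids
              and PHONELINK_DIR.lower() not in ev["path"].lower()):
            alerts.append(("possible_staging_write", ev["pid"], proc, ev["path"]))
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_access(parse_events(SAMPLE_EVENTS)):
        print(*alert)
```

Phone Link's own reads are ignored, so on the constructed input only the two events from pid 733 produce alerts.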

The stolen data is written to a staging folder on the victim's machine before being exfiltrated to the attacker's command-and-control (C2) server. In addition to the Pheno plugin, CloudZ provides the threat actor with broad control over the infected system, including the ability to perform file management, execute shell commands, record the screen, and exfiltrate browser-stored credentials (BleepingComputer).

To maintain stealth, CloudZ employs anti-caching headers in its HTTP traffic and rotates between three hardcoded user-agent strings to mimic legitimate browser requests (BleepingComputer). Cisco Talos has released a comprehensive set of indicators of compromise (IOCs), including malicious hashes, domains, and IP addresses, to assist defenders in identifying and blocking this activity (Cisco Talos).

Security experts recommend that users move away from SMS-based OTPs, which are vulnerable to interception, in favor of authenticator applications that do not rely on push notifications or, ideally, phishing-resistant hardware security keys (BleepingComputer).

This campaign highlights a growing trend of attackers targeting the synchronization bridges between mobile devices and desktop environments. By exploiting the convenience of tools like Phone Link, adversaries can bypass traditional mobile security controls by focusing their efforts on the less-protected desktop environment where the data is mirrored (Cisco Talos, BleepingComputer).

Synthesized by Vypr AI