VYPR research · Published May 6, 2026 · Updated May 18, 2026 · 1 source

CloudZ RAT Hijacks Microsoft Phone Link to Steal SMS OTPs from Windows Endpoints

Cisco Talos has uncovered a Windows malware toolkit, CloudZ RAT and its Pheno plugin, that steals SMS one-time passwords by reading synced data from Microsoft Phone Link's local database, bypassing the need to compromise the victim's phone.

A Windows malware toolkit has been observed stealing SMS messages and one-time passwords (OTPs) from victim machines by hijacking Microsoft's Phone Link application, sidestepping the need to directly compromise a target's mobile device. The activity has been ongoing since at least January 2026, according to new analysis from Cisco Talos researchers. At the heart of the operation are a remote access tool (RAT) called CloudZ and a previously undocumented plugin named Pheno. The tools work together to harvest credentials and intercept authentication codes synced from a paired smartphone.

Microsoft Phone Link, formerly known as Your Phone, is built into Windows 10 and 11 and mirrors smartphone notifications, SMS messages and call logs onto the desktop over Wi-Fi and Bluetooth. Synchronized data is written to local SQLite database files on the PC, including one named PhoneExperiences-*.db. Cisco Talos said this design allowed attackers to capture mobile content from the endpoint without ever touching the phone.

The Pheno plugin continuously scans running processes for keywords associated with Phone Link, such as YourPhone, PhoneExperienceHost and Link to Windows. When a match is found, it logs the process details to staging folders and then checks the output for the string "proxy", which indicates the local relay used by an active Phone Link session. If a live session is confirmed, Pheno tags the system as "Maybe connected", flagging it for follow-on data collection by the operator.

The observed infection chain began with the execution of a fake ScreenConnect update, the initial access vector for which remains unknown at the time of writing. A Rust-compiled loader, using filenames such as systemupdates.exe, dropped a .NET loader disguised as a text file, which then deployed CloudZ via the legitimate regasm.exe binary. The latter was scheduled to run at system startup under the SYSTEM account.

CloudZ itself is a .NET executable obfuscated with ConfuserEx and compiled in mid-January 2026. Talos observed multiple anti-analysis layers, including timing-based sleep checks, enumeration of security tools such as Wireshark, Procmon and Sysmon, and searches for virtual machine indicators in the system path and hostname. The RAT pulls secondary configuration from attacker-controlled staging servers and Pastebin pages, rotates through three hardcoded user-agent strings to blend its HTTP traffic with legitimate browser activity, and supports commands ranging from credential exfiltration to plugin loading and screen recording.

The technique shifts the risk surface for SMS-based multi-factor authentication (MFA) from the phone to the enterprise-managed Windows endpoint, undermining controls focused solely on mobile device security. Organizations that rely on SMS OTPs as a second factor may find that endpoint hardening and monitoring for Phone Link database access become critical defensive measures. Cisco Talos has published indicators of compromise for the threat, along with ClamAV signatures, to help defenders detect and block the activity.

Cisco Talos researchers confirmed that the campaign, active since January 2026, begins with a fake ScreenConnect update that deploys the CloudZ RAT, which then downloads the Pheno plugin to scan for active Phone Link processes and exfiltrate the app's SQLite database containing SMS and OTP data. While no successful data exfiltration has been confirmed, the Pastebin staging URLs remain active, indicating ongoing attacks. The researchers recommend disabling Phone Link if not needed and monitoring for regasm.exe execution with unusual arguments as indicators of compromise.
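As an added defender-side example (not code from Talos or this article), the two detections recommended above run over constructed Sysmon-style events: regasm.exe launched with something other than a DLL from a system path, and a read of PhoneExperiences-*.db by a process other than Phone Link's own. The definition of "unusual" regasm.exe arguments, the user-writable path roots and the placeholder package paths are assumptions.

```python
import re
from pathlib import PureWindowsPath

# Constructed Sysmon-style events (not real telemetry). Package paths are placeholders;
# the page does not give the on-disk location of PhoneExperiences-*.db.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe",
     "cmdline": r"RegAsm.exe /codebase C:\ProgramData\updates\readme.txt"},
    {"type": "process", "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe",
     "cmdline": r'RegAsm.exe "C:\Program Files\Vendor\Vendor.Interop.dll" /tlb'},
    {"type": "process", "image": r"C:\Windows\System32\svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
    {"type": "file", "image": r"C:\Users\alice\AppData\Local\Temp\systemupdates.exe",
     "path": r"C:\Users\alice\AppData\Local\Packages\PLACEHOLDER\PhoneExperiences-1234.db"},
    {"type": "file", "image": r"C:\Program Files\WindowsApps\PLACEHOLDER\PhoneExperienceHost.exe",
     "path": r"C:\Users\alice\AppData\Local\Packages\PLACEHOLDER\PhoneExperiences-1234.db"},
]

PHONE_LINK_PROCESSES = {"phoneexperiencehost.exe", "yourphone.exe"}  # expected readers of the DB
PHONE_LINK_DB = re.compile(r"PhoneExperiences-[^\\]*\.db$", re.IGNORECASE)
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\", "\\appdata\\")  # assumed "unusual" roots

def regasm_target(cmdline):
    """Return the first non-switch argument to regasm.exe (the assembly path), or None."""
    tokens = [q or t for q, t in re.findall(r'"([^"]*)"|(\S+)', cmdline)]
    return next((tok for tok in tokens[1:] if not tok.startswith("/")), None)

def check_regasm(event):
    """Flag regasm.exe launched with no assembly, a non-DLL target, or a user-writable path."""
    if PureWindowsPath(event["image"]).name.lower() != "regasm.exe":
        return None
    target = regasm_target(event["cmdline"])
    if target is None or not target.lower().endswith(".dll"):
        return f"regasm.exe launched with a non-DLL target: {target}"
    if any(seg in target.lower() for seg in USER_WRITABLE):
        return f"regasm.exe loading assembly from user-writable path: {target}"
    return None

def check_db_access(event):
    """Flag reads of PhoneExperiences-*.db by anything other than the Phone Link processes."""
    proc = PureWindowsPath(event["image"]).name.lower()
    if not PHONE_LINK_DB.search(event["path"]) or proc in PHONE_LINK_PROCESSES:
        return None
    return f"Phone Link database read by unexpected process {proc}: {event['path']}"

def analyze(events):
    """Run the matching check over each event and return the list of finding strings."""
    checks = {"process": check_regasm, "file": check_db_access}
    return [hit for ev in events if (hit := checks[ev["type"]](ev))]
```

Against the sample events this reports the regasm.exe launch pointed at a .txt file and the database read by systemupdates.exe, while the legitimate DLL registration and Phone Link's own access pass silently.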

Synthesized by Vypr AI