Vypr research · Published May 8, 2026 · Updated May 17, 2026 · 1 source

New 'CloudZ' Malware Campaign Targets Microsoft Phone Link to Intercept OTPs

Cisco Talos researchers have uncovered a new modular malware campaign that exploits the Microsoft Phone Link application to steal one-time passwords and SMS messages from compromised Windows PCs.

A new modular malware campaign has been identified by Cisco Talos that specifically targets the Microsoft Phone Link application to intercept sensitive communications. The campaign uses a remote access tool known as CloudZ, which includes a specialized plugin called Pheno designed to extract one-time passwords (OTPs) and SMS messages from the host machine (SecurityWeek).

The technical mechanism behind this threat is the abuse of synchronized data stored on the host PC. The Pheno plugin targets the SQLite databases that Microsoft Phone Link uses to synchronize data between a user's smartphone and their Windows computer. By reading these databases, the malware can harvest OTPs and SMS messages, which are often used for multi-factor authentication (SecurityWeek).

To evade detection, the infection chain employs sophisticated techniques. A Rust-compiled loader initiates the attack, followed by reflective .NET execution. This approach allows the malicious code to run in memory, bypassing traditional file-based security mechanisms that might otherwise flag the activity (SecurityWeek).

The emergence of this campaign highlights a growing trend of attackers focusing on the synchronization points between mobile and desktop environments. By compromising the Phone Link application, threat actors can gain access to critical authentication codes that would otherwise be protected by the user's mobile device security. This allows attackers to bypass secondary authentication layers, potentially leading to unauthorized account access and data theft (SecurityWeek).

As of the current reporting, there are no specific details regarding widespread public impact or threat actor attribution. However, the use of modular malware like CloudZ and the development of targeted plugins like Pheno suggest a well-resourced operation focused on credential harvesting. Users are encouraged to monitor their systems for unauthorized remote access tools and to remain vigilant against suspicious activity involving their synchronized mobile data (SecurityWeek).

This campaign fits into a broader pattern of increasingly sophisticated malware designed to exploit legitimate software features for malicious purposes. As attackers continue to refine their methods for bypassing security controls, the focus on inter-device communication channels, such as those used by phone-to-PC synchronization tools, represents a significant and evolving threat vector that requires ongoing attention from security researchers and end-users alike (SecurityWeek).
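The two preceding paragraphs describe the observable that defenders can actually key on: a process that is not Phone Link itself opening Phone Link's synchronized SQLite database, regardless of how the reading code was loaded. The following detection sketch is an added example, not code from Cisco Talos or SecurityWeek. It assumes file-open telemetry in a simple key=value format (constructed here), that Phone Link's data lives under a package folder named `Microsoft.YourPhone_8wekyb3d8bbwe`, that its database file is `phone.db`, and that the legitimate reader process is `PhoneExperienceHost.exe`; all three names should be verified on your own builds before deploying the rule.

```python
"""Flag non-Phone-Link processes that open Phone Link's SQLite database files.

Added example (not from the original report). Log format, package folder name,
database filename and the allowlisted process name are assumptions.
"""
import re
from dataclasses import dataclass

# Assumed package folder name of the Phone Link app under %LOCALAPPDATA%\Packages.
PHONE_LINK_PACKAGE = "microsoft.yourphone_8wekyb3d8bbwe"
# Assumed legitimate reader of the database; verify on your endpoints.
ALLOWED_PROCESSES = {"phoneexperiencehost.exe"}
# SQLite main file plus its write-ahead log and shared-memory sidecars:
# reading the -wal file alone can already expose recent messages.
SQLITE_SUFFIXES = (".db", ".db-wal", ".db-shm", ".sqlite")
FILE_READ_OPS = {"fileopen", "fileread"}

# key=value or key="quoted value" tokens
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


@dataclass
class Alert:
    process: str
    path: str
    reason: str


def parse_line(line: str) -> dict:
    """Parse one constructed telemetry line into a dict of its key=value fields."""
    return {key: (quoted or bare) for key, quoted, bare in KV_RE.findall(line)}


def parse_log(text: str) -> list:
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_phone_link_db(path: str) -> bool:
    """True if the path is a SQLite file inside the assumed Phone Link package folder."""
    p = path.lower().replace("/", "\\")
    return PHONE_LINK_PACKAGE in p and p.endswith(SQLITE_SUFFIXES)


def evaluate(events: list) -> list:
    """Return one Alert per file-open of a Phone Link DB by a non-allowlisted process."""
    alerts = []
    for ev in events:
        op = ev.get("op", "").lower()
        path = ev.get("path", "")
        proc = basename(ev.get("process", ""))
        if op not in FILE_READ_OPS or not is_phone_link_db(path):
            continue
        if proc in ALLOWED_PROCESSES:
            continue
        alerts.append(Alert(proc, path,
                            "non-Phone-Link process opened Phone Link SQLite database"))
    return alerts


# Constructed sample telemetry: one benign Phone Link read, one unrelated
# notepad read, and two reads of the database (main file, then WAL) by an
# executable running out of the user's Temp directory.
SAMPLE_LOG = r"""
2026-05-08T10:01:52Z process="C:\Program Files\WindowsApps\Microsoft.YourPhone_8wekyb3d8bbwe\PhoneExperienceHost.exe" op=FileOpen path="C:\Users\alice\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\LocalCache\Indexed\example\System\Database\phone.db"
2026-05-08T10:02:11Z process="C:\Users\alice\AppData\Local\Temp\svc_update.exe" op=FileOpen path="C:\Users\alice\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\LocalCache\Indexed\example\System\Database\phone.db"
2026-05-08T10:02:30Z process="C:\Windows\System32\notepad.exe" op=FileOpen path="C:\Users\alice\Documents\notes.txt"
2026-05-08T10:02:31Z process="C:\Users\alice\AppData\Local\Temp\svc_update.exe" op=FileOpen path="C:\Users\alice\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\LocalCache\Indexed\example\System\Database\phone.db-wal"
"""


if __name__ == "__main__":
    for alert in evaluate(parse_log(SAMPLE_LOG)):
        print(f"ALERT {alert.process}: {alert.reason} ({alert.path})")
```

Run against the constructed sample, the rule fires twice, both on `svc_update.exe`, and stays silent for Phone Link's own reads. Because the campaign's payload runs in memory via reflective .NET loading, file-scanning alone will not see the reader; the file-open telemetry this rule needs has to come from an EDR sensor or from an object-access audit SACL placed on the Phone Link package folder. Adding a second condition, such as the reading process having loaded the .NET runtime without being a signed managed application, would tighten the rule further, but that attribute is not available in this simple log format and is left as an extension.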

Synthesized by Vypr AI