CloudZ RAT Exploits Windows Phone Link to Intercept OTPs and Credentials
Threat actors are leveraging a custom plugin called Pheno to hijack the Microsoft Phone Link application, allowing them to steal SMS messages and OTPs directly from Windows PCs without compromising the user's mobile device.

Cybersecurity researchers have uncovered a sophisticated campaign that uses the CloudZ remote access trojan (RAT) to hijack the Microsoft Phone Link application on Windows 10 and 11 systems. By deploying a custom-built plugin named "Pheno," the attackers monitor active Phone Link processes and exfiltrate sensitive mobile data, including SMS messages and one-time passwords (OTPs), directly from the host computer (The Hacker News).
The attack chain begins with an unidentified initial access vector, which the threat actors use to drop a malicious executable disguised as ConnectWise ScreenConnect. This dropper runs a .NET loader, which uses a PowerShell script to establish persistence via a scheduled task. Once active, the loader performs environment checks to evade detection before deploying the modular CloudZ trojan. The trojan then establishes an encrypted connection to a command-and-control (C2) server, from which it receives Base64-encoded instructions (The Hacker News).
The core of the intrusion is the Pheno plugin, which is built specifically to interact with the Phone Link application. Phone Link, a legitimate feature that syncs Android or iOS devices with Windows PCs, stores synchronized data such as messages and notifications in a local SQLite database. Pheno performs reconnaissance on this application and writes the gathered data to a staging folder at C:\ProgramData\Microsoft\whealth\, from which the CloudZ RAT exfiltrates it to the C2 server (The Hacker News).
This method is particularly dangerous because it lets attackers bypass two-factor authentication by intercepting OTPs without ever compromising the mobile device itself. By targeting the PC-to-phone bridge, the attackers reach mobile data through the already-authenticated connection between the phone and the computer (The Hacker News).
The campaign has been active since at least January 2026, according to analysis by Cisco Talos researchers Alex Karkins and Chetan Raghuprasad. While the researchers have documented the extensive capabilities of the CloudZ RAT, which include screen recording, browser data exfiltration, and file management, the threat actors behind this activity remain unidentified (The Hacker News).
This incident highlights a growing trend in which attackers exploit legitimate cross-device synchronization features to gain unauthorized access to sensitive information. As users increasingly rely on features that bridge mobile and desktop environments, these integrations create new, unintended attack surfaces. Organizations and users should remain vigilant for unauthorized scheduled tasks and suspicious processes, particularly those masquerading as legitimate remote management software such as ScreenConnect (The Hacker News).
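The three observables the article gives a defender (the Pheno staging folder, a PowerShell-driven scheduled task, and a process posing as ScreenConnect) can be turned into a quick host triage script. The following is an added example written for this page, not code from The Hacker News or Cisco Talos; the staging path is from the article, while the process-name pattern and the signature heuristic are assumptions noted in the comments.

```powershell
# Added triage script (not from the article or Cisco Talos). Run in an
# elevated PowerShell on a Windows 10/11 host; it only reads, never deletes.
$findings = @()

# 1. Staging folder named in the report. The article describes it as Pheno's
#    own drop location, so any content here deserves a look.
$staging = 'C:\ProgramData\Microsoft\whealth'
if (Test-Path $staging) {
    Get-ChildItem -Path $staging -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $findings += [pscustomobject]@{
                Check  = 'StagingFile'
                Detail = "$($_.FullName) ($($_.Length) bytes, modified $($_.LastWriteTime))"
            }
        }
}

# 2. Scheduled tasks whose action launches PowerShell. The loader persists this
#    way; legitimate software does too, so review each hit rather than delete.
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        if ($action.Execute -match 'powershell|pwsh') {
            $findings += [pscustomobject]@{
                Check  = 'PowerShellTask'
                Detail = "$($task.TaskPath)$($task.TaskName): $($action.Execute) $($action.Arguments)"
            }
        }
    }
}

# 3. Running processes that present themselves as ScreenConnect. The name
#    pattern is an assumption about how the masquerade looks; genuine
#    ConnectWise binaries carry a valid Authenticode signature, so a missing or
#    invalid one is the signal worth escalating.
Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $_.ProcessName -like '*ScreenConnect*' -and $_.Path } |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.Path
        if ($sig.Status -ne 'Valid') {
            $findings += [pscustomobject]@{
                Check  = 'UnsignedScreenConnect'
                Detail = "$($_.Path) (PID $($_.Id), signature $($sig.Status))"
            }
        }
    }

$findings | Format-Table -AutoSize -Wrap
```

An empty table is not a clean bill of health: the dropper may have been renamed, and the staging folder may already have been emptied after exfiltration, so pair this with a review of outbound connections from the host.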