CloudZ RAT abuses Microsoft Phone Link via Pheno plugin for credential and OTP theft
Summary
Since at least January 2026, threat actors have abused the CloudZ RAT and its custom Pheno plugin to hijack Microsoft Phone Link on Windows hosts, stealing credentials and OTPs by intercepting synchronized mobile data without compromising the mobile device itself. The attack chain begins with a fake ScreenConnect executable that delivers a Rust-compiled loader; the loader deploys CloudZ via regasm.exe and establishes persistence through a scheduled task running under the SYSTEM account. CloudZ includes 20+ commands for data theft and system control, while the Pheno plugin scans for active Phone Link sessions and harvests synchronized content from SQLite databases such as PhoneExperiences-*.db. Cisco Talos has published IOCs and ClamAV signatures to aid detection. The intrusion leverages Phone Link’s desktop synchronization of SMS, call logs, and notifications over Wi-Fi/Bluetooth, exposing a critical gap in MFA defenses that focus solely on mobile endpoints. The malware employs anti-analysis techniques, retrieves secondary configuration from staging servers and Pastebin, and rotates user-agent strings to blend with legitimate traffic. No attribution to a known threat actor has been made.
Timeline
- 06.05.2026 11:34 · 2 articles
CloudZ RAT with Pheno plugin abuses Microsoft Phone Link for credential and OTP theft since January 2026
Additional technical details emerge about CloudZ’s operational mechanics and Pheno’s behavior. Pheno scans Windows processes for Phone Link-related keywords (e.g., YourPhone, PhoneExperienceHost, Link to Windows) and confirms live Phone Link sessions by detecting the local proxy relay, tagging systems for follow-on data collection. CloudZ, compiled in mid-January 2026 and obfuscated with ConfuserEx, employs anti-analysis layers including timing-based sleep checks, enumeration of security tools (Wireshark, Procmon, Sysmon), and VM indicators in system path/hostname. The RAT retrieves secondary configuration from attacker-controlled staging servers and Pastebin, rotates through three hardcoded user-agent strings to blend HTTP traffic, and supports commands for credential exfiltration, plugin management, and screen recording. Cisco Talos has published IOCs and ClamAV signatures to assist defenders in detecting and blocking the activity.
Sources:
- Windows Phone Link Exploited by CloudZ RAT to Steal Credentials and OTPs — thehackernews.com — 06.05.2026 11:34
- CloudZ Malware Abuses Phone Link to Steal SMS OTPs — www.infosecurity-magazine.com — 06.05.2026 18:00
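The summary and the timeline entry above describe three host-observable steps a defender can turn into detection logic: regasm.exe being used to load an assembly from a user-writable directory, a scheduled task created to run as SYSTEM whose action lives in a user-writable directory, and a process other than Phone Link's own host touching a PhoneExperiences-*.db store. The rules below are an added example written for this page; they are not code from the source articles and not Cisco Talos's published signatures. The event shape and field names (modelled loosely on Sysmon/EDR process-create and file-access telemetry), the list of legitimate Phone Link processes, the directory patterns, the sample command lines and the database path placeholder are all constructed assumptions, since the articles give none of those specifics.

```python
"""Host detection rules for the CloudZ / Pheno chain (added example, not from
the source articles or Talos signatures). Telemetry fields are modelled on
Sysmon/EDR process-create and file-access events; all samples are constructed."""
import fnmatch
import re
from dataclasses import dataclass

# Directories a legitimately installed component should not be loading or
# executing code from (assumption: tune to the environment's conventions).
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Users\\Public|ProgramData)\\", re.IGNORECASE)

# Processes expected to touch the Phone Link SQLite stores (assumption based on
# the process names the articles say Pheno looks for; extend as needed).
PHONE_LINK_READERS = {"phoneexperiencehost.exe", "yourphone.exe"}


@dataclass
class Alert:
    rule: str
    pid: int
    detail: str


def _basename(path: str) -> str:
    """Lower-cased final path component, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rule_regasm_user_writable(ev):
    """regasm.exe asked to load an assembly that lives in a user-writable path."""
    if ev.get("Type") != "process" or _basename(ev.get("Image", "")) != "regasm.exe":
        return None
    cmd = ev.get("CommandLine", "")
    if USER_WRITABLE.search(cmd):
        return Alert("regasm_user_writable_assembly", ev["ProcessId"], cmd)
    return None


def rule_system_task_user_writable(ev):
    """schtasks creating a task that runs as SYSTEM with its action in a user-writable path."""
    if ev.get("Type") != "process" or _basename(ev.get("Image", "")) != "schtasks.exe":
        return None
    cmd = ev.get("CommandLine", "")
    as_system = re.search(r'/ru\s+("?)(NT AUTHORITY\\)?SYSTEM\1', cmd, re.IGNORECASE)
    action = re.search(r'/tr\s+("[^"]+"|\S+)', cmd, re.IGNORECASE)
    if as_system and action and USER_WRITABLE.search(action.group(1)):
        return Alert("scheduled_task_system_user_writable", ev["ProcessId"], cmd)
    return None


def rule_phone_link_db_foreign_reader(ev):
    """Any process other than Phone Link itself touching a PhoneExperiences-*.db file."""
    if ev.get("Type") != "file":
        return None
    target = ev.get("TargetFilename", "")
    if not fnmatch.fnmatchcase(_basename(target), "phoneexperiences-*.db"):
        return None
    image = ev.get("Image", "")
    if _basename(image) in PHONE_LINK_READERS:
        return None
    return Alert("phone_link_db_foreign_access", ev["ProcessId"], f"{image} -> {target}")


RULES = (rule_regasm_user_writable, rule_system_task_user_writable,
         rule_phone_link_db_foreign_reader)


def detect(events):
    """Run every rule over every event; return alerts in event order."""
    alerts = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit is not None:
                alerts.append(hit)
    return alerts


# Constructed telemetry for a self-test; paths and package names are placeholders.
SAMPLE_EVENTS = [
    {"Type": "process", "ProcessId": 4120,
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe",
     "CommandLine": r'regasm.exe "C:\Users\alice\AppData\Roaming\upd\svc.dll"'},
    {"Type": "process", "ProcessId": 4188,
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /tn Updater /ru SYSTEM /sc onlogon /tr "C:\ProgramData\upd\svc.exe"'},
    {"Type": "file", "ProcessId": 5310,
     "Image": r"C:\Users\alice\AppData\Roaming\upd\svc.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Packages\PHONE_LINK_PACKAGE_PLACEHOLDER\PhoneExperiences-01.db"},
    # Benign controls: Phone Link reading its own store, and a vendor tool
    # registering an assembly installed under Program Files.
    {"Type": "file", "ProcessId": 2204,
     "Image": r"C:\Program Files\WindowsApps\PHONE_LINK_PACKAGE_PLACEHOLDER\PhoneExperienceHost.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Packages\PHONE_LINK_PACKAGE_PLACEHOLDER\PhoneExperiences-01.db"},
    {"Type": "process", "ProcessId": 6001,
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe",
     "CommandLine": r'regasm.exe "C:\Program Files\Vendor\Interop.dll" /codebase'},
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a.rule}] pid={a.pid} {a.detail}")
```

Each rule is deliberately narrow so the two benign control events (Phone Link reading its own database, a vendor installer registering an assembly under Program Files) produce nothing; in a real deployment the file-access rule is the one worth tuning first, because it is independent of how the loader arrived and fires on the Pheno collection step itself.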
Information Snippets
- CloudZ RAT uses a custom Pheno plugin to hijack the Microsoft Phone Link application, enabling monitoring of synchronized mobile data including SMS and OTPs directly from the Windows host.
First reported: 06.05.2026 11:34 (2 sources, 2 articles). Sources:
- Windows Phone Link Exploited by CloudZ RAT to Steal Credentials and OTPs — thehackernews.com — 06.05.2026 11:34
- CloudZ Malware Abuses Phone Link to Steal SMS OTPs — www.infosecurity-magazine.com — 06.05.2026 18:00
- Phone Link is a built-in Windows feature (Windows 10/11) that synchronizes data between a PC and mobile device via Wi-Fi/Bluetooth to enable calls, messages, and notifications management.
First reported: 06.05.2026 11:34 (2 sources, 2 articles). Sources:
- Windows Phone Link Exploited by CloudZ RAT to Steal Credentials and OTPs — thehackernews.com — 06.05.2026 11:34
- CloudZ Malware Abuses Phone Link to Steal SMS OTPs — www.infosecurity-magazine.com — 06.05.2026 18:00
- Initial access was achieved via an undocumented method delivering a fake ConnectWise ScreenConnect executable, which acts as a downloader for a .NET-based loader.
First reported: 06.05.2026 11:34 (1 source, 1 article). Sources:
- Windows Phone Link Exploited by CloudZ RAT to Steal Credentials and OTPs — thehackernews.com — 06.05.2026 11:34
- The loader establishes persistence via a scheduled task and performs hardware/environment checks before deploying the modular CloudZ trojan.
First reported: 06.05.2026 11:34 (1 source, 1 article). Sources:
- Windows Phone Link Exploited by CloudZ RAT to Steal Credentials and OTPs — thehackernews.com — 06.05.2026 11:34
- The CloudZ trojan supports 20+ commands including credential exfiltration, browser data collection, Phone Link recon, plugin management, file operations, screen recording, and C2 communication.
First reported: 06.05.2026 11:34 (2 sources, 2 articles). Sources:
- Windows Phone Link Exploited by CloudZ RAT to Steal Credentials and OTPs — thehackernews.com — 06.05.2026 11:34
- CloudZ Malware Abuses Phone Link to Steal SMS OTPs — www.infosecurity-magazine.com — 06.05.2026 18:00
- The Pheno plugin performs reconnaissance on the Phone Link application and writes data to a staging folder; CloudZ then exfiltrates this data to its C2 server for further exploitation.
First reported: 06.05.2026 11:34 (2 sources, 2 articles). Sources:
- Windows Phone Link Exploited by CloudZ RAT to Steal Credentials and OTPs — thehackernews.com — 06.05.2026 11:34
- CloudZ Malware Abuses Phone Link to Steal SMS OTPs — www.infosecurity-magazine.com — 06.05.2026 18:00
- Intrusion activity has been observed since at least January 2026, with no public attribution to a known threat actor or group.
First reported: 06.05.2026 11:34 (2 sources, 2 articles). Sources:
- Windows Phone Link Exploited by CloudZ RAT to Steal Credentials and OTPs — thehackernews.com — 06.05.2026 11:34
- CloudZ Malware Abuses Phone Link to Steal SMS OTPs — www.infosecurity-magazine.com — 06.05.2026 18:00
- CloudZ RAT’s Pheno plugin scans running processes for Phone Link-related keywords (e.g., YourPhone, PhoneExperienceHost, Link to Windows) and confirms active Phone Link sessions by checking for a local proxy relay.
First reported: 06.05.2026 18:00 (1 source, 1 article). Sources:
- CloudZ Malware Abuses Phone Link to Steal SMS OTPs — www.infosecurity-magazine.com — 06.05.2026 18:00
- CloudZ is a .NET executable obfuscated with ConfuserEx and compiled in mid-January 2026, with multiple anti-analysis layers including timing checks, security tool enumeration, and VM indicators in system path/hostname.
First reported: 06.05.2026 18:00 (1 source, 1 article). Sources:
- CloudZ Malware Abuses Phone Link to Steal SMS OTPs — www.infosecurity-magazine.com — 06.05.2026 18:00
- CloudZ pulls secondary configuration from attacker-controlled staging servers and Pastebin pages, rotates through three hardcoded user-agent strings, and supports commands for credential exfiltration, plugin management, and screen recording.
First reported: 06.05.2026 18:00 (1 source, 1 article). Sources:
- CloudZ Malware Abuses Phone Link to Steal SMS OTPs — www.infosecurity-magazine.com — 06.05.2026 18:00
- Cisco Talos has published IOCs and ClamAV signatures for the threat, providing defenders with detection resources.
First reported: 06.05.2026 18:00 (1 source, 1 article). Sources:
- CloudZ Malware Abuses Phone Link to Steal SMS OTPs — www.infosecurity-magazine.com — 06.05.2026 18:00
Similar Happenings
CloudZ RAT leverages Microsoft Phone Link to intercept SMS and OTPs via Pheno plugin
A newly identified CloudZ remote access trojan (RAT) variant deploys a malicious plugin named Pheno that exploits Microsoft Phone Link on Windows 10/11 systems to intercept SMS messages and one-time passwords (OTPs) from paired Android or iOS devices without requiring direct compromise of the mobile endpoint. The intrusion has been active since at least January 2026 and is designed to harvest credentials and temporary authentication codes delivered via SMS or authenticator app notifications. The attack abuses Microsoft Phone Link’s local SQLite database and session monitoring to exfiltrate sensitive data via the compromised Windows host.