CloudZ RAT abuses Microsoft Phone Link to steal SMS OTPs from Windows PCs
A CloudZ remote access trojan campaign is abusing Microsoft Phone Link to potentially steal SMS messages, one-time passwords, and mobile notifications from Windows computers. Cisco Talos says the attack uses a previously undocumented plugin called Pheno to watch for active Phone Link sessions.
The attack does not need malware on the victim’s phone. Instead, it targets the Windows PC that already syncs with the phone through Phone Link, which can display texts, calls, notifications, and other mobile activity on the desktop.
Cisco Talos said the intrusion has been active since at least January 2026. The goal appears to be credential theft and possible OTP interception, which can weaken accounts that still rely on SMS-based two-factor authentication.
Why this CloudZ campaign matters
Phone Link is a legitimate Microsoft feature for connecting a Windows PC with an Android phone or iPhone. Microsoft says the app can let users read and reply to texts, manage notifications, view recent photos, and make or receive calls from the PC.
That convenience creates a sensitive bridge between the phone and the computer. If attackers already control the Windows PC, they may be able to inspect synced phone data without directly compromising the mobile device.
This makes CloudZ dangerous in environments where users receive login codes, banking alerts, account reset messages, or authenticator app notifications through a phone connected to Windows.
At a glance
| Detail | What researchers found |
|---|---|
| Malware | CloudZ RAT |
| Plugin | Pheno |
| Targeted feature | Microsoft Phone Link on Windows |
| Observed activity | Active since at least January 2026 |
| Main risk | Credential theft and possible SMS OTP interception |
| Initial observed chain | Fake ScreenConnect update executable leading to a .NET loader and CloudZ RAT |
| Persistence | Scheduled task named SystemWindowsApis running under the Microsoft Windows task path |
How the attack chain starts
Talos said the original access vector was not fully determined. However, researchers observed the victim environment running a fake ScreenConnect application update executable.
That fake update dropped an intermediate .NET loader. The loader then performed environment checks, avoided common analysis tools, and deployed the modular CloudZ RAT on the infected machine.
Once active, CloudZ decrypted its configuration, connected to its command-and-control server, and waited for instructions. Its commands include system information collection, shell execution, browser data theft, plugin loading, and Phone Link data collection.
How Pheno monitors Phone Link
The Pheno plugin scans running processes for names linked to Phone Link, including YourPhone, PhoneExperienceHost, and Link to Windows. If it finds matching processes, it records their process IDs and file paths.
Pheno writes the results to files named with the victim computer name, such as phonelink-<COMPUTERNAME>.txt. Talos said those files can appear in staging folders under ProgramData or the user’s temporary directory.
The plugin then searches its own output for the string "proxy". Talos said Phone Link uses a local proxy connection to relay traffic between the PC and the paired phone, so a match helps the attacker confirm whether a phone bridge is likely active.
Why SMS-based OTPs are at risk
Phone Link stores synchronized phone data on the Windows PC in a local SQLite database file. Talos said examples include PhoneExperiences-*.db files that can contain SMS messages, call logs, and notification history.
If CloudZ can access that data after confirming Phone Link activity, attackers may view SMS-based one-time passwords or notification-based authentication messages. This can help them complete account takeover attempts from the compromised PC.
The attack shows why SMS codes and notification previews can become risky when they sync to another device. The phone may remain clean, but the computer can still expose the messages.
CloudZ also steals browser data
Phone Link monitoring is the most unusual part of the campaign, but CloudZ is not limited to OTP theft. Talos said the RAT can exfiltrate browser credentials from the infected Windows machine.
The malware also supports shell command execution and plugin deployment. This gives attackers a flexible toolkit after the first infection stage.
CloudZ uses several evasion techniques. It checks for security tools such as Wireshark, Fiddler, Procmon, and Sysmon, and it creates key malicious functions dynamically in memory to complicate analysis.
Known CloudZ techniques
- Fake ScreenConnect update lure observed in the attack chain
- Rust-compiled dropper using names such as systemupdates.exe or Windows-interactive-update.exe
- .NET loader disguised as update.txt or msupdate.txt
- Scheduled task persistence through SystemWindowsApis
- Execution through regasm.exe, a legitimate Windows .NET utility
- CloudZ RAT configuration decrypted in memory
- Secondary configuration hosted through Cloudflare Workers and Pastebin
- User-agent rotation to imitate common browser traffic
- Pheno plugin reconnaissance of Phone Link activity
What users should do
Users who do not need Phone Link should disable it or unlink devices from Windows. This reduces the amount of phone data available from the PC if the computer becomes infected.
Users should also avoid SMS-based OTPs where better options exist. Authenticator apps, passkeys, and hardware security keys reduce the risk of attackers stealing login codes through synced messages.
If a fake update or suspicious remote support installer was run, users should disconnect the PC from the network, scan the device, reset account passwords from a clean device, and revoke active sessions.
What security teams should monitor
- Unexpected Phone Link activity on endpoints that do not need phone syncing
- Creation of the scheduled task SystemWindowsApis
- regasm.exe running with unusual command-line arguments
- Files such as pheno.exe in C:\Windows\TEMP\
- Staging paths under C:\ProgramData\Microsoft\windosDoc\ and C:\ProgramData\Microsoft\whealth\
- Output folders such as C:\programdata\Microsoft\feedback\cm
- Network traffic to CloudZ command-and-control infrastructure
- Browser credential access followed by outbound connections
- Fake ScreenConnect update executables from untrusted sources
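The following read-only triage script is an added example, not code from Talos or from this article. It checks a single Windows host for the indicators listed above and in the Pheno section (the SystemWindowsApis task, the staging and output paths, phonelink-*.txt files, regasm.exe command lines, and whether Phone Link processes are running). It assumes an elevated Windows PowerShell 5.1 or newer session; the paths, task name and process names are taken from the article, and the hypothetical $findings list is the script's own reporting structure.

```powershell
# Added triage example (not the article's or Talos' code). Read-only: it only
# enumerates tasks, files and processes and reports what it finds.
$findings = @()

# 1. Persistence: a scheduled task named SystemWindowsApis (reported under the
#    Microsoft\Windows task path). Report its path and what it executes.
$task = Get-ScheduledTask -ErrorAction SilentlyContinue |
    Where-Object { $_.TaskName -eq 'SystemWindowsApis' }
if ($task) {
    $actions = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
    $findings += "Scheduled task present: $($task.TaskPath)$($task.TaskName) -> $actions"
}

# 2. Staging, plugin and output locations named in the report.
$paths = @(
    'C:\Windows\TEMP\pheno.exe',
    'C:\ProgramData\Microsoft\windosDoc',
    'C:\ProgramData\Microsoft\whealth',
    'C:\ProgramData\Microsoft\feedback\cm'
)
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) { $findings += "Indicator path present: $p" }
}

# 3. Pheno reconnaissance output: phonelink-<COMPUTERNAME>.txt under ProgramData
#    or the user's temp directory.
foreach ($dir in @($env:ProgramData, $env:TEMP)) {
    Get-ChildItem -Path $dir -Filter 'phonelink-*.txt' -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object { $findings += "Pheno output file: $($_.FullName)" }
}

# 4. regasm.exe is a legitimate .NET utility; surface any running instance with
#    its full command line so an analyst can judge whether the arguments are normal.
Get-CimInstance Win32_Process -Filter "Name = 'regasm.exe'" -ErrorAction SilentlyContinue |
    ForEach-Object { $findings += "regasm.exe PID $($_.ProcessId): $($_.CommandLine)" }

# 5. Is a Phone Link bridge active on this host? These are the same process names
#    Pheno looks for, so their presence tells you what data a RAT could reach.
$phoneLink = Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $_.ProcessName -match '^(YourPhone|PhoneExperienceHost)$' }
if ($phoneLink) {
    $names = ($phoneLink | ForEach-Object { "$($_.ProcessName)($($_.Id))" }) -join ', '
    $findings += "Phone Link processes running: $names"
}

if ($findings.Count -eq 0) { Write-Output 'No CloudZ/Pheno indicators found on this host.' }
else { $findings | ForEach-Object { Write-Warning $_ } }
```

Finding Phone Link processes is not an indicator of compromise on its own; it only tells you the host is one where the Pheno check would succeed, which is useful when deciding where to disable the feature.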
How to reduce exposure
Organizations should treat Phone Link as a data-syncing tool with security implications. It can improve productivity, but it can also place phone messages and notifications within reach of a compromised Windows endpoint.
Admins can review whether Phone Link should be allowed on managed machines. In high-risk environments, disabling it on workstations that handle privileged accounts may reduce account takeover risk.
Security teams should also move users away from SMS authentication. Attackers increasingly target the communication channel itself, and CloudZ shows that synced devices can become part of the threat path.
FAQ
What is CloudZ?
CloudZ is a modular remote access trojan that can run commands, steal browser data, load plugins, and communicate with an attacker-controlled server.
Where does Phone Link keep synced phone data?
Talos said Phone Link stores synchronized data such as SMS messages, call logs, and notification history in a local SQLite database on the Windows PC.
Does the attack require malware on the phone?
No phone malware is required for the reported technique. The attacker targets the Windows PC that already syncs with the phone through Phone Link.
What is Pheno?
Pheno is a plugin used with CloudZ to look for active Microsoft Phone Link activity on infected Windows machines.