CloudZ RAT leverages Microsoft Phone Link to intercept SMS and OTPs via Pheno plugin
Summary
A newly identified CloudZ remote access trojan (RAT) variant deploys a malicious plugin named Pheno that abuses Microsoft Phone Link on Windows 10/11 systems to intercept SMS messages and one-time passwords (OTPs) mirrored from paired Android or iOS devices, without compromising the mobile endpoint itself. The intrusion has been active since at least January 2026 and is designed to harvest credentials and temporary authentication codes delivered via SMS or authenticator app notifications. The plugin monitors active Phone Link sessions, reads the app's local SQLite database on the Windows host, and exfiltrates the stolen messages through that compromised host.
Timeline
05.05.2026 13:03 · 1 article
CloudZ RAT with Pheno plugin abuses Microsoft Phone Link to intercept SMS and OTPs
A new CloudZ RAT variant introduced the Pheno plugin, which monitors active Microsoft Phone Link sessions and accesses their local SQLite databases to steal SMS messages and OTPs from paired mobile devices. The RAT performs post-exploitation actions including file management, command execution, screen recording, and plugin management, while employing anti-detection and anti-analysis techniques. Initial access was achieved via a fake ScreenConnect update dropping a Rust-based loader, followed by a .NET loader that installs CloudZ RAT and establishes persistence through a scheduled task.
- CloudZ malware abuses Microsoft Phone Link to steal SMS and OTPs — www.bleepingcomputer.com — 05.05.2026 13:03
Information Snippets
The CloudZ RAT variant includes a previously undocumented plugin named Pheno that specifically targets Microsoft Phone Link sessions to access local SQLite database files containing SMS messages and OTPs.
First reported: 05.05.2026 13:03 · 1 source, 1 article
Microsoft Phone Link, preinstalled on Windows 10 and 11, mirrors calls, text messages and notifications from paired mobile devices to the Windows host. Because the messages are stored and displayed on the host, the malware can read authentication codes there without touching the mobile device itself.
First reported: 05.05.2026 13:03 · 1 source, 1 article
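An added example, not code from the article or from Cisco Talos: a PowerShell snippet that places a read-audit SACL on Phone Link's local database files and then pulls Security event 4663 records for any process other than Phone Link that reads them. The package folder name Microsoft.YourPhone_8wekyb3d8bbwe, the *.db file pattern and the process name PhoneExperienceHost.exe are assumptions drawn from Phone Link's on-disk layout, not details the article publishes.

```powershell
# Added example (not from the article): audit reads of Phone Link's SQLite files by
# processes other than Phone Link itself, then surface them from the Security log.
# Assumptions (not stated in the article): Phone Link's package data lives under
# %LOCALAPPDATA%\Packages\Microsoft.YourPhone_8wekyb3d8bbwe and its host process is
# PhoneExperienceHost.exe. Run elevated, with object-access auditing enabled:
#   auditpol /set /subcategory:"File System" /success:enable

$pkgRoot = Join-Path $env:LOCALAPPDATA 'Packages\Microsoft.YourPhone_8wekyb3d8bbwe\LocalCache'
$legit   = @('PhoneExperienceHost.exe', 'YourPhone.exe')   # assumed legitimate readers

function Enable-PhoneLinkDbAudit {
    param([string]$Root = $pkgRoot)
    # Audit successful ReadData on every SQLite file (and WAL/SHM journal) under the cache.
    Get-ChildItem -Path $Root -Recurse -File -Include *.db,*.db-wal,*.db-shm -ErrorAction SilentlyContinue |
      ForEach-Object {
        $acl  = Get-Acl -Path $_.FullName -Audit
        $rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
                  'Everyone', 'ReadData', 'None', 'None', 'Success')
        $acl.AddAuditRule($rule)
        Set-Acl -Path $_.FullName -AclObject $acl
        $_.FullName
      }
}

function Get-SuspiciousPhoneLinkDbReads {
    param([int]$LookbackHours = 24)
    $since = (Get-Date).AddHours(-$LookbackHours)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $since } -ErrorAction SilentlyContinue |
      ForEach-Object {
        # 4663 carries its fields in EventData; flatten them into a hashtable.
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Process = $d['ProcessName']
            Object  = $d['ObjectName']
            Access  = $d['AccessMask']
            User    = $d['SubjectUserName']
        }
      } |
      Where-Object {
        $_.Object -like '*Microsoft.YourPhone_8wekyb3d8bbwe*' -and
        $_.Object -match '\.db(-wal|-shm)?$' -and
        $legit -notcontains (Split-Path $_.Process -Leaf)
      }
}

Enable-PhoneLinkDbAudit | Out-Null
Get-SuspiciousPhoneLinkDbReads | Sort-Object Time | Format-Table -AutoSize
```

Expect baseline noise from the search indexer, backup agents and AV scanners; add those to the allow-list after confirming them rather than widening the filter. A plugin that copies the database instead of opening it with SQLite still generates a ReadData access, so the rule covers both approaches, but it will not see reads that happened before the SACL was applied.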
CloudZ RAT conducts file management, shell command execution, screen recording, plugin management, and process termination on compromised hosts. It rotates three hardcoded user-agent strings to disguise C2 traffic and applies anti-caching headers to evade proxy/CDN caching of C2 or staging server details.
First reported: 05.05.2026 13:03 · 1 source, 1 article
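An added example, not from the article: a network-side check for the C2 pattern described above, namely one host alternating between a small fixed set of User-Agent strings toward a single destination while every request carries anti-caching headers. The proxy log below is constructed for illustration, and the column layout (time, src, dst, user_agent, cache_control, pragma) is an assumed export format; the actual CloudZ user-agent strings are not published in the article, so placeholders are used.

```powershell
# Added example (not from the article): flag src/dst pairs whose requests rotate through
# several User-Agent strings while all carry no-cache / no-store directives.
# The log lines are constructed; the CSV layout is an assumed proxy export format.

$log = @'
time,src,dst,user_agent,cache_control,pragma
2026-05-05T09:00:01Z,10.0.0.21,203.0.113.10,UA-A,no-cache,no-cache
2026-05-05T09:00:31Z,10.0.0.21,203.0.113.10,UA-B,no-cache,no-cache
2026-05-05T09:01:02Z,10.0.0.21,203.0.113.10,UA-C,no-store,no-cache
2026-05-05T09:01:33Z,10.0.0.21,203.0.113.10,UA-A,no-cache,no-cache
2026-05-05T09:00:05Z,10.0.0.22,198.51.100.7,Mozilla/5.0 Browser,max-age=0,
2026-05-05T09:00:09Z,10.0.0.22,198.51.100.7,Mozilla/5.0 Browser,,
'@

function Find-RotatingUserAgentBeacons {
    param(
        [string]$Csv,
        [int]$MinDistinctAgents = 3,   # CloudZ rotates three hardcoded strings
        [int]$MinRequests = 4,
        [double]$MinNoCacheRatio = 0.9
    )
    $rows = $Csv -split "`r?`n" | ConvertFrom-Csv
    $rows | Group-Object src, dst | ForEach-Object {
        $agents  = @($_.Group.user_agent | Sort-Object -Unique)
        $noCache = @($_.Group | Where-Object {
            $_.cache_control -match 'no-(cache|store)' -or $_.pragma -eq 'no-cache' }).Count
        $ratio = $noCache / $_.Count
        if ($agents.Count -ge $MinDistinctAgents -and $_.Count -ge $MinRequests -and $ratio -ge $MinNoCacheRatio) {
            [pscustomobject]@{
                Source     = $_.Group[0].src
                Dest       = $_.Group[0].dst
                Requests   = $_.Count
                Agents     = $agents -join ' | '
                NoCachePct = [math]::Round($ratio * 100)
            }
        }
    }
}

Find-RotatingUserAgentBeacons -Csv $log | Format-Table -AutoSize
```

Only the 10.0.0.21 pair is reported: three distinct agents, four requests, all with anti-caching headers. A browser normally presents one User-Agent per process, so several agents cycling toward one endpoint from one host is the anomaly; hosts running multiple embedded HTTP clients against a shared CDN can trip the rule, so tune the thresholds against your own baseline before alerting.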
Initial access begins with a fake ScreenConnect update that drops a Rust-based loader, followed by a .NET loader that installs CloudZ RAT and establishes persistence via a scheduled task. The .NET loader includes anti-analysis checks for sandbox environments, analysis tools (e.g., Wireshark, Fiddler, Procmon, Sysmon), and VM/sandbox-related strings.
First reported: 05.05.2026 13:03 · 1 source, 1 article
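An added example, not from the article: a generic scheduled-task triage for the persistence step described above. The article does not publish the task name, binary path or trigger CloudZ uses, so this hunt flags any enabled task whose action runs from a user-writable location or through a script host; it is a starting point for review, not a CloudZ indicator.

```powershell
# Added example (not from the article): list enabled scheduled tasks whose action runs
# a binary from a user-writable root or via a script/LOLBin host. The roots and host
# list are assumptions chosen for triage, not details from the article.

$writableRoots = @("$env:ProgramData", "$env:PUBLIC", 'C:\Users\')   # per-user AppData and Temp live under C:\Users\
$scriptHosts   = @('powershell.exe', 'pwsh.exe', 'cmd.exe', 'wscript.exe', 'cscript.exe',
                   'mshta.exe', 'rundll32.exe', 'regsvr32.exe')

function Get-SuspiciousScheduledTasks {
    Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' } | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            $exe = [string]$action.Execute
            if (-not $exe) { continue }                      # COM-handler actions have no Execute
            $expanded = [Environment]::ExpandEnvironmentVariables($exe.Trim('"'))
            $exeName  = (Split-Path $expanded -Leaf).ToLower()
            $fromWritable = $writableRoots | Where-Object { $expanded -like "$_*" }
            $viaHost      = $scriptHosts -contains $exeName
            if ($fromWritable -or $viaHost) {
                $info = $task | Get-ScheduledTaskInfo
                [pscustomobject]@{
                    Path    = $task.TaskPath + $task.TaskName
                    Execute = $expanded
                    Args    = [string]$action.Arguments
                    Author  = $task.Author
                    LastRun = $info.LastRunTime
                    Reason  = if ($fromWritable) { 'user-writable path' } else { 'script/LOLBin host' }
                }
            }
        }
    }
}

Get-SuspiciousScheduledTasks | Sort-Object LastRun -Descending | Format-Table -AutoSize
```

Legitimate updaters that install per-user (OneDrive, some browsers) will appear; compare the Execute path and Authenticode signature of each hit before acting, and pay particular attention to tasks authored by a regular user account that launch a loader from ProgramData or AppData.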
Cisco Talos identified indicators of compromise including malicious URLs, file hashes, domains, and IP addresses associated with the campaign.
First reported: 05.05.2026 13:03 · 1 source, 1 article