Stealthy malware abuses Microsoft Phone Link to siphon SMS OTPs from enterprise PCs

News Room
Last updated: May 5, 2026 11:43 am

A newly identified malware campaign is abusing Microsoft’s Phone Link feature to intercept SMS-based one-time passwords and other sensitive mobile data directly from Windows systems.

The activity, first observed by Cisco Talos in January 2026, involves a remote access trojan dubbed CloudZ and a custom plugin named Pheno that together allow attackers to harvest credentials and potentially capture authentication codes synced from a user’s smartphone, Talos researchers Alex Karkins and Chetan Raghuprasad wrote in a blog post.

“According to the functionalities of the CloudZ RAT and Pheno plugin, this was with the intention of stealing victims’ credentials and potentially one-time passwords (OTPs),” the researchers wrote.

The attack does not target the mobile device itself. Instead, it exploits the trust relationship between phones and Windows PCs by monitoring data mirrored through the Phone Link application, the blog post said.

CloudZ “utilizes the custom Pheno plugin to hijack the established PC-to-phone bridge by abusing the Microsoft Phone Link application, allowing the plugin to continuously scan for active Phone Link processes and potentially intercept sensitive mobile data like SMS and OTPs without deploying malware on the phone,” the Talos report said.

The technique sidesteps the need to compromise the mobile device itself, which the researchers said makes the intrusion notable to enterprise defenders.

It adds to a growing body of attacker tradecraft aimed at bypassing SMS- and app-based MFA by extracting authentication codes from compromised Windows systems where mobile data is synced.

Microsoft did not immediately respond to a request for comment.

Phone Link data becomes an attack surface

Microsoft Phone Link, previously known as Your Phone, is a built-in Windows feature that connects a PC to a smartphone and mirrors messages, notifications, and calls on the desktop.

Pheno is designed to locate the Phone Link data stored locally on the Windows system. According to the advisory, the attacker using CloudZ “can potentially intercept the Phone Link application’s SQLite database file on the victim machine, potentially compromising SMS-based OTP messages and other authenticator application notification messages.”

Because this data resides on the endpoint, the technique shifts risk from mobile devices to enterprise-managed Windows systems, potentially bypassing controls focused on securing smartphones.

Multi-stage infection chain

The intrusion begins with an unknown initial access vector, followed by the execution of a malicious file disguised as a ScreenConnect update, Talos said.

The initial payload is a Rust-compiled loader using filenames such as “systemupdates.exe,” which drops a .NET loader disguised as a text file in a system directory, the post said.

Persistence is established through a scheduled task named “SystemWindowsApis” that runs at startup with elevated privileges using the legitimate regasm.exe utility, the researchers wrote in the blog.

The .NET loader runs anti-analysis checks before unpacking CloudZ. It performs multiple checks to detect security tools and sandbox environments before executing the payload in memory, the report said.

It “calculates the actual elapsed time of a sleep command to detect if it is executed in the analysis environment,” and scans for tools such as Wireshark, Fiddler, Procmon, and Sysmon. “The .NET loader exits the execution if these are detected in the victim environment,” the blog post added.

The CloudZ payload is then decrypted in memory and executed, it said.
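As an added defender-side example (not code from the Talos write-up), the following Python turns the persistence details above into a hunt over exported scheduled-task records: a task that launches regasm.exe at startup with elevated rights against a target that is not a normal .NET assembly. The record layout, paths and sample tasks are constructed assumptions, not indicators from the report.

```python
# Hunt for the persistence pattern described above: a scheduled task that
# launches regasm.exe at startup with elevated rights, pointing at a payload
# that is not a normal .NET assembly. Records are constructed samples in the
# shape of exported scheduled-task data (assumed layout, not real telemetry).
import re
from dataclasses import dataclass

@dataclass
class TaskRecord:
    name: str
    action: str          # executable the task runs
    arguments: str       # command-line arguments passed to it
    trigger: str         # e.g. "AtStartup", "AtLogon", "Daily"
    run_level: str       # "Highest" or "Limited"

# Indicators taken from the article: the task name and the abused LOLBin.
KNOWN_TASK_NAME = "SystemWindowsApis"
REGASM = re.compile(r"(^|[\\/])regasm\.exe$", re.IGNORECASE)
# Extensions a legitimate RegAsm registration target would normally have.
NORMAL_ASSEMBLY_EXT = (".dll", ".exe")

def score_task(t: TaskRecord) -> list:
    """Return the list of reasons a task resembles the CloudZ persistence."""
    reasons = []
    if t.name.lower() == KNOWN_TASK_NAME.lower():
        reasons.append("task name matches known indicator")
    if REGASM.search(t.action.strip('"')):
        reasons.append("action launches regasm.exe")
        # First path-like token in the arguments is the registration target.
        target = next((a for a in re.findall(r'"[^"]+"|\S+', t.arguments)
                       if not a.startswith("/")), "").strip('"')
        if target and not target.lower().endswith(NORMAL_ASSEMBLY_EXT):
            reasons.append(f"regasm target has unusual extension: {target}")
        if t.trigger == "AtStartup" and t.run_level == "Highest":
            reasons.append("runs at startup with highest privileges")
    return reasons

def hunt(records):
    """Return {task name: reasons} for every record with at least one hit."""
    return {t.name: r for t in records if (r := score_task(t))}

# Constructed sample export: one benign task, one mimicking the article.
SAMPLE_TASKS = [
    TaskRecord("OneDrive Reporting", r"C:\Program Files\OneDrive\OneDrive.exe",
               "/reporting", "Daily", "Limited"),
    TaskRecord("SystemWindowsApis",
               r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe",
               r"/U C:\Windows\System32\update.txt", "AtStartup", "Highest"),
]

if __name__ == "__main__":
    for name, reasons in hunt(SAMPLE_TASKS).items():
        print(name, "->", "; ".join(reasons))
```

On a real host the same scoring can be fed from `Get-ScheduledTask` output exported to CSV or JSON; a regasm.exe action whose target lacks a .dll or .exe extension is the strongest single signal here.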

RAT enables credential theft and plugin delivery

CloudZ establishes an encrypted connection to a command-and-control server and supports a range of functions, including credential harvesting, file operations, and remote command execution, Talos said.

The malware also retrieves secondary configuration data from attacker-controlled infrastructure.

The Talos researchers wrote that the RAT downloads configuration data from remote servers and “extracts the C2 server IP address … and port number … establishing connections through TCP sockets.”

It also rotates user-agent strings to blend its traffic with legitimate browser activity, the researchers noted.

Pheno plugin monitors active device sync

The Pheno plugin is responsible for identifying active Phone Link sessions and enabling data interception.

It “scans all running processes for specific keywords such as ‘YourPhone,’ ‘PhoneExperienceHost,’ or ‘Link to Windows,’” and logs results locally, the report said.

The plugin then checks for evidence of a proxy connection used by Phone Link to relay data between devices.

“The presence of ‘proxy’ … indicates that the Phone Link session is actively routing traffic through its relay channel,” the researchers wrote.

When such activity is detected, the plugin flags the system as connected, which “eventually allows the attacker … to potentially monitor SMS or OTP requests that appear on the Phone Link application,” according to the report.

Talos has released detection signatures and indicators of compromise, including malware hashes, command-and-control infrastructure, and Snort rules associated with the activity.

Cisco Talos did not attribute the activity to a known threat actor.

The article originally appeared on CSO.
