
CloudZ RAT Hijacks Microsoft Phone Link to Steal Sensitive Data

A sophisticated cyber threat known as CloudZ RAT is exploiting Microsoft's Phone Link application to pilfer user credentials and one-time passwords (OTPs) directly from Windows PCs. This novel attack vector bypasses the need to compromise mobile devices, instead leveraging the legitimate PC-to-phone bridge to access sensitive SMS messages and authentication codes.

Key Takeaways

  • CloudZ RAT, with a new plugin called Pheno, targets Microsoft Phone Link.

  • The attack steals credentials and OTPs without infecting the mobile device.

  • It exploits the data synchronization between Windows PCs and smartphones.

  • The campaign has been active since at least January 2026 and is attributed to an unknown threat actor.

The CloudZ RAT and Pheno Plugin

Researchers have detailed how the CloudZ remote access trojan (RAT), in conjunction with a previously undocumented plugin named Pheno, is being used to intercept sensitive data. The primary objective is to steal user credentials and one-time passwords (OTPs), which are crucial for two-factor authentication.

What makes this attack particularly concerning is its method of operation. Instead of deploying malware directly onto a victim's smartphone, CloudZ abuses the established connection facilitated by Microsoft's Phone Link application. This application, built into Windows 10 and 11, allows users to sync their Android or iPhone with their PC for tasks like sending messages and receiving notifications.

The Pheno plugin watches for running Phone Link processes. It then reads the application's local SQLite database, which stores the synchronized data, including SMS messages and the OTPs they carry. By abusing this bridge, attackers can reach highly sensitive information without ever needing to compromise the mobile device itself.
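One way a defender can watch for this pattern is to flag any process other than the Phone Link client that opens the client's local store. The following is an added example written for this page, not code from the reporting or from CloudZ/Pheno; it assumes the Phone Link client runs as PhoneExperienceHost.exe and keeps its synced data under the Microsoft.YourPhone package folder, and it runs over constructed file-access events rather than real telemetry.

```python
"""Detection sketch for the Phone Link data-theft pattern described above."""
# Added example: not code from the reporting and not the CloudZ/Pheno code.
# Assumptions (verify on your own build): the legitimate Phone Link client
# runs as PhoneExperienceHost.exe and keeps its synced SMS/notification
# store under the Microsoft.YourPhone package folder in the user profile.
import re
from dataclasses import dataclass

PHONE_LINK_HOST = "phoneexperiencehost.exe"  # assumed host image name
PHONE_LINK_STORE = re.compile(  # assumed store location, matched on the package folder
    r"\\packages\\microsoft\.yourphone_[^\\]+\\.*\.db$", re.IGNORECASE)


@dataclass
class FileAccess:
    """One file-open event, in the shape a Sysmon-like sensor would report."""
    process: str  # image name of the opening process
    path: str     # file that was opened


def is_foreign_read_of_phone_link_store(ev: FileAccess) -> bool:
    """True when something other than Phone Link opens its SQLite store."""
    if not PHONE_LINK_STORE.search(ev.path):
        return False  # not the Phone Link database, nothing to flag
    return ev.process.lower() != PHONE_LINK_HOST


def find_suspicious(events: list[FileAccess]) -> list[FileAccess]:
    """Return the events an analyst should triage first."""
    return [e for e in events if is_foreign_read_of_phone_link_store(e)]


# Constructed sample telemetry (not real logs); file names are illustrative.
BASE = r"C:\Users\alice\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe"
SAMPLE_EVENTS = [
    FileAccess("PhoneExperienceHost.exe", BASE + r"\LocalCache\sync.db"),
    FileAccess("svchost.exe", r"C:\Windows\System32\config\SOFTWARE"),
    FileAccess("update_screenconnect.exe", BASE + r"\LocalCache\sync.db"),
    FileAccess("explorer.exe", BASE + r"\LocalCache\settings.json"),
]

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS):
        print(f"ALERT: {hit.process} opened Phone Link store {hit.path}")
```

On the constructed events above only the lookalike updater binary is flagged; the legitimate host reading its own database and unrelated file access stay quiet.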

Attack Chain and Persistence

The intrusion typically begins with an unknown initial access method, leading victims to execute a malicious file disguised as a legitimate update for tools like ConnectWise ScreenConnect. This dropper then downloads and runs a .NET loader, which performs environment checks to evade detection before deploying the modular CloudZ trojan.

To maintain its presence, the malware establishes persistence by creating a scheduled task that runs at system startup. CloudZ communicates with its command-and-control (C2) server using encrypted connections and rotates user-agent strings to mimic legitimate browser traffic, making detection more challenging.

Data Exfiltration and Capabilities

Once established, CloudZ can execute a wide range of commands, including exfiltrating web browser data, collecting system metadata, executing shell commands, and managing files. The Pheno plugin specifically focuses on reconnaissance of the Phone Link application, writing its findings to an output file. CloudZ then reads this data and sends it to the C2 server.

This campaign highlights how a legitimate cross-device syncing feature can be repurposed for malicious ends: an attacker who can read the synced SMS store on the PC can harvest OTPs, potentially bypassing SMS-based multi-factor authentication and exposing users to credential theft.

Sources

  • Windows Phone Link Exploited by CloudZ RAT to Steal Credentials and OTPs, The Hacker News.

  • Experts warn Microsoft Phone Link tool exploited by 'unknown threat' to steal SMS and OTP info, TechRadar.

  • CloudZ RAT Abuses Microsoft Phone Link to Steal SMS OTPs and Mobile Notifications, CyberSecurityNews.

  • CloudZ RAT Exploits Microsoft Phone Link to Steal SMS OTPs, GBHackers News.

  • CloudZ malware abuses Microsoft Phone Link to steal SMS and OTPs, BleepingComputer.
