A newly identified cybersecurity threat is turning a Microsoft feature into an effective espionage tool. Researchers have uncovered a remote access tool, CloudZ, which, in conjunction with a custom plugin called Pheno, can clandestinely intercept SMS messages and one-time passwords (OTPs) from mobile devices, all without direct access to the phone. The attack abuses a legitimate Windows application used by millions daily.
Unique Approach to Data Interception
This campaign stands out due to its unique method. Rather than deploying malware directly onto a target’s mobile device, the attacker manipulates the connection between a Windows PC and the paired smartphone. The Microsoft Phone Link application, when in use, creates a bridge that reflects phone notifications, messages, and call logs onto the computer.
CloudZ and the Pheno plugin exploit this bridge, accessing sensitive data meant to remain on the device. Cisco Talos analysts have observed this intrusion since January 2026, noting that an unidentified attacker has employed the CloudZ RAT and the previously undocumented Pheno plugin on victim machines. This campaign is tailored to exfiltrate login credentials and intercept OTPs, which are vital for two-step verification processes.
Infection Chain and Detection Evasion
The infection begins with a deceptive update for a remote support tool known as ScreenConnect. Once the user executes this file, a .NET loader bypasses several security measures before deploying the CloudZ RAT. From there, the attacker gains full access to the victim’s machine, enabling the theft of browser data and activation of the Pheno plugin.
CloudZ employs sophisticated techniques to avoid detection, such as monitoring execution environments for analysis tools like Wireshark and Fiddler. It dynamically generates its most critical functions in memory, complicating efforts to detect or reverse-engineer them.
Mechanics of Pheno Plugin and Persistence
The Pheno plugin, the most innovative element of this attack, examines all active processes for keywords related to the Phone Link application, such as “YourPhone” and “Link to Windows.” If found, Pheno logs the process details to a staging file named after the victim’s computer.
If the staging file indicates that Phone Link is routing traffic between the PC and phone, the plugin records “Maybe connected,” signaling the attacker that conditions are optimal to intercept mobile data. CloudZ then accesses the local SQLite database of the Phone Link application, which stores synchronized SMS messages and app notifications, including OTP codes, potentially bypassing two-factor authentication.
To maintain persistence, CloudZ uses a Rust-compiled dropper to install a scheduled task, ensuring the malware restarts with every system boot. It leverages legitimate Windows utilities to execute its payload, blending with normal system activities to evade detection.
Recommendations and Future Outlook
Cisco Talos has provided ClamAV signatures and Snort rules to detect and block this threat. It is recommended that organizations monitor for unusual Phone Link activity, restrict remote access tools to trusted sources, and ensure security tools flag living-off-the-land binaries like regasm.exe. Disabling Phone Link where unnecessary can significantly reduce exposure.
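Two of the observations above, Pheno's reliance on process names tied to Phone Link and CloudZ's scheduled-task persistence through a utility such as regasm.exe, translate directly into host-level detections. The following is an added Python example, not code from Talos or from the report, that applies those two rules to constructed Sysmon-style event records; the field names, file paths and the Phone Link package folder name are assumptions.

```python
# Added example (not from the Talos report): a small detector over constructed
# telemetry. Field names, paths and the package folder name are assumptions.

PHONE_LINK_MARKERS = ("yourphone", "phoneexperiencehost", "link to windows")

def is_phone_link_process(image: str) -> bool:
    """Name heuristic only; a production rule should also check the signer."""
    image = image.lower()
    return any(m in image for m in PHONE_LINK_MARKERS)

def suspicious_db_access(event: dict) -> bool:
    """Phone Link's SQLite store read by a process that is not Phone Link."""
    target = event.get("target", "").lower()
    return (event.get("type") == "file_read"
            and "yourphone" in target
            and target.endswith((".db", ".sqlite"))
            and not is_phone_link_process(event.get("image", "")))

def lolbin_task_persistence(event: dict) -> bool:
    """Scheduled task created with an action that runs regasm.exe."""
    return (event.get("type") == "task_created"
            and "regasm.exe" in event.get("action", "").lower())

def scan(events: list) -> list:
    """Return (rule, detail) pairs for every event that trips a rule."""
    hits = []
    for e in events:
        if suspicious_db_access(e):
            hits.append(("phone_link_db_access", e["image"]))
        if lolbin_task_persistence(e):
            hits.append(("regasm_scheduled_task", e["task"]))
    return hits

# Constructed telemetry; the assumed Phone Link data path is a placeholder.
PHONE_DB = r"C:\Users\u\AppData\Local\Packages\Microsoft.YourPhone_placeholder\LocalCache\phone.db"
SAMPLE_EVENTS = [
    {"type": "file_read", "target": PHONE_DB,  # Phone Link reading its own store
     "image": r"C:\Program Files\WindowsApps\Microsoft.YourPhone_placeholder\PhoneExperienceHost.exe"},
    {"type": "file_read", "target": PHONE_DB,  # foreign process reading the store
     "image": r"C:\Users\u\AppData\Roaming\svc\host.exe"},
    {"type": "task_created", "task": r"\Microsoft\Windows\Updater",  # LOLBin persistence
     "action": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe C:\ProgramData\upd\loader.dll"},
    {"type": "task_created", "task": r"\OneDrive Standalone Update Task",  # benign task
     "action": r"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe"},
]

if __name__ == "__main__":
    for rule, detail in scan(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```

The name match is deliberately loose, so in production pair it with the process's code-signing identity rather than its path alone.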
As cyber threats evolve, maintaining awareness of such sophisticated attacks is crucial. Organizations must adopt comprehensive security measures to protect sensitive information from being compromised.
