Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
macOS Stealer Masquerades as Crash Reports to Steal Browser Data
July 13, 2026
Turla Hackers Exploit Critical SharePoint Flaw to Access French Accounts
July 13, 2026
Internet Scans Target Exposed AI Models, Claude Credentials, and MCP Servers
July 13, 2026
Home/Threats/CloudZ RAT Abuses Microsoft Phone Link to Steal SMS OTPs
Threats

CloudZ RAT Abuses Microsoft Phone Link to Steal SMS OTPs

Key Takeaways A new Remote Access Trojan (RAT) called CloudZ, paired with a custom plugin named Pheno, is actively exploiting Microsoft Phone Link to steal sensitive data. The attack chain targets...

Jennifer sherman
Jennifer sherman
May 6, 2026 5 Min Read
59 0

Key Takeaways

  • A new Remote Access Trojan (RAT) called CloudZ, paired with a custom plugin named Pheno, is actively exploiting Microsoft Phone Link to steal sensitive data.
  • The attack chain targets Windows PCs with Phone Link enabled, enabling the interception of SMS messages and one-time passwords (OTPs) without direct mobile device compromise.
  • CloudZ employs sophisticated evasion techniques, including runtime function generation and the use of legitimate Windows binaries for persistence.
  • Cisco Talos has identified the threat, which has been active since at least January 2026, and has released detection signatures and rules.

A novel threat actor is repurposing a legitimate Microsoft Windows feature into a potent surveillance tool. Cybersecurity researchers have identified a new Remote Access Trojan (RAT), dubbed CloudZ, which works in conjunction with a specialized plugin named Pheno. This malicious combination is designed to covertly intercept SMS messages and one-time passwords (OTPs) directly from paired mobile phones, bypassing the need for malware installation on the mobile device itself.

Table Of Content

  • Key Takeaways
  • Infection Chain and Evasion
  • How CloudZ Abuses Microsoft Phone Link to Steal OTPs
  • Persistence Mechanisms and Command Structure
  • What You Should Do

The ingenuity of this campaign lies in its indirect approach. Instead of attempting to compromise a smartphone directly, the attackers exploit the established connection between a Windows personal computer and a linked mobile device.

Microsoft’s Phone Link application facilitates seamless interaction between a user’s smartphone and their Windows PC, mirroring notifications, messages, and call logs onto the desktop. CloudZ and its Pheno plugin leverage this existing bridge to gain unauthorized access to data that would ordinarily remain exclusively on the mobile phone, as detailed in a research paper.

According to analysts at Cisco Talos, this intrusion has been active since at least January 2026. The researchers observed an unidentified attacker deploying both the CloudZ RAT and the previously undocumented Pheno plugin onto victim systems. Talos characterized the campaign’s primary objective as the theft of login credentials and the interception of OTPs, which are critical for two-factor authentication (2FA) mechanisms.

Infection Chain and Evasion

The attack typically commences with a deceptive update for a remote support tool, such as ScreenConnect. Executing this malicious file initiates a .NET loader that bypasses various security controls before deploying the CloudZ RAT. Once CloudZ is established, the attacker gains a comprehensive set of capabilities to explore the compromised machine, exfiltrate browser data, and activate the Pheno plugin.

CloudZ incorporates advanced anti-detection measures. It performs checks for virtualized environments and analysis tools like Wireshark, Fiddler, Procmon, and Sysmon by monitoring timing patterns. Furthermore, its most sensitive functions are generated dynamically in memory, significantly complicating detection and reverse engineering efforts.

How CloudZ Abuses Microsoft Phone Link to Steal OTPs

The Pheno plugin represents a particularly innovative component of this attack. Upon deployment, Pheno actively scans all running processes for keywords associated with the Phone Link application, including “YourPhone,” “PhoneExperienceHost,” and “Link to Windows.” If these processes are detected, Pheno logs their process IDs and file paths into a temporary staging file, named after the victim’s computer.

Pheno then searches this staging file for the keyword “proxy,” which indicates an active connection and traffic routing between the PC and the phone via Phone Link. Confirmation of this connection prompts the plugin to write “Maybe connected” to its output file, signaling to the CloudZ RAT that conditions are favorable for mobile data interception.

With this confirmation, CloudZ can then access the Phone Link application’s local SQLite database, typically named “PhoneExperiences-*.db.” This database stores synchronized SMS messages, call logs, and application notifications. Crucially, this includes OTP codes sent by financial institutions and email providers. This direct access allows the attacker to bypass two-factor authentication without requiring physical access to the victim’s mobile device.

Persistence Mechanisms and Command Structure

CloudZ is engineered for long-term persistence on compromised systems. The Rust-compiled dropper establishes a scheduled task named “SystemWindowsApis,” configured to run at system startup under the SYSTEM account, ensuring the malware’s re-execution after every reboot. It leverages the legitimate Windows utility, regasm.exe, as a living-off-the-land (LotL) binary to execute its payload. This technique helps the malware blend in with normal system operations, making it harder to detect.

To evade network-level detection, CloudZ rotates between three common browser user-agent strings (Firefox, Safari, and Chrome) with each request, mimicking legitimate web traffic. Its command-and-control (C2) server addresses are not hardcoded but are retrieved from external platforms like Pastebin, specifically from pages under the account name “HELLOHIALL.” This dynamic C2 retrieval mechanism complicates blocking efforts through traditional network filters.

Cisco Talos has provided detection mechanisms, including ClamAV signatures and Snort rules, to identify and block this threat. Organizations are advised to monitor for unusual Phone Link activity on endpoints, restrict remote access tools to verified sources, and configure security tools to flag the use of LotL binaries like regasm.exe when used outside their expected context. Disabling Phone Link on systems where it is not required can significantly reduce the attack surface.

What You Should Do

  • Disable Microsoft Phone Link: If you do not actively use Microsoft Phone Link to connect your smartphone to your PC, disable or uninstall it to remove this attack vector.
  • Exercise Caution with Updates: Be extremely wary of unsolicited or suspicious update prompts for any software, especially remote support tools. Always download updates directly from official vendor websites.
  • Implement Strong Endpoint Detection and Response (EDR): Ensure your EDR solutions are configured to detect and alert on unusual process execution, especially the use of legitimate binaries (LotL) in anomalous contexts.
  • Monitor Network Traffic: Deploy network intrusion detection/prevention systems (NIDS/NIPS) with updated signatures (e.g., Cisco Talos Snort rules) to identify and block CloudZ C2 communications.
  • Enforce Multi-Factor Authentication (MFA): While this attack targets SMS OTPs, using stronger MFA methods like hardware tokens (FIDO2/U2F) or authenticator apps can provide better protection against such compromises.

IoCs:

<td class="has-text-

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackExploitMalwareSecurityThreat

Share Article

Jennifer sherman

Jennifer sherman

Jennifer is a cybersecurity news reporter covering data breaches, ransomware campaigns, and dark web markets. With a background in incident response, Jennifer provides unique insights into how organizations respond to cyber attacks and the evolving tactics of threat actors. Her reporting has covered major breaches affecting millions of users and has helped organizations understand emerging threats. Jennifer combines technical knowledge with investigative journalism to deliver in-depth coverage of cybersecurity incidents.

Previous Post

QLNX Credential Theft Malware Targets Developers in Supply Chain Attacks

Next Post

DarkHub Hacking-for-Hire Portal Advertises Crypto Fraud and Message Interception

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
Debian 13 Trixie Released With Security Updates
July 13, 2026
iPhone, MacBook Forensics Expose £113,000 Property Fraud
July 13, 2026
CISA warns of Joomla iCagenda, Balbooa flaws exploited in attacks
July 13, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
Emy Elsamnoudy
Emy Elsamnoudy
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us
Type Indicator Description
IP Address 185[.]196[.]10[.]136 CloudZ C2 server IP address, communicating over port 8089 via TCP
URL hxxps[://]round-cherry-4418[.]hellohiall[.]workers[.]dev Secondary C2 configuration staging URL
URL https[://]pastebin[.]com/raw/8pYAgF0Z Pastebin-hosted secondary C2 configuration data
URL hxxps[://]calm-wi[…] Attacker-controlled staging server used to deliver .NET loader
URL hxxps[://]orange-cell-1353[.]hellohiall[…] Staging server URL used to deliver Pheno plugin (pheno.exe)
File Name systemupdates.exe / Windows-interactive-update.exe Rust-compiled dropper disguised as system update
File Name update.txt / msupdate.txt Embedded .NET loader disguised as text file
File Name pheno.exe Pheno reconnaissance plugin dropped in C:WindowsTEMP
File Path C:ProgramDataMicrosoftwindosDoc Staging folder used to store the dropped .NET loader
File Path C:ProgramDataMicrosoftwhealth Staging directory for saved plugins
File Path C:programdataMicrosoftfeedbackcm Pheno plugin output folder for Phone Link reconnaissance data
Scheduled Task SystemWindowsApis Persistence task created under MicrosoftWindows at system startup
Pastebin Account HELLOHIALL Attacker-controlled Pastebin account hosting secondary C2 configuration
PDB String