CloudZ RAT Abuses Microsoft Phone Link to Steal SMS OTPs
Key Takeaways A new Remote Access Trojan (RAT) called CloudZ, paired with a custom plugin named Pheno, is actively exploiting Microsoft Phone Link to steal sensitive data. The attack chain targets...
Key Takeaways
- A new Remote Access Trojan (RAT) called CloudZ, paired with a custom plugin named Pheno, is actively exploiting Microsoft Phone Link to steal sensitive data.
- The attack chain targets Windows PCs with Phone Link enabled, enabling the interception of SMS messages and one-time passwords (OTPs) without direct mobile device compromise.
- CloudZ employs sophisticated evasion techniques, including runtime function generation and the use of legitimate Windows binaries for persistence.
- Cisco Talos has identified the threat, which has been active since at least January 2026, and has released detection signatures and rules.
A novel threat actor is repurposing a legitimate Microsoft Windows feature into a potent surveillance tool. Cybersecurity researchers have identified a new Remote Access Trojan (RAT), dubbed CloudZ, which works in conjunction with a specialized plugin named Pheno. This malicious combination is designed to covertly intercept SMS messages and one-time passwords (OTPs) directly from paired mobile phones, bypassing the need for malware installation on the mobile device itself.
Table Of Content
The ingenuity of this campaign lies in its indirect approach. Instead of attempting to compromise a smartphone directly, the attackers exploit the established connection between a Windows personal computer and a linked mobile device.
Microsoft’s Phone Link application facilitates seamless interaction between a user’s smartphone and their Windows PC, mirroring notifications, messages, and call logs onto the desktop. CloudZ and its Pheno plugin leverage this existing bridge to gain unauthorized access to data that would ordinarily remain exclusively on the mobile phone, as detailed in a research paper.
According to analysts at Cisco Talos, this intrusion has been active since at least January 2026. The researchers observed an unidentified attacker deploying both the CloudZ RAT and the previously undocumented Pheno plugin onto victim systems. Talos characterized the campaign’s primary objective as the theft of login credentials and the interception of OTPs, which are critical for two-factor authentication (2FA) mechanisms.
Infection Chain and Evasion
The attack typically commences with a deceptive update for a remote support tool, such as ScreenConnect. Executing this malicious file initiates a .NET loader that bypasses various security controls before deploying the CloudZ RAT. Once CloudZ is established, the attacker gains a comprehensive set of capabilities to explore the compromised machine, exfiltrate browser data, and activate the Pheno plugin.
CloudZ incorporates advanced anti-detection measures. It performs checks for virtualized environments and analysis tools like Wireshark, Fiddler, Procmon, and Sysmon by monitoring timing patterns. Furthermore, its most sensitive functions are generated dynamically in memory, significantly complicating detection and reverse engineering efforts.
How CloudZ Abuses Microsoft Phone Link to Steal OTPs
The Pheno plugin represents a particularly innovative component of this attack. Upon deployment, Pheno actively scans all running processes for keywords associated with the Phone Link application, including “YourPhone,” “PhoneExperienceHost,” and “Link to Windows.” If these processes are detected, Pheno logs their process IDs and file paths into a temporary staging file, named after the victim’s computer.
Pheno then searches this staging file for the keyword “proxy,” which indicates an active connection and traffic routing between the PC and the phone via Phone Link. Confirmation of this connection prompts the plugin to write “Maybe connected” to its output file, signaling to the CloudZ RAT that conditions are favorable for mobile data interception.
With this confirmation, CloudZ can then access the Phone Link application’s local SQLite database, typically named “PhoneExperiences-*.db.” This database stores synchronized SMS messages, call logs, and application notifications. Crucially, this includes OTP codes sent by financial institutions and email providers. This direct access allows the attacker to bypass two-factor authentication without requiring physical access to the victim’s mobile device.
Persistence Mechanisms and Command Structure
CloudZ is engineered for long-term persistence on compromised systems. The Rust-compiled dropper establishes a scheduled task named “SystemWindowsApis,” configured to run at system startup under the SYSTEM account, ensuring the malware’s re-execution after every reboot. It leverages the legitimate Windows utility, regasm.exe, as a living-off-the-land (LotL) binary to execute its payload. This technique helps the malware blend in with normal system operations, making it harder to detect.
To evade network-level detection, CloudZ rotates between three common browser user-agent strings (Firefox, Safari, and Chrome) with each request, mimicking legitimate web traffic. Its command-and-control (C2) server addresses are not hardcoded but are retrieved from external platforms like Pastebin, specifically from pages under the account name “HELLOHIALL.” This dynamic C2 retrieval mechanism complicates blocking efforts through traditional network filters.
Cisco Talos has provided detection mechanisms, including ClamAV signatures and Snort rules, to identify and block this threat. Organizations are advised to monitor for unusual Phone Link activity on endpoints, restrict remote access tools to verified sources, and configure security tools to flag the use of LotL binaries like regasm.exe when used outside their expected context. Disabling Phone Link on systems where it is not required can significantly reduce the attack surface.
What You Should Do
- Disable Microsoft Phone Link: If you do not actively use Microsoft Phone Link to connect your smartphone to your PC, disable or uninstall it to remove this attack vector.
- Exercise Caution with Updates: Be extremely wary of unsolicited or suspicious update prompts for any software, especially remote support tools. Always download updates directly from official vendor websites.
- Implement Strong Endpoint Detection and Response (EDR): Ensure your EDR solutions are configured to detect and alert on unusual process execution, especially the use of legitimate binaries (LotL) in anomalous contexts.
- Monitor Network Traffic: Deploy network intrusion detection/prevention systems (NIDS/NIPS) with updated signatures (e.g., Cisco Talos Snort rules) to identify and block CloudZ C2 communications.
- Enforce Multi-Factor Authentication (MFA): While this attack targets SMS OTPs, using stronger MFA methods like hardware tokens (FIDO2/U2F) or authenticator apps can provide better protection against such compromises.
IoCs:
| Type | Indicator | Description |
|---|---|---|
| IP Address | 185[.]196[.]10[.]136 | CloudZ C2 server IP address, communicating over port 8089 via TCP |
| URL | hxxps[://]round-cherry-4418[.]hellohiall[.]workers[.]dev | Secondary C2 configuration staging URL |
| URL | https[://]pastebin[.]com/raw/8pYAgF0Z | Pastebin-hosted secondary C2 configuration data |
| URL | hxxps[://]calm-wi[…] | Attacker-controlled staging server used to deliver .NET loader |
| URL | hxxps[://]orange-cell-1353[.]hellohiall[…] | Staging server URL used to deliver Pheno plugin (pheno.exe) |
| File Name | systemupdates.exe / Windows-interactive-update.exe | Rust-compiled dropper disguised as system update |
| File Name | update.txt / msupdate.txt | Embedded .NET loader disguised as text file |
| File Name | pheno.exe | Pheno reconnaissance plugin dropped in C:WindowsTEMP |
| File Path | C:ProgramDataMicrosoftwindosDoc | Staging folder used to store the dropped .NET loader |
| File Path | C:ProgramDataMicrosoftwhealth | Staging directory for saved plugins |
| File Path | C:programdataMicrosoftfeedbackcm | Pheno plugin output folder for Phone Link reconnaissance data |
| Scheduled Task | SystemWindowsApis | Persistence task created under MicrosoftWindows at system startup |
| Pastebin Account | HELLOHIALL | Attacker-controlled Pastebin account hosting secondary C2 configuration |
| PDB String |



No Comment! Be the first one.