New CloudZ RAT Exploits Microsoft Phone Link to Steal OTPs and SMS Messages
Security researchers at Cisco Talos have uncovered a sophisticated cyberespionage campaign leveraging CloudZ, a remote access trojan (RAT), and its custom Pheno plugin to intercept SMS messages and one-time passwords (OTPs) without direct access to victims’ phones. The attack exploits Microsoft Phone Link, a legitimate Windows application that mirrors phone notifications, messages, and call logs to a paired PC.
Active since at least January 2026, the campaign targets users by hijacking the connection between a Windows machine and a linked smartphone. Instead of deploying malware on the phone itself, attackers abuse Phone Link’s synchronization feature to access sensitive data stored in its local SQLite database, including OTPs sent by banks and email providers. This allows threat actors to bypass two-factor authentication (2FA) without physical access to the device.
The infection begins with a fake ScreenConnect update, which drops a .NET loader disguised as a system file. After bypassing security checks, the loader deploys CloudZ, a RAT designed to evade detection. The malware scans for analysis tools like Wireshark, Fiddler, and Sysmon, generates sensitive functions in memory, and uses timing-based evasion to avoid sandboxing.
The Pheno plugin plays a critical role by identifying active Phone Link processes (e.g., YourPhone, PhoneExperienceHost) and confirming an active connection between the PC and phone. Once verified, CloudZ extracts synchronized SMS messages and OTPs from the PhoneExperiences-*.db database.
To maintain persistence, CloudZ installs a scheduled task (SystemWindowsApis) running under the SYSTEM account and uses regasm.exe, a legitimate Windows utility, to execute payloads while blending in with normal system activity. Command-and-control (C2) communication is obfuscated by rotating user-agent strings and retrieving C2 addresses from Pastebin under the account HELLOHIALL, complicating network-based detection.
Cisco Talos has released ClamAV signatures and Snort rules to detect the threat, along with indicators of compromise (IoCs) including the C2 server 185[.]196[.]10[.]136, attacker-controlled staging URLs, and malicious file paths. The campaign highlights risks associated with living-off-the-land binaries (LOLBins) and the abuse of trusted applications for data exfiltration.
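The following PowerShell hunting script is an added example, not code from Cisco Talos or the article. It checks a Windows host for the artifacts the report names: the SystemWindowsApis scheduled task, any scheduled task or recent process-creation event that launches regasm.exe, and whether Phone Link processes (PhoneExperienceHost, YourPhone) are running, which indicates a synced SMS/OTP store exists on that host. The event-log step assumes process-creation auditing (Security event 4688) is enabled and that the script runs elevated; every task, process and binary name used comes from the article.

```powershell
# Added hunting script (not from Cisco Talos or the article). Run elevated.
# Collects findings for the host artifacts the CloudZ report describes.
$findings = @()

# 1. The report names a scheduled task 'SystemWindowsApis' running as SYSTEM.
$task = Get-ScheduledTask -TaskName 'SystemWindowsApis' -ErrorAction SilentlyContinue
if ($task) {
    $findings += [pscustomobject]@{
        Check  = 'ScheduledTask'
        Detail = "Task '$($task.TaskPath)$($task.TaskName)' present (RunAs: $($task.Principal.UserId))"
    }
}

# 2. Any scheduled task whose action launches regasm.exe. regasm is legitimate
#    during .NET component registration at install time; a recurring task that
#    runs it, especially as SYSTEM, is worth a manual look.
foreach ($t in (Get-ScheduledTask -ErrorAction SilentlyContinue)) {
    foreach ($a in $t.Actions) {
        if ($a.Execute -and $a.Execute -match 'regasm(\.exe)?$') {
            $findings += [pscustomobject]@{
                Check  = 'RegasmTask'
                Detail = "Task '$($t.TaskPath)$($t.TaskName)' runs $($a.Execute) $($a.Arguments) as $($t.Principal.UserId)"
            }
        }
    }
}

# 3. Recent regasm.exe launches from the Security log (event 4688, NewProcessName
#    is property index 5). Requires process-creation auditing; skipped if unavailable.
try {
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddDays(-7)
    } -MaxEvents 5000 -ErrorAction Stop
    foreach ($e in $events) {
        $newProc = $e.Properties[5].Value
        if ($newProc -match 'regasm\.exe$') {
            $findings += [pscustomobject]@{
                Check  = 'RegasmLaunch'
                Detail = "$($e.TimeCreated) $newProc (record $($e.RecordId))"
            }
        }
    }
} catch {
    Write-Verbose "Security log not readable or no 4688 events: $($_.Exception.Message)"
}

# 4. Exposure check: Phone Link running means synced messages exist on this PC.
$phoneLink = Get-Process -Name 'PhoneExperienceHost', 'YourPhone' -ErrorAction SilentlyContinue
if ($phoneLink) {
    $findings += [pscustomobject]@{
        Check  = 'PhoneLinkActive'
        Detail = "Phone Link process(es) running: $(($phoneLink.Name | Sort-Object -Unique) -join ', ')"
    }
}

if ($findings.Count -eq 0) {
    'No CloudZ-related artifacts found on this host.'
} else {
    $findings | Format-Table -AutoSize
}
```

A PhoneLinkActive finding on its own is not an indicator of compromise; it only tells the responder which hosts hold a local copy of the phone's messages and therefore deserve priority when the task or regasm checks fire. Network-side coverage (the Talos Snort rules and the published C2 address) complements this host view.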
Source: https://cybersecuritynews.com/cloudz-rat-abuses-microsoft-phone-link/
Microsoft Security Response Center cybersecurity rating report: https://www.rankiteo.com/company/microsoft-security-response-center
"id": "MIC1778099110",
"linkid": "microsoft-security-response-center",
"type": "Cyber Attack",
"date": "1/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'type': 'Individual users, Organizations'}],
 'attack_vector': 'Fake ScreenConnect update, .NET loader, Microsoft Phone Link exploitation',
 'data_breach': {'data_exfiltration': 'Yes',
                 'file_types_exposed': 'SQLite database files (PhoneExperiences-*.db)',
                 'personally_identifiable_information': 'Yes',
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': ['SMS messages',
                                              'One-time passwords (OTPs)',
                                              'Personally identifiable information (PII)']},
 'date_detected': '2026-01-01',
 'description': 'Security researchers at Cisco Talos have uncovered a sophisticated cyberespionage campaign leveraging CloudZ, a remote access trojan (RAT), and its custom Pheno plugin to intercept SMS messages and one-time passwords (OTPs) without direct access to victims’ phones. The attack exploits Microsoft Phone Link, a legitimate Windows application that mirrors phone notifications, messages, and call logs to a paired PC. The campaign targets users by hijacking the connection between a Windows machine and a linked smartphone to access sensitive data stored in its local SQLite database, including OTPs sent by banks and email providers, allowing threat actors to bypass two-factor authentication (2FA).',
 'impact': {'data_compromised': 'SMS messages, One-time passwords (OTPs), Personally identifiable information (PII)',
            'identity_theft_risk': 'High',
            'operational_impact': 'Potential unauthorized access to sensitive accounts, bypass of 2FA',
            'payment_information_risk': 'High',
            'systems_affected': 'Windows machines with Microsoft Phone Link paired to smartphones'},
 'initial_access_broker': {'backdoors_established': 'CloudZ RAT, Pheno plugin',
                           'entry_point': 'Fake ScreenConnect update'},
 'investigation_status': 'Ongoing',
 'lessons_learned': 'Risks associated with living-off-the-land binaries (LOLBins), abuse of trusted applications for data exfiltration, importance of monitoring legitimate application behavior for anomalies.',
 'motivation': 'Cyberespionage, Bypass 2FA, Data Theft',
 'post_incident_analysis': {'corrective_actions': 'Enhanced detection for CloudZ RAT and Pheno plugin, removal of malicious scheduled tasks, network monitoring for C2 communication, user education on fake updates',
                            'root_causes': 'Exploitation of Microsoft Phone Link synchronization feature, abuse of LOLBins (regasm.exe), lack of monitoring for legitimate application misuse'},
 'recommendations': 'Monitor for unusual activity in Microsoft Phone Link processes, deploy ClamAV signatures and Snort rules provided by Cisco Talos, review scheduled tasks for suspicious entries, and educate users on the risks of fake software updates.',
 'references': [{'source': 'Cisco Talos'}],
 'response': {'containment_measures': 'ClamAV signatures, Snort rules, Indicators of Compromise (IoCs) released',
              'enhanced_monitoring': 'Network-based detection using Snort rules, endpoint monitoring for IoCs',
              'remediation_measures': 'Detection of CloudZ RAT and Pheno plugin, removal of scheduled tasks and malicious payloads',
              'third_party_assistance': 'Cisco Talos'},
 'title': 'New CloudZ RAT Exploits Microsoft Phone Link to Steal OTPs and SMS Messages',
 'type': 'Cyberespionage, Malware Attack',
 'vulnerability_exploited': 'Abuse of Microsoft Phone Link synchronization feature, living-off-the-land binaries (LOLBins)'}