“With a confirmed Phone Link activity on the victim's machine, the attacker using the CloudZ RAT can potentially intercept the Phone Link application’s SQLite database file on the victim's machine, potentially compromising SMS-based OTP messages and other authenticator application notification messages,” explain Cisco Talos researchers.
How the Pheno plugin abuses Microsoft Phone Link
Cisco Talos reported that a newly observed plugin, Pheno, for the CloudZ remote access tool (RAT) specifically targets the Microsoft Phone Link feature on Windows. Phone Link, which comes installed on Windows 10 and 11, allows a computer to make and take calls, respond to texts, and view notifications from a connected mobile device. Pheno monitors for active Phone Link sessions and accesses the application’s local SQLite database, which may contain SMS messages and one-time passwords (OTPs). By reading that local database on the infected PC, the attacker can intercept sensitive messages delivered to the mobile phone without directly compromising the mobile device.
Technical chain: from fake update to persistence
Cisco Talos traced the intrusion back to an infection sequence that begins when a victim executes a fake ScreenConnect update. That dropper installs a Rust-based loader, which then deploys a .NET loader to install the CloudZ RAT. The .NET loader establishes persistence by creating a scheduled task. Researchers say the loader contains several anti-analysis features, including time-based sandbox evasion and checks for analysis tools and environments — specifically looking for Wireshark, Fiddler, Procmon, Sysmon, and strings associated with virtual machines and sandboxes.
CloudZ capabilities and evasive tradecraft
Beyond the new Pheno plugin’s Phone Link theft, CloudZ has a broad set of capabilities on infected hosts. Cisco’s report lists abilities to:
- Target data stored in web browsers and profile host systems.
- Execute file management operations: delete, download, and write files.
- Run shell commands and start screen recording.
- Manage plugins (load, remove, save to disk) and terminate the RAT process.
For command-and-control (C2) communications, CloudZ alternates between three hardcoded user‑agent strings to make HTTP traffic resemble legitimate browser requests, and it includes anti‑caching headers in requests to prevent proxies or CDNs from caching C2 or staging server details.
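The two traffic traits described above (a single client rotating through a small fixed set of user agents toward one destination, with every request marked non-cacheable) can be turned into a triage query over proxy logs. The following Python is an added illustration written for this article, not code from Cisco Talos or from the CloudZ analysis; the CSV layout and the log rows are constructed here, and the three user-agent strings are placeholders rather than the ones the RAT actually uses.

```python
import csv
import io
from collections import defaultdict

# Constructed sample proxy log (not real telemetry). Columns: timestamp, client,
# destination, User-Agent header, request cache-control directives.
SAMPLE_PROXY_LOG = """\
ts,client,dest,user_agent,cache_headers
2024-01-01T10:00:01Z,ws-42,203.0.113.10,Mozilla/5.0 (Windows NT 10.0) Chrome/120,no-cache;no-store
2024-01-01T10:00:31Z,ws-42,203.0.113.10,Mozilla/5.0 (Windows NT 10.0) Firefox/121,no-cache;no-store
2024-01-01T10:01:02Z,ws-42,203.0.113.10,Mozilla/5.0 (Windows NT 10.0) Edge/120,no-cache;no-store
2024-01-01T10:01:33Z,ws-42,203.0.113.10,Mozilla/5.0 (Windows NT 10.0) Chrome/120,no-cache;no-store
2024-01-01T10:02:00Z,ws-17,example-cdn.test,Mozilla/5.0 (Windows NT 10.0) Chrome/120,
2024-01-01T10:02:05Z,ws-17,example-cdn.test,Mozilla/5.0 (Windows NT 10.0) Chrome/120,max-age=0
2024-01-01T10:03:00Z,ws-08,sso.example.test,Mozilla/5.0 (Windows NT 10.0) Edge/120,no-cache
2024-01-01T10:03:10Z,ws-08,sso.example.test,Mozilla/5.0 (Windows NT 10.0) Edge/120,no-cache
"""

NO_CACHE_DIRECTIVES = ("no-cache", "no-store")


def find_ua_rotation(log_text, min_agents=3, min_nocache_ratio=1.0):
    """Return (client, destination) pairs where one client presented at least
    `min_agents` distinct User-Agent strings to the same destination and at
    least `min_nocache_ratio` of those requests carried anti-caching directives.

    Both traits are common in isolation; it is the combination on a single
    client/destination pair that is worth a closer look.
    """
    by_pair = defaultdict(lambda: {"agents": set(), "total": 0, "nocache": 0})
    for row in csv.DictReader(io.StringIO(log_text)):
        stats = by_pair[(row["client"], row["dest"])]
        stats["agents"].add(row["user_agent"])
        stats["total"] += 1
        if any(d in row["cache_headers"] for d in NO_CACHE_DIRECTIVES):
            stats["nocache"] += 1

    findings = []
    for (client, dest), s in by_pair.items():
        ratio = s["nocache"] / s["total"]
        if len(s["agents"]) >= min_agents and ratio >= min_nocache_ratio:
            findings.append({
                "client": client,
                "dest": dest,
                "agents": sorted(s["agents"]),
                "requests": s["total"],
                "nocache_ratio": ratio,
            })
    return findings


if __name__ == "__main__":
    for hit in find_ua_rotation(SAMPLE_PROXY_LOG):
        print(f"{hit['client']} -> {hit['dest']}: {len(hit['agents'])} user agents, "
              f"{hit['requests']} requests, {hit['nocache_ratio']:.0%} non-cacheable")
```

On the constructed log only ws-42 is reported: it cycled three user agents against 203.0.113.10 and every request was marked no-cache, while ws-17 and ws-08 each used a single browser string. A workstation with several browsers installed can legitimately trip the user-agent count, so treat the output as a shortlist to cross-check against the published CloudZ IoCs rather than as a verdict.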
Defensive steps and indicators defenders can use
Cisco Talos published indicators of compromise (IoCs) that include URLs, hashes for malicious components, domains, and IP addresses that defenders can use to detect and block this activity. The researchers also outlined mitigations aimed at reducing the impact of this interception technique:
- Avoid SMS-based OTP services when possible; SMS OTPs are explicitly identified as vulnerable if Phone Link session data is accessible on the PC.
- Use authenticator apps that do not rely on push notifications that could be intercepted via the Phone Link database.
- For higher‑sensitivity use cases, deploy phishing‑resistant solutions such as hardware security keys.
What this means for end users, security teams, and enterprises
End users should treat SMS-based temporary passcodes as potentially exposed when Phone Link is active on a Windows 10/11 machine and consider switching to non‑push authenticator apps or hardware keys for sensitive accounts.
Security teams and technologists should monitor for indicators described by Cisco Talos — including the fake ScreenConnect update vector, the Rust and .NET loader stages, the scheduled task persistence, and unusual access to Phone Link’s SQLite database — and apply IoCs published by Cisco to their detection and blocking tools.
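Two of the host-side indicators listed above, the scheduled task created for persistence and a process other than Phone Link opening Phone Link's SQLite store, lend themselves to a simple rule pass over endpoint telemetry. The Python below is an added example for this article, not Cisco Talos' detection content. It assumes a generic JSON-lines event feed (field names are invented here), that Phone Link's per-user data lives under the `Microsoft.YourPhone_8wekyb3d8bbwe` package folder and is normally opened by `PhoneExperienceHost.exe`, and that the database subpath shown in the sample events is illustrative; the events themselves are constructed.

```python
import json
import ntpath

# Assumptions (not stated in the article): Phone Link's local store sits under
# this package folder and is expected to be opened only by its host process.
PHONE_LINK_PACKAGE = "microsoft.yourphone_8wekyb3d8bbwe"
PHONE_LINK_PROCESSES = {"phoneexperiencehost.exe"}
# Scheduled-task actions launched from these roots are treated as expected.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Constructed JSON-lines telemetry: two task creations and three file reads.
SAMPLE_EVENTS = r"""
{"ts":"2024-01-01T10:00:00Z","host":"ws-42","event":"scheduled_task_created","task_name":"\\UpdateCheck","action":"C:\\Users\\alice\\AppData\\Roaming\\svc\\host.exe","creator_image":"C:\\Users\\alice\\AppData\\Local\\Temp\\ScreenConnectUpdate.exe"}
{"ts":"2024-01-01T10:00:05Z","host":"ws-42","event":"scheduled_task_created","task_name":"\\Microsoft\\Windows\\Defrag\\ScheduledDefrag","action":"C:\\Windows\\System32\\defrag.exe","creator_image":"C:\\Windows\\System32\\svchost.exe"}
{"ts":"2024-01-01T10:05:00Z","host":"ws-42","event":"file_read","image":"C:\\Program Files\\WindowsApps\\Microsoft.YourPhone_8wekyb3d8bbwe\\PhoneExperienceHost.exe","target":"C:\\Users\\alice\\AppData\\Local\\Packages\\Microsoft.YourPhone_8wekyb3d8bbwe\\LocalCache\\Indexed\\db\\messages.db"}
{"ts":"2024-01-01T10:05:30Z","host":"ws-42","event":"file_read","image":"C:\\Users\\alice\\AppData\\Roaming\\svc\\host.exe","target":"C:\\Users\\alice\\AppData\\Local\\Packages\\Microsoft.YourPhone_8wekyb3d8bbwe\\LocalCache\\Indexed\\db\\messages.db"}
{"ts":"2024-01-01T10:06:00Z","host":"ws-42","event":"file_read","image":"C:\\Users\\alice\\AppData\\Roaming\\svc\\host.exe","target":"C:\\Users\\alice\\Documents\\notes.txt"}
"""


def _basename(path):
    return ntpath.basename(path).lower()


def _under_trusted_root(path):
    p = path.lower()
    return any(p.startswith(root) for root in TRUSTED_ROOTS)


def analyze_events(jsonl):
    """Apply two rules to a JSON-lines feed and return the findings in order."""
    findings = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev["event"] == "scheduled_task_created":
            # Rule 1: a new task whose action lives outside OS/program directories.
            if not _under_trusted_root(ev["action"]):
                findings.append({
                    "rule": "untrusted_scheduled_task", "host": ev["host"],
                    "task": ev["task_name"], "action": ev["action"],
                    "creator": ev["creator_image"],
                })
        elif ev["event"] == "file_read":
            # Rule 2: a Phone Link database opened by something other than Phone Link.
            target = ev["target"].lower()
            if (PHONE_LINK_PACKAGE in target and target.endswith(".db")
                    and _basename(ev["image"]) not in PHONE_LINK_PROCESSES):
                findings.append({
                    "rule": "phone_link_db_access", "host": ev["host"],
                    "image": ev["image"], "target": ev["target"],
                })
    return findings


def correlate(findings):
    """Raise severity when the binary a suspicious task launches is the same
    binary that later read the Phone Link database on the same host."""
    task_actions = {(f["host"], f["action"].lower())
                    for f in findings if f["rule"] == "untrusted_scheduled_task"}
    return [f for f in findings
            if f["rule"] == "phone_link_db_access"
            and (f["host"], f["image"].lower()) in task_actions]


if __name__ == "__main__":
    hits = analyze_events(SAMPLE_EVENTS)
    for h in hits:
        print(h["rule"], h["host"], h.get("action") or h.get("target"))
    for h in correlate(hits):
        print("HIGH: task-installed binary read Phone Link data on", h["host"])
```

On the sample feed the defrag task and the read by `PhoneExperienceHost.exe` pass, while the task pointing into a user profile and the read of `messages.db` by `host.exe` are reported; because that reader is the very binary the task installed, `correlate` promotes it. Rule 2 depends on file-read auditing being enabled for the Phone Link package folder (object-access auditing or an EDR file-event source), which most default configurations do not log, so confirm the data source exists before relying on the rule.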
Enterprises and procurement leaders should evaluate reliance on SMS OTP and push notification-based authenticators for high‑value systems and consider enforcing phishing‑resistant authentication methods where possible.
CloudZ’s new Pheno plugin underlines a growing operational reality: attackers can exploit trusted desktop-to-phone integration features to siphon authentication material without touching the mobile device. Cisco Talos’ published IoCs and the concrete mitigations they recommend give defenders an immediate set of actions; the longer-term defensive question is whether organizations will accelerate moves away from SMS and push-based second factors for sensitive operations.