Since at least January 2026, Cisco Talos researchers have observed a Windows malware toolkit that steals SMS messages and one‑time passwords (OTPs) from PCs by abusing Microsoft’s Phone Link application — capturing mobile authentication data without ever touching the paired smartphone.
What the tools are: CloudZ and the Pheno plugin
Cisco Talos’ analysis identifies a remote access tool (RAT) called CloudZ working in concert with a previously undocumented plugin named Pheno. CloudZ is a .NET executable, obfuscated with ConfuserEx and compiled in mid‑January 2026. The RAT supports a range of operator commands — including credential exfiltration, plugin loading and screen recording — and is designed to retrieve secondary configuration from attacker‑controlled staging servers and Pastebin pages.
How Phone Link is being used as a data bridge
Microsoft Phone Link (formerly Your Phone) mirrors smartphone notifications, SMS messages and call logs onto Windows 10 and 11 desktops over Wi‑Fi and Bluetooth. Those synchronized items are written locally to SQLite database files on the PC, including files matching PhoneExperiences-*.db. Cisco Talos says this local storage design allowed attackers to capture mobile content from the endpoint without ever compromising the phone itself. Pheno continuously scans running processes for Phone Link‑related keywords such as YourPhone, PhoneExperienceHost and Link to Windows; when it finds a match it logs process details to staging folders and searches the output for the string "proxy", which indicates the local relay used by an active Phone Link session. If a live session is confirmed, Pheno tags the system as "Maybe connected" to flag it for follow‑on data collection by the operator.
The infection chain and anti‑analysis behaviour
The observed campaign began with the execution of a fake ScreenConnect update; Talos notes the initial access vector remains unknown. A Rust‑compiled loader using filenames such as systemupdates.exe dropped a .NET loader disguised as a text file, which then deployed CloudZ via the legitimate regasm.exe binary. regasm.exe was scheduled to run at system startup under the SYSTEM account. CloudZ contains multiple anti‑analysis layers: timing‑based sleep checks, enumeration for security tooling such as Wireshark, Procmon and Sysmon, and searches for virtual machine indicators in the system path and hostname. The RAT also rotates through three hardcoded user‑agent strings to blend HTTP traffic with normal browser activity.
What this shift means for authentication risk
By moving the point of compromise from mobile devices to enterprise‑managed Windows endpoints, the technique changes where defenders must look for abuse of SMS‑based multi‑factor authentication. Cisco Talos frames this as a shift in the “risk surface” for SMS‑based MFA, with the Windows endpoint becoming the avenue for intercepting authentication codes that were traditionally thought to be protected on the user’s phone. That shift undermines controls that focus solely on mobile device security when Phone Link or similar desktop‑to‑phone synchronization mechanisms are in use.
What this means for technologists, procurement leaders, and end users
- Technologists and security teams: Cisco Talos has published indicators of compromise and ClamAV signatures to assist detection and blocking; defenders will need to inspect Windows endpoints and local Phone Link artifacts such as PhoneExperiences-*.db for signs of exfiltration.
- Enterprises and procurement leaders: the campaign highlights that provisioning and configuration of desktop synchronization services such as Phone Link — and how those services store SMS and notification data locally — are material elements of MFA risk assessments.
- End users and general IT consumers: because the attack captures messages mirrored to the PC rather than the phone itself, reliance on SMS OTPs can be undermined if an attacker achieves a foothold on a synchronized Windows machine.
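As an added example (not code from the article or from Cisco Talos), the following Python triage routine applies the observables described above to constructed Sysmon-style events: regasm.exe running as SYSTEM, the systemupdates.exe loader filename, and a process other than Phone Link reading a PhoneExperiences-*.db file. The event field names, file paths and user names are assumptions made for the sample.

```python
import fnmatch
import ntpath

# Phone Link components named in the article; only these are expected to touch its store.
PHONE_LINK_IMAGES = {"phoneexperiencehost.exe", "yourphone.exe"}
# Loader filename the article reports for the campaign's first stage.
LOADER_NAMES = {"systemupdates.exe"}

# Constructed sample telemetry in a Sysmon-like shape; paths, users and package names are made up.
SAMPLE_EVENTS = [
    {"type": "process_create", "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe",
     "user": r"NT AUTHORITY\SYSTEM", "cmdline": r"regasm.exe C:\ProgramData\update.txt"},
    {"type": "process_create", "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe",
     "user": r"CORP\devuser", "cmdline": r"regasm.exe C:\Build\MyComLib.dll"},
    {"type": "process_create", "image": r"C:\Users\alice\Downloads\systemupdates.exe",
     "user": r"CORP\alice", "cmdline": "systemupdates.exe"},
    {"type": "file_access", "image": r"C:\Users\Public\unknown_dotnet.exe", "user": r"CORP\alice",
     "target": r"C:\Users\alice\AppData\Local\Packages\<PhoneLinkPackage>\PhoneExperiences-1.db"},
    {"type": "file_access", "image": r"C:\Program Files\WindowsApps\<PhoneLinkPackage>\PhoneExperienceHost.exe",
     "user": r"CORP\alice",
     "target": r"C:\Users\alice\AppData\Local\Packages\<PhoneLinkPackage>\PhoneExperiences-1.db"},
]

def _image_name(path):
    return ntpath.basename(path).lower()

def triage_event(ev):
    """Return finding strings for one event; an empty list means nothing matched."""
    findings = []
    image = _image_name(ev.get("image", ""))
    if ev.get("type") == "process_create":
        # regasm.exe is a signed .NET tool; the campaign scheduled it to start CloudZ as SYSTEM.
        if image == "regasm.exe" and ev.get("user", "").upper().endswith("\\SYSTEM"):
            findings.append("regasm.exe running as SYSTEM: " + ev.get("cmdline", ""))
        if image in LOADER_NAMES:
            findings.append("loader filename seen in the campaign: " + ev["image"])
    elif ev.get("type") == "file_access":
        target = _image_name(ev.get("target", ""))
        # Anything other than Phone Link itself reading the mirrored-SMS store is worth a look.
        if fnmatch.fnmatch(target, "phoneexperiences-*.db") and image not in PHONE_LINK_IMAGES:
            findings.append(f"{image} read Phone Link store {target}")
    return findings

def triage(events):
    return [f for ev in events for f in triage_event(ev)]

if __name__ == "__main__":
    print(*triage(SAMPLE_EVENTS), sep="\n")
```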
The CloudZ/Pheno pairing is notable not for a new zero‑day in a phone OS but for exploiting a convenience feature on the desktop that stores phone data locally. Cisco Talos’ publication of indicators and ClamAV signatures gives defenders concrete artifacts to hunt for; the broader takeaway is that defenders must treat endpoint synchronization services as part of the authentication threat model. Read the Infosecurity Magazine report on the Cisco Talos findings and indicators at https://www.infosecurity-magazine.com/news/cloudz-rat-pheno-phone-link-otp/.