CloudZ RAT Exploits Windows Phone Link for Credential Theft

"According to the functionalities of the CloudZ RAT and Pheno plugin, this was with the intention of stealing victims' credentials and potentially one-time passwords (OTPs)," Cisco Talos researchers Alex Karkins and Chetan Raghuprasad wrote in their analysis.

How the Microsoft Phone Link bridge was repurposed

Cisco Talos says the intrusion stands out because it leverages the Microsoft Phone Link application — a built-in feature on Windows 10 and Windows 11 that pairs a PC with an Android device or iPhone over Wi‑Fi and Bluetooth — to access synchronized phone data without ever putting malware on the mobile device. Phone Link, which lets users make and take calls, send messages, and dismiss notifications, keeps a local SQLite database of synced phone data. The attackers used a custom plugin, Pheno, to probe for active Phone Link processes and to access that database file, enabling the potential interception of SMS messages and one‑time passwords (OTPs).

CloudZ RAT and the Pheno plugin: modular spying

The intrusion employed a modular remote access tool (RAT) known as CloudZ together with an undocumented plugin called Pheno. Talos reports Pheno performs reconnaissance of the Phone Link application on the victim machine and writes the results to an output file in a staging directory. CloudZ then reads that staging folder and sends the Phone Link recon data to the command‑and‑control (C2) server. The combination allowed the operators to confirm Phone Link activity and harvest synchronized phone content without compromising the paired mobile device.

Attack chain: from a fake installer to an encrypted C2 channel

Talos describes an attack chain that begins with an as‑yet undetermined initial access technique to gain a foothold. The actors dropped a fake ConnectWise ScreenConnect executable that was responsible for downloading and running a .NET loader. That initial dropper also carried an embedded PowerShell script used to establish persistence by creating a scheduled task to run the malicious .NET loader.

The intermediate .NET loader conducted hardware and environment checks to evade detection and then deployed the modular CloudZ trojan. Once deployed, the .NET-compiled trojan decrypted an embedded configuration, established an encrypted socket connection to the C2 server, and awaited Base64‑encoded instructions. Those instructions could trigger credential exfiltration, plugin installation, and other data collection activities.

CloudZ capabilities and command set

Talos published a non‑exhaustive list of CloudZ commands observed in the intrusion. The trojan supports heartbeat and control messages such as pong and PING!, lifecycle commands like CLOSE, and system collection commands including INFO to gather metadata. It can execute shell commands (RunShell), exfiltrate browser data (BrowserSearch), and manage plugins (plugin, savePlugin, sendPlugin, RemovePlugins). Other commands support file operations (DW, FM), screen recording (rec), and dedicated Phone Link reconnaissance retrieval (GetWidgetLog). The savePlugin command writes plugin modules to a staging directory cited in the analysis as "C:\ProgramData\Microsoft\whealth\".

What this means for technologists, enterprises, and end users

  • Technologists and security teams: The intrusion demonstrates a pathway that bypasses mobile‑device compromise by exploiting a desktop‑side sync service. Security teams will need to consider local application database access and inter‑device sync features when assessing credential and OTP exposure.
  • Enterprises and procurement leaders: The use of a fake ConnectWise ScreenConnect executable to drop a loader highlights risk from malicious imposters of legitimate remote‑access tooling. Enterprise procurement and endpoint controls may need to focus on validating installers and monitoring scheduled task creation tied to unusual binaries.
  • End users: Because the exploit targets the Phone Link client on a Windows machine, users who pair phones with PCs should be aware that synchronized SMS and notification data stored on the desktop can be a target even if the phone itself remains uncompromised.

Talos reports this activity has been active since at least January 2026 and has not been attributed to any known threat actor or group. The malware's design — with layered loaders, environment checks, an encrypted C2 channel, and modular plugin support — suggests an operator focused on stealthy persistence and flexible data theft, particularly of credentials and OTPs tied to a user's phone sync data.

The intrusion underscores a simple but consequential point: legitimate cross‑device convenience features can create unexpected attack surfaces. In this case, the desktop client for a phone‑to‑PC bridge became the avenue for intercepting mobile content without touching the mobile device — a pattern defenders and users will now have to reckon with.

Original reporting: https://thehackernews.com/2026/05/windows-phone-link-exploited-by-cloudz.html