A recently discovered malware campaign is leveraging Microsoft’s Phone Link feature to steal SMS-based one-time passwords (OTPs) and other sensitive mobile data directly from Windows PCs.
Discovered by Cisco Talos in January 2026, the campaign uses a remote access trojan (RAT) called CloudZ alongside a custom plugin named Pheno. This combination allows hackers to collect login details and potentially intercept authentication codes synced from a user’s phone, according to researchers Alex Karkins and Chetan Raghuprasad in a blog post.
The goal, as outlined by the researchers, was to steal victim credentials and gain access to OTPs. Notably, the attack doesn’t compromise the mobile device. Instead, it exploits the connection between phones and Windows PCs by watching data mirrored via the Phone Link app.
By misusing Microsoft’s Phone Link, the Pheno plugin can hijack the existing bridge between a PC and phone. This enables it to constantly look for active Phone Link processes and possibly intercept private mobile information like text messages and OTPs, all without needing to install malware on the mobile device itself.
This method avoids having to hack into the mobile device, a technique the researchers highlighted as particularly concerning for corporate security teams. It joins a growing set of attacker methods designed to bypass SMS or app-based multi-factor authentication (MFA) by pulling codes from already compromised Windows machines where phone data is synced.
Microsoft has not yet commented on the findings.
Phone Link data becomes an attack surface
Microsoft Phone Link, formerly called Your Phone, is a built-in Windows tool that links a PC to a smartphone, showing messages, calls, and notifications on the desktop.
The Pheno plugin is built to find the Phone Link data saved locally on a Windows computer. As stated in a security advisory, attackers using CloudZ can potentially access the app’s SQLite database file on an infected machine, which may expose OTP messages and other authenticator app notifications.
Because this information is stored on the PC, the risk shifts from mobile devices to company-managed Windows systems, potentially getting around security measures aimed at protecting phones.
Multi-stage infection chain
The initial entry point has not been identified. The chain then continues with execution of a malicious file posing as a ScreenConnect update.
The first payload is a Rust-compiled loader with names like “systemupdates.exe.” It drops a .NET loader disguised as a text file into a system folder. Attackers establish persistence by registering a scheduled task called “SystemWindowsApis” that runs with elevated privileges and launches the loader through the legitimate regasm.exe tool.
Before unpacking CloudZ, the .NET loader runs checks to avoid analysis. It looks for security software and sandbox settings before running the malware in memory. The loader measures how long a sleep command takes to detect if it’s in a testing environment and checks for programs like Wireshark, Fiddler, Procmon, and Sysmon. If any are found, the .NET loader stops running.
Once those checks pass, the CloudZ payload is decrypted in memory and launched.
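As an added illustration (not code from Talos or from the article), the Python check below flags the persistence and loader artifacts named above, the scheduled task “SystemWindowsApis”, regasm.exe scheduled at the highest run level, and the “systemupdates.exe” loader name, across constructed, simplified event records. The record field names, sample file paths and the text-file payload path are assumptions, not values from the report.

```python
"""Constructed detection example for the CloudZ persistence pattern.
Event records are simplified dictionaries, not real Windows event log
output; field names and paths are assumptions for illustration."""
import re

SUSPICIOUS_TASK_NAMES = {"systemwindowsapis"}      # task name from the report
LOADER_NAMES = {"systemupdates.exe"}               # loader name from the report
# regasm.exe is a legitimate .NET tool; it is only interesting here when it
# is scheduled with the highest run level alongside an unexpected task name.
REGASM_RE = re.compile(r"(^|[\\/])regasm\.exe\b", re.IGNORECASE)


def classify(event):
    """Return a list of findings for one event (empty if nothing matches)."""
    findings = []
    kind = event.get("kind")
    if kind == "task_created":
        name = event.get("task_name", "").lower()
        command = event.get("command", "")
        if name in SUSPICIOUS_TASK_NAMES:
            findings.append("scheduled task name matches CloudZ persistence")
        if REGASM_RE.search(command) and event.get("run_level") == "highest":
            findings.append("regasm.exe scheduled with highest privileges")
    elif kind == "process_start":
        image = event.get("image", "").replace("/", "\\").rsplit("\\", 1)[-1]
        if image.lower() in LOADER_NAMES:
            findings.append("loader filename seen in campaign")
    return findings


def scan(events):
    """Return (event index, finding) pairs for every matching event."""
    return [(i, f) for i, e in enumerate(events) for f in classify(e)]


SAMPLE_EVENTS = [  # constructed records; paths are placeholders
    {"kind": "task_created", "task_name": "SystemWindowsApis",
     "command": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe C:\PLACEHOLDER\loader.txt",
     "run_level": "highest"},
    {"kind": "task_created", "task_name": "OneDrive Standalone Update Task",
     "command": r"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe",
     "run_level": "limited"},
    {"kind": "process_start", "image": r"C:\Users\user\Downloads\systemupdates.exe"},
    {"kind": "process_start", "image": r"C:\Windows\System32\svchost.exe"},
]

if __name__ == "__main__":
    for index, finding in scan(SAMPLE_EVENTS):
        print(f"event {index}: {finding}")
```

Running it prints three findings: two for the first task record and one for the loader process start; the benign OneDrive task and svchost.exe records produce none.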
RAT enables credential theft and plugin delivery
CloudZ sets up an encrypted link to a command-and-control (C2) server. It carries out various tasks, such as stealing credentials, handling files, and running remote commands, as detailed by Talos.
The malware also pulls extra setup data from servers controlled by the attackers. It retrieves C2 server IP addresses and port numbers, linking to them through TCP sockets. To avoid detection, it switches user-agent strings to mimic regular web browsing activity.
Pheno plugin monitors active device sync
The Pheno plugin’s job is to spot active Phone Link sessions and enable data interception.
It scans running processes for terms like ‘YourPhone,’ ‘PhoneExperienceHost,’ or ‘Link to Windows,’ noting its findings locally. Next, the plugin checks for signs of a proxy connection that Phone Link uses to pass data between devices.
The presence of ‘proxy’ signals that the Phone Link session is actively passing data. When this happens, the plugin marks the system as connected. This ultimately allows the attacker to potentially watch for SMS alerts or OTP requests that pop up in the Phone Link app.
Talos has shared detection rules and indicators of compromise (IoCs), including malware hashes, command-and-control infrastructure details, and Snort rules tied to this activity.
Cisco Talos has not linked these actions to any known hacking group.