CloudZ RAT Exploits Microsoft Phone Link to Steal OTPs and SMS Messages
Severity: High (Score: 72.5)
Sources: Csoonline, Blog.Talosintelligence, Bleepingcomputer
Summary
The CloudZ remote access tool (RAT) has been observed using a new plugin, Pheno, to hijack Microsoft Phone Link connections and steal SMS messages and one-time passwords (OTPs). The campaign has been active since at least January 2026 and targets users of Windows 10 and 11. Attackers deliver a fake ScreenConnect update that drops a Rust-based loader, which in turn installs the CloudZ RAT and its Pheno plugin. Pheno watches for an active Phone Link session and reads the local SQLite database in which Phone Link keeps the messages synced from the paired phone, so the attacker obtains SMS content and OTPs from the Windows host without ever compromising the mobile device; no vulnerability in Phone Link is described, the plugin simply reads data the application has already synced to the machine. Cisco Talos researchers have not yet identified the initial access vector but have published indicators of compromise (IOCs) to assist defenders. Because the theft happens on the Windows side after the phone has synced the messages, mobile-side controls do not help; users are advised to move away from SMS-based OTPs and, where possible, to use hardware security keys instead. The threat remains significant because it reaches sensitive authentication data through a widely used, legitimately installed application.

Key Points:
• CloudZ RAT uses the Pheno plugin to intercept SMS messages and OTPs via Microsoft Phone Link.
• Attackers deploy a fake ScreenConnect update to install the malicious software.
• Cisco Talos has published IOCs to help organizations defend against this threat.
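The summary says Pheno reads Phone Link's local SQLite store rather than touching the phone, so the host-side control a defender can actually build is "which processes open that database?". The script below is an added example written for this page; it is not Talos, Microsoft or CloudZ/Pheno code. It assumes (none of this is stated on the page) that Phone Link runs as PhoneExperienceHost.exe, that its database sits under the Microsoft.YourPhone package folder in the user's local AppData, and that Windows object-access auditing (a SACL on the file plus the "File System" audit subcategory) is producing Security event 4663 records; the sample records are constructed, not real telemetry.

```python
"""Flag processes other than Phone Link that read Phone Link's local message database.

Added detection example for this summary; it is not Talos, Microsoft or CloudZ/Pheno
code. Assumptions (not stated on the page): Phone Link runs as PhoneExperienceHost.exe,
its SQLite store lives under the Microsoft.YourPhone package folder in LOCALAPPDATA, and
file-access auditing is producing Security event 4663 records. Only the four 4663 fields
needed here (time, Process Name, Object Name, Access Mask) are modelled.
"""
import re
from dataclasses import dataclass
from typing import List

# Phone Link's package directory and database file name are assumptions; the regex is
# deliberately loose about the per-account "Indexed\<id>" segment between them.
PHONE_LINK_DB_RE = re.compile(
    r"\\Packages\\Microsoft\.YourPhone_[^\\]+\\.*\\phone\.db$", re.IGNORECASE
)
# The only process expected to open that database (assumed Phone Link process name).
EXPECTED_READERS = {"phoneexperiencehost.exe"}
# 4663 AccessMask bit meaning the file's data was read (ReadData / ListDirectory).
READ_DATA = 0x1


@dataclass
class FileAccess:
    when: str
    process: str   # full path from the 4663 "Process Name" field
    obj: str       # full path from the 4663 "Object Name" field
    mask: int      # 4663 "Access Mask" as an integer


def parse_4663_lines(text: str) -> List[FileAccess]:
    """Parse 'time|ProcessName|ObjectName|AccessMask' lines into FileAccess records."""
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        when, proc, obj, mask = line.split("|", 3)
        out.append(FileAccess(when, proc, obj, int(mask, 16)))
    return out


def suspicious_db_readers(records: List[FileAccess]) -> List[FileAccess]:
    """Return reads of the Phone Link DB by any process that is not Phone Link itself."""
    hits = []
    for r in records:
        if not PHONE_LINK_DB_RE.search(r.obj):
            continue              # some other file, not the Phone Link store
        if not r.mask & READ_DATA:
            continue              # handle opened without data access (e.g. attributes only)
        exe = r.process.rsplit("\\", 1)[-1].lower()
        if exe not in EXPECTED_READERS:
            hits.append(r)
    return hits


# Constructed sample records (not real telemetry): Phone Link's own read, a read by an
# "update" binary dropped in the user profile, and an unrelated file access.
SAMPLE_4663 = (
    "2026-02-03T09:12:01Z|C:\\Program Files\\WindowsApps\\Microsoft.YourPhone_1.24.1_x64__8wekyb3d8bbwe\\PhoneExperienceHost.exe"
    "|C:\\Users\\alice\\AppData\\Local\\Packages\\Microsoft.YourPhone_8wekyb3d8bbwe\\LocalCache\\Indexed\\0123abcd\\System\\Database\\phone.db|0x1\n"
    "2026-02-03T09:12:05Z|C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe"
    "|C:\\Users\\alice\\AppData\\Local\\Packages\\Microsoft.YourPhone_8wekyb3d8bbwe\\LocalCache\\Indexed\\0123abcd\\System\\Database\\phone.db|0x1\n"
    "2026-02-03T09:12:07Z|C:\\Windows\\System32\\svchost.exe|C:\\Windows\\Temp\\x.log|0x2\n"
)

if __name__ == "__main__":
    for hit in suspicious_db_readers(parse_4663_lines(SAMPLE_4663)):
        print(f"{hit.when} {hit.process} read {hit.obj}")
```

Two practical caveats. Nothing is logged unless auditing is switched on (`auditpol /set /subcategory:"File System" /success:enable` plus a SACL on the database file, or equivalent file-read telemetry from an EDR), so enable it before relying on the check. And any legitimate third-party reader, such as a backup agent or an AV scanner, will trip the rule, so treat EXPECTED_READERS as an allowlist to tune per fleet rather than a fixed constant.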
Key Entities
- Malware (attack_type)
- microsoft.net (domain)
- CloudZ (malware)
- CloudZ RAT (malware)
- T1003 - OS Credential Dumping (mitre_attack)
- T1041 - Exfiltration Over C2 Channel (mitre_attack)
- T1053 - Scheduled Task/Job (mitre_attack)
- T1059.001 - PowerShell (mitre_attack)
- T1071 - Application Layer Protocol (mitre_attack)
- Android (platform)
- iOS (platform)
- iPhone (platform)
- Microsoft Phone Link (platform)
- Windows (platform)
- bitsadmin (tool)
- curl (tool)
- Fiddler (tool)
- PowerShell (tool)
- Procmon (tool)