CloudZ RAT Exploits Microsoft Phone Link to Steal SMS OTPs

Severity: High (Score: 72.5)

Sources: Thecyberexpress, Blog.Talosintelligence, Newsbytesapp, Csoonline, Bleepingcomputer

Summary

A new malware campaign involving the CloudZ remote access trojan (RAT) and its Pheno plugin is targeting Microsoft's Phone Link feature to intercept SMS-based one-time passwords (OTPs) and other sensitive data from Windows PCs. Discovered by Cisco Talos, the malware exploits the trust relationship between Windows systems and mobile devices without needing to compromise the mobile device itself. The attack begins with an unknown initial access vector, leading to the execution of a fake ScreenConnect application update that drops a Rust-compiled loader. This loader installs a .NET loader that deploys the CloudZ RAT, which can access the SQLite database of the Phone Link application to siphon sensitive information. The campaign has been active since at least January 2026, posing a significant risk to enterprises relying on SMS-based multi-factor authentication. Talos has provided indicators of compromise (IOCs) to help organizations defend against this threat.

Key Points:

  • CloudZ RAT uses the Pheno plugin to exploit Microsoft Phone Link for data theft.
  • Attackers can intercept SMS OTPs without compromising mobile devices directly.
  • The malware campaign has been active since January 2026, targeting enterprise systems.

Key Entities

  • Malware (attack_type)
  • microsoft.net (domain)
  • CloudZ (malware)
  • CloudZ RAT (malware)
  • Pheno (tool)
  • Bitsadmin (tool)
  • Curl (tool)
  • Fiddler (tool)
  • PowerShell (tool)
  • T1003 - OS Credential Dumping (mitre_attack)
  • T1041 - Exfiltration Over C2 Channel (mitre_attack)
  • T1053 - Scheduled Task/Job (mitre_attack)
  • T1059.001 - PowerShell (mitre_attack)
  • T1071 - Application Layer Protocol (mitre_attack)
  • Android (platform)
  • iOS (platform)
  • iPhone (platform)
  • Microsoft Phone Link (platform)
  • Windows (platform)