A newly discovered threat is turning a built-in Microsoft feature into a powerful spying tool. Security researchers have found a remote access tool called CloudZ that works alongside a custom plugin named Pheno to silently intercept SMS messages and one-time passwords (OTPs) from mobile phones, all without ever touching the phone itself. The attack exploits a legitimate Windows application that millions of users rely on daily.
What makes this campaign especially striking is its approach. Rather than deploying malware directly onto a victim’s phone, the attacker hijacks the connection between a Windows PC and a paired smartphone.
When a user has the Microsoft Phone Link application active, it creates a bridge that mirrors phone notifications, messages, and call logs onto the computer.
CloudZ and its Pheno plugin exploit that bridge to access sensitive data that was never meant to leave the phone.
Analysts at Cisco Talos identified the intrusion as active since at least January 2026, noting that an unknown attacker had deployed the CloudZ RAT and the previously undocumented Pheno plugin onto victim machines.
Talos researchers described the campaign as designed to steal login credentials and intercept OTPs, the short numeric codes used to confirm identity during two-step logins.
The infection chain begins with what looks like a fake update for a remote support tool called ScreenConnect. Once the victim runs this file, it drops a .NET loader that clears several security checks before deploying the CloudZ RAT.
From that point, the attacker has a full toolkit to explore the victim’s machine, steal browser data, and activate the Pheno plugin.
CloudZ goes to great lengths to avoid detection. It checks whether it is running in a test environment by monitoring timing patterns and scanning for analysis tools like Wireshark, Fiddler, Procmon, and Sysmon.
It also generates its most sensitive functions on the fly in memory, making them harder to catch or reverse-engineer.
How CloudZ Abuses Microsoft Phone Link to Steal OTPs
The Pheno plugin is the most novel piece of this attack chain. Once deployed, it scans all running processes for keywords tied to the Phone Link application, including “YourPhone,” “PhoneExperienceHost,” and “Link to Windows.”
If matching processes are found, Pheno logs their process IDs and file paths to a staging file named after the victim’s computer.
Pheno then searches that staging file for the word “proxy,” which signals that Phone Link is actively routing traffic between the PC and the phone.
If that connection is confirmed, the plugin writes “Maybe connected” to its output file, alerting the attacker through CloudZ that conditions are right to intercept mobile data.
From there, CloudZ can access the Phone Link application’s local SQLite database, a file named “PhoneExperiences-*.db,” which stores synchronized SMS messages, call logs, and app notifications.
That database can contain OTP codes sent by banks and email providers, meaning the attacker could bypass two-factor security without needing the victim’s physical device.
Persistence Mechanisms and Command Structure
CloudZ is built to survive on victim machines as long as possible. The Rust-compiled dropper installs a scheduled task named “SystemWindowsApis” that runs at system startup under the SYSTEM account, ensuring the malware restarts after every reboot.
It uses the legitimate Windows utility regasm.exe as a living-off-the-land binary to execute the payload, helping it blend in with normal system activity.
To avoid network-level detection, CloudZ rotates between three browser-style user-agent strings with every request, mimicking standard Firefox, Safari, and Chrome traffic.
It stores its command-and-control server address on external platforms, pulling the IP address from Pastebin pages under the account name “HELLOHIALL,” which makes blocking it through standard filters more difficult.
Cisco Talos has released ClamAV signatures and Snort rules to help detect and block this threat. Organizations are encouraged to monitor for unexpected Phone Link activity on endpoints, restrict remote access tools to trusted sources only, and ensure security tools actively flag living-off-the-land binaries like regasm.exe used outside their normal context. Disabling Phone Link on machines where it is not needed can reduce exposure significantly.
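Pulling the behaviours described above into one place, the following detection routine is an added example for this article (not Cisco Talos code). It runs over constructed Sysmon-style events and flags regasm.exe launched with a payload from ProgramData, creation of the SystemWindowsApis task, a process other than Phone Link reading a PhoneExperiences-*.db file, a non-browser process fetching from Pastebin, and one process rotating across browser user agents. The event layout, file paths, PIDs and hosts are assumptions for illustration.

```python
import fnmatch
import ntpath
from collections import defaultdict

PHONE_LINK_PROCS = {"phoneexperiencehost.exe", "yourphone.exe"}
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe"}
REGASM = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe"
PHONE_DB = r"C:\Users\alice\AppData\Local\Packages\YourPhone\LocalCache\PhoneExperiences-1234.db"
UA_FF = "Mozilla/5.0 (Windows NT 10.0; rv:128.0) Gecko/20100101 Firefox/128.0"
UA_CHROME = "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 Chrome/124.0 Safari/537.36"
UA_SAFARI = "Mozilla/5.0 (Macintosh) AppleWebKit/605.1.15 Version/17.0 Safari/605.1.15"

# Constructed endpoint telemetry (not from the article): Sysmon-style process, task, file and network events.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 4120, "image": REGASM, "cmdline": r"regasm.exe /U C:\ProgramData\Microsoft\whealth\p.dll"},
    {"type": "task", "pid": 4120, "task": r"\Microsoft\Windows\SystemWindowsApis"},
    {"type": "file", "pid": 4120, "image": REGASM, "path": PHONE_DB},
    {"type": "file", "pid": 7788, "image": r"C:\Program Files\WindowsApps\PhoneExperienceHost.exe", "path": PHONE_DB},
    {"type": "net", "pid": 4120, "image": REGASM, "host": "pastebin.com", "ua": UA_FF},
    {"type": "net", "pid": 4120, "image": REGASM, "host": "c2.example.invalid", "ua": UA_CHROME},
    {"type": "net", "pid": 4120, "image": REGASM, "host": "c2.example.invalid", "ua": UA_SAFARI},
    {"type": "net", "pid": 9000, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "host": "example.com", "ua": UA_CHROME},
]

def ua_family(ua):
    """Classify a User-Agent; Chrome UAs also contain 'Safari/', so Safari is checked last."""
    families = (("Firefox/", "firefox"), ("Chrome/", "chrome"), ("Safari/", "safari"))
    return next((fam for tok, fam in families if tok in ua), "other")

def detect(events):
    """Return sorted (rule, pid) findings; each rule covers one behaviour the article attributes to CloudZ/Pheno."""
    findings = set()
    ua_by_pid = defaultdict(set)
    for e in events:
        image = ntpath.basename(e.get("image", "")).lower()
        if e["type"] == "process" and image == "regasm.exe" and "programdata" in e["cmdline"].lower():
            findings.add(("regasm_lolbin_outside_normal_context", e["pid"]))  # LOLBin loading a payload from ProgramData
        elif e["type"] == "task" and ntpath.basename(e["task"]) == "SystemWindowsApis":
            findings.add(("persistence_task", e["pid"]))
        elif e["type"] == "file" and image not in PHONE_LINK_PROCS \
                and fnmatch.fnmatch(ntpath.basename(e["path"]), "PhoneExperiences-*.db"):
            findings.add(("phonelink_db_access_by_foreign_process", e["pid"]))
        elif e["type"] == "net" and image not in BROWSERS:
            if e["host"].endswith("pastebin.com"):
                findings.add(("pastebin_fetch_by_non_browser", e["pid"]))
            ua_by_pid[e["pid"]].add(ua_family(e["ua"]))
    # One non-browser process presenting itself as several different browsers is the rotation pattern.
    findings.update(("user_agent_rotation", p) for p, fams in ua_by_pid.items() if len(fams) >= 2)
    return sorted(findings)
```

Every finding in the sample lands on PID 4120; the legitimate PhoneExperienceHost.exe read of the same database and the real browser's traffic produce nothing.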
IoCs:
| Type | Indicator | Description |
|---|---|---|
| IP Address | 185[.]196[.]10[.]136 | CloudZ C2 server IP address, communicating over port 8089 via TCP |
| URL | hxxps[://]round-cherry-4418[.]hellohiall[.]workers[.]dev | Secondary C2 configuration staging URL |
| URL | https[://]pastebin[.]com/raw/8pYAgF0Z | Pastebin-hosted secondary C2 configuration data |
| URL | hxxps[://]calm-wi[…] | Attacker-controlled staging server used to deliver .NET loader |
| URL | hxxps[://]orange-cell-1353[.]hellohiall[…] | Staging server URL used to deliver Pheno plugin (pheno.exe) |
| File Name | systemupdates.exe / Windows-interactive-update.exe | Rust-compiled dropper disguised as system update |
| File Name | update.txt / msupdate.txt | Embedded .NET loader disguised as text file |
| File Name | pheno.exe | Pheno reconnaissance plugin dropped in C:\Windows\TEMP |
| File Path | C:\ProgramData\Microsoft\windosDoc | Staging folder used to store the dropped .NET loader |
| File Path | C:\ProgramData\Microsoft\whealth | Staging directory for saved plugins |
| File Path | C:\programdata\Microsoft\feedbackcm | Pheno plugin output folder for Phone Link reconnaissance data |
| Scheduled Task | SystemWindowsApis | Persistence task created under Microsoft\Windows at system startup |
| Pastebin Account | HELLOHIALL | Attacker-controlled Pastebin account hosting secondary C2 configuration |
| PDB String | rustextractor.pdb | Developer string found in the Rust-compiled dropper binary |
| ClamAV Signature | Win.Packed.Msilheracles-10030690-0 | ClamAV detection signature for the packed loader |
| ClamAV Signature | Win.Trojan.CloudZRAT-10059935-0 | ClamAV detection signature for CloudZ RAT |
| ClamAV Signature | Win.Trojan.CloudZRAT-10059959-0 | ClamAV detection signature for CloudZ RAT variant |
| Snort Rule (SID) | 66409, 66410, 66408 (Snort 2) | Snort 2 rules detecting and blocking CloudZ traffic |
| Snort Rule (SID) | 301492, 66408 (Snort 3) | Snort 3 rules detecting and blocking CloudZ traffic |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.