CloudZ RAT Abuses Microsoft Phone Link to Steal SMS and OTPs

hello@craftedsignal.io — Tue, 05 May 2026 10:03:52 +0000

A new variant of the CloudZ remote access tool (RAT) has been observed deploying a novel plugin named Pheno. This plugin specifically targets the Microsoft Phone Link application, pre-installed on Windows 10 and 11, to intercept SMS messages and one-time passwords (OTPs) from connected mobile devices (Android and iOS). The observed intrusion campaign began in January 2026, with researchers assessing that the primary goal of the threat actor is to steal credentials and temporary passcodes. The attacker leverages the Phone Link application’s SQLite database, which stores SMS messages and potentially authenticator application notifications, to gain access to sensitive information without directly compromising the mobile device. The CloudZ RAT also uses rotating user-agent strings and anti-caching headers to evade detection.

Attack Chain

The victim executes a fake ScreenConnect update.
A Rust-based loader is dropped onto the system.
A .NET loader is deployed, which contains anti-analysis checks (time-based sandbox evasion, Wireshark, Fiddler, Procmon, Sysmon).
The .NET loader installs the CloudZ RAT.
Persistence is established via a scheduled task.
The Pheno plugin monitors for active Microsoft Phone Link sessions.
Pheno accesses the local SQLite database of the Phone Link application.
SMS messages and one-time passwords (OTPs) are stolen from the database, granting the attacker access to sensitive information.

Impact

Successful exploitation allows attackers to bypass SMS-based multi-factor authentication (MFA) and gain unauthorized access to protected accounts and systems. The impact can include financial fraud, data theft, and further compromise of the victim’s digital assets. While the exact number of victims remains unknown, the targeted theft of credentials and OTPs suggests a broad campaign aimed at a wide range of individuals and organizations. The sectors targeted are currently unknown.

Recommendation

Monitor process creation events for execution of processes originating from temporary directories, as this is often where the initial loader may execute from. Deploy the Sigma rule Detect CloudZ RAT Loader Execution from Temp Directory to identify this behavior.
Implement network monitoring to detect suspicious HTTP traffic from infected hosts. Pay attention to rotating user-agent strings and the presence of anti-caching headers.
Consider disabling or restricting the use of Microsoft Phone Link in enterprise environments where SMS-based OTPs are used.
Encourage users to switch to authenticator apps that do not rely on SMS or push notifications and to adopt phishing-resistant MFA solutions like hardware security keys.

CloudZ RAT Abusing Windows Phone Link to Steal OTPs

hello@craftedsignal.io — Tue, 05 May 2026 10:01:07 +0000

Cisco Talos discovered an intrusion campaign, active since at least January 2026, involving the deployment of the CloudZ RAT and a novel plugin named “Pheno”. The attackers are leveraging these tools to steal credentials and potentially one-time passwords (OTPs) by abusing the Microsoft Phone Link application in Windows. CloudZ utilizes the Pheno plugin to monitor and hijack the PC-to-phone bridge established by Phone Link. This allows the attacker to scan for active Phone Link processes and intercept sensitive mobile data, such as SMS messages and OTPs, without directly infecting the mobile device. The CloudZ RAT also employs various anti-analysis techniques, including dynamic execution of critical functions in memory and checks to evade debuggers and sandbox environments.

Attack Chain

The attack begins with an unknown initial access vector, leading to the execution of a fake ScreenConnect application update.
This malicious executable drops and executes an intermediate .NET loader executable.
The .NET loader decrypts and deploys the modular CloudZ RAT onto the victim’s machine.
Upon execution, the CloudZ RAT decrypts its configuration data and establishes an encrypted connection to its command-and-control (C2) server.
CloudZ exfiltrates credentials from the victim’s machine browser data and downloads and implants the Pheno plugin.
The Pheno plugin performs reconnaissance of the Microsoft Phone Link application on the victim machine and writes reconnaissance data to an output file.
CloudZ reads the Phone Link application data from the staging folder.
CloudZ sends the exfiltrated credentials, along with the data obtained from the Phone Link application, to the C2 server, potentially compromising SMS-based OTP messages and other authenticator application notification messages.

Impact

This campaign poses a significant threat to users of the Microsoft Phone Link application, potentially exposing sensitive information, including SMS-based OTPs, to unauthorized access. Successful exploitation can lead to account compromise, financial fraud, and other malicious activities. The number of victims and specific sectors targeted are currently unknown, but the potential for widespread impact is considerable given the prevalence of Windows 10 and 11 and the use of OTPs for multi-factor authentication.

Recommendation

Monitor process creation events for execution of regasm.exe with command-line arguments pointing to unusual locations, especially within the C:\ProgramData directory, using the Sigma rule “Detect Suspicious RegAsm Execution for Persistence”.
Detect connections to the known malicious URL hxxps[://]calm-wildflower-1349[.]hellohiall[.]workers[.]dev at the network level or endpoint using a network connection monitoring tool or web proxy.
Enable process monitoring and file access auditing for the Microsoft Phone Link application database files (e.g., “PhoneExperiences-*.db”) to detect unauthorized access or modification by suspicious processes.

Otp — CraftedSignal Threat Feed

CloudZ RAT Abuses Microsoft Phone Link to Steal SMS and OTPs

Attack Chain

Impact

Recommendation

CloudZ RAT Abusing Windows Phone Link to Steal OTPs

Attack Chain

Impact

Recommendation