{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/sms/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Phone Link","Windows 10","Windows 11"],"_cs_severities":["high"],"_cs_tags":["cloudz","malware","rat","microsoft-phone-link","credential-theft","otp","sms"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eA new variant of the CloudZ remote access tool (RAT) has been observed deploying a novel plugin named Pheno. This plugin specifically targets the Microsoft Phone Link application, pre-installed on Windows 10 and 11, to intercept SMS messages and one-time passwords (OTPs) from connected mobile devices (Android and iOS). The observed intrusion campaign began in January 2026, with researchers assessing that the primary goal of the threat actor is to steal credentials and temporary passcodes. The attacker leverages the Phone Link application\u0026rsquo;s SQLite database, which stores SMS messages and potentially authenticator application notifications, to gain access to sensitive information without directly compromising the mobile device. The CloudZ RAT also uses rotating user-agent strings and anti-caching headers to evade detection.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe victim executes a fake ScreenConnect update.\u003c/li\u003e\n\u003cli\u003eA Rust-based loader is dropped onto the system.\u003c/li\u003e\n\u003cli\u003eA .NET loader is deployed, which contains anti-analysis checks (time-based sandbox evasion, Wireshark, Fiddler, Procmon, Sysmon).\u003c/li\u003e\n\u003cli\u003eThe .NET loader installs the CloudZ RAT.\u003c/li\u003e\n\u003cli\u003ePersistence is established via a scheduled task.\u003c/li\u003e\n\u003cli\u003eThe Pheno plugin monitors for active Microsoft Phone Link sessions.\u003c/li\u003e\n\u003cli\u003ePheno accesses the local SQLite database of the Phone Link application.\u003c/li\u003e\n\u003cli\u003eSMS messages and one-time passwords (OTPs) are stolen from the database, granting the attacker access to sensitive information.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to bypass SMS-based multi-factor authentication (MFA) and gain unauthorized access to protected accounts and systems. The impact can include financial fraud, data theft, and further compromise of the victim\u0026rsquo;s digital assets. While the exact number of victims remains unknown, the targeted theft of credentials and OTPs suggests a broad campaign aimed at a wide range of individuals and organizations. The sectors targeted are currently unknown.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor process creation events for execution of processes originating from temporary directories, as this is often where the initial loader may execute from. Deploy the Sigma rule \u003ccode\u003eDetect CloudZ RAT Loader Execution from Temp Directory\u003c/code\u003e to identify this behavior.\u003c/li\u003e\n\u003cli\u003eImplement network monitoring to detect suspicious HTTP traffic from infected hosts. Pay attention to rotating user-agent strings and the presence of anti-caching headers.\u003c/li\u003e\n\u003cli\u003eConsider disabling or restricting the use of Microsoft Phone Link in enterprise environments where SMS-based OTPs are used.\u003c/li\u003e\n\u003cli\u003eEncourage users to switch to authenticator apps that do not rely on SMS or push notifications and to adopt phishing-resistant MFA solutions like hardware security keys.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-05T10:03:52Z","date_published":"2026-05-05T10:03:52Z","id":"/briefs/2026-05-cloudz-pheno/","summary":"A new version of the CloudZ RAT utilizes the Pheno plugin to hijack Microsoft Phone Link connections, enabling the theft of SMS messages and one-time passwords (OTPs) from victims' mobile devices.","title":"CloudZ RAT Abuses Microsoft Phone Link to Steal SMS and OTPs","url":"https://feed.craftedsignal.io/briefs/2026-05-cloudz-pheno/"}],"language":"en","title":"CraftedSignal Threat Feed — Sms","version":"https://jsonfeed.org/version/1.1"}