CloudZ RAT malware exploits Microsoft Phone Link to steal OTPs in 2026

CloudZ RAT Exploits Microsoft Phone Link to Steal Your OTPs — Without Ever Touching Your Phone

How CloudZ RAT Exploits Microsoft Phone Link

A remote access trojan called CloudZ, paired with a custom plugin named Pheno, is silently stealing one-time passwords and SMS messages from Windows PCs — and it never needs to touch your phone. The attack, first observed by Cisco Talos in January 2026, exploits the trust relationship between your smartphone and your Windows PC through Microsoft’s Phone Link application.

Microsoft Phone Link (formerly Your Phone) is a built-in Windows feature that mirrors your phone’s notifications, messages, photos, and calls to your PC. It’s convenient. It’s popular. And now it’s being weaponized by threat actors who realized they don’t need to compromise your phone when they can simply read everything your phone sends to your computer.

The attack is particularly insidious because traditional security measures focused on mobile device protection are completely bypassed. Your phone remains clean, uncompromised, and showing no signs of infection. The malware lives entirely on your Windows PC.

The Pheno Plugin: Purpose-Built OTP Harvester

CloudZ itself is a full-featured remote access trojan with standard capabilities — file manipulation, shell command execution, screen recording, and keylogging. But it’s the custom Pheno plugin that makes this campaign unique.

Pheno was built with a single purpose: intercepting authentication data synced through Phone Link. Here’s how it works:

Session Monitoring. Pheno continuously monitors for active Phone Link sessions on the infected Windows machine. It watches for the Phone Link process and waits for a connected device.

Database Access. Once a Phone Link session is detected, Pheno reads the local SQLite database in which Phone Link stores synced data. That database holds the PC-side copy of every SMS message and notification mirrored from the phone, which includes any one-time password delivered to the phone by text or as an app notification.

OTP Extraction. The plugin parses incoming messages in real-time, looking for patterns consistent with OTP codes, verification links, and authentication messages from services like banks, email providers, and cloud platforms.

Credential Correlation. Because CloudZ also captures keystrokes and screen content, the attackers can correlate stolen OTPs with the exact accounts they belong to: they watch you type your username and password, then immediately capture the 2FA code that arrives on your phone.
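The four steps above amount to reading the mirrored message store and pattern-matching for codes. The same logic, turned around, is what an incident responder needs after finding CloudZ on a machine: which OTP messages and verification links were sitting in the mirrored store during the infection window, and therefore which accounts must be reset. The following Python script is an added example written for this article; it is not Cisco Talos's tooling, Pheno's code, or anything from Microsoft. It assumes messages can be read as (sender, body, received_at) rows and uses a constructed in-memory SQLite table in place of Phone Link's real database, whose schema is not reproduced here; the sample messages and the infection window are constructed.

```python
"""Exposure triage for mirrored OTP messages.

Added example for this article; not Cisco Talos's tooling or Microsoft code.
Assumes synced messages can be read as (sender, body, received_at) rows.
Phone Link's real on-disk schema is NOT reproduced: a constructed in-memory
SQLite table stands in for it so the script runs offline. Timestamps are
ISO-8601 strings carrying a UTC offset.
"""
import re
import sqlite3
from dataclasses import dataclass
from datetime import datetime, timezone

# Words that mark a message as authentication-related. A bare digit run is
# only treated as a code when one of these is present, so order numbers,
# balances and phone numbers in ordinary texts are not flagged.
AUTH_KEYWORDS = re.compile(
    r"\b(code|otp|passcode|verification|verify|one[- ]time|2fa|log[- ]?in|sign[- ]?in)\b",
    re.I)
# Explicitly labelled codes: "code is 482913", "OTP: 918273", "PIN 4417"
LABELLED_CODE = re.compile(
    r"\b(?:code|otp|passcode|pin)\b\s*(?:is|:)?\s*#?\s*([0-9]{4,8})\b", re.I)
# Google's "G-735211 is your Google verification code" layout
GOOGLE_STYLE = re.compile(r"\bG-(\d{6})\b")
BARE_DIGITS = re.compile(r"(?<![\d-])(\d{4,8})(?![\d-])")
URL = re.compile(r"https?://\S+", re.I)

# Infection window from the incident timeline (constructed for the sample).
WINDOW_START = datetime(2026, 1, 10, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 2, 1, tzinfo=timezone.utc)


@dataclass
class Finding:
    sender: str
    received_at: datetime
    kind: str   # "code" or "link"
    value: str


def classify(body: str):
    """Return ("code", digits), ("link", url) or None for one message body."""
    m = LABELLED_CODE.search(body) or GOOGLE_STYLE.search(body)
    if m:
        return "code", m.group(1)
    if not AUTH_KEYWORDS.search(body):
        return None                      # no auth context: ignore the digits
    m = BARE_DIGITS.search(body)
    if m:
        return "code", m.group(1)
    m = URL.search(body)
    if m:
        return "link", m.group(0)        # magic-link / approval URL
    return None


def build_sample_store() -> sqlite3.Connection:
    """Constructed stand-in for the synced-message store (not Phone Link's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE message (sender TEXT, body TEXT, received_at TEXT)")
    conn.executemany("INSERT INTO message VALUES (?, ?, ?)", [
        ("Acme", "Use 2290 to log in to Acme. Expires in 10 min.", "2026-01-05T08:00:00+00:00"),
        ("BankCo", "Your BankCo verification code is 482913. Do not share it.", "2026-01-12T09:15:00+00:00"),
        ("Google", "G-735211 is your Google verification code.", "2026-01-20T17:42:10+00:00"),
        ("+15550001", "Hey, dinner at 7?", "2026-01-21T18:03:00+00:00"),
        ("ShopCo", "Your order 5521 has shipped.", "2026-01-22T11:00:00+00:00"),
        ("CloudCo", "Sign in attempt detected. Approve at https://portal.example/verify?t=k3j",
         "2026-01-25T14:30:00+00:00"),
    ])
    return conn


def triage(conn: sqlite3.Connection, start: datetime, end: datetime) -> list[Finding]:
    """Every code or link mirrored inside [start, end] must be assumed stolen;
    the owning accounts are the ones to reset and review for unknown sessions."""
    found = []
    for sender, body, ts in conn.execute(
            "SELECT sender, body, received_at FROM message ORDER BY received_at"):
        received = datetime.fromisoformat(ts)
        if not start <= received <= end:
            continue                     # outside the window: not exposed
        hit = classify(body)
        if hit:
            found.append(Finding(sender, received, hit[0], hit[1]))
    return found


def demo() -> list[Finding]:
    return triage(build_sample_store(), WINDOW_START, WINDOW_END)


if __name__ == "__main__":
    for f in demo():
        print(f"{f.received_at:%Y-%m-%d %H:%M}  {f.sender:<10} {f.kind:<4} {f.value}")
```

Point triage() at an adapter over the real store and set the window from the earliest CloudZ artefact on the host. The keyword gate is deliberate: flagging every four-to-eight-digit number would bury the real codes under order numbers and phone numbers, while an explicitly labelled code ("code is", "OTP:", "PIN") is accepted without a second keyword.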

Why This CloudZ Attack Matters: 2FA Is Not Enough

For years, SMS-based two-factor authentication has been accepted as a baseline security layer, even though it has long been known as the weakest form of MFA (NIST SP 800-63B has discouraged it since 2017 because of SIM swapping and carrier-network interception). The assumption was simple: even if an attacker steals your password, they can't use it without the code sent to your physical phone.

CloudZ completely breaks this assumption. By targeting the Phone Link bridge instead of the phone itself, attackers get both the password (via keylogging) and the OTP (via Pheno) from the same compromised Windows machine. The physical separation between your phone and your PC — the entire basis of SMS 2FA security — is eliminated by the very feature designed to make your life easier.

This isn't a theoretical attack. Cisco Talos has confirmed active campaigns using this technique in the wild since at least January 2026. The threat actors behind it remain unattributed, classified only as an "unknown threat"; that says only that Talos has not tied the tooling to a known group, not how sophisticated the operators are.

The attack also affects enterprise environments disproportionately. Many organizations allow employees to use Phone Link for convenience, creating a bridge between personal mobile devices and corporate Windows machines. A single compromised corporate PC can harvest OTPs for every account the employee has linked to their phone — including corporate email, VPN access, and cloud service consoles.

Technical Deep Dive: CloudZ RAT Capabilities

Beyond the Pheno plugin, CloudZ comes packed with a comprehensive set of remote access capabilities that make it a formidable threat on its own:

File System Operations. Full read, write, delete, and upload capabilities across the infected system. Attackers can deploy additional tools, exfiltrate documents, or plant evidence.

Shell Command Execution. Remote shell access allows attackers to run arbitrary commands on the infected machine, enabling lateral movement within corporate networks.

Screen Recording. CloudZ can record the screen in real-time, capturing everything the user sees — including sensitive information displayed on screen that might not be captured by keylogging alone.

Credential Harvesting. Beyond OTPs, CloudZ harvests stored credentials from browsers, email clients, and other applications. Combined with the OTPs from Pheno, this gives attackers a complete picture of the victim’s authentication landscape.

Persistence Mechanisms. The RAT establishes multiple persistence mechanisms to survive reboots, including registry modifications, scheduled tasks, and DLL side-loading techniques that evade common antivirus solutions.

Who Is Being Targeted?

While Cisco Talos hasn’t disclosed specific victim organizations, the targeting pattern suggests a focus on enterprise environments where Phone Link usage is common. The sophistication of the Pheno plugin — purpose-built for OTP interception — indicates that the threat actors are specifically interested in bypassing multi-factor authentication to access high-value accounts.

Industries that rely heavily on SMS-based 2FA and have employees using Phone Link on corporate machines are at the highest risk. This includes financial services, healthcare, government, and technology companies where access to cloud consoles, source code repositories, and internal tools is protected by MFA.

The attack is also relevant to individual users who use Phone Link on personal computers. Anyone who receives SMS-based OTPs from their bank, email provider, or social media accounts is potentially vulnerable if their Windows PC is compromised by CloudZ.

How Cisco Talos Discovered the CloudZ Attack

Cisco Talos first identified the CloudZ campaign during routine threat hunting in January 2026. What initially appeared to be a standard RAT infection turned out to be significantly more sophisticated once researchers analyzed the Pheno plugin.

The discovery was published in May 2026, after Talos completed their analysis and coordinated disclosure with Microsoft. The delay between discovery and publication allowed Talos to develop detection signatures and IoCs (Indicators of Compromise) that security teams can use to identify infections in their environments.

Microsoft has not issued a specific patch or mitigation, and this is not a vulnerability in the usual sense: Phone Link stores synced data in a local database that the logged-in user can read, and a RAT running in that user's context can read anything the user can. Encrypting the database at rest would not change that, because malware running as the user can invoke the same decryption the app does. Closing the gap would require a different design, such as not persisting message content on the PC at all.

How to Protect Yourself Right Now

Stop using SMS-based 2FA. This is Cisco Talos's primary recommendation. Switch to authenticator apps (Google Authenticator, Microsoft Authenticator, Authy) that generate codes locally on your device. Those codes are never sent over SMS and never land in Phone Link's database. One caveat: a TOTP code you type into the infected PC is still keylogged, so the gain is that the attacker must use it within its short validity window, and most services reject a code that has already been used, rather than reading it at leisure from a database.

Use hardware security keys. For high-value accounts, FIDO2/WebAuthn keys (YubiKey, Google Titan) are the strongest option: there is no code to intercept, and the signature is bound to the site's origin. Note that a RAT on the endpoint can still steal session cookies or tokens after you sign in, so keys shrink the exposure; they do not make a compromised PC safe.

Disable Phone Link SMS and notification sync. If you must use Phone Link, turn off message syncing and notification mirroring in its settings, since OTPs delivered as app notifications are mirrored too. On corporate machines that don't need it, remove the app entirely (in PowerShell: Get-AppxPackage Microsoft.YourPhone | Remove-AppxPackage) or block it by policy. You lose the convenience of reading texts on your PC, but you close the data path the plugin depends on.

Monitor for CloudZ indicators. Check for unexpected processes, unusual network connections, and modifications to startup items, and in particular for any process other than Phone Link reading Phone Link's local data folder. File reads are not logged by default on Windows; that check needs object-access auditing enabled and a SACL on the folder so that reads produce Event ID 4663. Cisco Talos has published detailed IoCs for the CloudZ campaign.

Segment corporate networks. If employees use Phone Link on corporate machines, ensure that those machines are segmented from critical infrastructure and that access to sensitive systems requires hardware-based MFA rather than SMS codes.
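Two of the behaviours described on this page are detectable without waiting for Talos's IoCs: the persistence mechanisms listed in the capabilities section (Run-key entries and scheduled tasks pointing at user-writable paths) and, more specifically, a process other than Phone Link opening Phone Link's data store. The rules below are an added example written for this article, not Cisco Talos's published signatures. They assume Phone Link runs as PhoneExperienceHost.exe (YourPhone.exe on older builds) and keeps its data under the Microsoft.YourPhone package folder in the user's LocalAppData (assumed path), and that events have already been normalised into dicts from Windows Security Event IDs 4663 and 4698 and Sysmon Event ID 13; the sample events are constructed.

```python
"""Hunting rules for two CloudZ/Pheno behaviours the article describes:
a foreign process reading Phone Link's local store, and persistence via
Run keys and scheduled tasks.

Added example; not Cisco Talos's published IoCs or signatures.
Assumptions: Phone Link's process is PhoneExperienceHost.exe (YourPhone.exe
on older builds) and its data lives under the Microsoft.YourPhone package
folder in LocalAppData (assumed path). Events are dicts already normalised
from Windows Security 4663/4698 and Sysmon Event ID 13; samples are constructed.
"""
import re
from dataclasses import dataclass

PHONE_LINK_PROCESSES = {"phoneexperiencehost.exe", "yourphone.exe"}     # assumed
PHONE_LINK_STORE = re.compile(
    r"\\packages\\microsoft\.yourphone_[^\\]+\\localcache\\", re.I)     # assumed path
RUN_KEYS = re.compile(r"\\currentversion\\run(once)?\\", re.I)
# Locations a non-admin implant can write to; a persistence entry pointing
# here is far more suspicious than one under Program Files or System32.
USER_WRITABLE = re.compile(r"\\(appdata|temp|programdata|users\\public)\\", re.I)


@dataclass
class Alert:
    rule: str
    event: dict


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def store_access_rule(ev: dict):
    """4663: something other than Phone Link opened a file in its store.
    Needs object-access auditing plus a SACL on that folder; reads are not
    logged by default."""
    if ev.get("event_id") != 4663:
        return None
    if not PHONE_LINK_STORE.search(ev.get("object_name", "")):
        return None
    if basename(ev.get("process_name", "")) in PHONE_LINK_PROCESSES:
        return None
    return Alert("phone_link_store_read_by_foreign_process", ev)


def run_key_rule(ev: dict):
    """Sysmon 13: a Run/RunOnce value now points at a user-writable path."""
    if ev.get("event_id") != 13:
        return None
    if not RUN_KEYS.search(ev.get("target_object", "")):
        return None
    if not USER_WRITABLE.search(ev.get("details", "")):
        return None
    return Alert("run_key_points_to_user_writable_path", ev)


def scheduled_task_rule(ev: dict):
    """4698: a new scheduled task whose action lives in a user-writable path."""
    if ev.get("event_id") != 4698:
        return None
    if not USER_WRITABLE.search(ev.get("task_content", "")):
        return None
    return Alert("scheduled_task_runs_from_user_writable_path", ev)


RULES = (store_access_rule, run_key_rule, scheduled_task_rule)


def evaluate(events) -> list[Alert]:
    """Run every rule over every event; each hit becomes one Alert."""
    return [hit for ev in events for rule in RULES if (hit := rule(ev))]


# Constructed sample telemetry: one implant touching the store and persisting,
# plus two benign events that must not fire.
STORE = (r"C:\Users\alice\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe"
         r"\LocalCache\Indexed\device1\System\Database\phone.db")
IMPLANT = r"C:\Users\alice\AppData\Roaming\Updater\svchost.exe"

SAMPLE_EVENTS = [
    {"event_id": 4663, "process_name": IMPLANT, "object_name": STORE},
    {"event_id": 4663, "object_name": STORE,
     "process_name": r"C:\Program Files\WindowsApps\Microsoft.YourPhone_8wekyb3d8bbwe\PhoneExperienceHost.exe"},
    {"event_id": 13, "process_name": IMPLANT, "details": IMPLANT,
     "target_object": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"event_id": 13, "process_name": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe",
     "target_object": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "details": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background"},
    {"event_id": 4698, "subject_user": "alice", "task_name": r"\Updater",
     "task_content": r"<Exec><Command>C:\Users\Public\Libraries\host.exe</Command></Exec>"},
]


def demo() -> list[str]:
    return [a.rule for a in evaluate(SAMPLE_EVENTS)]


if __name__ == "__main__":
    for a in evaluate(SAMPLE_EVENTS):
        print(a.rule, "<-", a.event.get("process_name") or a.event.get("task_name"))
```

The 4663 rule only fires if object-access auditing is enabled and a SACL for read access is set on that folder. Expect to extend the process allowlist with legitimate readers on your build (backup agents, the search indexer, EDR) rather than loosen the path match.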

The Bigger Problem: Trusted App Bridges

CloudZ and Pheno represent a broader class of attacks targeting “bridge” applications — software that creates trusted connections between different devices or platforms. Phone Link, AirDrop, KDE Connect, and similar tools all create data pathways that bypass the security boundaries between devices.

The security community has long warned about the risks of these convenience features. The fundamental tension is clear: users want seamless data sharing between devices, and security requires that devices maintain isolation from each other. Every bridge application is a potential attack surface.

CloudZ shows that attackers are now actively targeting these bridges, and with millions of Windows users running Phone Link the attack surface is enormous. The convenience of reading your texts on your PC has become a liability, and no storage redesign alone fixes it: a message that leaves the phone for the PC is readable by whatever runs on the PC. The durable fix is to stop delivering authentication secrets over a channel that gets mirrored.

The lesson is uncomfortable but unavoidable: convenience and security are still fundamentally at odds, and the tools we build to make our lives easier often become the tools attackers use to make our lives worse.
