CloudZ RAT hijacks Windows Phone Link to steal OTPs

Cisco Talos found CloudZ RAT using a previously undocumented plugin, Pheno, to abuse Windows Phone Link, harvesting browser data and the SMS one-time passwords that Phone Link syncs to a paired PC, without ever touching the phone itself.

Cisco Talos researchers Alex Karkins and Chetan Raghuprasad reported that since at least January 2026 unknown actors have used the CloudZ remote access trojan together with a previously undocumented plugin called Pheno to target Microsoft’s Phone Link feature on Windows 10 and Windows 11. The activity has not been tied to a known threat group.

Phone Link pairs a PC with an Android device or iPhone over Wi‑Fi and Bluetooth to sync calls, messages and notifications. Talos found attackers focused on the PC side of that connection, where synchronized mobile data is stored locally in an SQLite database file.

Talos was unable to determine the initial access method. Once on the host, the operators deployed a fake ConnectWise ScreenConnect executable that launched a .NET loader. A PowerShell script embedded in the loader established persistence by creating a scheduled task that re-ran the loader on a timer. An intermediate loader then performed hardware and environment checks (anti-analysis gating) before installing the modular CloudZ trojan.

Once active, CloudZ decrypts an embedded configuration, opens an encrypted socket to a command-and-control server and waits for Base64-encoded instructions. The malware can perform system reconnaissance, run shell commands, exfiltrate browser data and manage additional plugins.

Talos described the Pheno plugin as the component that targets the Phone Link workflow. Pheno watches for running Phone Link processes, gathers data about the application and writes that output to a staging folder on disk. “The plugin performs reconnaissance of the Microsoft Phone Link application on the victim machine and writes the reconnaissance data to an output file in a staging folder,” Talos wrote. Researchers identified the staging path used by the malware as C:\ProgramData\Microsoft\whealth\.

CloudZ then reads the Phone Link output from the staging folder and forwards it to the operator’s C2 server. Because Phone Link stores synced messages and notifications in an SQLite database on the PC, the Pheno/CloudZ combination let the operators pull SMS messages and one-time passwords from that local copy without installing anything on the paired mobile device. The practical consequence for defenders is that an SMS OTP is only as well protected as the least-trusted device it is mirrored to: a compromised PC with Phone Link paired sees the same codes the phone does.
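The following hunting script is an added example written for this page, not code from Talos or from the malware. It checks a Windows 10/11 host for the three host-side indicators the article actually names: the Pheno staging folder described above, the fake ConnectWise ScreenConnect executable, and the timer-based scheduled task used to persist the loader in the intrusion chain described earlier. The page publishes no task name, file name or hash, so the script matches on behaviour shape instead; the search roots, the set of user-writable paths, and the rule that any ScreenConnect-named binary not validly signed by ConnectWise is suspicious are my assumptions.

```powershell
# Added hunting script (not from the Talos report). Assumptions are marked.
# Indicators taken from the article: staging folder C:\ProgramData\Microsoft\whealth\,
# a fake ConnectWise ScreenConnect executable, and a scheduled task that re-runs a
# .NET loader on a timer. No task/file names or hashes are published, so this looks
# for the shape of the behaviour rather than exact IOCs. Run elevated for full coverage.

function Invoke-PhenoHunt {
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Pheno staging folder (path from the report). Windows itself does not use this
    #    directory; assumption: no third-party software on the host does either.
    $staging = 'C:\ProgramData\Microsoft\whealth'
    if (Test-Path -LiteralPath $staging) {
        $findings.Add("Staging folder present: $staging")
        Get-ChildItem -LiteralPath $staging -Force -Recurse -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer } |
            ForEach-Object {
                $findings.Add("  staged file: $($_.FullName) ($($_.Length) bytes, modified $($_.LastWriteTimeUtc)Z)")
            }
    }

    # 2. Executables posing as ConnectWise ScreenConnect. The genuine client is
    #    Authenticode-signed by ConnectWise; a ScreenConnect-named binary that is
    #    unsigned, invalidly signed, or signed by someone else deserves a look.
    #    Assumption: these roots cover where a user-dropped binary would land.
    $roots = @($env:ProgramData, $env:LOCALAPPDATA, $env:APPDATA, $env:TEMP, $env:PUBLIC, 'C:\Users')
    foreach ($root in $roots) {
        if ([string]::IsNullOrEmpty($root) -or -not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -Recurse -Force -Filter '*.exe' -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -match '(?i)ScreenConnect|ConnectWise' } |
            ForEach-Object {
                $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
                $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
                if ($sig.Status -ne 'Valid' -or $signer -notmatch 'ConnectWise') {
                    $findings.Add("Suspicious ScreenConnect-named binary: $($_.FullName) [status=$($sig.Status); signer=$signer]")
                }
            }
    }

    # 3. Scheduled tasks with a repetition interval whose action runs PowerShell or
    #    something from a user-writable location. The report says the loader was
    #    persisted on a timer but does not name the task, so match on trigger shape
    #    plus action path. Assumption: the user-writable prefixes below are the
    #    relevant ones; legitimate tasks that match still need manual review.
    $userWritable = '^(?i)(C:\\Users\\|C:\\ProgramData\\|C:\\Windows\\Temp\\)'
    Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
        $task = $_
        $repeats = @($task.Triggers | Where-Object { $_.Repetition -and $_.Repetition.Interval })
        if ($repeats.Count -eq 0) { return }
        foreach ($action in $task.Actions) {
            $exe  = [string]$action.Execute
            $args = [string]$action.Arguments
            if ($exe -match $userWritable -or $args -match $userWritable -or $exe -match '(?i)powershell|pwsh') {
                $findings.Add("Timer task '$($task.TaskPath)$($task.TaskName)' every $($repeats[0].Repetition.Interval) runs: $exe $args")
            }
        }
    }

    if ($findings.Count -eq 0) { Write-Output 'No CloudZ/Pheno-shaped indicators found.' }
    else { $findings | ForEach-Object { Write-Output $_ } }
}

Invoke-PhenoHunt
```

Treat each finding as a lead, not a verdict: the scheduled-task check in particular will surface legitimate repeating tasks that happen to invoke PowerShell, and the signature check cannot tell a renamed legitimate installer from an impostor without comparing hashes, which the report does not supply. Paired with the staging-folder hit, however, either of the other two is strong corroboration.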

Observed CloudZ commands include heartbeat and termination functions, system metadata collection, remote shell execution, web browser data exfiltration, specific actions for handling Phone Link logs, plugin load/save/upload and removal, file download and write operations, file management, messaging to C2, error reporting and screen recording.

Talos did not attribute the campaign or detail the initial access vector that starts the chain. What the report does establish is a technique that abuses a legitimate cross-device sync feature: rather than compromising the phone, the attacker reads the copy of its messages that Windows already keeps on the PC side of the pairing.
