
CloudZ RAT Spies on SMS via Windows Phone Link

A new hacking campaign is targeting Microsoft's "Phone Link" app to intercept sensitive mobile data such as SMS messages and one-time passwords (OTPs). Your smartphone doesn't even need to be compromised, as the attackers are operating from your Windows machine.

The duo: CloudZ RAT and its Pheno plugin

A new report published by Cisco Talos researchers describes this campaign, which has been active since at least January 2026. The attack revolves around two components:

  • CloudZ RAT, a malicious toolkit,
  • Pheno, a previously unknown plugin.

With this tooling, cybercriminals can monitor and collect data synchronized between your PC and your smartphone, by directly targeting Windows. Of course, synchronization between your devices must already be enabled. More specifically, the Phone Link app (which has already been renamed several times) must be configured.

This app, which syncs a smartphone with a Windows PC over Wi-Fi and Bluetooth, stores data locally in SQLite databases. By monitoring the corresponding files (PhoneExperiences-*.db), attackers can obtain information about SMS messages, notifications, and call logs.

If the malware detects processes related to this app, CloudZ RAT attempts to capture and exfiltrate data from the local databases. This technique is especially effective for bypassing multi-factor authentication, because the attacker can get hold of:
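The attack works because Phone Link keeps the synced SMS, notifications and call logs in plain SQLite files that any process running as the logged-on user can read. The following PowerShell script is an added example, not code from the article or from the Talos report: it inventories those cache files on the local machine so an administrator can see what is exposed, and can optionally put a read-audit SACL on them so that reads by other processes show up as Security event 4663. The package folder name (Microsoft.YourPhone_8wekyb3d8bbwe) and the host process name (PhoneExperienceHost) are assumptions to verify on your own Windows build; the PhoneExperiences-*.db file pattern is the one named in the article.

```powershell
# Added example (not from the article or the Talos report).
# Inventory Phone Link's local SQLite cache and optionally audit reads of it.
# Assumptions: Phone Link's package folder is Microsoft.YourPhone_8wekyb3d8bbwe
# and its host process is PhoneExperienceHost.exe; verify both on your system.

function Get-PhoneLinkCacheInventory {
    [CmdletBinding()]
    param(
        [string]$PackageRoot = (Join-Path $env:LOCALAPPDATA 'Packages'),
        [string]$PackageName = 'Microsoft.YourPhone_8wekyb3d8bbwe',  # assumed package id
        [string]$HostProcess = 'PhoneExperienceHost',                # assumed process name
        [switch]$EnableReadAudit                                     # needs an elevated shell
    )

    $packagePath = Join-Path $PackageRoot $PackageName
    if (-not (Test-Path $packagePath)) {
        Write-Verbose "Phone Link package folder not found: $packagePath"
        return [pscustomobject]@{ Installed = $false; HostRunning = $false; Databases = @() }
    }

    # The article identifies the cache files as PhoneExperiences-*.db
    $dbs = Get-ChildItem -Path $packagePath -Filter 'PhoneExperiences-*.db' -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Path          = $_.FullName
                SizeKB        = [math]::Round($_.Length / 1KB, 1)
                LastWriteTime = $_.LastWriteTime
            }
        }

    if ($EnableReadAudit) {
        # Add a SACL entry so successful ReadData by any account is logged (event 4663).
        # Only produces events once 'Audit File System' (Object Access) is enabled:
        #   auditpol /set /subcategory:"File System" /success:enable
        foreach ($db in $dbs) {
            $acl  = Get-Acl -Path $db.Path -Audit
            $rule = New-Object System.Security.AccessControl.FileSystemAuditRule('Everyone', 'ReadData', 'Success')
            $acl.AddAuditRule($rule)
            Set-Acl -Path $db.Path -AclObject $acl
            Write-Verbose "Read audit enabled on $($db.Path)"
        }
    }

    $running = [bool](Get-Process -Name $HostProcess -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        Installed   = $true
        HostRunning = $running
        Databases   = @($dbs)
    }
}

$inv = Get-PhoneLinkCacheInventory -Verbose
if (-not $inv.Installed) {
    'Phone Link is not installed for this user.'
} else {
    "Phone Link host process running: $($inv.HostRunning)"
    if ($inv.Databases.Count -gt 0) { $inv.Databases | Format-Table -AutoSize }
    else { 'No PhoneExperiences-*.db cache files found (sync may be disabled).' }
}
```

Run it as the user whose phone is linked; the Phone Link host itself will generate 4663 events once auditing is on, so the useful signal is a 4663 whose process name is something other than that host.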

  • SMS messages that may contain codes (if this method is used),
  • OTP codes generated by authentication apps.

"Talos discovered that CloudZ, a modular RAT, is being used as the payload in the ongoing intrusion. CloudZ is a .NET executable compiled on January 13, 2026 and obfuscated using the ConfuserEx tool," the report states.

The initial infection vector

To compromise machines and gain initial access, the Cisco Talos team points to the use of a malicious file posing as an update for the ScreenConnect tool. "This malicious executable drops and runs an intermediate .NET loader, which then deploys the modular CloudZ malware on the victim's computer," the report says.

CloudZ communicates with the attackers' command-and-control infrastructure (C2 server) over encrypted TCP connections and retrieves additional configuration data by relying on external services such as Pastebin.

To ensure persistence on the infected system, the attackers rely on two key elements:

  • The creation of a scheduled task named SystemWindowsApis.
  • Execution of their malicious code through the legitimate Windows utility regasm.exe.
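Both persistence elements are observable from the host. The PowerShell script below is an added example, not code from the article or from the Talos report; it hunts for the scheduled task name the article reports, for any scheduled task whose action launches regasm.exe, for regasm.exe processes currently running (with their parent and command line), and for Security event 4698 (scheduled task created) mentioning that task name. The task name and the regasm.exe utility come from the article; the 30-day lookback and the event-log checks are my own choices.

```powershell
# Added example (not from the article or the Talos report).
# Hunt for the two CloudZ persistence indicators described above on the local host.

function Find-CloudZPersistence {
    [CmdletBinding()]
    param(
        [string]$TaskName     = 'SystemWindowsApis',  # task name reported in the article
        [string]$LolBin       = 'regasm.exe',         # legitimate utility abused for execution
        [int]   $LookbackDays = 30
    )

    $findings = New-Object System.Collections.Generic.List[object]
    $tasks    = @(Get-ScheduledTask -ErrorAction SilentlyContinue)

    foreach ($task in $tasks) {
        $actions = @($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() })

        # 1. Scheduled task carrying the reported name, in any task folder.
        if ($task.TaskName -eq $TaskName) {
            $findings.Add([pscustomobject]@{
                Indicator = 'ScheduledTaskName'
                Detail    = "$($task.TaskPath)$($task.TaskName)"
                Evidence  = ($actions -join '; ')
            })
        }

        # 2. Any scheduled task whose action runs regasm.exe.
        foreach ($cmd in $actions) {
            if ($cmd -match [regex]::Escape($LolBin)) {
                $findings.Add([pscustomobject]@{
                    Indicator = 'TaskRunsRegasm'
                    Detail    = "$($task.TaskPath)$($task.TaskName)"
                    Evidence  = $cmd
                })
            }
        }
    }

    # 3. regasm.exe running right now: record command line and parent process.
    Get-CimInstance Win32_Process -Filter "Name = '$LolBin'" -ErrorAction SilentlyContinue |
        ForEach-Object {
            $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($_.ParentProcessId)" -ErrorAction SilentlyContinue
            $findings.Add([pscustomobject]@{
                Indicator = 'RegasmProcess'
                Detail    = "PID $($_.ProcessId), parent $($parent.Name) (PID $($_.ParentProcessId))"
                Evidence  = $_.CommandLine
            })
        }

    # 4. Security log: task-creation events (4698) naming the reported task.
    #    Needs an elevated shell and 'Audit Other Object Access Events' enabled.
    $since = (Get-Date).AddDays(-$LookbackDays)
    try {
        Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4698; StartTime = $since } -ErrorAction Stop |
            Where-Object { $_.Message -match [regex]::Escape($TaskName) } |
            ForEach-Object {
                $findings.Add([pscustomobject]@{
                    Indicator = 'TaskCreatedEvent4698'
                    Detail    = $_.TimeCreated
                    Evidence  = (($_.Message -split "`n")[0]).Trim()
                })
            }
    } catch {
        Write-Verbose "Security log query for 4698 returned nothing: $($_.Exception.Message)"
    }

    return $findings
}

$hits = Find-CloudZPersistence -Verbose
if ($hits.Count -eq 0) { 'No CloudZ persistence indicators found on this host.' }
else { $hits | Format-Table -AutoSize -Wrap }
```

regasm.exe is a legitimate .NET assembly-registration tool, so a hit on checks 2 or 3 is a lead to triage (look at what assembly it was handed and who its parent is), not a verdict on its own; a task named SystemWindowsApis, by contrast, has no legitimate reason to exist.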

In short: avoid using the Phone Link app on Windows. It's convenient (when it works), but it also provides access to your smartphone's data. The attackers clearly understood that; this is the proof. Otherwise, prefer using hardware tokens or notification-based methods rather than codes.

Florian Burnel Co-founder of IT-Connect
Systems and network engineer, co-founder of IT-Connect and Microsoft MVP "Cloud and Datacenter Management". I'd like to share my experience and discoveries through my articles. I'm a generalist with a particular interest in Microsoft solutions and scripting. Enjoy your reading.
