Cisco Talos has detailed CloudZ, a remote access trojan campaign that uses a plugin named Pheno to target Microsoft Phone Link data on infected Windows PCs [1]. The notable point is not simply that malware steals codes. It is that the attacker may not need to infect the phone at all: if the Windows PC is compromised and Phone Link is syncing messages or notifications, the PC becomes a second-factor collection point. The same phone-trust problem is visible in newer Android banking malware such as TrickMo.C, which can turn an infected handset into a proxy node rather than only intercepting messages.
Talos says the campaign has been active since at least January 2026 and starts with a fake ScreenConnect update lure before installing CloudZ. Once present, CloudZ can collect credentials, execute commands, and use Pheno to watch for Phone Link activity. Talos also published indicators for defenders who need to hunt related files, domains, and hashes [2].
Why Phone Link changes the threat model
Microsoft Phone Link lets users handle messages, calls, photos, notifications, and other phone-connected tasks from a Windows PC [3]. Talos reports that Phone Link writes synchronized phone data such as SMS messages, call logs, and notification history into local SQLite databases, including files matching patterns such as PhoneExperiences-*.db [1]. Pheno looks for that bridge and can read the local database where mirrored OTP messages and authenticator notifications land, without touching the handset or the carrier network.
That changes the normal MFA assumption. SMS OTPs are already weaker than phishing-resistant methods, but this campaign highlights a more specific failure mode: the "second factor" is mirrored into the same Windows session that the RAT controls, so the two factors no longer live on separate devices. A user might believe the phone remains separate while the attacker is reading the phone-derived data from the infected PC.
For a practical review, split the investigation into three questions. First, was Phone Link paired on the infected machine, and was it used for messages or notifications? Second, are CloudZ/Pheno indicators present, including Talos-published hashes, domains, persistence artifacts, or suspicious ScreenConnect-themed delivery? Third, did the same Windows session handle high-value logins, banking portals, admin consoles, or password resets that relied on SMS or notification-based approval?
This is where the response differs from generic malware cleanup. Removing the RAT is not enough if the machine had access to mirrored OTPs: any code or approval prompt that reached the PC during the exposure window should be treated as seen by the attacker. Review Phone Link pairing on both the PC and the phone, remove unneeded pairings, rotate credentials used during the exposure window, invalidate active sessions for high-value accounts, and move sensitive accounts away from SMS codes and push approvals that surface in the same desktop environment. For broader context, Gridinsoft's guides on remote access trojans and on infostealer detection and removal explain why credential theft and remote control usually have to be handled together.
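Questions one and three of the review above, and the rotation list that follows from them, can be worked from the mirrored data itself once the disk is imaged. The script below is an added example, not code from the Talos report, from Gridinsoft, or from Phone Link: it builds a constructed SQLite store with an assumed `message` and `notification` layout (Phone Link's real schema and the PhoneExperiences-*.db naming are not reproduced), then lists every OTP-looking SMS and authenticator prompt that landed on the PC during an exposure window, together with the senders and apps whose accounts need rotation. The sender names, message text, authenticator app list and timestamps are all constructed; adapt the table and column names before pointing `find_exposed` at a copied database.

```python
import re
import sqlite3
from datetime import datetime

# Added example for triaging mirrored Phone Link data. The table layout,
# sender names and message text below are assumptions constructed for the
# example; they are not Phone Link's real schema or real captured data.

# Heuristics for authentication messages: a 6-8 digit code AND wording that
# normally accompanies one. Both are required so tracking numbers, order
# numbers and the like are not reported.
CODE_RE = re.compile(r"\b\d{6,8}\b")
AUTH_WORDS_RE = re.compile(
    r"\b(code|otp|passcode|verification|verify|one[- ]time|sign[- ]?in|log[- ]?in|approve)\b",
    re.IGNORECASE,
)
# Notifications from these apps are approval prompts or codes even when the
# text carries no 6-digit number (e.g. number-matching prompts). Assumed list.
AUTHENTICATOR_APPS = {
    "microsoft authenticator", "google authenticator", "authy", "okta verify", "duo mobile",
}

# Assumed layout of a mirrored store: one table for SMS, one for notifications.
SCHEMA = """
CREATE TABLE message (id INTEGER PRIMARY KEY, sender TEXT, body TEXT, received_utc TEXT);
CREATE TABLE notification (id INTEGER PRIMARY KEY, app_name TEXT, text TEXT, posted_utc TEXT);
"""

# Constructed sample rows (ISO 8601 UTC timestamps), not real traffic.
SAMPLE_MESSAGES = [
    ("BankCo", "Your BankCo verification code is 482913. Do not share it.", "2026-03-10T09:15:00Z"),
    ("+1 555 0100", "Lunch at noon?", "2026-03-10T09:20:00Z"),
    ("Courier", "Parcel 55532188 will be delivered tomorrow.", "2026-03-10T10:02:00Z"),
    ("CloudAdmin", "Use 117733 to sign in to the admin console.", "2026-03-11T14:40:00Z"),
    ("BankCo", "Your BankCo verification code is 905511.", "2026-02-01T08:00:00Z"),  # before the window
]
SAMPLE_NOTIFICATIONS = [
    ("Microsoft Authenticator", "Approve sign-in? Enter the number 47 shown on the sign-in page.", "2026-03-11T14:41:00Z"),
    ("Weather", "Rain expected this afternoon.", "2026-03-11T15:00:00Z"),
]


def build_sample_db(path=":memory:"):
    """Create the constructed store; a real triage would open the copied .db instead."""
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO message (sender, body, received_utc) VALUES (?, ?, ?)", SAMPLE_MESSAGES)
    conn.executemany("INSERT INTO notification (app_name, text, posted_utc) VALUES (?, ?, ?)", SAMPLE_NOTIFICATIONS)
    conn.commit()
    return conn


def _parse_utc(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def looks_like_auth(text):
    """True when the text carries both a code-sized number and auth wording."""
    return bool(CODE_RE.search(text)) and bool(AUTH_WORDS_RE.search(text))


def find_exposed(conn, window_start, window_end):
    """Return (kind, source, detail, timestamp) for every OTP message or
    authenticator prompt mirrored to the PC inside the exposure window."""
    start, end = _parse_utc(window_start), _parse_utc(window_end)
    hits = []
    for sender, body, ts in conn.execute("SELECT sender, body, received_utc FROM message"):
        if start <= _parse_utc(ts) <= end and looks_like_auth(body):
            hits.append(("sms", sender, CODE_RE.search(body).group(0), ts))
    for app, text, ts in conn.execute("SELECT app_name, text, posted_utc FROM notification"):
        if start <= _parse_utc(ts) <= end and (app.lower() in AUTHENTICATOR_APPS or looks_like_auth(text)):
            hits.append(("notification", app, text, ts))
    return sorted(hits, key=lambda h: h[3])


def sources_to_review(hits):
    """Distinct senders/apps whose second factor was visible in the session:
    the accounts behind them need credential rotation and session invalidation."""
    return sorted({h[1] for h in hits})


if __name__ == "__main__":
    conn = build_sample_db()
    exposure = find_exposed(conn, "2026-03-01T00:00:00Z", "2026-03-31T23:59:59Z")
    for kind, source, detail, ts in exposure:
        print(f"{ts}  {kind:<12} {source:<24} {detail}")
    print("rotate / invalidate:", ", ".join(sources_to_review(exposure)))
```

Two edge cases are built in on purpose: the parcel message carries an 8-digit number but no authentication wording and is ignored, while the authenticator prompt carries no code at all and is caught only by the app-name rule. Messages before the exposure window are excluded so the rotation list stays tied to what the RAT could actually have read.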
The article’s practical lesson is narrow and useful: Phone Link should be treated as sensitive data plumbing on machines used for admin, finance, or account recovery work. If a Windows PC is not trusted enough to hold passwords, it is also not trusted enough to mirror SMS OTPs and authentication notifications.
References
- [1] Cisco Talos, "CloudZ RAT potentially steals OTP messages using Pheno plugin," May 5, 2026. Report.
- [2] Cisco Talos IOCs, cloudz-pheno-infostealer.txt, May 2026.
- [3] Microsoft Support, "Phone Link & cross-device experiences." Product page.

