Windows Phone Link Exploited by CloudZ RAT to Steal Credentials and OTPs

Published: May 6, 2026 at 04:34 AM EDT
3 min read

Source: The Hacker News

Overview

Cybersecurity researchers have disclosed details of an intrusion that leveraged the CloudZ remote access tool (RAT) together with an undocumented plugin named Pheno. The goal of the attack was to steal victims’ credentials and potentially one‑time passwords (OTPs) by abusing the Microsoft Phone Link application.

According to Cisco Talos researchers Alex Karkins and Chetan Raghuprasad, the CloudZ RAT and Pheno plugin were specifically designed to hijack the PC‑to‑phone bridge provided by Phone Link, allowing the attacker to monitor active Phone Link processes and intercept sensitive mobile data such as SMS and OTPs without installing malware on the phone itself.

Phone Link (built into Windows 10 and Windows 11) enables users to pair their computer with an Android device or iPhone over Wi‑Fi and Bluetooth. Once paired, users can:

  • Make and receive phone calls
  • Send and receive messages
  • Dismiss notifications
  • Access other phone data synchronized to the PC

These legitimate cross‑device syncing features, however, create an unintended attack surface: data mirrored to the PC can be harvested for credential theft and for bypassing two‑factor authentication.

Attack Details

Initial Access and Persistence

  • An as‑yet‑undetermined initial access method was used to drop a fake ConnectWise ScreenConnect executable.
  • The fake executable downloaded and executed a .NET loader.
  • An embedded PowerShell script created a scheduled task to run the malicious .NET loader, establishing persistence.

Loader and Trojan Deployment

  • The intermediate loader performed hardware and environment checks to evade detection.
  • It then deployed the modular CloudZ trojan on the compromised machine.
  • The trojan decrypted an embedded configuration, opened an encrypted socket to the C2 server, and awaited Base64‑encoded commands for credential exfiltration and plugin deployment.

Pheno Plugin Operation

The Pheno plugin performs reconnaissance of the Microsoft Phone Link application on the victim machine and writes the gathered data to an output file in a staging folder. CloudZ reads this data from the staging folder and forwards it to the C2 server.

Data Extraction

The attackers accessed the SQLite database used by Phone Link to store synchronized phone data, enabling them to retrieve SMS messages, OTPs, and other sensitive information without compromising the mobile device itself.

CloudZ Command Set

The following commands are supported by the CloudZ trojan:

  • pong – Send heartbeat response
  • PING! – Issue heartbeat request
  • CLOSE – Terminate the trojan process
  • INFO – Collect system metadata
  • RunShell – Execute a shell command
  • BrowserSearch – Exfiltrate web browser data
  • GetWidgetLog – Exfiltrate Phone Link logs and data
  • plugin – Load a plugin
  • savePlugin – Save a plugin to disk (C:\ProgramData\Microsoft\whealth\)
  • sendPlugin – Upload a plugin to the C2 server
  • RemovePlugins – Remove all deployed plugin modules
  • Recovery – Enable recovery or reconnection
  • DW – Conduct download and file‑write operations
  • FM – Conduct file‑management operations
  • Msg – Send a message to the C2 server
  • Error – Report errors to the C2 server
  • rec – Record the screen
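The behaviours above give defenders three concrete host-side signals: PowerShell registering a scheduled task that runs a loader from a user-writable path (Initial Access and Persistence), files landing in the savePlugin staging folder C:\ProgramData\Microsoft\whealth\ (CloudZ Command Set), and a process other than Phone Link itself reading Phone Link's synchronized-data database (Data Extraction). The following Python is an added example written for this summary, not code from Cisco Talos or from the article; it runs those three checks over a constructed, simplified EDR event stream. The Phone Link process name (PhoneExperienceHost.exe) and the data-directory path are assumptions supplied here for illustration, as are the sample file names pheno.dll and messages.db.

```python
import re
from typing import Dict, List, Optional, Tuple

# Path the article reports CloudZ's savePlugin command stores plugins in.
PLUGIN_STAGING_DIR = "C:\\ProgramData\\Microsoft\\whealth\\"

# Assumptions, not from the article: Phone Link's own process name and a
# placeholder for the per-user folder holding its synchronized-data database.
PHONE_LINK_PROCESS = "PhoneExperienceHost.exe"
PHONE_LINK_DATA_DIR = ("C:\\Users\\victim\\AppData\\Local\\Packages\\"
                       "PHONE_LINK_PACKAGE_PLACEHOLDER\\LocalState\\")

# A task action living in one of these locations is far more suspicious
# than one under Program Files or System32.
USER_WRITABLE_MARKERS = ("\\appdata\\", "c:\\programdata\\", "\\temp\\", "c:\\users\\public\\")

TASK_CREATE_RE = re.compile(
    r"schtasks(?:\.exe)?\s+/create|Register-ScheduledTask|New-ScheduledTaskAction", re.I)
# Drive-letter paths ending in .exe; quoted paths containing spaces are not handled.
EXE_PATH_RE = re.compile(r"[A-Za-z]:\\[^\"'\s]+?\.exe", re.I)

Event = Dict[str, object]


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _is_user_writable(path: str) -> bool:
    lowered = path.lower()
    return any(marker in lowered for marker in USER_WRITABLE_MARKERS)


def detect_task_persistence(ev: Event) -> Optional[str]:
    """PowerShell/schtasks creating a task whose action is in a user-writable path."""
    if ev["kind"] != "process":
        return None
    if _basename(str(ev["image"])) not in ("powershell.exe", "pwsh.exe", "schtasks.exe"):
        return None
    cmdline = str(ev["cmdline"])
    if not TASK_CREATE_RE.search(cmdline):
        return None
    suspicious = [p for p in EXE_PATH_RE.findall(cmdline) if _is_user_writable(p)]
    return f"scheduled task runs {suspicious[0]}" if suspicious else None


def detect_plugin_staging(ev: Event) -> Optional[str]:
    """Any file written into the CloudZ plugin staging folder."""
    if ev["kind"] != "file_create":
        return None
    target = str(ev["target"])
    if target.lower().startswith(PLUGIN_STAGING_DIR.lower()):
        return f"write to plugin staging dir: {target}"
    return None


def detect_phone_link_db_access(ev: Event) -> Optional[str]:
    """A process other than Phone Link reading Phone Link's data directory."""
    if ev["kind"] != "file_read":
        return None
    target = str(ev["target"])
    if not target.lower().startswith(PHONE_LINK_DATA_DIR.lower()):
        return None
    if _basename(str(ev["image"])) == PHONE_LINK_PROCESS.lower():
        return None
    return f"{_basename(str(ev['image']))} read {target}"


RULES = (detect_task_persistence, detect_plugin_staging, detect_phone_link_db_access)


def hunt(events: List[Event]) -> List[Tuple[object, str, str]]:
    """Return (event id, rule name, detail) for every rule hit."""
    alerts = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                alerts.append((ev["id"], rule.__name__, hit))
    return alerts


# Constructed telemetry: events 1, 3 and 4 model the reported tradecraft;
# events 2 and 5 are benign look-alikes the rules must ignore.
SAMPLE_EVENTS: List[Event] = [
    {"id": 1, "kind": "process",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": 'powershell.exe -w hidden -c "schtasks /create /tn WinUpdateCheck '
                '/sc minute /mo 5 /tr C:\\Users\\victim\\AppData\\Roaming\\svc\\loader.exe"'},
    {"id": 2, "kind": "process", "image": "C:\\Windows\\System32\\schtasks.exe",
     "cmdline": "schtasks /create /tn Defrag /tr C:\\Windows\\System32\\defrag.exe /sc weekly"},
    {"id": 3, "kind": "file_create", "image": "C:\\Users\\victim\\AppData\\Roaming\\svc\\loader.exe",
     "target": PLUGIN_STAGING_DIR + "pheno.dll"},
    {"id": 4, "kind": "file_read", "image": "C:\\Users\\victim\\AppData\\Roaming\\svc\\loader.exe",
     "target": PHONE_LINK_DATA_DIR + "messages.db"},
    {"id": 5, "kind": "file_read", "image": "C:\\Program Files\\WindowsApps\\PhoneLink\\PhoneExperienceHost.exe",
     "target": PHONE_LINK_DATA_DIR + "messages.db"},
]

if __name__ == "__main__":
    for alert in hunt(SAMPLE_EVENTS):
        print(alert)
```

The third rule depends on file-read telemetry, which Sysmon does not emit by default; it maps onto EDR file-access events or an audit ACL on the Phone Link data folder. The scheduled-task rule is deliberately narrow (drive-letter paths without spaces) to keep the example readable; a production version would parse the task XML instead of the command line.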

Conclusion

The intrusion demonstrates how legitimate cross‑device synchronization features can be weaponized to create new pathways for credential theft and bypass two‑factor authentication. By exploiting the Phone Link application, attackers can harvest sensitive mobile data without needing to compromise the phone itself. The activity has been observed since at least January 2026 and has not yet been attributed to any known threat actor or group.
