


Perceptive Security
SOC/SIEM Consultancy

CloudZ malware abuses Microsoft Phone Link to steal SMS and OTPs
Published:
5 May 2026 at 10:03:52
Alert date:
5 May 2026 at 11:01:03
Source:
bleepingcomputer.com
Ransomware & Malware, Operating Systems, Mobile & IoT
A new version of the CloudZ remote access tool (RAT) has been observed deploying a previously unseen plugin, Pheno, that hijacks Microsoft Phone Link connections to pull sensitive data from the linked mobile device. Because Phone Link mirrors the phone's SMS messages onto the Windows host, the plugin can read SMS-delivered one-time passwords (OTPs) on the PC without ever touching the phone, which undermines SMS-based multi-factor authentication. The technique abuses a legitimate Microsoft feature rather than exploiting a software flaw, and it is an active threat to anyone who relies on SMS-based two-factor authentication.
Technical details
CloudZ RAT deploys a new plugin, Pheno, that hijacks Microsoft Phone Link connections to steal SMS messages and OTPs. Pheno waits for an active Phone Link session and then reads the local SQLite database in which Phone Link caches the synced SMS messages, including any one-time passwords they contain. The infection chain starts with a fake ScreenConnect update that drops a Rust-based loader; that loader runs a .NET loader, which installs CloudZ RAT and establishes persistence through scheduled tasks. The .NET loader carries anti-analysis checks: time-based sandbox evasion, detection of analysis tools (Wireshark, Fiddler, Procmon, Sysmon), and string checks for VMs and sandboxes. For its HTTP traffic, CloudZ rotates between three hardcoded User-Agent strings and adds anti-caching headers so the requests look like ordinary browser traffic.
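Two hunting checks for the behaviours in the paragraph above (scheduled-task persistence from a dropped loader, and a small pool of rotating User-Agents with anti-caching headers), as an added example that is not part of the original article and is not Cisco Talos' or the malware authors' code. It assumes log records shaped like a Sysmon Event ID 1 (ProcessCreate) export and a generic web-proxy log; every record, task name, path, host name and IP address in it is constructed for the example and is not an indicator from the report.

```python
"""Two hunting heuristics for the CloudZ/Pheno behaviours described above.

Added example, not code from the article, BleepingComputer or Cisco Talos.
Every log record below is constructed for the example: the field layout
mimics a Sysmon Event ID 1 (ProcessCreate) export and a generic web-proxy
log, and the task names, paths, hosts and IPs are placeholders, not IOCs.
"""
import re
from collections import defaultdict

# ---- 1. Persistence: scheduled task pointing at a binary in a user-writable
#         directory (e.g. a "ScreenConnect update" dropped into %TEMP%). ----

SYSMON_PROCESS_CREATE = [  # constructed Sysmon EID 1 records
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /tn "ScreenConnect Updater" '
                    r'/tr "C:\Users\alice\AppData\Local\Temp\sc_update.exe" /sc onlogon',
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\sc_update.exe"},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /tn "Adobe Acrobat Update Task" '
                    r'/tr "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" /sc daily',
     "ParentImage": r"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"},
]

# Locations a non-admin user can write to; legitimate installers rarely
# register a logon task whose target lives here.
USER_WRITABLE = re.compile(r"\\(Users\\[^\\]+\\AppData|ProgramData|Windows\\Temp)\\", re.I)


def suspicious_task_creations(events):
    """Return (task name, task target) for every schtasks /create whose target
    or creating parent process lives in a user-writable directory."""
    hits = []
    for ev in events:
        if not ev["Image"].lower().endswith("\\schtasks.exe"):
            continue
        cmd = ev["CommandLine"]
        if "/create" not in cmd.lower():
            continue
        tn = re.search(r'/tn\s+(?:"([^"]+)"|(\S+))', cmd, re.I)
        tr = re.search(r'/tr\s+"([^"]+)"', cmd, re.I)
        target = tr.group(1) if tr else ""
        if USER_WRITABLE.search(target) or USER_WRITABLE.search(ev["ParentImage"]):
            name = (tn.group(1) or tn.group(2)) if tn else "?"
            hits.append((name, target))
    return hits


# ---- 2. C2 traffic: one client cycling through a small fixed pool of
#         User-Agents towards one host, every request disabling caching. ----

# constructed proxy log; tab-separated: src_ip, dst_host, user_agent,
# Cache-Control request header, Pragma request header ("-" when absent)
PROXY_LOG = [
    "10.0.0.5\tupdates.cdn-example.test\tMozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0\tno-cache\tno-cache",
    "10.0.0.5\tupdates.cdn-example.test\tMozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Firefox/125.0\tno-cache\tno-cache",
    "10.0.0.5\tupdates.cdn-example.test\tMozilla/5.0 (Windows NT 10.0; Win64; x64) Edg/124.0\tno-cache\tno-cache",
    "10.0.0.5\tupdates.cdn-example.test\tMozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0\tno-cache\tno-cache",
    "10.0.0.7\twww.example.test\tMozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0\t-\t-",
    "10.0.0.7\twww.example.test\tMozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0\tmax-age=0\t-",
]


def parse_proxy_line(line):
    src, dst, ua, cache_control, pragma = line.rstrip("\n").split("\t")
    return {"src": src, "dst": dst, "ua": ua,
            "cache_control": cache_control, "pragma": pragma}


def ua_rotation_candidates(lines, min_distinct=3, max_distinct=5, min_requests=3):
    """Return (src_ip, dst_host) pairs where one client used a small fixed pool
    of distinct User-Agents against one host and every request carried a
    no-cache directive.  The upper bound matters: a browser keeps one UA per
    process, a rotating implant has a handful, while dozens of UAs from one
    source IP usually means a NAT or shared proxy, not a single implant."""
    by_pair = defaultdict(list)
    for rec in map(parse_proxy_line, lines):
        by_pair[(rec["src"], rec["dst"])].append(rec)
    flagged = []
    for pair, recs in by_pair.items():
        if len(recs) < min_requests:
            continue
        distinct_ua = {r["ua"] for r in recs}
        all_no_cache = all("no-cache" in (r["cache_control"] + r["pragma"]).lower()
                           for r in recs)
        if min_distinct <= len(distinct_ua) <= max_distinct and all_no_cache:
            flagged.append(pair)
    return flagged


if __name__ == "__main__":
    for name, target in suspicious_task_creations(SYSMON_PROCESS_CREATE):
        print(f"suspicious scheduled task {name!r} -> {target}")
    for src, dst in ua_rotation_candidates(PROXY_LOG):
        print(f"UA rotation with anti-caching headers: {src} -> {dst}")
```

Two caveats when adapting this to real telemetry. The first check only sees tasks created through schtasks.exe; a .NET loader can call the Task Scheduler API directly, which leaves no schtasks.exe process but does produce Security event 4698 (a scheduled task was created), so that event should feed the same heuristic. For the Phone Link database access itself, the practical hunt is file-access auditing (Security event 4663) on the Phone Link package data directory, which on current builds lives under %LOCALAPPDATA%\Packages\Microsoft.YourPhone_8wekyb3d8bbwe (verify the exact path on your build), alerting on any process other than PhoneExperienceHost.exe opening files there.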
Mitigation steps:
Move away from SMS-based OTPs. Prefer authenticator apps that generate codes on the device rather than delivering approval prompts as push notifications, since Phone Link can mirror the phone's notifications to the PC as well as its SMS messages. For more sensitive accounts, switch to phishing-resistant authentication such as hardware security keys. Hunt for, and block, the indicators of compromise published by Cisco Talos.
Affected products:
Microsoft Phone Link
Windows 10
Windows 11
ScreenConnect
Android devices
iOS devices
Related links:
Related CVEs:
Related threat actors:
IOCs:
URLs, file hashes for the malicious components, domains and IP addresses are available from Cisco Talos but are not listed in the article.
This article was created with the assistance of AI technology by Perceptive.
