A Windows malware toolkit that steals SMS messages and one-time passwords (OTPs) by abusing Microsoft's Phone Link application has been documented. Because Phone Link mirrors a paired phone's messages onto the PC, the malware can read mobile content from the computer without ever compromising the phone itself.
According to new research from Cisco Talos, the activity has been observed since at least January 2026. Two components are central to it: a remote access tool (RAT) tracked as CloudZ and a previously undocumented plugin named Pheno. Together they harvest user credentials and intercept authentication codes that Phone Link syncs from a paired smartphone; the application itself supplies the bridge between the mobile device and the victim's computer, and the malware simply reads from the PC side of it.
### The Role of Phone Link
Microsoft's Phone Link, previously called Your Phone, is a built-in feature of Windows 10 and 11. It mirrors notifications, SMS messages and call logs from a paired smartphone onto the desktop over Wi-Fi and Bluetooth. The synced content is kept in local SQLite database files on the PC, including one named PhoneExperiences-*.db. An attacker who already controls the PC can therefore read mobile communications from those files without ever touching the targeted smartphone, which is the whole point of the technique.
The Pheno plugin scans running processes for keywords associated with Phone Link, such as “YourPhone” and “Link to Windows.” On a match it writes the details of those processes to designated staging folders, then searches that output for the string “proxy,” which it treats as an indicator of an active Phone Link relay session. If the check passes, it labels the host “Maybe connected” and flags it for follow-up data collection by the operator. The label is only a heuristic: a Phone Link process that is present but idle will not be flagged, and nothing in the check confirms that messages are actually being synced.
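The triage heuristic described above, reconstructed as an added example for this page (it is not Pheno's code or anything published by Cisco Talos) so that defenders can see exactly what it keys on. The process names, paths and staging output below are constructed sample data; the real format of Pheno's staging files and what produces the “proxy” line are not described in the article, so the `captured_output` string is an assumption.

```python
"""Reconstruction of the Phone Link host-triage heuristic attributed to Pheno.

Added example: keyword scan over a process list, substring check for the relay
indicator, then a 'Maybe connected' label.  All sample data is constructed.
"""
from dataclasses import dataclass

# Keywords the article says Pheno looks for in running processes.
PHONE_LINK_KEYWORDS = ("YourPhone", "Link to Windows")
# Token the article says Pheno treats as evidence of an active relay session.
RELAY_TOKEN = "proxy"


@dataclass(frozen=True)
class Proc:
    pid: int
    name: str
    cmdline: str


def find_phone_link_processes(procs):
    """Return the processes whose name or command line contains a Phone Link keyword."""
    hits = []
    for p in procs:
        haystack = f"{p.name} {p.cmdline}".lower()
        if any(k.lower() in haystack for k in PHONE_LINK_KEYWORDS):
            hits.append(p)
    return hits


def relay_session_active(captured_output: str) -> bool:
    """Substring match on 'proxy' in the staged output (case-insensitive: assumption)."""
    return RELAY_TOKEN in captured_output.lower()


def classify_host(procs, captured_output: str) -> str:
    """Label the host the way the article says Pheno does.

    'Maybe connected' is the article's label; the other two labels are this
    example's own, added to make the negative cases explicit.
    """
    if not find_phone_link_processes(procs):
        return "No Phone Link"
    if relay_session_active(captured_output):
        return "Maybe connected"
    return "Phone Link present"


# Constructed process snapshot.  The Phone Link app ships in the
# Microsoft.YourPhone_8wekyb3d8bbwe package and runs as PhoneExperienceHost.exe;
# the version segment in the path below is made up.
SAMPLE_PROCS_ACTIVE = [
    Proc(812, "svchost.exe", r"C:\Windows\System32\svchost.exe -k netsvcs -p"),
    Proc(4120, "PhoneExperienceHost.exe",
         r"C:\Program Files\WindowsApps\Microsoft.YourPhone_1.24.0_x64__8wekyb3d8bbwe\PhoneExperienceHost.exe"),
    Proc(5220, "YourPhoneServer.exe",
         r"C:\Program Files\WindowsApps\Microsoft.YourPhone_1.24.0_x64__8wekyb3d8bbwe\YourPhoneServer\YourPhoneServer.exe"),
    Proc(6001, "chrome.exe", r"C:\Program Files\Google\Chrome\Application\chrome.exe"),
]
SAMPLE_PROCS_NONE = [
    Proc(812, "svchost.exe", r"C:\Windows\System32\svchost.exe -k netsvcs -p"),
    Proc(6001, "chrome.exe", r"C:\Program Files\Google\Chrome\Application\chrome.exe"),
]

# Constructed staging output: process details plus one line carrying the relay token.
SAMPLE_OUTPUT_ACTIVE = (
    "4120 PhoneExperienceHost.exe running\n"
    "5220 YourPhoneServer.exe running\n"
    "relay: proxy session established\n"
)
SAMPLE_OUTPUT_IDLE = (
    "4120 PhoneExperienceHost.exe running\n"
    "5220 YourPhoneServer.exe running\n"
)


if __name__ == "__main__":
    print(classify_host(SAMPLE_PROCS_ACTIVE, SAMPLE_OUTPUT_ACTIVE))   # Maybe connected
    print(classify_host(SAMPLE_PROCS_ACTIVE, SAMPLE_OUTPUT_IDLE))     # Phone Link present
    print(classify_host(SAMPLE_PROCS_NONE, SAMPLE_OUTPUT_ACTIVE))     # No Phone Link
```

The third case matters for defenders: the relay token alone does nothing unless a Phone Link process was matched first, so the exposure the plugin is looking for is specifically a paired, relaying Phone Link on the host, not any proxy usage.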
### Memory-Resident Execution and Anti-Analysis Techniques
The observed infection chain begins with a counterfeit ScreenConnect update; how victims are led to run it has not been determined. A Rust-compiled loader, seen under filenames such as systemupdates.exe, drops a .NET loader disguised as a text file, which in turn deploys CloudZ through regasm.exe, a legitimate signed .NET Framework utility. CloudZ is set up to launch at system startup under the SYSTEM account, giving it the highest available privileges on the host.
CloudZ is a .NET executable obfuscated with ConfuserEx and compiled in mid-January 2026. Cisco Talos notes several layers of anti-analysis: timing-based sleep checks, enumeration of well-known analysis tools such as Wireshark and Sysmon, and searches for virtual-machine indicators. In practice this means a default sandbox run may never reach the payload, so analysts should expect to neutralise the timing and tool checks before dynamic analysis shows anything useful.
Once running, the RAT can fetch secondary configuration from attacker-controlled staging servers or from public Pastebin pages. It rotates through three hardcoded User-Agent strings to blend its HTTP traffic with legitimate browser activity, and it supports a wide range of commands, from credential exfiltration to loading additional plugins and screen recording.
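Two of the behaviours above leave hunt-able traces: regasm.exe running as SYSTEM from a service or scheduled-task context, and a single client cycling through a fixed set of User-Agent strings against one destination. The following is an added example written for this page, not code from Cisco Talos or the malware; the Sysmon-style events, proxy log lines, hostnames and User-Agent strings are all constructed, and the parent-process and path heuristics are assumptions to be tuned per environment.

```python
"""Two hunts over constructed telemetry, written as an added example.

1. hunt_regasm: regasm.exe process creations running as SYSTEM under a
   service/task parent (Sysmon Event ID 1 style records, constructed).
2. find_rotating_clients: proxy log clients whose requests to one host keep
   switching User-Agent (constructed log lines; real UAs are not published here).
"""
import re
from collections import defaultdict

# --- Hunt 1: regasm.exe as SYSTEM from a non-interactive parent ---------------
SYSTEM_ACCOUNTS = {"nt authority\\system"}
# services.exe spawns services; the Schedule service (svchost) spawns scheduled tasks.
# Treating these as 'boot/task start' parents is an assumption for this example.
NONINTERACTIVE_PARENTS = {"services.exe", "svchost.exe"}
# User-writable locations where a COM-registered assembly rarely belongs (assumption).
WRITABLE_HINTS = ("\\programdata\\", "\\users\\", "\\temp\\", "\\appdata\\")

SAMPLE_EVENTS = [  # constructed, Sysmon Event ID 1 field names
    {"EventID": 1, "UtcTime": "2026-01-20 09:58:11", "ProcessId": 3310,
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe",
     "CommandLine": r'RegAsm.exe "C:\Program Files\Vendor\Interop.dll" /codebase',
     "User": r"CORP\dev", "ParentImage": r"C:\Program Files\Microsoft Visual Studio\Common7\IDE\devenv.exe"},
    {"EventID": 1, "UtcTime": "2026-01-20 10:00:02", "ProcessId": 5120,
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe",
     "CommandLine": r'RegAsm.exe C:\ProgramData\Updates\svc.dll',
     "User": r"NT AUTHORITY\SYSTEM", "ParentImage": r"C:\Windows\System32\svchost.exe"},
    {"EventID": 1, "UtcTime": "2026-01-20 10:03:40", "ProcessId": 6100,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "CommandLine": r'RegAsm.exe "C:\Program Files\Vendor\Interop.dll"',
     "User": r"NT AUTHORITY\SYSTEM", "ParentImage": r"C:\Windows\System32\msiexec.exe"},
    {"EventID": 1, "UtcTime": "2026-01-20 10:05:00", "ProcessId": 7001,
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": "chrome.exe", "User": r"CORP\dev", "ParentImage": r"C:\Windows\explorer.exe"},
]


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def assess_regasm(event):
    """Return a finding dict for a suspicious regasm.exe launch, else None."""
    if event.get("EventID") != 1 or basename(event.get("Image", "")) != "regasm.exe":
        return None
    as_system = event.get("User", "").lower() in SYSTEM_ACCOUNTS
    svc_parent = basename(event.get("ParentImage", "")) in NONINTERACTIVE_PARENTS
    writable = any(h in event.get("CommandLine", "").lower() for h in WRITABLE_HINTS)
    if not (as_system and svc_parent):      # installer (msiexec) runs as SYSTEM too; not flagged
        return None
    reasons = ["runs as SYSTEM", "parent is a service host (boot/task start)"]
    if writable:
        reasons.append("target assembly in user-writable path")
    return {"ProcessId": event["ProcessId"], "UtcTime": event["UtcTime"], "reasons": reasons}


def hunt_regasm(events):
    return [f for f in map(assess_regasm, events) if f]


# --- Hunt 2: User-Agent rotation against one destination ----------------------
UA_CHROME = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/120.0 Safari/537.36"
UA_FIREFOX = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0"
UA_EDGE = UA_CHROME + " Edg/120.0"


def _log(ts, src, url, ua):
    return f'{ts} {src} GET {url} "{ua}" 200'


SAMPLE_LOG = (
    # 10.0.0.5 cycles three UAs against one staging host (constructed malicious pattern)
    [_log(f"2026-01-20T10:0{i}:00Z", "10.0.0.5", "https://updates.example.invalid/cfg", ua)
     for i, ua in enumerate([UA_CHROME, UA_FIREFOX, UA_EDGE] * 2)]
    # 10.0.0.7 is an ordinary browser: one UA
    + [_log(f"2026-01-20T10:0{i}:05Z", "10.0.0.7", "https://intranet.example.invalid/", UA_CHROME)
       for i in range(6)]
    # 10.0.0.9 has two browsers open against the same site: two UAs, below threshold
    + [_log(f"2026-01-20T10:0{i}:07Z", "10.0.0.9", "https://intranet.example.invalid/", ua)
       for i, ua in enumerate([UA_CHROME, UA_EDGE] * 3)]
)

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)" (\d{3})$')


def parse_line(line: str):
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, src, _method, url, ua, status = m.groups()
    host = re.sub(r"^https?://", "", url).split("/", 1)[0]
    return {"ts": ts, "src": src, "host": host, "ua": ua, "status": int(status)}


def find_rotating_clients(lines, min_requests=6, min_distinct=3, min_change_ratio=0.8):
    """Flag (client, host) pairs whose consecutive requests keep changing User-Agent."""
    seqs = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            seqs[(rec["src"], rec["host"])].append((rec["ts"], rec["ua"]))
    findings = []
    for (src, host), reqs in seqs.items():
        reqs.sort()                                   # ISO-8601 timestamps sort lexically
        uas = [ua for _, ua in reqs]
        if len(uas) < min_requests or len(set(uas)) < min_distinct:
            continue
        changes = sum(1 for a, b in zip(uas, uas[1:]) if a != b)
        ratio = changes / (len(uas) - 1)
        if ratio >= min_change_ratio:
            findings.append({"src": src, "host": host, "requests": len(uas),
                             "distinct_ua": len(set(uas)), "change_ratio": round(ratio, 2)})
    return findings


if __name__ == "__main__":
    print(hunt_regasm(SAMPLE_EVENTS))
    print(find_rotating_clients(SAMPLE_LOG))
```

The regasm rule deliberately ignores the msiexec case: installers also run regasm as SYSTEM, so the discriminating signal is the service-host parent, with a user-writable assembly path as corroboration rather than a trigger. The User-Agent rule needs three or more distinct strings precisely because the article says CloudZ uses three; a client alternating between two browsers will not trip it, and privacy tooling that randomises User-Agent will, so treat hits as leads to pivot on, not verdicts.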
What makes this malware notable is the way it shifts the risk model for SMS-based multi-factor authentication (MFA). Controls that assume an OTP is only exposed on the phone no longer hold once the code is mirrored to a Windows endpoint: compromising the PC, which is often the enterprise-managed device, is enough to read it. Codes delivered by SMS are the exposed asset here; disabling message mirroring in Phone Link on managed endpoints removes the PC-side copy, and MFA methods that never transmit a reusable code, such as FIDO2 security keys or passkeys, are not exposed by this sync path.
Cisco Talos has published indicators of compromise (IOCs) and ClamAV signatures for the campaign so that defenders can identify and block the activity.

