CloudZ RAT Steals Your OTPs Through Microsoft Phone Link
Report says malware has operated since January
A new version of CloudZ RAT uses a malicious plugin called Pheno to extract sensitive data from Windows PCs by abusing Microsoft Phone Link. The campaign, discovered by Cisco Talos, has been active since at least January 2026.
The attack stands out because it does not require access to the victim’s phone. It targets the synced environment on the PC instead.
Attack targets synced messages and notifications
The Pheno plugin monitors active Phone Link sessions on infected systems and accesses the local SQLite database where messages and notifications are stored.
Attackers can extract SMS messages, one-time passwords, authenticator notifications, credentials, and other sensitive codes directly from the Windows device.
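The behaviour described above gives defenders a narrow thing to watch for: something other than the Phone Link host opening the synced message store. As an added illustration (not code from the report or from Cisco Talos), the script below runs that check over constructed file-open telemetry; the store path is a labelled placeholder because the report does not give it, and the allowed reader name PhoneExperienceHost.exe is an assumption.

```python
import fnmatch
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Placeholder: the report does not give the on-disk location of the Phone Link
# SQLite store, so substitute the real path for your environment here.
PHONE_LINK_STORE_GLOB = r"C:\Users\*\AppData\Local\Packages\<PHONE_LINK_PACKAGE_PLACEHOLDER>\*"
# Assumed legitimate reader of that store (assumption: the Phone Link host process).
ALLOWED_READERS = {"phoneexperiencehost.exe"}
# A SQLite database plus the side files a reader or writer may touch.
DB_SUFFIXES = (".db", ".db-wal", ".db-shm", ".db-journal", ".sqlite")


@dataclass(frozen=True)
class FileEvent:
    """One file-open event, e.g. from Sysmon or EDR file-access telemetry."""
    image: str  # full path of the process image that opened the file
    path: str   # full path of the file that was opened


def touches_phone_link_store(path: str) -> bool:
    """True if the path is a SQLite file inside the Phone Link package store."""
    lower = path.lower()
    return (fnmatch.fnmatchcase(lower, PHONE_LINK_STORE_GLOB.lower())
            and lower.endswith(DB_SUFFIXES))


def classify(ev: FileEvent) -> Optional[str]:
    """Return a finding label for a suspicious event, or None if benign."""
    if not touches_phone_link_store(ev.path):
        return None
    image_name = ev.image.lower().rsplit("\\", 1)[-1]
    if image_name in ALLOWED_READERS:
        return None
    return "unexpected-reader-of-phone-link-store"


def find_suspicious(events: List[FileEvent]) -> List[Tuple[FileEvent, str]]:
    """Filter a batch of events down to those worth an alert."""
    return [(ev, reason) for ev in events if (reason := classify(ev)) is not None]


# Constructed sample telemetry (not real data): a legitimate Phone Link read,
# a fake-update binary reading the message store's WAL file, and an unrelated .db.
STORE = r"C:\Users\alice\AppData\Local\Packages\<PHONE_LINK_PACKAGE_PLACEHOLDER>\LocalCache"
SAMPLE_EVENTS = [
    FileEvent(r"C:\Program Files\WindowsApps\PhoneLink\PhoneExperienceHost.exe", STORE + r"\messages.db"),
    FileEvent(r"C:\Users\alice\AppData\Roaming\ScreenConnectUpdate\update.exe", STORE + r"\messages.db-wal"),
    FileEvent(r"C:\Windows\System32\notepad.exe", r"C:\Users\alice\Documents\notes.db"),
]

if __name__ == "__main__":
    for ev, reason in find_suspicious(SAMPLE_EVENTS):
        print(f"{reason}: {ev.image} opened {ev.path}")
```

Only the fake-update binary's read of the WAL file is reported; in a real deployment the allow-list and store path come from an inventory of the Phone Link package on the host.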
SMS-based 2FA no longer reliable in this scenario
This method breaks a common security assumption. Users may believe their phone remains secure, yet attackers can still intercept authentication codes from the synced PC.
The result is a practical bypass of SMS-based two-factor authentication, turning the Windows endpoint into the weakest link.
Infection chain starts with fake ScreenConnect update
The attack begins with a fake update for ScreenConnect. Once executed, it deploys a Rust-based loader followed by a .NET loader.
CloudZ RAT installs itself on the system and creates a scheduled task to maintain persistence. From there, it enables file manipulation, command execution, screen recording, browser data theft, and full remote control.
Advanced evasion techniques make detection harder
CloudZ includes anti-analysis checks targeting tools like Wireshark, Fiddler, Procmon, and Sysmon. It also detects sandbox and virtual machine environments to avoid automated analysis.
The malware rotates user-agent strings to appear like normal browsers and uses anti-caching techniques for command-and-control traffic.
Security implications expand beyond mobile compromise
This campaign shows how legitimate system apps can expand the attack surface. Attackers no longer need to breach a smartphone to access sensitive data.
Avoid SMS-based OTPs when possible. Use authenticator apps without notification previews and switch to phishing-resistant methods such as hardware security keys. Monitor indicators of compromise published by Cisco Talos, including domains, hashes, and IP addresses.
Other security developments
In separate incidents, NVIDIA GeForce NOW experienced a partner-related breach, though the main platform remained unaffected. Microsoft also confirmed that its April 2026 update can trigger backup issues due to kernel driver blocking.
Meanwhile, reports of the Cerdigent threat continue to spread, but many detections appear to be false positives linked to revoked certificates rather than active infections.