Stealthy malware abuses Microsoft Phone Link to extract SMS OTPs from business PCs

A newly identified malware campaign abuses Microsoft’s Phone Link feature to capture SMS-based one-time passwords and other sensitive mobile data directly from Windows endpoints.
The campaign, first spotted by Cisco Talos in January 2026, pairs a remote access trojan called CloudZ with a custom plugin called Pheno; together they allow attackers to harvest credentials and capture authentication codes synced from a user’s smartphone, Talos researchers Alex Karkins and Chetan Raghuprasad wrote in a blog post.
“According to the CloudZ RAT and Pheno plugin functionality, this was intended to steal victims’ credentials and possible one-time passwords (OTPs),” the researchers wrote.
The attack does not target the mobile device itself. Instead, it abuses the trust relationship between a phone and a Windows PC by monitoring the data the Phone Link app displays and stores on the desktop, the blog post said.
CloudZ “uses a custom Pheno plugin to hijack a fixed PC-to-phone bridge by exploiting the Microsoft Phone Link system, allowing the plugin to continue scanning active Phone Link processes and be able to receive sensitive mobile data such as SMS and OTPs without installing malware on the phone,” the Talos report said.
This removes the need to compromise the mobile device at all, which the researchers say makes the intrusion harder for corporate defenders to notice.
It adds to a growing body of attacks that bypass SMS- and app-based MFA by extracting authentication codes from compromised Windows systems to which mobile data is synced.
Microsoft did not immediately respond to a request for comment.
Phone Link Data becomes an attack surface
Microsoft Phone Link, formerly known as Your Phone, is a built-in Windows feature that connects a PC to a smartphone and displays messages, notifications, and calls on the desktop.
Pheno is designed to access Phone Link data stored locally on a Windows system. According to the advisory, an attacker using CloudZ “could access Phone Link’s SQLite database on the victim’s machine, potentially compromising SMS-based OTP messages and other authentication notification messages.”
Because this data resides on the endpoint, the technique shifts the risk from the mobile device to the enterprise-managed Windows system, potentially bypassing controls that focus on mobile device security.
A multi-stage infection chain
The infection chain begins with an unknown initial access vector, followed by delivery of a malicious file disguised as a ScreenConnect update, Talos said.
The first payload is a Rust-compiled loader that uses filenames such as “systemupdates.exe” and drops a .NET loader, disguised as a text file, into a system directory, the post said.
Persistence is established through an entry named “SystemWindowsApis” that launches the loader with elevated privileges via the legitimate regasm.exe utility, the researchers wrote.
The .NET loader performs anti-analysis checks before downloading CloudZ: it runs multiple checks for security tools and sandbox environments before executing the payload in memory, the report said.
It “calculates the actual elapsed time of the sleep command to determine if it is being used in the analysis environment,” and scans for tools such as Wireshark, Fiddler, Procmon, and Sysmon. “The .NET loader exits execution if these are found in the victim’s environment,” the blog post added.
The CloudZ payload is then loaded into memory and executed, it says.
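The loader stage above gives defenders a concrete hunting hook: a .NET assembly that is not a .dll or .exe being handed to regasm.exe, launched from a user-writable staging path. The following is an added example written for this article, not code from the Talos report or from the malware itself. It runs a simple rule over constructed Sysmon-style Event ID 1 (process creation) records; the sample events, the path heuristics in USER_WRITABLE_HINTS, and the file names other than "systemupdates.exe" are assumptions made for illustration.

```python
"""Hunt rule for the regasm.exe loader stage: flag RegAsm.exe invocations whose
assembly argument is not a .dll/.exe, or whose parent process runs from a
user-writable location. Operates on Sysmon-style Event ID 1 records."""
import shlex
from pathlib import PureWindowsPath

# Path fragments that mark user-writable staging locations (heuristic, assumed).
USER_WRITABLE_HINTS = ("\\temp\\", "\\appdata\\", "\\downloads\\", "\\public\\")

# Constructed sample events for this example; not telemetry from the Talos report.
SAMPLE_EVENTS = [
    {   # Rust loader (file name as on the page) handing a ".txt" assembly to RegAsm.exe
        "EventID": 1,
        "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe",
        "CommandLine": r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe" C:\Windows\Temp\update.txt',
        "ParentImage": r"C:\Users\alice\AppData\Local\Temp\systemupdates.exe",
    },
    {   # Legitimate installer registering a COM interop assembly (hypothetical vendor)
        "EventID": 1,
        "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe",
        "CommandLine": r'RegAsm.exe /codebase "C:\Program Files\Vendor\Vendor.Interop.dll"',
        "ParentImage": r"C:\Program Files\Vendor\setup.exe",
    },
    {   # Unrelated process creation
        "EventID": 1,
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "cmd.exe /c whoami",
        "ParentImage": r"C:\Windows\explorer.exe",
    },
]


def assembly_argument(command_line):
    """Return the first non-switch argument after the image, i.e. RegAsm's assembly path."""
    # posix=False keeps backslashes intact and keeps quoted paths with spaces as one token
    tokens = [t.strip('"') for t in shlex.split(command_line, posix=False)]
    for tok in tokens[1:]:
        if tok.startswith(("/", "-")):   # /codebase, /u, /tlb:... are switches, not the assembly
            continue
        return tok
    return None


def evaluate(event):
    """Return the list of reasons the event looks like loader abuse (empty = benign)."""
    if event.get("EventID") != 1:
        return []
    if PureWindowsPath(event["Image"]).name.lower() != "regasm.exe":
        return []
    reasons = []
    arg = assembly_argument(event["CommandLine"])
    if arg is None:
        reasons.append("regasm.exe launched without an assembly argument")
    else:
        suffix = PureWindowsPath(arg).suffix.lower()
        if suffix not in {".dll", ".exe"}:
            reasons.append(f"assembly argument {arg!r} has unexpected extension {suffix or '(none)'!r}")
    parent = event.get("ParentImage", "").lower()
    if any(hint in parent for hint in USER_WRITABLE_HINTS):
        reasons.append(f"parent {parent!r} runs from a user-writable location")
    return reasons


def hunt(events):
    """Return (index, reasons) for every event that trips the rule."""
    hits = []
    for i, ev in enumerate(events):
        reasons = evaluate(ev)
        if reasons:
            hits.append((i, reasons))
    return hits


if __name__ == "__main__":
    for idx, reasons in hunt(SAMPLE_EVENTS):
        print(f"event {idx}: " + "; ".join(reasons))
```

Expect some noise from installers that register COM assemblies; the extension check and the parent-path check are independent signals, and in practice the two together (a non-.dll argument from a parent in Temp or AppData) is the combination worth paging on. Pair it with the Talos Snort rules and hashes rather than relying on either alone.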
RAT enables credential theft and plugin delivery
CloudZ establishes an encrypted connection to the command-and-control server and supports a range of operations, including credential harvesting, file operations, and remote command execution, Talos said.
The malware also retrieves secondary configuration data from infrastructure controlled by the attacker.
The Talos researchers wrote that the RAT downloads configuration data from remote servers and “extracts the C2 server’s IP address … and port number … establishing communication over TCP sockets.”
It also spoofs user-agent strings so that its traffic blends in with legitimate browser activity, the researchers noted.
The Pheno plugin monitors active device synchronization
The Pheno plugin is responsible for identifying active Phone Link sessions and enabling data interception.
“It scans all running processes for specific keywords such as ‘YourPhone,’ ‘PhoneExperienceHost,’ or ‘Connect to Windows,'” and records the results, the report says.
The plugin then checks for the proxy connection Phone Link uses to relay data between the two devices.
“The presence of a ‘proxy’ … indicates that the Phone Link channel is routing traffic through its relay channel,” the researchers wrote.
If such activity is detected, the plugin flags the system as connected, “allowing an attacker at the end … to be able to monitor SMS or OTP requests from the Phone Link application,” according to the report.
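Pheno runs inside the compromised PC and reads what Phone Link has already synced, so the defender-side signal is not on the phone but in who touches Phone Link's local data on the endpoint. The following is an added example written for this article, not code from the Talos report. It assumes file-access telemetry (for instance Windows object-access auditing, Event ID 4663, or an EDR file event) that exposes the accessing process image and the target path, and it assumes Phone Link's local data lives under the package directory Microsoft.YourPhone_8wekyb3d8bbwe; the allowlisted binaries, the database file names and the sample events are constructed for illustration and should be verified against a baseline of your own builds.

```python
"""Hunt for processes other than Phone Link's own touching Phone Link's local data.
Operates on file-access records carrying the accessing process image and target path."""
from pathlib import PureWindowsPath

# Phone Link's package family name (assumed; verify on your build).
PHONE_LINK_PACKAGE = "microsoft.yourphone_8wekyb3d8bbwe"
# Binaries that legitimately own that data (assumed starting list; extend after baselining).
PHONE_LINK_IMAGES = {"phoneexperiencehost.exe", "yourphone.exe"}
# File types that carry synced message content (SQLite database plus its journal files).
DATA_EXTENSIONS = {".db", ".db-wal", ".db-shm", ".sqlite"}

# Constructed sample file-access events for this example; not telemetry from the Talos report.
SAMPLE_EVENTS = [
    {   # Phone Link itself reading its own store
        "Image": r"C:\Program Files\WindowsApps\Microsoft.YourPhone_1.0.0.0_x64__8wekyb3d8bbwe\PhoneExperienceHost.exe",
        "TargetFilename": r"C:\Users\alice\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\LocalCache\Indexed\sms.db",
    },
    {   # Unknown binary in a temp directory reading the same database
        "Image": r"C:\Windows\Temp\svchost_update.exe",
        "TargetFilename": r"C:\Users\alice\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\LocalCache\Indexed\sms.db",
    },
    {   # Same binary touching a non-database file inside the package directory
        "Image": r"C:\Windows\Temp\svchost_update.exe",
        "TargetFilename": r"C:\Users\alice\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\Settings\settings.dat",
    },
    {   # Unrelated file access
        "Image": r"C:\Windows\explorer.exe",
        "TargetFilename": r"C:\Users\alice\Desktop\notes.txt",
    },
]


def in_phone_link_store(path):
    """True if the path lies inside Phone Link's per-user package directory."""
    return f"\\packages\\{PHONE_LINK_PACKAGE}\\" in path.lower()


def classify(event):
    """Return (severity, reason) for a suspicious access, or None if benign."""
    target = event["TargetFilename"]
    if not in_phone_link_store(target):
        return None
    image = PureWindowsPath(event["Image"]).name.lower()
    if image in PHONE_LINK_IMAGES:
        return None
    name = PureWindowsPath(target).name
    suffix = PureWindowsPath(target).suffix.lower()
    if suffix in DATA_EXTENSIONS:
        # Message store itself: this is where synced SMS and OTP text would be read from.
        return ("high", f"{image} read Phone Link message store {name}")
    return ("low", f"{image} touched Phone Link package file {name}")


def hunt(events):
    """Return (index, severity, reason) for every event classify() does not clear."""
    hits = []
    for i, ev in enumerate(events):
        verdict = classify(ev)
        if verdict is not None:
            hits.append((i, verdict[0], verdict[1]))
    return hits


if __name__ == "__main__":
    for idx, severity, reason in hunt(SAMPLE_EVENTS):
        print(f"[{severity}] event {idx}: {reason}")
```

Backup agents, search indexers and antivirus engines will read these files legitimately, so baseline first and add verified images to the allowlist rather than widening the rule. Note that the accessing image will be whatever process hosts CloudZ and its plugin, which is why the rule keys on the data being read rather than on any malware file name.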
Talos released detection signatures and indicators of compromise, including malware hashes, command-and-control infrastructure, and Snort rules related to the operation.
Cisco Talos did not attribute the campaign to a known threat actor.
