<h1>Stealthy malware abuses Microsoft Phone Link to siphon SMS OTPs from enterprise PCs</h1>
<p>Published 2026-05-05 on newestek.com (https://newestek.com/?p=16172).</p>
<p>A newly identified malware campaign is abusing Microsoft’s Phone Link feature to intercept SMS-based one-time passwords and other sensitive mobile data directly from Windows systems.</p>
<p>The activity, first observed by Cisco Talos in January 2026, involves a remote access trojan dubbed CloudZ and a custom plugin named Pheno that together allow attackers to harvest credentials and potentially capture authentication codes synced from a user’s smartphone, Talos researchers Alex Karkins and Chetan Raghuprasad wrote in a blog post.</p>
<p>“According to the functionalities of the CloudZ RAT and Pheno plugin, this was with the intention of stealing victims’ credentials and potentially one-time passwords (OTPs),” the researchers wrote.</p>
<p>The attack does not target the mobile device itself. Instead, it exploits the trust relationship between phones and Windows PCs by monitoring data mirrored through the Phone Link application, the blog post said.</p>
<p>CloudZ “utilizes the custom Pheno plugin to hijack the established PC-to-phone bridge by abusing the Microsoft Phone Link application, allowing the plugin to continuously scan for active Phone Link processes and potentially intercept sensitive mobile data like SMS and OTPs without deploying malware on the phone,” the Talos report said.</p>
<p>The technique sidesteps the need to compromise the mobile device itself, which the researchers said makes the intrusion notable to enterprise defenders.</p>
<p>It adds to a growing body of attacker tradecraft aimed at <a href="https://www.csoonline.com/article/4147134/your-mfa-isnt-broken-its-being-bypassed-and-your-employees-cant-tell-the-difference.html">bypassing</a> SMS- and app-based MFA by extracting authentication codes from compromised Windows systems where mobile data is synced.</p>
<p>Microsoft did not immediately respond to a request for comment.</p>
<h2 id="phone-link-data-becomes-an-attack-surface">Phone Link data becomes an attack surface</h2>
<p>Microsoft Phone Link, previously known as Your Phone, is a built-in Windows feature that connects a PC to a smartphone and mirrors messages, notifications, and calls on the desktop.</p>
<p>Pheno is designed to locate the Phone Link data stored locally on the Windows system. According to the advisory, the attacker using CloudZ “can potentially intercept the Phone Link application’s SQLite database file on the victim machine, potentially compromising SMS-based OTP messages and other authenticator application notification messages.”</p>
<p>Because this data resides on the endpoint, the technique shifts risk from mobile devices to enterprise-managed Windows systems, potentially bypassing controls focused on securing smartphones.</p>
<h2 id="multi-stage-infection-chain">Multi-stage infection chain</h2>
<p>The intrusion begins with an unknown initial access vector, followed by the execution of a malicious file disguised as a ScreenConnect update, Talos said.</p>
<p>The initial payload is a Rust-compiled loader using filenames such as “systemupdates.exe,” which drops a .NET loader disguised as a text file in a system directory, the post said.</p>
<p>Persistence is established through a scheduled task named “SystemWindowsApis” that runs at startup with elevated privileges using the legitimate regasm.exe utility, the researchers wrote in the blog.</p>
<p>The .NET loader runs anti-analysis checks before unpacking CloudZ. It performs multiple checks to detect security tools and sandbox environments before executing the payload in memory, the report said.</p>
<p>It “calculates the actual elapsed time of a sleep command to detect if it is executed in the analysis environment,” and scans for tools such as Wireshark, Fiddler, Procmon, and Sysmon. “The .NET loader exits the execution if these are detected in the victim environment,” the blog post added.</p>
<p>The CloudZ payload is then decrypted in memory and executed, it said.</p>
<h2 id="rat-enables-credential-theft-and-plugin-delivery">RAT enables credential theft and plugin delivery</h2>
<p>CloudZ establishes an encrypted connection to a command-and-control server and supports a range of functions, including credential harvesting, file operations, and remote command execution, Talos said.</p>
<p>The malware also retrieves secondary configuration data from attacker-controlled infrastructure.</p>
<p>The Talos researchers wrote that the RAT downloads configuration data from remote servers and “extracts the C2 server IP address … and port number … establishing connections through TCP sockets.”</p>
<p>It also rotates user-agent strings to blend its traffic with legitimate browser activity, the researchers noted.</p>
<h2 id="pheno-plugin-monitors-active-device-sync">Pheno plugin monitors active device sync</h2>
<p>The Pheno plugin is responsible for identifying active Phone Link sessions and enabling data interception.</p>
<p>It “scans all running processes for specific keywords such as ‘YourPhone,’ ‘PhoneExperienceHost,’ or ‘Link to Windows,’” and logs results locally, the report said.</p>
<p>The plugin then checks for evidence of a proxy connection used by Phone Link to relay data between devices.</p>
<p>“The presence of ‘proxy’ … indicates that the Phone Link session is actively routing traffic through its relay channel,” the researchers wrote.</p>
<p>When such activity is detected, the plugin flags the system as connected, which “eventually allows the attacker … to potentially monitor SMS or OTP requests that appear on the Phone Link application,” according to the report.</p>
<p>Talos has released detection signatures and indicators of compromise, including malware hashes, command-and-control infrastructure, and Snort rules associated with the activity.</p>
<p>Cisco Talos did not attribute the activity to a known threat actor.</p>