TechRadar
Sead Fadilpašić

Experts warn Microsoft Phone Link tool exploited by 'unknown threat' to steal SMS and OTP info

A phone held in front of a laptop displaying two-factor authentication.
  • A new CloudZ plugin, Pheno, hijacks Microsoft Phone Link to steal SMS and OTPs from connected Android devices
  • This enables attackers to bypass 2FA without compromising the phone itself
  • The RAT retains full remote access capabilities, with researchers urging a shift away from SMS‑based authentication

A new version of the CloudZ remote access trojan (RAT) for Windows now comes with a new plugin that steals data from a connected Android device, experts have revealed.

Security researchers Cisco Talos recently spotted the upgraded variant while investigating a breach that has been ongoing since January 2026.

Windows 10 and 11 operating systems have a feature called Microsoft Phone Link, which allows users to connect their Android and iOS mobile devices to their computers. They can then use their computers to take and make calls, text people, and more, without needing to pick up the smartphone.

Stealing 2FA and OTPs

While it is certainly a handy feature for answering group WhatsApp and Telegram messages, it is even more useful when the phone is needed for two-factor authentication (2FA). That is precisely why CloudZ now ships with a new plugin called Pheno.

Which brings us to today.

By hijacking the connection, the threat actors can exfiltrate not just credentials but also the temporary one-time passwords sent to the mobile device, without needing to compromise the phone itself.

Pheno works by monitoring for active Phone Link sessions and accessing the local SQLite database that contains SMS and one-time passwords (OTP).
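The article describes Pheno reading the SQLite database that Phone Link keeps locally. From a defender's side, the natural check is whether any process other than the Phone Link app opens that database (or its SQLite write-ahead log, which holds the most recently written rows). The following is an added example, not code from the article or from Cisco Talos: the database path hint, the expected process name and the audit events are all constructed placeholders, since the article does not publish those values.

```python
"""Added example (not from the article or Cisco Talos): flag processes other
than the Phone Link app that open Phone Link's local SQLite database.

Everything below is a placeholder or constructed sample: PHONE_LINK_DB_HINT
and EXPECTED_PROCESS are hypothetical values to be replaced with the ones
observed in your own environment, and SAMPLE_EVENTS imitates file-access
audit records (Sysmon/EDR style) rather than reproducing real telemetry."""

from dataclasses import dataclass
from typing import Iterable, List

# Hypothetical placeholder: a substring that identifies the Phone Link data
# directory on disk. Not a value published in the article.
PHONE_LINK_DB_HINT = "<phonelink-data-dir-placeholder>"
# Hypothetical placeholder: the process legitimately expected to open it.
EXPECTED_PROCESS = "placeholder_phonelink.exe"
# SQLite main file plus its write-ahead log and shared-memory sidecars;
# the -wal file contains committed rows not yet checkpointed into the .db.
SQLITE_SUFFIXES = (".db", ".sqlite", ".db-wal", ".db-shm")


@dataclass(frozen=True)
class FileAccessEvent:
    timestamp: str
    process: str   # image name of the process that opened the file
    path: str      # full path of the file that was opened
    access: str    # "read" or "write"


def is_suspicious(event: FileAccessEvent) -> bool:
    """True when a process other than the expected one touches the
    Phone Link SQLite database or one of its sidecar files."""
    path = event.path.lower()
    if PHONE_LINK_DB_HINT.lower() not in path:
        return False
    if not path.endswith(SQLITE_SUFFIXES):
        return False
    return event.process.lower() != EXPECTED_PROCESS.lower()


def find_suspicious(events: Iterable[FileAccessEvent]) -> List[FileAccessEvent]:
    """Filter an audit stream down to the events worth triaging."""
    return [e for e in events if is_suspicious(e)]


# Constructed sample telemetry: two legitimate opens by the expected process,
# two opens by an unrelated process, and one unrelated file access.
SAMPLE_EVENTS = [
    FileAccessEvent("2026-03-01T09:00:00", "placeholder_phonelink.exe",
                    "C:\\<phonelink-data-dir-placeholder>\\messages.db", "read"),
    FileAccessEvent("2026-03-01T09:00:05", "placeholder_phonelink.exe",
                    "C:\\<phonelink-data-dir-placeholder>\\messages.db-wal", "write"),
    FileAccessEvent("2026-03-01T09:03:00", "unknown_process.exe",
                    "C:\\<phonelink-data-dir-placeholder>\\messages.db", "read"),
    FileAccessEvent("2026-03-01T09:03:01", "unknown_process.exe",
                    "C:\\<phonelink-data-dir-placeholder>\\messages.db-wal", "read"),
    FileAccessEvent("2026-03-01T09:04:00", "explorer.exe",
                    "C:\\Users\\alice\\Documents\\notes.txt", "read"),
]

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS):
        print(f"{hit.timestamp} {hit.process} {hit.access} {hit.path}")
```

Two triage hits come out of the constructed sample, both from the unrelated process, and the sidecar rule is what catches the second one: an attacker copying only the `.db-wal` file would otherwise slip past a rule keyed on the `.db` extension alone.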

“With a confirmed Phone Link activity on the victim's machine, the attacker using the CloudZ RAT can potentially intercept the Phone Link application’s SQLite database file on the victim's machine, potentially compromising SMS-based OTP messages and other authenticator application notification messages,” Cisco Talos said.

Other than that, CloudZ comes with all the usual RAT capabilities, such as tampering with files, executing shell commands, recording the screen, and more. It tries to hide its activity by rotating between three hardcoded user-agent strings, making HTTP traffic appear as legitimate browser requests.
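Rotating between a few hardcoded user-agent strings makes each request look like a browser, but it also leaves a pattern a proxy log can reveal: one client cycling through a small, fixed set of user agents, each reused over and over within a short window. The script below is an added example (not from the article or Cisco Talos) of that hunt over constructed proxy log lines; the user-agent strings and hosts in the sample are illustrative stand-ins, not the ones CloudZ uses, and the window and threshold values are assumptions to tune against your own baseline.

```python
"""Added example (not from the article or Cisco Talos): hunt proxy logs for a
client that rotates among a small fixed set of User-Agent strings.

The log format, the log lines and the User-Agent strings are constructed
for this example; tune the window and thresholds against a real baseline."""

import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed log format: <iso-timestamp> <client-ip> <host> "<user-agent>"
LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) "([^"]*)"$')


def parse(lines):
    """Parse log lines into (timestamp, client_ip, host, user_agent) tuples,
    skipping malformed lines rather than aborting the hunt."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append((datetime.fromisoformat(m.group(1)),
                       m.group(2), m.group(3), m.group(4)))
    return events


def rotating_clients(events, window=timedelta(minutes=10),
                     min_agents=2, max_agents=5, min_uses=2):
    """Return {client_ip: set_of_user_agents} for clients that, within any
    single window, reuse between min_agents and max_agents distinct
    User-Agent strings at least min_uses times each. The upper bound
    separates a small hardcoded set from a NAT gateway behind which many
    different browsers legitimately sit."""
    by_client = defaultdict(list)
    for ts, ip, _host, ua in events:
        by_client[ip].append((ts, ua))

    hits = {}
    for ip, recs in by_client.items():
        recs.sort()
        for i, (t0, _) in enumerate(recs):
            # Sliding window starting at each record.
            counts = Counter(ua for ts, ua in recs[i:] if ts - t0 <= window)
            steady = {ua for ua, n in counts.items() if n >= min_uses}
            if min_agents <= len(steady) <= max_agents:
                hits[ip] = steady
                break
    return hits


def hunt(lines):
    """Convenience wrapper: raw log lines in, flagged clients out."""
    return rotating_clients(parse(lines))


# Constructed sample: 10.0.0.5 cycles through three user agents against one
# host; 10.0.0.7 is a single browser; 10.0.0.9 is a browser plus a one-off
# updater request, which should not trip the rule. One line is malformed.
SAMPLE_LOG = """\
2026-03-01T09:00:00 10.0.0.5 c2-placeholder.invalid "Mozilla/5.0 (constructed UA A)"
2026-03-01T09:01:00 10.0.0.5 c2-placeholder.invalid "Mozilla/5.0 (constructed UA B)"
2026-03-01T09:02:00 10.0.0.5 c2-placeholder.invalid "Mozilla/5.0 (constructed UA C)"
2026-03-01T09:03:00 10.0.0.5 c2-placeholder.invalid "Mozilla/5.0 (constructed UA A)"
2026-03-01T09:04:00 10.0.0.5 c2-placeholder.invalid "Mozilla/5.0 (constructed UA B)"
2026-03-01T09:05:00 10.0.0.5 c2-placeholder.invalid "Mozilla/5.0 (constructed UA C)"
2026-03-01T09:00:30 10.0.0.7 www.example.com "Mozilla/5.0 (constructed UA A)"
2026-03-01T09:02:30 10.0.0.7 www.example.com "Mozilla/5.0 (constructed UA A)"
2026-03-01T09:01:00 10.0.0.9 www.example.com "Mozilla/5.0 (constructed UA A)"
2026-03-01T09:01:10 10.0.0.9 www.example.com "Mozilla/5.0 (constructed UA A)"
2026-03-01T09:01:20 10.0.0.9 www.example.com "constructed-updater/1.0"
this line is malformed and is skipped by the parser
"""

if __name__ == "__main__":
    for ip, agents in hunt(SAMPLE_LOG.splitlines()).items():
        print(ip, sorted(agents))
```

This is a hunting heuristic rather than a hard detection: it surfaces only `10.0.0.5` in the constructed sample, but real environments have hosts with several legitimate user agents (a browser plus updaters and telemetry clients), so the `min_uses` and `max_agents` bounds need a baseline before the output is worth alerting on.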

Cisco Talos was not able to determine how the victims got infected by CloudZ but warned that users should avoid SMS-based OTP services and should instead use authenticator apps that don’t require interceptable push notifications.

Via BleepingComputer
