Attackers have found a way to intercept SMS-based one-time passwords from a victim’s mobile device without deploying a single line of malware on the phone itself. Instead, they go through the Windows PC the phone is already connected to.
Researchers documented an active intrusion campaign active since at least January 2026, that combines a remote access trojan called “CloudZ” with a previously undocumented plugin named “Pheno.” Together the two tools are designed to steal credentials and harvest authentication codes that arrive on a victim’s phone by abusing Microsoft Phone Link, a legitimate Windows application built into every Windows 10 and 11 system.
Microsoft Phone Link, formerly “Your Phone,” is a synchronization tool that bridges a user’s Android or iOS device to their Windows PC, mirroring calls, messages, and app notifications directly onto the desktop.
Pheno exploits that bridge. It continuously scans running processes for keywords including “YourPhone,” “PhoneExperienceHost,” and “Link to Windows” to detect an active phone connection. When one is found, the plugin writes “Maybe connected” to a local staging file and gains access to the Phone Link application’s local SQLite database. It is a file that can contain SMS messages and authenticator app notification content, including OTP codes.
The attack never targets the mobile device directly. It targets the enterprise-managed Windows endpoint the device trusts, bypassing security controls focused on securing smartphones rather than the desktop layer they sync with.
Also read: Infostealers and Lack of MFA Led to Dozens of Major Breaches
CloudZ is a modular .NET RAT compiled on January 13, and obfuscated with ConfuserEx. Beyond loading Pheno, it supports credential harvesting from web browsers, file operations, remote command execution, and host profiling.
It establishes an encrypted TCP connection to its command-and-control server and rotates between three hardcoded user-agent strings to make its traffic blend with legitimate browser requests. To evade analysis, CloudZ detects .NET debuggers and profilers via environment variable queries and generates its executable functions dynamically in memory — meaning the most sensitive code never sits as a static binary on disk.
The infection chain begins with a fake ScreenConnect application update. ScreenConnect is a legitimate remote support tool commonly used in enterprise environments. Executing the fake update drops a Rust-compiled loader, which in turn deploys a .NET loader that installs CloudZ and establishes persistence via a scheduled task. The .NET loader performs thorough sandbox checks, scanning for analysis tools including Wireshark, Fiddler, Procmon, and Sysmon before proceeding.
Cisco Talos researchers did not attribute the campaign to a known threat actor. The initial access vector also remains unidentified.
