Cyberwire Daily
CloudZ Malware Abuses Phone Link to Steal SMS OTPs

By Team-CWD, May 6, 2026 (3 min read)
A Windows malware toolkit has been observed stealing SMS messages and one-time passwords (OTPs) from victim machines by hijacking Microsoft’s Phone Link application, sidestepping the need to directly compromise a target’s mobile device.

The activity has been ongoing since at least January 2026, according to new analysis from Cisco Talos researchers.

At the heart of the operation are a remote access tool (RAT) called CloudZ and a previously undocumented plugin named Pheno. The tools work together to harvest credentials and intercept authentication codes synced from a paired smartphone.

Phone Link as a Bridge to Mobile Data

Microsoft Phone Link, formerly known as Your Phone, is built into Windows 10 and 11 and mirrors smartphone notifications, SMS messages and call logs onto the desktop over Wi-Fi and Bluetooth.

Synchronized data is written to local SQLite database files on the PC, including one named PhoneExperiences-*.db. Cisco Talos said this design allowed attackers to capture mobile content from the endpoint without ever touching the phone.

The Pheno plugin continuously scans running processes for keywords associated with Phone Link, such as YourPhone, PhoneExperienceHost and Link to Windows.

When a match is found, it logs the process details to staging folders and then checks the output for the string “proxy”, which indicates the local relay used by an active Phone Link session.

If a live session is confirmed, Pheno tags the system as “Maybe connected”, flagging it for follow-on data collection by the operator.

Memory-Resident Execution and Anti-Analysis

The observed infection chain began with the execution of a fake ScreenConnect update, the initial access vector for which remains unknown at the time of writing.

A Rust-compiled loader, using filenames such as systemupdates.exe, dropped a .NET loader disguised as a text file, which in turn deployed CloudZ via the legitimate regasm.exe binary. CloudZ was then scheduled to run at system startup under the SYSTEM account.

CloudZ itself is a .NET executable obfuscated with ConfuserEx and compiled in mid-January 2026. Talos observed multiple anti-analysis layers, including timing-based sleep checks, enumeration of security tools such as Wireshark, Procmon and Sysmon, and searches for virtual machine indicators in the system path and hostname.

The RAT pulls secondary configuration from attacker-controlled staging servers and Pastebin pages, rotates through three hardcoded user-agent strings to blend HTTP traffic with legitimate browser activity, and supports commands ranging from credential exfiltration to plugin loading and screen recording.
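As an added example (not code from the article or from Cisco Talos), the following Python turns the behaviours reported above into three hunting heuristics and runs them over constructed telemetry records: regasm.exe started as SYSTEM with a payload that is not a .dll assembly, a process named like the fake updater spawning a .NET framework binary, and a non-Phone-Link process touching a PhoneExperiences-*.db file. The event schema, the sample file paths and the updater-name regex are assumptions; only the Phone Link process names, regasm.exe, the SYSTEM account, the systemupdates.exe filename and the PhoneExperiences-*.db name come from the article.

```python
"""Hunting heuristics for the CloudZ/Pheno tradecraft described above.

Added example, not Talos detection content.  The Event shape and every
sample record below are constructed for illustration.
"""
import fnmatch
import re
from collections import Counter
from dataclasses import dataclass

# Phone Link host processes named in the article; anything else opening the
# sync database is the anomaly worth reviewing.
PHONE_LINK_PROCESSES = {"phoneexperiencehost.exe", "yourphone.exe"}
SYNC_DB_PATTERN = "phoneexperiences-*.db"        # filename from the article
# The campaign used systemupdates.exe; the regex is an assumption that
# tolerates small variations of that name.
UPDATER_NAME = re.compile(r"^system[_-]?updates?\.exe$")


@dataclass
class Event:
    kind: str                  # "process_create" or "file_access" (assumed schema)
    image: str                 # full path of the acting process
    user: str = ""
    command_line: str = ""
    parent_image: str = ""
    target_filename: str = ""  # file_access only


@dataclass
class Finding:
    rule: str
    image: str
    detail: str


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def rule_regasm_as_system(ev: Event):
    """regasm.exe running as SYSTEM with a payload that is not a .dll assembly.

    The article: CloudZ was deployed through regasm.exe from a loader
    disguised as a text file and ran under the SYSTEM account."""
    if ev.kind != "process_create" or _basename(ev.image) != "regasm.exe":
        return None
    if not ev.user.upper().endswith("\\SYSTEM"):
        return None
    args = [t for t in ev.command_line.split()[1:] if not t.startswith("/")]
    payload = args[0] if args else ""
    if not payload.lower().endswith(".dll"):
        return Finding("regasm_system_nonassembly_payload", ev.image, payload)
    return None


def rule_dotnet_host_from_updater(ev: Event):
    """A process named like the fake updater spawning a .NET framework binary."""
    if ev.kind != "process_create":
        return None
    if UPDATER_NAME.match(_basename(ev.parent_image)) and "\\microsoft.net\\" in ev.image.lower():
        return Finding("dotnet_host_spawned_by_updater", ev.image, ev.parent_image)
    return None


def rule_sync_db_foreign_access(ev: Event):
    """PhoneExperiences-*.db opened by something other than Phone Link itself."""
    if ev.kind != "file_access":
        return None
    name = _basename(ev.target_filename)
    if fnmatch.fnmatchcase(name, SYNC_DB_PATTERN) and _basename(ev.image) not in PHONE_LINK_PROCESSES:
        return Finding("sync_db_access_by_foreign_process", ev.image, ev.target_filename)
    return None


RULES = (rule_regasm_as_system, rule_dotnet_host_from_updater, rule_sync_db_foreign_access)


def scan(events):
    """Apply every rule to every event; one Finding per (event, rule) hit."""
    findings = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit is not None:
                findings.append(hit)
    return findings


def summarize(findings):
    return dict(Counter(f.rule for f in findings))


# Constructed sample telemetry: two benign records, then the chain from the article.
REGASM = "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\regasm.exe"
SAMPLE_EVENTS = [
    Event("process_create", "C:\\Windows\\System32\\svchost.exe", user="NT AUTHORITY\\SYSTEM",
          command_line="svchost.exe -k netsvcs -p -s Schedule",
          parent_image="C:\\Windows\\System32\\services.exe"),
    Event("file_access", "C:\\Program Files\\WindowsApps\\PhoneLink\\PhoneExperienceHost.exe",
          user="CORP\\alice",
          target_filename="C:\\Users\\alice\\AppData\\Local\\PhoneLinkCache\\PhoneExperiences-1.db"),
    Event("process_create", "C:\\ProgramData\\systemupdates.exe", user="NT AUTHORITY\\SYSTEM",
          command_line="systemupdates.exe", parent_image="C:\\Windows\\System32\\svchost.exe"),
    Event("process_create", REGASM, user="NT AUTHORITY\\SYSTEM",
          command_line="regasm.exe C:\\ProgramData\\update.txt",
          parent_image="C:\\ProgramData\\systemupdates.exe"),
    Event("file_access", REGASM, user="NT AUTHORITY\\SYSTEM",
          target_filename="C:\\Users\\alice\\AppData\\Local\\PhoneLinkCache\\PhoneExperiences-1.db"),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.rule}: {f.image} ({f.detail})")
```

The third rule is the most durable of the three: filenames and loader names change between campaigns, but any process other than the Phone Link host opening the sync database stays anomalous regardless of which RAT is doing it. The first two rules depend on process-creation telemetry that records the user, command line and parent, so confirm your sensor captures those fields before relying on them.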

The technique shifts the risk surface for SMS-based multi-factor authentication (MFA) from the phone to the enterprise-managed Windows endpoint, undermining controls focused solely on mobile device security.

Cisco Talos has published indicators of compromise for the threat, along with ClamAV signatures, to help defenders detect and block the activity.