CloudZ RAT Hijacks Phone Link to Steal SMS OTPs via Pheno Plugin

TL;DR Summary
A new CloudZ RAT variant, equipped with a plugin named Pheno, watches for an active Microsoft Phone Link session on the infected Windows PC and reads the local SQLite database in which Phone Link caches synced SMS messages, harvesting the messages and the one-time passwords they carry. Because the data is lifted from the PC-side cache, the attacker obtains OTPs without ever touching the mobile device. Infection starts with a fake ScreenConnect updater that drops a Rust loader; a .NET loader then installs the RAT and establishes persistence, and anti-analysis checks are used to evade sandboxes. Defenders are advised to move away from SMS-based OTPs in favor of non-SMS authenticators (such as authenticator apps) or hardware security keys; Cisco Talos has published indicators of compromise.
- CloudZ malware abuses Microsoft Phone Link to steal SMS and OTPs (BleepingComputer)
- CloudZ RAT potentially steals OTP messages using Pheno plugin (Cisco Talos Blog)
- Trojan abuses Microsoft Phone Link app to steal your passwords (ZDNET)
- CloudZ malware targets Microsoft Phone Link to steal phone data (NewsBytes)
- Stealthy malware abuses Microsoft Phone Link to siphon SMS OTPs from enterprise PCs (csoonline.com)
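The technique the summary describes (a non-Phone Link process reading Phone Link's local SQLite cache) is something a defender can audit for on the PC side. The following is an added detection example written for this page; it is not code from the article, from Cisco Talos, or from the CloudZ sample. It runs over constructed Windows Security event 4663 (file object access) records rendered as key=value text. The Phone Link host process name and package directory used as anchors are assumptions to verify on a reference machine, and the sample events, user name, and file names are constructed for illustration.

```python
import re

# ASSUMED anchors (not from the article): Phone Link's own host process and the
# per-user package directory under which its local cache lives. Confirm both on
# a reference machine before using this in production.
PHONE_LINK_HOST = "phoneexperiencehost.exe"
PHONE_LINK_PKG = "\\packages\\microsoft.yourphone_8wekyb3d8bbwe\\"
# SQLite main database plus its sidecar files; reading the WAL alone already
# exposes recently synced rows.
DB_SUFFIXES = (".db", ".sqlite", ".db-wal", ".db-shm", ".db-journal")

# Constructed sample of event 4663 records. Note: 4663 only fires when a SACL
# audits reads on these files and "Audit File System" is enabled.
SAMPLE_EVENTS = [
    # Phone Link's own host opening its cache: expected, not flagged.
    'EventID=4663 SubjectUserName=alice ProcessName="C:\\Program Files\\WindowsApps\\'
    'Microsoft.YourPhone_1.24.0.0_x64__8wekyb3d8bbwe\\PhoneExperienceHost.exe" '
    'ObjectName="C:\\Users\\alice\\AppData\\Local\\Packages\\'
    'Microsoft.YourPhone_8wekyb3d8bbwe\\LocalCache\\Indexed\\phone.db" AccessMask=0x1',
    # Unrelated file read by Explorer: not a Phone Link artifact, not flagged.
    'EventID=4663 SubjectUserName=alice ProcessName=C:\\Windows\\explorer.exe '
    'ObjectName=C:\\Users\\alice\\Documents\\notes.txt AccessMask=0x1',
    # Unknown binary dropped in Temp reading the SMS database: flagged.
    'EventID=4663 SubjectUserName=alice ProcessName=C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe '
    'ObjectName="C:\\Users\\alice\\AppData\\Local\\Packages\\'
    'Microsoft.YourPhone_8wekyb3d8bbwe\\LocalCache\\Indexed\\phone.db" AccessMask=0x1',
    # Script host reading the write-ahead log of the same database: flagged.
    'EventID=4663 SubjectUserName=alice ProcessName=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe '
    'ObjectName="C:\\Users\\alice\\AppData\\Local\\Packages\\'
    'Microsoft.YourPhone_8wekyb3d8bbwe\\LocalCache\\Indexed\\phone.db-wal" AccessMask=0x1',
    # Attribute-only access (0x80, ReadAttributes) by a foreign process: no data
    # read, so not flagged. Raise this to a low-severity signal if you prefer.
    'EventID=4663 SubjectUserName=alice ProcessName=C:\\Windows\\System32\\cmd.exe '
    'ObjectName="C:\\Users\\alice\\AppData\\Local\\Packages\\'
    'Microsoft.YourPhone_8wekyb3d8bbwe\\LocalCache\\Indexed\\phone.db" AccessMask=0x80',
]

# key=value pairs; values containing spaces are double-quoted.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_event(line):
    """Turn one key=value record into a dict (quoted or bare values)."""
    fields = {}
    for m in KV_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def is_phone_link_db(path):
    """True if the object is an SQLite file inside the assumed Phone Link package dir."""
    p = path.lower()
    return PHONE_LINK_PKG in p and p.endswith(DB_SUFFIXES)


def is_read_access(fields):
    """AccessMask bit 0x1 is FILE_READ_DATA; anything else is not a content read."""
    try:
        return int(fields.get("AccessMask", "0"), 16) & 0x1 != 0
    except ValueError:
        return False


def find_foreign_db_reads(lines):
    """Return (process, object) pairs where a non-Phone Link process read the cache."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "4663":
            continue
        proc = ev.get("ProcessName", "")
        obj = ev.get("ObjectName", "")
        if not is_phone_link_db(obj) or not is_read_access(ev):
            continue
        if proc.lower().rsplit("\\", 1)[-1] == PHONE_LINK_HOST:
            continue
        hits.append((proc, obj))
    return hits


if __name__ == "__main__":
    for proc, obj in find_foreign_db_reads(SAMPLE_EVENTS):
        print(f"ALERT foreign read of Phone Link cache: {proc} -> {obj}")
```

The check is deliberately narrow: it keys on a content read (FILE_READ_DATA) of a database-shaped file under the Phone Link package directory by anything other than the Phone Link host. It will not see a copy taken from a Volume Shadow Copy or a raw disk read, and it sees nothing at all unless file-system auditing is actually configured for that directory, so treat it as one signal next to the published indicators rather than a substitute for dropping SMS OTPs.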