Experts warn Microsoft Phone Link tool exploited by 'unknown threat' to steal SMS and OTP info
A known RAT was given new capabilities
- A new CloudZ plugin, Pheno, hijacks Microsoft Phone Link to steal SMS and OTPs from connected Android devices
- This enables attackers to bypass 2FA without compromising the phone itself
- The RAT retains full remote access capabilities, with researchers urging a shift away from SMS‑based authentication
A new version of the CloudZ remote access trojan (RAT) for Windows now comes with a new plugin that steals data from a connected Android device, experts have revealed.
Security researchers Cisco Talos recently spotted the upgraded variant while investigating a breach that has been ongoing since January 2026.
Windows 10 and 11 operating systems have a feature called Microsoft Phone Link, which allows users to connect their Android and iOS mobile devices to their computers. They can then use their computers to take and make calls, text people, and more, without needing to pick up the smartphone.
Stealing 2FA and OTPs
While it’s definitely a handy feature for answering those group WhatsApp and Telegram messages, it is even more handy when the device is needed for two-factor authentication (2FA). That is precisely why CloudZ has now been given a new plugin called Pheno.
By hijacking the connection, the threat actors can easily exfiltrate not just credentials, but also temporary passwords that get sent to the mobile device - without needing to compromise the phone.
Pheno works by monitoring for active Phone Link sessions and accessing the local SQLite database that contains SMS and one-time passwords (OTP).
“With a confirmed Phone Link activity on the victim's machine, the attacker using the CloudZ RAT can potentially intercept the Phone Link application’s SQLite database file on the victim's machine, potentially compromising SMS-based OTP messages and other authenticator application notification messages,” Cisco Talos said.
Other than that, CloudZ comes with all the usual RAT capabilities, such as tampering with files, executing shell commands, recording the screen, and more. It tries to hide its activity by rotating between three hardcoded user-agent strings, making HTTP traffic appear as legitimate browser requests.
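As an added, defender-side example (not code from the article or from Cisco Talos), the following Python flags a host whose requests to one destination cycle through a small, fixed set of User-Agent strings, the pattern the article attributes to CloudZ; a real browser sends one User-Agent per process, so a flow that alternates among a handful of them in strict order stands out. The log format, hostnames, addresses and UA values are constructed for the example.

```python
from collections import defaultdict

# Constructed proxy log (not real telemetry): time, source host, destination, User-Agent.
# The browser-like UA values are placeholders for rotated strings, not CloudZ's actual ones.
SAMPLE_LOG = """\
2026-03-01T09:00:01 ws-17 203.0.113.10 Mozilla/5.0 (Windows NT 10.0) Chrome/122
2026-03-01T09:00:31 ws-17 203.0.113.10 Mozilla/5.0 (Windows NT 10.0) Firefox/123
2026-03-01T09:01:01 ws-17 203.0.113.10 Mozilla/5.0 (Windows NT 10.0) Edge/122
2026-03-01T09:01:31 ws-17 203.0.113.10 Mozilla/5.0 (Windows NT 10.0) Chrome/122
2026-03-01T09:02:01 ws-17 203.0.113.10 Mozilla/5.0 (Windows NT 10.0) Firefox/123
2026-03-01T09:02:31 ws-17 203.0.113.10 Mozilla/5.0 (Windows NT 10.0) Edge/122
2026-03-01T09:00:05 ws-22 198.51.100.5 Mozilla/5.0 (Windows NT 10.0) Chrome/122
2026-03-01T09:00:35 ws-22 198.51.100.5 Mozilla/5.0 (Windows NT 10.0) Chrome/122
2026-03-01T09:01:05 ws-22 198.51.100.5 Mozilla/5.0 (Windows NT 10.0) Chrome/122
2026-03-01T09:00:09 ws-08 203.0.113.10 Mozilla/5.0 (Windows NT 10.0) Chrome/122
2026-03-01T09:00:39 ws-08 203.0.113.10 Mozilla/5.0 (Windows NT 10.0) Chrome/122
2026-03-01T09:01:09 ws-08 203.0.113.10 Mozilla/5.0 (Windows NT 10.0) Firefox/123
2026-03-01T09:01:39 ws-08 203.0.113.10 Mozilla/5.0 (Windows NT 10.0) Chrome/122
2026-03-01T09:02:09 ws-08 203.0.113.10 Mozilla/5.0 (Windows NT 10.0) Firefox/123
2026-03-01T09:02:39 ws-08 203.0.113.10 Mozilla/5.0 (Windows NT 10.0) Firefox/123
"""

def parse_log(text):
    """Return (host, dest, user_agent) tuples in log order; the UA may contain spaces."""
    records = []
    for line in text.splitlines():
        if line.strip():
            _ts, host, dest, ua = line.split(maxsplit=3)
            records.append((host, dest, ua))
    return records

def is_strict_rotation(agents, max_agents):
    """True if the sequence repeats a fixed cycle of 2..max_agents distinct UAs."""
    period = len(set(agents))
    if period < 2 or period > max_agents or len(set(agents[:period])) != period:
        return False  # one UA is normal; many UAs or a non-cyclic start is not a rotation
    return all(agents[i] == agents[i - period] for i in range(period, len(agents)))

def find_rotating_agents(records, min_requests=6, max_agents=4):
    """Map (host, dest) -> the UA cycle, for flows that rotate UAs round-robin."""
    flows = defaultdict(list)
    for host, dest, ua in records:
        flows[(host, dest)].append(ua)
    return {key: agents[:len(set(agents))] for key, agents in flows.items()
            if len(agents) >= min_requests and is_strict_rotation(agents, max_agents)}

if __name__ == "__main__":
    for (host, dest), cycle in find_rotating_agents(parse_log(SAMPLE_LOG)).items():
        print(f"{host} -> {dest}: rotates {len(cycle)} User-Agents: {cycle}")
```

Only ws-17 is flagged: ws-22 uses a single User-Agent and ws-08 mixes two without a fixed order, so both are treated as normal browsing.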
Cisco Talos was not able to determine how the victims got infected by CloudZ but warned that users should avoid SMS-based OTP services and should instead use authenticator apps that don’t require interceptable push notifications.
Via BleepingComputer
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.