CloudZ malware abuses Microsoft Phone Link to steal SMS and OTPs

Brownie2019

A new version of the CloudZ remote access tool (RAT) is deploying a previously unseen malicious plugin called Pheno that hijacks the Microsoft Phone Link connection to steal sensitive codes from mobile devices.

The malware was discovered in an intrusion that was active since at least January and researchers believe the threat actor's purpose was to steal credentials and temporary passcodes.

Microsoft Phone Link comes installed on Windows 10 and 11, and allows using the computer to make and take calls, respond to texts, or view notifications received on the mobile device (Android and iOS).

By leveraging the application, the threat actor could intercept sensitive messages delivered to the target's mobile phone without compromising the device.
This is a notable technique because it targets the desktop-side sync path rather than the phone itself.

What this means

  • If Phone Link is paired, SMS messages and notifications can be exposed on the Windows system.
  • That includes one-time passcodes, login alerts, and other sensitive texts.
  • So in this case, the attacker may not need to fully compromise the phone to capture OTPs.

Important limitation

This does not mean Microsoft Phone Link is inherently malicious or unsafe by itself. The reported issue is that malware on the Windows machine is allegedly abusing an existing trusted connection. That distinction matters.

Practical security takeaway

If a Windows device is suspected to be compromised, users should treat Phone Link data as potentially exposed and respond accordingly:

  • Disconnect or unpair Phone Link until the system is verified clean.
  • Change important account passwords from a separate trusted device.
  • Review accounts that rely on SMS-based 2FA and consider moving to an authenticator app or hardware security key where possible.
  • Check for unusual sign-in activity in Microsoft, Google, banking, email, and social accounts.
  • Run scans with reputable security software and, if needed, get further analysis before trusting the PC again.

Broader lesson

This is another good example of why SMS-based 2FA is better than no 2FA, but still weaker than app-based codes or security keys. Anything that mirrors messages to another endpoint increases the attack surface if that endpoint is compromised.

The main takeaway is simple: if the PC is infected, linked-device features like Phone Link can become an additional source of data theft even when the phone itself is not directly breached.
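As an added example that is not part of the post above, this PowerShell triage helper checks whether Phone Link is installed and running on a Windows host and, with -Contain, closes the PC-side sync channel until the machine has been verified clean. It assumes Phone Link's Appx package is named Microsoft.YourPhone and its host process is PhoneExperienceHost; run it as the user whose profile is paired.

```powershell
# Added triage helper (not code from the post or from Microsoft).
# Assumptions: Phone Link's Appx package name is Microsoft.YourPhone and its
# host process is PhoneExperienceHost.
[CmdletBinding()]
param(
    # When set, stop Phone Link and remove the package for the current user.
    [switch]$Contain
)

function Get-PhoneLinkState {
    $pkg  = Get-AppxPackage -Name 'Microsoft.YourPhone' -ErrorAction SilentlyContinue
    $proc = Get-Process -Name 'PhoneExperienceHost' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Installed  = [bool]$pkg
        Version    = if ($pkg) { $pkg.Version } else { $null }
        Running    = [bool]$proc
        ProcessIds = if ($proc) { @($proc.Id) } else { @() }
    }
}

$state = Get-PhoneLinkState
Write-Host "Phone Link installed: $($state.Installed)  version: $($state.Version)"
Write-Host "Phone Link running:   $($state.Running)  pids: $($state.ProcessIds -join ',')"

if ($state.Installed -and $state.Running) {
    # Mirrored SMS and notifications are readable by anything running as this user.
    Write-Warning "Phone Link is active on this host; treat mirrored SMS/OTPs as exposed if the PC is compromised."
}

if ($Contain) {
    if ($state.Running) {
        Stop-Process -Name 'PhoneExperienceHost' -Force -ErrorAction SilentlyContinue
        Write-Host "Stopped PhoneExperienceHost."
    }
    if ($state.Installed) {
        # Removing the package for this user ends the PC-side sync; reinstall
        # from the Microsoft Store once the system is verified clean.
        Get-AppxPackage -Name 'Microsoft.YourPhone' | Remove-AppxPackage
        Write-Host "Removed Microsoft.YourPhone for the current user."
    }
}
```

Removing the app only closes the PC side; also remove this computer from the phone's Link to Windows linked-devices list and rotate passwords from a separate trusted device, as the post recommends.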