2026-05-05 BleepingComputer

CloudZ RAT Abuses Microsoft Phone Link to Steal SMS & OTPs

Malware, Privacy, Vulnerability

Security researchers have uncovered a new variant of the CloudZ remote‑access trojan (RAT) that delivers a previously undocumented plugin named Pheno. This plugin exploits the Microsoft Phone Link feature built into Windows 10/11 to establish a Bluetooth or Wi‑Fi Direct link between the victim’s PC and an Android handset. Once the link is active, Pheno silently hijacks the Phone Link API to read incoming SMS messages, intercept one‑time passwords (OTPs), and forward the data to a command‑and‑control (C2) server operated by the threat actors.

Pheno is deployed as a malicious DLL that is injected into the legitimate PhoneLink.exe process, often via a scheduled task named "PhoneLinkUpdater". The injection grants the plugin the same privileges as the native service, allowing it to disable user notifications and hide the intercepted messages from the device’s UI. The RAT communicates with its C2 over HTTPS, exfiltrating the stolen OTPs in real time. In addition to SMS, the malware can also harvest call logs, contacts, and approximate GPS location, expanding its espionage capabilities.

Detection is challenging because the activity blends with normal Phone Link traffic. Key indicators of compromise (IOCs) include a new scheduled task "PhoneLinkUpdater", a DLL file with a specific SHA‑256 hash (provided in the research report), and anomalous outbound HTTPS connections to a known CloudZ C2 IP address. Security teams should monitor for unexpected child processes under PhoneLink.exe, registry modifications that add unverified Phone Link extensions, and unusual SMS‑sync traffic patterns. Mitigations include disabling SMS sync in Phone Link settings, restricting Bluetooth pairing to trusted devices, and employing mobile‑endpoint solutions that audit app permissions.
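As an added example (not from the article and not from any vendor tooling), the monitoring advice above turned into a small Python triage routine over Sysmon-style events: it flags creation of the "PhoneLinkUpdater" task, unexpected child processes of PhoneLink.exe, and DLLs loaded into PhoneLink.exe from outside an allow-list of trusted directories. The allow-list, the event shape and all sample values are assumptions constructed for the demo; the article publishes no file name, hash or IP that could be used here.

```python
from typing import Iterable, Optional

# Indicators taken from the article: the task name and the PhoneLink.exe host process.
# The trusted-directory allow-list is an assumption of this example, not a published rule.
SUSPICIOUS_TASK = "phonelinkupdater"
PHONELINK_IMAGE = "phonelink.exe"
TRUSTED_DLL_DIRS = ("c:\\windows\\system32\\", "c:\\program files\\windowsapps\\")


def _base(path: str) -> str:
    """Case-insensitive basename of a Windows path (accepts / or \\ separators)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_event(ev: dict) -> Optional[str]:
    """Match one normalised telemetry event against the three indicators; None if clean."""
    kind = ev.get("type")
    if kind == "task_create" and ev.get("task_name", "").lower() == SUSPICIOUS_TASK:
        return f"scheduled task '{ev['task_name']}' registered by {ev.get('user', '?')}"
    if kind == "process_create" and _base(ev.get("parent_image", "")) == PHONELINK_IMAGE:
        # PhoneLink.exe has no legitimate reason to spawn shells or scripting hosts.
        return f"unexpected child of PhoneLink.exe: {ev.get('image')} ({ev.get('cmdline', '')})"
    if kind == "image_load" and _base(ev.get("image", "")) == PHONELINK_IMAGE:
        dll = ev.get("loaded", "")
        if not dll.lower().startswith(TRUSTED_DLL_DIRS):
            return f"PhoneLink.exe loaded a DLL from an untrusted path: {dll}"
    return None


def triage(events: Iterable[dict]) -> list:
    """Run a batch of events through check_event and return the alerts in order."""
    return [alert for alert in (check_event(e) for e in events) if alert]


# Constructed sample telemetry (Sysmon-like, simplified). Host name, user, package path
# and the plugin file name are made up; the article does not publish a file name or hash.
PL = "C:\\Program Files\\WindowsApps\\Microsoft.YourPhone_1.0\\PhoneLink.exe"
SAMPLE_EVENTS = [
    {"type": "image_load", "image": PL, "loaded": "C:\\Windows\\System32\\bthprops.cpl"},
    {"type": "task_create", "task_name": "PhoneLinkUpdater", "user": "DESKTOP-01\\alice"},
    {"type": "process_create", "parent_image": PL, "image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "cmd.exe /c ver"},
    {"type": "image_load", "image": PL,
     "loaded": "C:\\Users\\alice\\AppData\\Local\\Temp\\plugin_sample.dll"},
]

if __name__ == "__main__":
    for line in triage(SAMPLE_EVENTS):
        print("ALERT:", line)
```

The first sample event (a system DLL loaded from System32) produces no alert, which is the baseline the article warns is hard to separate from the malicious activity; the other three each trip one rule.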

By capturing SMS‑based OTPs, the CloudZ Pheno plugin can bypass two‑factor authentication on banking, email, and corporate VPN accounts, enabling financial fraud, unauthorized access, and lateral movement within enterprise networks. Organizations are advised to audit Windows features, remove unnecessary sync services, and adopt more resilient MFA methods—such as hardware tokens or authenticator apps—that do not rely on SMS. Prompt patching, network segmentation, and user awareness training further reduce the risk posed by this emerging threat.

Source: BleepingComputer
