- A new CloudZ plugin, Pheno, hijacks Microsoft Phone Link to steal SMS messages and OTPs from connected Android devices
- This allows attackers to bypass 2FA without compromising the phone itself
- RAT retains full remote access, with researchers calling for a shift away from SMS-based authentication
A new version of the CloudZ remote access trojan (RAT) for Windows now comes with a new plugin that steals data from a connected Android device, experts have revealed.
Security researchers at Cisco Talos recently discovered the upgraded variant while investigating a breach that has been ongoing since January 2026.
Windows 10 and 11 ship with a feature called Microsoft Phone Link that lets users pair their Android and iOS devices with their computers. They can then use the computer to make and receive calls, send and read text messages and more without picking up the smartphone.
Stealing 2FA and OTPs
While it is certainly a handy feature for replying to group WhatsApp and Telegram messages from a PC, it also means the phone's SMS traffic, including two-factor authentication (2FA) codes, is mirrored onto the Windows machine. That mirrored data is exactly what CloudZ's new plugin, Pheno, targets.
By hijacking the Phone Link connection, the threat actors can harvest not just credentials but also the temporary passwords sent to the mobile device, all from the compromised Windows host and without having to compromise the phone itself.
Pheno works by monitoring for active Phone Link sessions and accessing the local SQLite database containing SMS and one-time passwords (OTP).
“With confirmed Phone Link activity on the victim’s machine, the attacker using the CloudZ RAT could potentially intercept the Phone Link application’s SQLite database file on the victim’s machine, potentially compromising SMS-based OTP messages and other authentication application messages,” Cisco Talos said.
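The defensive check this suggests is a simple hunt: on hosts where Phone Link is in use, which processes other than the Phone Link client itself are opening its local SQLite store? The script below, an added example and not code from Cisco Talos or from CloudZ, runs that check over a few constructed file-access events in the shape of Sysmon or Windows object-access telemetry (timestamp, host, image, target file). The client image name `PhoneExperienceHost.exe`, the package folder `Microsoft.YourPhone_8wekyb3d8bbwe` and the database file name `phone.db` are assumptions about where Phone Link keeps its data; confirm them on your own hosts before deploying the rule.

```python
"""Hunt for processes other than Phone Link reading Phone Link's SQLite store.

Added example, not Cisco Talos or CloudZ code. The process name, package
folder and database file name below are ASSUMPTIONS about Phone Link's
on-disk layout; verify them on a real host before relying on the rule.
"""
from dataclasses import dataclass

# Assumed identifiers for the legitimate Phone Link client and its data folder.
PHONE_LINK_PROCESS = "phoneexperiencehost.exe"
PHONE_LINK_PACKAGE = "microsoft.yourphone_8wekyb3d8bbwe"
# SQLite keeps sidecar files (WAL/SHM) that also carry recent rows, so they
# must be watched together with the main database file.
DB_SUFFIXES = (".db", ".db-wal", ".db-shm", ".sqlite")


@dataclass
class FileEvent:
    timestamp: str
    host: str
    process: str  # full image path of the process that touched the file
    path: str     # file that was opened, read or copied


def is_phone_link_store(path: str) -> bool:
    """True if the path points at a SQLite file inside the Phone Link package folder."""
    p = path.lower()
    return PHONE_LINK_PACKAGE in p and p.endswith(DB_SUFFIXES)


def image_name(process_path: str) -> str:
    """Reduce a full image path to its lowercase file name (handles both slash styles)."""
    return process_path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def suspicious_access(events):
    """Return events where the Phone Link SQLite store was touched by a
    process that is not the Phone Link client itself."""
    return [
        ev for ev in events
        if is_phone_link_store(ev.path) and image_name(ev.process) != PHONE_LINK_PROCESS
    ]


# Constructed sample telemetry (not real logs): one legitimate read by the
# Phone Link client, two reads of the store by an unknown binary in AppData,
# and one unrelated file access that should be ignored.
SAMPLE_EVENTS = [
    FileEvent("2026-02-10T09:01:02Z", "ws01",
              r"C:\Program Files\WindowsApps\Microsoft.YourPhone\PhoneExperienceHost.exe",
              r"C:\Users\alice\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\LocalCache\Indexed\phone.db"),
    FileEvent("2026-02-10T09:01:05Z", "ws01",
              r"C:\Users\alice\AppData\Roaming\svc\update.exe",
              r"C:\Users\alice\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\LocalCache\Indexed\phone.db"),
    FileEvent("2026-02-10T09:01:06Z", "ws01",
              r"C:\Users\alice\AppData\Roaming\svc\update.exe",
              r"C:\Users\alice\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\LocalCache\Indexed\phone.db-wal"),
    FileEvent("2026-02-10T09:02:00Z", "ws01",
              r"C:\Windows\explorer.exe",
              r"C:\Users\alice\Documents\notes.txt"),
]


if __name__ == "__main__":
    for ev in suspicious_access(SAMPLE_EVENTS):
        print(f"{ev.timestamp} {ev.host} {ev.process} -> {ev.path}")
```

Backup agents and indexing services will also touch these files, so allow-list them explicitly rather than loosening the rule; a match from an unsigned binary under a user's AppData, as in the constructed sample, is the case worth paging on.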
Apart from that, CloudZ comes with the usual RAT capabilities: manipulating files, executing shell commands, recording the screen and more. It tries to blend in by rotating between three hard-coded User-Agent strings so that its HTTP traffic resembles legitimate browser requests.
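Rotating between a small fixed set of User-Agent strings is meant to defeat a single-string signature, but it is itself a signal: a genuine browser process sends one User-Agent to a given site, not three in alternation. The following added example (not Cisco Talos or CloudZ code) flags client/destination pairs in proxy logs whose User-Agent keeps switching within a small set. The log line format and the three User-Agent strings are constructed for the demonstration and are not the strings CloudZ uses.

```python
"""Flag clients that rotate between a small fixed set of User-Agent strings
toward one destination. Added example, not Cisco Talos or CloudZ code; the
log format and the User-Agent strings are constructed, not CloudZ's own."""
from collections import defaultdict


def parse_proxy_line(line: str):
    """Constructed format: <timestamp> <client_ip> <dest_host> "<User-Agent>"."""
    ts, client, dest, rest = line.split(" ", 3)
    return ts, client, dest, rest.strip().strip('"')


def ua_rotation(lines, min_distinct=2, max_distinct=5, min_switches=2):
    """Return {(client, dest): sorted distinct UAs} for pairs whose User-Agent
    alternates among a small set. A single change (e.g. a browser update)
    is tolerated; repeated back-and-forth switching is not."""
    sequences = defaultdict(list)
    for line in lines:
        _, client, dest, ua = parse_proxy_line(line)
        sequences[(client, dest)].append(ua)

    findings = {}
    for key, uas in sequences.items():
        distinct = set(uas)
        switches = sum(1 for a, b in zip(uas, uas[1:]) if a != b)
        if min_distinct <= len(distinct) <= max_distinct and switches >= min_switches:
            findings[key] = sorted(distinct)
    return findings


# Constructed User-Agent strings for the demo (not the ones CloudZ uses).
UA_A = '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0 Safari/537.36"'
UA_B = '"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0"'
UA_C = '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Edge/120.0"'

# Constructed proxy log lines: 10.0.0.5 beacons to c2.example cycling through
# three UAs; 10.0.0.7 is a normal browser; 10.0.0.9 changes UA exactly once.
SAMPLE_LOG = [
    f"2026-02-10T09:00:01Z 10.0.0.5 c2.example {UA_A}",
    f"2026-02-10T09:00:31Z 10.0.0.5 c2.example {UA_B}",
    f"2026-02-10T09:01:01Z 10.0.0.5 c2.example {UA_C}",
    f"2026-02-10T09:01:31Z 10.0.0.5 c2.example {UA_A}",
    f"2026-02-10T09:02:01Z 10.0.0.5 c2.example {UA_B}",
    f"2026-02-10T09:00:05Z 10.0.0.7 www.example.com {UA_A}",
    f"2026-02-10T09:00:45Z 10.0.0.7 www.example.com {UA_A}",
    f"2026-02-10T09:00:09Z 10.0.0.9 www.example.com {UA_A}",
    f"2026-02-10T09:05:09Z 10.0.0.9 www.example.com {UA_B}",
    f"2026-02-10T09:06:09Z 10.0.0.9 www.example.com {UA_B}",
]


if __name__ == "__main__":
    for (client, dest), uas in ua_rotation(SAMPLE_LOG).items():
        print(f"{client} -> {dest}: rotates between {len(uas)} User-Agents")
```

Hosts running several browsers or update agents against the same destination will legitimately show multiple User-Agents, so scope the rule per process where the proxy records one, and tune `max_distinct` and the time window to your environment.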
Cisco Talos was unable to determine how victims were infected by CloudZ, but warned that users should move away from SMS-based OTP services and instead use authenticator apps, whose codes are generated on the device rather than delivered as messages that can be mirrored and intercepted.
Via Bleeping Computer