Security researchers at Cisco Talos have discovered an intrusion campaign active since at least January 2026 that uses a previously undocumented remote access tool (RAT), dubbed ‘CloudZ RAT,’ and a custom plugin named Pheno. The operation appears designed to harvest user credentials and intercept one-time passwords (OTPs).
According to Talos, the attackers leveraged the legitimate Microsoft Phone Link application (formerly known as “Your Phone”) to access sensitive mobile data without infecting the victim’s smartphone. Phone Link, built into Windows 10 and 11, synchronizes SMS messages, notifications, and call logs from mobile devices to a PC, storing the data locally in SQLite database files.
The Pheno plugin scans for running Phone Link processes such as “YourPhone” or “PhoneExperienceHost.” Once it finds one, Pheno checks whether the PC-to-phone connection is actively relaying traffic by searching the output files it has written for the string “proxy.” If the check succeeds, the malware can read Phone Link’s database files, potentially exposing SMS-based OTPs and authentication notifications.
The researchers could not determine the initial access vector, but they say the next step is the execution of a trojanized ScreenConnect update, which acts as a dropper. It deploys a Rust-based loader under filenames such as “systemupdates.exe,” which in turn decrypts and installs a .NET-based loader disguised as text files like “update.txt” in directories mimicking legitimate system paths.
Persistence is achieved via a PowerShell script that creates a scheduled task named “SystemWindowsApis,” configured to run with SYSTEM-level privileges at startup. The loader implements evasion techniques, including timing-based checks to detect sandbox environments, process enumeration to avoid analysis tools such as Wireshark, Fiddler, Procmon, and Sysmon, and checks of system characteristics to detect virtual machines.
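The indicators named so far (the scheduled task name, the loader filename, and the Phone Link process names and local SQLite store) translate directly into hunt logic for a SIEM or an EVTX triage script. The block below is an added example, not code from the Talos report or from CloudZ, written over a constructed set of Windows Security 4698 (task created) and 4663 (object access) records and Sysmon Event ID 1 (process creation) records already parsed into dictionaries. Field names follow the Windows event schema, but the Phone Link cache path under a “Microsoft.YourPhone” package folder, the ScreenConnect client path, and the heuristic that flags a ScreenConnect process spawning a binary outside Windows or Program Files are assumptions; the 4663 rule only fires where a SACL has been placed on the Phone Link folder, since Sysmon does not record file reads.

```python
"""Hunt rules for the CloudZ RAT / Pheno indicators named in the Talos report.

Added example, not the report's or the malware's code. Runs over constructed
event records; see the ASSUMPTION comments for what is not from the report.
"""
import ntpath
import re
import xml.etree.ElementTree as ET

TASK_NAME = "systemwindowsapis"              # persistence task name from the report
DROPPER_NAMES = {"systemupdates.exe"}        # Rust loader filename from the report
PHONE_LINK_PROCS = {"yourphone.exe", "phoneexperiencehost.exe"}
SYSTEM_SID = "S-1-5-18"                      # LocalSystem
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# ASSUMPTION: Phone Link is a packaged app whose local SQLite cache lives under a
# package folder containing "Microsoft.YourPhone"; adjust to your fleet's paths.
PHONE_LINK_STORE_MARKER = "microsoft.yourphone"


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def _trusted(path: str) -> bool:
    return path.lower().startswith(TRUSTED_DIRS)


def check_task_created(ev: dict) -> list[str]:
    """Security 4698: TaskName plus the full task definition XML in TaskContent."""
    hits = []
    name = ev["TaskName"].strip("\\").lower()
    # 4698 TaskContent carries a UTF-16 declaration even in text exports; drop it.
    xml = re.sub(r"^\s*<\?xml[^>]*\?>", "", ev["TaskContent"])
    root = ET.fromstring(xml)
    user = root.findtext(".//{*}Principals/{*}Principal/{*}UserId", default="")
    boot = root.find(".//{*}Triggers/{*}BootTrigger") is not None
    cmd = root.findtext(".//{*}Actions/{*}Exec/{*}Command", default="")
    if name == TASK_NAME:
        hits.append(f"4698: task '{ev['TaskName']}' matches CloudZ persistence name")
    if user == SYSTEM_SID and boot and cmd and not _trusted(cmd):
        hits.append(f"4698: SYSTEM boot task runs untrusted path {cmd}")
    return hits


def check_process_create(ev: dict) -> list[str]:
    """Sysmon EID 1: flag the named loader and odd children of ScreenConnect."""
    hits = []
    image, parent = ev["Image"], ev.get("ParentImage", "")
    if _base(image) in DROPPER_NAMES:
        hits.append(f"Sysmon 1: loader filename {image} (parent {parent})")
    # ASSUMPTION heuristic: a ScreenConnect process spawning a binary outside
    # Windows / Program Files is worth a look given the trojanized-update step.
    if "screenconnect" in _base(parent) and not _trusted(image):
        hits.append(f"Sysmon 1: ScreenConnect spawned untrusted child {image}")
    return hits


def check_object_access(ev: dict) -> list[str]:
    """Security 4663: a non-Phone-Link process touching the Phone Link SQLite store."""
    obj, proc = ev["ObjectName"].lower(), _base(ev["ProcessName"])
    if PHONE_LINK_STORE_MARKER in obj and ".db" in obj and proc not in PHONE_LINK_PROCS:
        return [f"4663: {ev['ProcessName']} accessed Phone Link store {ev['ObjectName']}"]
    return []


HANDLERS = {("Security", 4698): check_task_created,
            ("Security", 4663): check_object_access,
            ("Sysmon", 1): check_process_create}


def hunt(events: list[dict]) -> list[str]:
    hits = []
    for ev in events:
        handler = HANDLERS.get((ev["Channel"], ev["EventID"]))
        if handler:
            hits.extend(handler(ev))
    return hits


# Constructed sample records (not real telemetry); paths are illustrative.
TASK_XML = """<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><BootTrigger><Enabled>true</Enabled></BootTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>S-1-5-18</UserId>
  <RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Actions Context="Author"><Exec>
  <Command>C:\\ProgramData\\SystemApis\\systemupdates.exe</Command></Exec></Actions>
</Task>"""
STORE = ("C:\\Users\\alice\\AppData\\Local\\Packages\\Microsoft.YourPhone_pkgid"
         "\\LocalCache\\Indexed\\phone.db")
EVENTS = [
    {"Channel": "Sysmon", "EventID": 1,
     "Image": "C:\\ProgramData\\SystemApis\\systemupdates.exe",
     "ParentImage": "C:\\Program Files (x86)\\ScreenConnect Client\\ScreenConnect.ClientService.exe"},
    {"Channel": "Security", "EventID": 4698, "TaskName": "\\SystemWindowsApis", "TaskContent": TASK_XML},
    {"Channel": "Security", "EventID": 4663, "ObjectName": STORE,
     "ProcessName": "C:\\ProgramData\\SystemApis\\systemupdates.exe"},
    {"Channel": "Security", "EventID": 4663, "ObjectName": STORE,          # benign: Phone Link itself
     "ProcessName": "C:\\Program Files\\WindowsApps\\Microsoft.YourPhone_pkgid\\PhoneExperienceHost.exe"},
    {"Channel": "Sysmon", "EventID": 1, "Image": "C:\\Windows\\System32\\svchost.exe",   # benign
     "ParentImage": "C:\\Windows\\System32\\services.exe"},
]

if __name__ == "__main__":
    for hit in hunt(EVENTS):
        print(hit)
```

The task rule fires twice on the sample: once on the exact name and once on the more general shape (SYSTEM principal, boot trigger, executable outside trusted directories), so a renamed task in a later campaign still surfaces. The 4663 rule deliberately ignores Phone Link's own processes, which is where the bulk of legitimate access to the store comes from.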
CloudZ decrypts its configuration, establishes an encrypted connection to a command-and-control (C&C) server, and enters a command dispatcher mode. It allows attackers to exfiltrate browser-stored credentials and deploy additional plugins like Pheno for targeted reconnaissance.
“After checking Phone Link processes and writing its results, Pheno executes a secondary check that reads back the contents of previously written files and searches the keyword ‘proxy’ in a case-insensitive manner,” the researchers say. “The plugin conducts this check because the Microsoft Phone Link application creates a local proxy connection to relay traffic between the PC and the paired mobile device.
“The presence of ‘proxy’ in the output files, whether generated by a previous execution of the pheno plugin, indicates that the Phone Link session is actively routing traffic through its relay channel,” the report continues. “When the keyword is detected, the pheno plugin writes ‘Maybe connected’ to its output file in the staging folders, which eventually allows the attacker, with the help of CloudZ RAT, to potentially monitor SMS or OTP requests that appear on the Phone Link application.”