# CloudZ Malware Deploys Pheno Plugin to Hijack Microsoft Phone Link and Steal SMS/OTP Codes


A sophisticated advancement in the CloudZ remote access trojan (RAT) ecosystem has emerged, introducing a previously undocumented malicious plugin named Pheno that leverages Microsoft Phone Link to intercept sensitive authentication codes directly from victims' mobile devices. This development represents a significant escalation in attack capabilities, combining well-established RAT functionality with novel methods to compromise multi-factor authentication (MFA) mechanisms.


## The Threat


Security researchers have identified a new variant of CloudZ that deploys the Pheno plugin as an integral component of its infection chain. The plugin specifically targets the Microsoft Phone Link application—a legitimate Windows feature that enables seamless integration between Windows 11 systems and Android devices—repurposing it as a backdoor for SMS and one-time password (OTP) theft.


Key threat characteristics:


  • MFA bypass capability: By stealing SMS-based codes and OTPs, the malware undermines one of the most common second-factor authentication methods
  • Cross-platform reach: The attack bridges Windows and Android ecosystems through a legitimate Microsoft application
  • Stealth implementation: The plugin operates through established system functionality, reducing detection likelihood
  • Credential harvesting: Stolen authentication codes enable attackers to bypass enterprise access controls

The discovery underscores a critical vulnerability in the security model of Phone Link: its deep integration with the Windows operating system creates an attack surface that traditional endpoint security may overlook.


## Background and Context

CloudZ's evolution: CloudZ emerged as a commercial remote access tool in the underground economy, initially marketed as a legitimate remote desktop solution. Over time, the tool has been extensively repurposed by threat actors as a fully-featured RAT with capabilities including keylogging, screen capture, file exfiltration, and credential theft.

Microsoft Phone Link's design: Phone Link allows Windows 11 users to mirror their Android device's screen, receive phone calls and text messages on their PC, and access photos and files. The integration requires significant permissions on both the Windows and Android sides, creating a bidirectional communication channel between devices. While this functionality is beneficial for productivity, it also represents a high-value target for attackers seeking to extract mobile-specific data.

The plugin architecture: CloudZ's modular design permits operators to deploy specialized plugins tailored to specific operational objectives. Previous plugins have targeted banking applications, cryptocurrency wallets, and enterprise authentication systems. Pheno represents the first documented plugin specifically designed to weaponize Phone Link.


## Technical Details

Attack sequence:

1. Initial compromise: Systems become infected through common attack vectors including phishing emails, malicious downloads, or exploit kit delivery
2. CloudZ installation: The RAT establishes persistence and communication with command-and-control (C2) infrastructure
3. Pheno deployment: Operators push the Pheno plugin during the post-exploitation phase
4. Phone Link hijacking: The plugin intercepts data flowing through the Phone Link API, capturing inbound SMS messages and OTP codes in real time

Pheno's technical mechanics:

| Function | Description |
|----------|-------------|
| API Hooking | Intercepts Windows Phone Link API calls to monitor data transfer |
| Message Parsing | Identifies and extracts SMS content and OTP codes using regex patterns |
| Encryption & Exfiltration | Forwards captured messages to attacker-controlled servers |
| Stealth Operations | Operates without user-visible notifications or Phone Link UI changes |

Detection evasion: The plugin leverages Phone Link's legitimate background processes, blending malicious activity with normal application behavior. Traditional antivirus solutions struggle to differentiate between legitimate Phone Link operations and the parasitic Pheno plugin.

The intercepted data is encrypted and transmitted to attacker infrastructure, with minimal latency ensuring that OTP codes are captured before expiration.


## Implications for Organizations and Users

Organizational risk:

Organizations using Windows 11 with Phone Link enabled face critical risks:


  • Bypass of MFA controls: Even organizations implementing SMS-based two-factor authentication cannot guarantee that OTPs remain secret
  • Lateral movement: Stolen credentials enable attackers to escalate from compromised endpoints to critical infrastructure
  • Supply chain exposure: Contractors and remote workers using personal Android devices connected via Phone Link introduce additional attack surface
  • Compliance violations: Data theft through compromised MFA may trigger breach notification requirements under GDPR, HIPAA, and similar frameworks

Individual user impact:


  • Account takeovers: Compromised banking, email, and social media accounts
  • Identity theft: OTP codes enable fraudulent account creation in victims' names
  • Financial loss: Direct fraud through captured banking authentication codes

## Recommendations

Immediate mitigation steps:

For IT Teams:

  • Disable Phone Link in environments where BYOD is not critical; use Group Policy or Intune to restrict the application
  • Monitor for CloudZ indicators: Deploy detection rules for CloudZ C2 communication patterns and registry modifications associated with RAT installation
  • Enforce passwordless authentication: Migrate away from SMS-based OTP to authenticator apps or hardware keys that cannot be intercepted via Phone Link
  • Segment networks: Isolate systems handling sensitive data from those connected to personal mobile devices
  • Audit Phone Link permissions: Review which users have active Phone Link connections and assess business necessity
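
One way to carry out the audit and disable steps above on a Windows 11 endpoint, as an added example that is not from the original article or from any vendor: a PowerShell script that lists which user profiles have the Phone Link package (`Microsoft.YourPhone`) installed, reports whether it is provisioned for new profiles, and removes it only when run with the `-Remove` switch. It assumes an elevated (Administrator) PowerShell session.

```powershell
# Added example (not from the original article): audit, and optionally remove,
# the Phone Link AppX package "Microsoft.YourPhone" on a Windows 11 endpoint.
# Assumes an elevated session; -AllUsers and provisioning changes require it.
param(
    [switch]$Remove   # only remove after confirming BYOD/Phone Link is not required
)

$PackageName = 'Microsoft.YourPhone'

# 1. Audit: which existing user profiles have Phone Link installed?
$installed = Get-AppxPackage -AllUsers -Name $PackageName
if (-not $installed) {
    Write-Output "Phone Link ($PackageName) is not installed for any user."
} else {
    foreach ($pkg in $installed) {
        foreach ($info in $pkg.PackageUserInformation) {
            [pscustomobject]@{
                Package = $pkg.PackageFullName
                User    = $info.UserSecurityId.Username
                State   = $info.InstallState
            }
        }
    }
}

# 2. Audit: is the package provisioned, so new profiles receive it automatically?
$provisioned = Get-AppxProvisionedPackage -Online |
    Where-Object { $_.DisplayName -eq $PackageName }
Write-Output ("Provisioned for new user profiles: {0}" -f [bool]$provisioned)

# 3. Optional removal: strip it from every profile, then de-provision it so it
#    does not return for users created later.
if ($Remove) {
    Get-AppxPackage -AllUsers -Name $PackageName | Remove-AppxPackage -AllUsers
    if ($provisioned) {
        $provisioned | Remove-AppxProvisionedPackage -Online | Out-Null
    }
    Write-Output "Removed $PackageName from all users and from the provisioning store."
}
```

For fleet-wide enforcement, the same package name can be referenced from an AppLocker packaged-app rule or an Intune app policy rather than running this on each machine.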

For individual users:


  • Disconnect unused Phone Link sessions: Disable the feature if not actively needed
  • Use authenticator apps: Replace SMS OTP with time-based one-time passwords (TOTP) via Microsoft Authenticator, Google Authenticator, or Authy
  • Maintain updated security software: Ensure Windows Defender and third-party endpoint protection are current
  • Monitor authentication logs: Review sign-in activity on your Microsoft and Google accounts, and on any accounts linked to them

Broader strategic measures:


  • Transition to passwordless authentication: Organizations should prioritize Windows Hello, FIDO2 security keys, or biometric authentication that cannot be stolen via malware
  • Implement behavioral analysis: Deploy EDR (Endpoint Detection and Response) solutions that can identify anomalous API access patterns
  • Security awareness training: Educate employees about phishing campaigns that may deliver CloudZ payloads

## Conclusion

The Pheno plugin represents a tangible evolution in malware sophistication, demonstrating how attackers systematically identify and weaponize legitimate system features. The compromise of Microsoft Phone Link introduces a new vector for defeating MFA—arguably the most critical control preventing account takeover.

Organizations cannot assume that SMS-based authentication provides meaningful security when Windows endpoints are compromised. The discovery of Pheno should accelerate enterprise migration to stronger authentication mechanisms and drive heightened awareness of the security implications inherent in deeply integrated platform features.

As remote work and BYOD strategies remain prevalent, the intersection of legitimate mobile-desktop integration and malware capabilities will continue to present novel security challenges. Vigilance, rapid patching, and a shift toward modern authentication methods represent the most effective defense.