
CloudZ RAT Uses Pheno Plugin to Harvest OTPs via Microsoft Phone Link Bridge

Cisco Talos reports that the CloudZ remote‑access tool, augmented by a custom Pheno plugin, can hijack Microsoft Phone Link on Windows 10/11 to read SMS‑based one‑time passwords stored in the app’s SQLite database. The technique poses a credential‑theft risk for any organization that enables PC‑to‑phone synchronization.

LiveThreat™ Intelligence · 📅 May 05, 2026 · 📰 blog.talosintelligence.com

Severity: High · Type: ThreatIntel · Confidence: High · Affected: 3 sector(s) · Actions: 3 recommended · Source: blog.talosintelligence.com

CloudZ RAT Harvests OTPs via Microsoft Phone Link Bridge (Potential Credential Theft)

What Happened — Cisco Talos uncovered an active intrusion (since Jan 2026) where attackers deployed the CloudZ remote‑access tool together with a custom “Pheno” plugin. The plugin abuses Microsoft’s Phone Link (formerly Your Phone) to read the app’s SQLite database on the Windows PC and capture SMS‑based one‑time passwords (OTPs) and other mobile notifications.

Why It Matters for TPRM

  • Demonstrates a novel vector for credential theft that bypasses mobile device defenses.
  • Highlights risk for any organization that enables PC‑to‑phone synchronization on Windows 10/11 endpoints.
  • Shows how seemingly benign remote‑support utilities (e.g., fake ScreenConnect updates) can introduce sophisticated RATs.

Who Is Affected — Enterprises using Windows 10/11 with Phone Link enabled, vendors of remote‑support tools, and any third‑party that relies on OTP‑based authentication.

Recommended Actions

  • Review and restrict use of Microsoft Phone Link on corporate devices.
  • Enforce strict validation of remote‑support software updates (e.g., ScreenConnect).
  • Deploy endpoint detection that monitors anomalous memory‑only processes and SQLite file access.

Technical Notes — The intrusion begins with an unknown initial vector, likely a malicious ScreenConnect update executable, which drops a .NET loader that installs the modular CloudZ RAT. Pheno monitors active Phone Link sessions, reads the “PhoneExperiences‑.db” SQLite file, and exfiltrates OTP messages. The RAT runs its payload in memory and includes anti‑debug/sandbox checks. Source: Cisco Talos Blog.
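The third recommended action (monitor SQLite file access) and the technical note on the Phone Link database can be turned into a concrete detection rule. The following is an added example, not code from the brief or from Cisco Talos: it scans file-access telemetry for any process other than the Phone Link host reading a SQLite file under the Phone Link app package directory. The package directory name, the host process name and the log format are assumptions, and the log lines are constructed samples.

```python
import re
from pathlib import PureWindowsPath

# Assumptions (not from the brief): Phone Link's package directory is named
# Microsoft.YourPhone_<publisher id> and its legitimate reader is PhoneExperienceHost.exe.
PHONE_LINK_PKG = re.compile(r"\\Packages\\Microsoft\.YourPhone_[^\\]+\\", re.IGNORECASE)
SQLITE_SUFFIXES = (".db", ".db-wal", ".db-shm", ".db-journal")
ALLOWED_PROCESSES = {"phoneexperiencehost.exe"}

# Constructed sample telemetry (Sysmon-style file access): timestamp|process image|target file.
SAMPLE_EVENTS = r"""
2026-05-05T10:01:02Z|C:\Program Files\WindowsApps\Microsoft.YourPhone_1.0_x64__8wekyb3d8bbwe\PhoneExperienceHost.exe|C:\Users\alice\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\LocalCache\Indexed\PhoneExperiences.db
2026-05-05T10:01:05Z|C:\Windows\System32\notepad.exe|C:\Users\alice\Documents\notes.txt
2026-05-05T10:02:17Z|C:\Users\alice\AppData\Local\Temp\updater.exe|C:\Users\alice\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\LocalCache\Indexed\PhoneExperiences.db
""".strip()


def parse_event(line):
    """Split one pipe-delimited telemetry line into (timestamp, image, target)."""
    ts, image, target = line.split("|", 2)
    return ts, image, target


def is_phone_link_db(target):
    """True if the target is a SQLite file (or its WAL/journal) inside the Phone Link package."""
    return bool(PHONE_LINK_PKG.search(target)) and target.lower().endswith(SQLITE_SUFFIXES)


def detect_unexpected_db_readers(log_text, allowed=ALLOWED_PROCESSES):
    """Return one alert per access to the Phone Link database by a non-allowlisted process."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, image, target = parse_event(line)
        if not is_phone_link_db(target):
            continue
        proc = PureWindowsPath(image).name.lower()
        if proc in allowed:
            continue
        alerts.append({"time": ts, "process": image, "file": target})
    return alerts


if __name__ == "__main__":
    for alert in detect_unexpected_db_readers(SAMPLE_EVENTS):
        print(f"ALERT {alert['time']}: {alert['process']} read {alert['file']}")
```

A name-based allowlist is weak on its own, since a malicious binary can be renamed; in production pair it with the signer and install path of the allowed process.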

📰 Original Source
https://blog.talosintelligence.com/cloudz-pheno-infostealer/

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.
