- A new CloudZ plugin, Pheno, hijacks Microsoft Phone Link to steal SMS messages and OTP codes from connected Android devices
- This allows attackers to bypass 2FA without compromising the phone.
- RAT retains all remote access capabilities, and researchers urge abandoning SMS-based authentication
Experts have revealed that a new version of the CloudZ Remote Access Trojan (RAT) for Windows now comes with a new add-on that steals data from a connected Android device.
Cisco Talos security researchers recently detected the improved variant while investigating a breach that has been ongoing since January 2026.
The Windows 10 and 11 operating systems have a feature called Microsoft Phone Link, which allows users to connect their Android and iOS mobile devices to their computers. They can then use their computers to take and make calls, text people, and more, without needing to pick up their smartphone.
Stealing 2FA and OTP codes
While it is definitely a useful feature for replying to those WhatsApp and Telegram group messages, it is even more useful when you need the device for two-factor authentication (2FA). That is precisely why CloudZ has gained a new plugin called Pheno.
Which brings us to today.
By hijacking the connection, threat actors can easily leak not only the credentials, but also the temporary passwords that are sent to the mobile device, without needing to compromise the phone.
Pheno works by monitoring active Phone Link sessions and accessing the local SQLite database containing SMS and one-time passwords (OTP).
“With confirmed Phone Link activity on the victim machine, the attacker using the CloudZ RAT can potentially intercept the SQLite database file of the Phone Link application on the victim machine, potentially compromising SMS-based OTP messages and other notification messages from the authenticating application,” Cisco Talos said.
Other than that, CloudZ comes with all the usual RAT capabilities, such as manipulating files, executing shell commands, recording the screen, and more. It attempts to disguise its activity by rotating between three encoded user agent strings, making its HTTP traffic appear to be legitimate browser requests.
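Two detection checks for the behaviours described in the last two paragraphs, written here as an added example and not code from Cisco Talos or the article: one flags processes other than the Phone Link host reading the Phone Link SQLite database (from constructed Windows 4663-style file-access records), the other flags clients that cycle a small fixed set of user agents. The database path, the host process name, the sample events and the strict round-robin pattern are all assumptions; replace the placeholders with values observed in your own environment.

```python
from collections import defaultdict
from fnmatch import fnmatchcase

# Placeholders (not from the article): the Phone Link LocalCache database
# path and the legitimate Phone Link process name on your hosts.
PHONE_LINK_DB_GLOB = r"c:\users\*\appdata\local\packages\<phonelinkpackage>\localcache\*.db"
PHONE_LINK_HOST = "phonelinkhost.exe"

# Constructed 4663-style sample: which process read which file.
SAMPLE_EVENTS = [
    {"process": r"C:\Program Files\WindowsApps\PhoneLinkHost.exe",
     "object": r"C:\Users\alice\AppData\Local\Packages\<PhoneLinkPackage>\LocalCache\messages.db"},
    {"process": r"C:\Users\alice\AppData\Roaming\updater.exe",
     "object": r"C:\Users\alice\AppData\Local\Packages\<PhoneLinkPackage>\LocalCache\messages.db"},
]

def suspicious_db_readers(events):
    """Processes that touched the Phone Link SQLite file but are not its host."""
    hits = []
    for ev in events:
        if not fnmatchcase(ev["object"].lower(), PHONE_LINK_DB_GLOB):
            continue  # some other file, not the Phone Link database
        if ev["process"].lower().rsplit("\\", 1)[-1] == PHONE_LINK_HOST:
            continue  # the legitimate owner of the database
        hits.append(ev["process"])
    return hits

# Constructed proxy log sample: (client, user agent), one row per request.
SAMPLE_PROXY = (
    [("10.0.0.5", ua) for ua in ["UA-A", "UA-B", "UA-C"] * 3]
    + [("10.0.0.9", "UA-A")] * 8 + [("10.0.0.9", "UA-B")]
)

def rotating_user_agents(records, max_distinct=3, min_requests=6):
    """Clients cycling a small fixed UA set in strict rotation (an assumed
    pattern; the article only says the RAT rotates between three strings)."""
    by_client = defaultdict(list)
    for client, ua in records:
        by_client[client].append(ua)
    flagged = {}
    for client, uas in by_client.items():
        distinct = list(dict.fromkeys(uas))  # first-seen order
        if len(uas) < min_requests or not 1 < len(distinct) <= max_distinct:
            continue
        if all(ua == distinct[i % len(distinct)] for i, ua in enumerate(uas)):
            flagged[client] = distinct
    return flagged
```

A real browser normally sends one user agent for all of its requests, which is why a client alternating between a handful of fixed strings stands out in proxy logs.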
Cisco Talos could not determine how CloudZ infected victims, but warned that users should avoid SMS-based OTP services and instead use authenticator applications that do not require interceptable push notifications.
Via BleepingComputer