A newly discovered malware campaign is exploiting one of Windows’ most convenient cross-device features — Phone Link — as a covert channel to harvest one-time passwords (OTPs) and SMS messages from users’ smartphones, all from the Windows PC itself. The threat, detailed by Cisco Talos researchers Alex Karkins and Chetan Raghuprasad in a report published on May 5, 2026, centers on a modular remote access trojan (RAT) called CloudZ and a bespoke, previously undocumented plugin named Pheno.

⚠ Active Threat

This campaign has been confirmed active since at least January 2026. Attackers target Windows 10 and 11 systems with Phone Link enabled and paired to an Android or iOS device. No patch from Microsoft is currently required — the attack abuses a legitimate feature by design.

What Is Phone Link — And Why Does It Matter?

Microsoft Phone Link, formerly marketed as “Your Phone,” ships as a built-in application in Windows 10 and 11. It creates a wireless bridge between the PC and a paired smartphone over Wi-Fi or Bluetooth, mirroring SMS messages, call logs, and app notifications directly onto the desktop. Critically, synchronized data — including SMS messages — is written to local SQLite database files on the PC, including one named PhoneExperiences-*.db.

This local storage architecture, designed for seamless productivity, inadvertently creates a rich target: an attacker who controls the Windows endpoint can access mobile content from the desktop without ever compromising or even touching the phone itself.

With confirmed Phone Link activity on the victim’s machine, the attacker can potentially intercept the application’s SQLite database file, compromising SMS-based OTP messages and authenticator app notification messages.

— Cisco Talos, May 5, 2026

The Attack Chain: How CloudZ Infiltrates a System

The initial access vector remains unconfirmed by researchers, but once inside a victim’s environment, the intrusion follows a carefully staged sequence designed to evade detection at every step.

▸ Infection Sequence — CloudZ / Pheno Campaign
  01. Fake ScreenConnect Update Executed: The victim runs a malicious executable disguised as a legitimate update for the ScreenConnect remote support tool. The initial delivery method (phishing, supply-chain, etc.) remains unknown.
  02. Rust-Compiled Loader Drops .NET Loader: A Rust-compiled loader (e.g., systemupdates.exe) drops a .NET loader onto disk, disguised as a plain text file named update.txt or msupdate.txt.
  03. Persistence via regasm.exe and Task Scheduler: A built-in PowerShell script registers the .NET loader as a scheduled startup task, abusing the legitimate Windows binary regasm.exe (a LOLBin) to load it automatically on every boot under the SYSTEM account.
  04. Anti-Analysis Checks Performed: CloudZ queries environment variables and Windows APIs to detect debuggers, .NET profilers, and sandbox or virtual machine environments. If analysis tools are found, execution halts.
  05. CloudZ RAT Executed In-Memory: The malware decrypts and reassembles internally split strings to execute CloudZ, a ConfuserEx-obfuscated .NET executable compiled January 13, 2026, entirely in system memory, leaving no file artifact on disk.
  06. C2 Server Connection Established: CloudZ downloads IP address and port configuration from an external service and connects to an attacker-controlled command-and-control (C2) server. HTTP traffic is disguised by rotating between three hardcoded legitimate browser user-agent strings.
  07. Pheno Plugin Downloaded and Integrated: Following C2 instructions, CloudZ downloads and loads the Pheno plugin. Pheno begins scanning running processes for keywords including YourPhone, PhoneExperienceHost, and Link to Windows.
  08. Phone Link Session Detected and Flagged: If an active Phone Link session is confirmed, Pheno marks the system as “Maybe connected” and signals the C2 operator, potentially enabling follow-on data collection from the local SQLite database.

The Pheno Plugin: A New Approach to MFA Bypass

Pheno is the campaign’s most novel component. The plugin continuously monitors Windows processes for any sign of an active Phone Link session. It does not directly extract data autonomously — rather, it confirms whether the Phone Link bridge is live and reports this status back to the attacker via the C2 server, enabling the operator to decide whether to proceed with data collection.

Researchers confirmed that the local SQLite database maintained by Phone Link can contain synchronized SMS messages and OTP codes. Whether the attackers in this specific intrusion actually extracted this data remains unconfirmed — but the infrastructure is designed precisely to enable it.

This plugin is a new approach to MFA bypass — by owning the communication channels that exist between your phone and your computer, the attacker doesn’t need to touch the phone at all.

— Nick Biasini, Head of Outreach, Cisco Talos

CloudZ’s Broader Capabilities

Beyond the Phone Link attack surface, CloudZ is a fully featured RAT with a wide range of capabilities. Cisco Talos documented the following functions in addition to the Pheno integration:

CloudZ RAT Documented Capabilities
  • Browser credential harvesting (cached usernames and passwords)
  • Host profiling (system info, running processes, network config)
  • File management: upload, download, delete, and write operations
  • In-memory execution to evade endpoint detection tools
  • Rotating browser user-agent strings to blend HTTP traffic
  • Modular plugin architecture — new capabilities can be added remotely
  • Scheduled task persistence via the SYSTEM account

The modular architecture is particularly notable. Cisco Talos warned that the Pheno plugin could be readily adapted to target other mobile-to-desktop syncing tools, including Dell Mobile Connect or Apple’s iMessage integration on macOS, using the same conceptual approach.

Who Is Behind the Attack?

The identity of the threat actor remains unknown. Cisco Talos has not attributed the campaign to a specific group or nation-state at this time. The intrusion was tracked under the identifier UAT-8302 in some reporting contexts, though this designation overlaps with separate Talos research. The attacker’s motive, assessed from the tooling, appears focused on credential theft and the bypass of two-factor authentication — particularly SMS-based OTP mechanisms widely used by enterprises.

The Broader Implication: Trusted Features as Attack Surfaces

What makes this campaign significant is not a vulnerability in Phone Link — Microsoft has not issued any advisory or patch, because no software flaw is being exploited. Instead, the attack abuses the feature precisely as designed: Phone Link stores mobile data locally on the PC. Any process with sufficient privileges on that PC can access that data.

This reframes how security teams must think about cross-device productivity tools. Features that bridge organizational boundaries — phone-to-PC sync, cloud clipboard, unified notification systems — all create data pathways that, if an endpoint is compromised, can be turned against the user. The attack does not require the attacker to bypass mobile security at all.

🔒 Recommended Mitigations

Security teams should consider auditing Phone Link usage across enterprise endpoints, enforcing application control policies against unsanctioned ScreenConnect updates, monitoring Task Scheduler for suspicious entries, and reviewing regasm.exe usage via EDR telemetry. Where SMS-based OTP is used for high-value accounts, consider migrating to hardware tokens or authenticator apps that do not sync through desktop software.
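As an added endpoint audit example (written for this article, not code from the Talos report), the PowerShell below checks the three things the mitigation paragraph names on a single Windows host: scheduled tasks whose action invokes regasm.exe (the LOLBin from step 03), live Phone Link processes (the same names Pheno keys on), and local PhoneExperiences-*.db files together with who can read them. The database search location under LocalAppData\Packages is an assumption; adjust it if your build stores the file elsewhere.

```powershell
# Added audit script, not part of the Talos report. Run in an elevated prompt.
# Assumption: Phone Link keeps PhoneExperiences-*.db somewhere under
# $env:LOCALAPPDATA\Packages; the exact subfolder is not taken from the article.

# 1. Scheduled tasks that launch regasm.exe. A SYSTEM principal or a non-.dll
#    argument (the campaign used update.txt / msupdate.txt) raises the severity.
$suspectTasks = Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        $cmd = "$($action.Execute) $($action.Arguments)".Trim()
        if ($cmd -match 'regasm(\.exe)?') {
            $severity = 'Review'
            if ($task.Principal.UserId -match 'SYSTEM' -or $cmd -match '\.txt') { $severity = 'High' }
            [pscustomobject]@{
                Severity = $severity
                TaskName = $task.TaskName
                TaskPath = $task.TaskPath
                RunAs    = $task.Principal.UserId
                Triggers = ($task.Triggers | ForEach-Object { $_.CimClass.CimClassName }) -join ','
                Command  = $cmd
            }
        }
    }
}

# 2. Is a Phone Link session live right now? These are the process names the
#    article says Pheno scans for, so their presence is what makes a host interesting.
$phoneLinkProcs = Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $_.ProcessName -match 'YourPhone|PhoneExperienceHost' } |
    Select-Object Id, ProcessName

# 3. Local copies of the synced-SMS database and the identities allowed to read them.
$dbFiles = Get-ChildItem -Path "$env:LOCALAPPDATA\Packages" -Recurse `
        -Filter 'PhoneExperiences-*.db' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $acl = Get-Acl -Path $_.FullName
        [pscustomobject]@{
            Path      = $_.FullName
            SizeKB    = [math]::Round($_.Length / 1KB, 1)
            LastWrite = $_.LastWriteTime
            Readers   = ($acl.Access | Where-Object { $_.FileSystemRights -match 'Read' } |
                         ForEach-Object { $_.IdentityReference.Value }) -join '; '
        }
    }

"== regasm.exe scheduled tasks ($(@($suspectTasks).Count)) =="; $suspectTasks | Format-Table -AutoSize
"== Phone Link processes ($(@($phoneLinkProcs).Count)) ==";     $phoneLinkProcs | Format-Table -AutoSize
"== PhoneExperiences-*.db files ($(@($dbFiles).Count)) ==";     $dbFiles | Format-List
```

Any task in the first table running as SYSTEM, or passing a .txt path to regasm.exe, matches the persistence pattern described in step 03 and should be pulled into EDR investigation; the third table tells you how much synced SMS content a compromised user or SYSTEM context could reach on that host.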

Source and Disclosure

This campaign was disclosed in a report published by Cisco Talos on May 5, 2026. The research was authored by Alex Karkins and Chetan Raghuprasad. Cisco Talos has made indicators of compromise (IOCs) available in their full technical report for defenders to use in threat hunting and detection rule development.