Cybersecurity researchers said a CloudZ remote access tool intrusion active since at least January 2026 used a previously undocumented Pheno plugin to abuse Microsoft’s Phone Link feature on Windows 10 and Windows 11 and steal credentials, including one-time passwords.
KEY FACTS
- Targeted feature: The attack focused on Phone Link, which connects Windows computers with Android phones or iPhones.
- Plugin use: Pheno checked for active Phone Link processes and sought synchronized mobile data.
- Data sought: The operation aimed at credentials, SMS content and one-time passwords.
- Initial access: The initial access method is undetermined; once on the machine, the chain dropped a fake ConnectWise ScreenConnect executable that launched a .NET loader.
A technical analysis from Cisco Talos said the malware chain started with an undetermined access method, then dropped a counterfeit ConnectWise ScreenConnect file that launched a .NET loader. A PowerShell script set a scheduled task for persistence.
The loader ran checks on the hardware and environment before deploying the modular CloudZ trojan. Once active, CloudZ decrypted its configuration, connected to a command and control server over an encrypted socket and waited for Base64-encoded instructions.
The report said the plugin was used to inspect the Microsoft Phone Link application on the victim machine and write reconnaissance data to a staging folder. CloudZ then read the data back and sent it to the command and control server.
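A host-triage script for the conditions the chain above depends on, added here as an example; it is not taken from the Cisco Talos report or from the CloudZ and Pheno samples. It assumes Phone Link runs as the process PhoneExperienceHost.exe, that the persistence task can be surfaced by listing scheduled tasks whose action invokes PowerShell, and that a counterfeit ScreenConnect binary would sit in user-writable paths rather than the product's normal install directory. None of these are indicators published for this intrusion; they are generic hunting heuristics.

```powershell
# Added triage example, not code from the report. The process name, task
# filter and search roots below are assumptions, not published IOCs.

# 1. Is Phone Link active? The plugin reportedly checked for its processes
#    before looking for synced data. Assumption: host process is
#    PhoneExperienceHost.exe (verify on your Windows build).
$phoneLink = Get-Process -Name 'PhoneExperienceHost' -ErrorAction SilentlyContinue
if ($phoneLink) {
    "Phone Link running (PID $($phoneLink.Id -join ', ')): synced SMS and notification data is reachable from this host."
} else {
    "Phone Link is not running."
}

# 2. Scheduled tasks whose action launches PowerShell. The report describes a
#    PowerShell-created task for persistence but gives no task name, so list
#    every task that executes powershell.exe or pwsh.exe and review by hand.
$suspectTasks = Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        if (($action.Execute -match 'powershell|pwsh') -or ($action.Arguments -match 'powershell|pwsh')) {
            [pscustomobject]@{
                TaskName  = $task.TaskName
                TaskPath  = $task.TaskPath
                State     = $task.State
                RunAs     = $task.Principal.UserId
                Execute   = $action.Execute
                Arguments = $action.Arguments
            }
        }
    }
}
$suspectTasks | Format-Table -AutoSize

# 3. Executables named after ScreenConnect or ConnectWise in user-writable
#    locations, with their Authenticode status. A legitimate agent normally
#    lives under Program Files and carries a valid ConnectWise signature
#    (assumption about the real product's install layout).
$roots = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA, $env:PUBLIC, "$env:USERPROFILE\Downloads")
Get-ChildItem -Path $roots -Recurse -File -Include '*ScreenConnect*.exe', '*ConnectWise*.exe' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Path          = $_.FullName
            SizeBytes     = $_.Length
            LastWriteTime = $_.LastWriteTime
            SigStatus     = $sig.Status
            Signer        = $sig.SignerCertificate.Subject
        }
    } | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt so that tasks registered under other principals are visible. A hit in step 3 with an unsigned or differently signed binary, combined with a recently created PowerShell task in step 2, matches the shape of the chain described above and warrants pulling the .NET loader for analysis; step 1 alone only tells you whether Phone Link data is exposed on the host, not whether it was collected.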
Phone Link is built into Windows 10 and Windows 11 and lets users pair a PC with a mobile device to make calls, send messages and dismiss notifications. The disclosed method shows how a legitimate syncing feature can be turned into a path for accessing phone data on a Windows system without compromising the phone itself.
WHY IT MATTERS
The findings show how cross-device features can be abused to reach SMS data and one-time passwords on a Windows computer, which can weaken account protections that rely on mobile verification. The intrusion has not been tied to a known threat actor or group.