Security researchers at Cisco Talos have uncovered a sophisticated campaign that allows attackers to steal SMS messages and one-time passwords (OTPs) without ever installing malware on a victim’s smartphone. Active since at least January 2026, the operation utilizes a powerful duo: the CloudZ Remote Access Tool (RAT) and a previously undocumented, highly specialized plugin named “Pheno”.
Rather than attacking the mobile device directly, the threat actors are exploiting a tool already trusted by millions: Microsoft Phone Link.
Microsoft Phone Link (formerly “Your Phone”) is designed to create a seamless bridge between a PC and a smartphone, mirroring notifications and messages to the desktop. Pheno turns this convenience into a vulnerability.
According to the Cisco Talos report, “CloudZ utilizes the custom Pheno plugin to hijack the established PC-to-phone bridge by abusing the Microsoft Phone Link application, allowing the plugin to continuously scan for active Phone Link processes and potentially intercept sensitive mobile data like SMS and OTPs”.

By compromising the Windows environment where the Phone Link application is running, Pheno can monitor synchronized phone data—such as call logs and text messages—directly from the computer’s memory and local storage.
The attackers behind CloudZ and Pheno have gone to great lengths to remain undetected by traditional security software. The malware executes its most critical functions dynamically in system memory, ensuring it leaves a minimal footprint on the physical disk.
Furthermore, the tools are equipped with sophisticated anti-forensic capabilities:
- Debugger Evasion: The malware performs active checks to see if it is being analyzed by security researchers.
- Sandbox Detection: It can recognize and terminate execution if it detects a virtualized “sandbox” environment.
- Relay Monitoring: The Pheno plugin specifically looks for the keyword “proxy” in system outputs, which indicates that a Phone Link session is actively routing traffic through its relay channel.
The primary objective of this campaign appears to be credential theft and the bypass of security measures. By intercepting SMS-based one-time passwords (OTPs) via the PC-to-phone bridge, attackers can effectively neutralize Two-Factor Authentication (2FA).
When the Pheno plugin detects an active session, it reports a “Maybe connected” status to the attacker. This signal allows the operator, using the CloudZ RAT, to “potentially monitor SMS or OTP requests that appear on the Phone Link application.”
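A defender-side way to hunt for the behaviour described above (a process that scans for the Phone Link host and reads its memory) is to review process-access telemetry. The script below is an added example written for this article; it is not code from Cisco Talos, from the CloudZ or Pheno samples, or from Microsoft. It assumes Sysmon Event ID 10 (ProcessAccess) records exported as one JSON object per line, and that the Phone Link host on Windows is `PhoneExperienceHost.exe` (with the older `YourPhone.exe` name also covered); the allow list and the sample events are constructed for the example and must be tuned to a real estate.

```python
"""Flag processes that open memory-read handles to the Phone Link host.

Input: Sysmon Event ID 10 (ProcessAccess) records, one JSON object per line.
Output: a list of findings (source image, granted access mask) for review.
"""
import json

# Assumption: Phone Link runs as PhoneExperienceHost.exe (older builds: YourPhone.exe).
PHONE_LINK_IMAGES = {"phoneexperiencehost.exe", "yourphone.exe"}

# Constructed allow list of Windows components that routinely open other
# processes; extend it from a baseline of your own endpoints.
ALLOWED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\lsass.exe",
}

# Win32 process access right that permits ReadProcessMemory.
PROCESS_VM_READ = 0x0010


def image_name(path: str) -> str:
    """Return the lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def is_suspicious_access(event: dict) -> bool:
    """True when a non-allow-listed process gets VM_READ on the Phone Link host."""
    if image_name(event.get("TargetImage", "")) not in PHONE_LINK_IMAGES:
        return False
    if event.get("SourceImage", "").lower() in ALLOWED_SOURCES:
        return False
    # Sysmon writes GrantedAccess as a hex string such as "0x1010".
    granted = int(event.get("GrantedAccess", "0x0"), 16)
    return bool(granted & PROCESS_VM_READ)


def hunt(lines) -> list:
    """Return (SourceImage, GrantedAccess) for every suspicious ProcessAccess event."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        if event.get("EventID") != 10:
            continue  # only ProcessAccess events carry GrantedAccess
        if is_suspicious_access(event):
            findings.append((event["SourceImage"], event["GrantedAccess"]))
    return findings


# Constructed sample telemetry: one process-creation event (ignored), one
# allow-listed access, one access without VM_READ, and one that should alert.
SAMPLE_EVENTS = [
    r'{"EventID": 1, "Image": "C:\\Windows\\System32\\PhoneExperienceHost.exe"}',
    r'{"EventID": 10, "SourceImage": "C:\\Windows\\System32\\csrss.exe",'
    r' "TargetImage": "C:\\Windows\\System32\\PhoneExperienceHost.exe", "GrantedAccess": "0x1FFFFF"}',
    r'{"EventID": 10, "SourceImage": "C:\\Windows\\System32\\svchost.exe",'
    r' "TargetImage": "C:\\Windows\\System32\\PhoneExperienceHost.exe", "GrantedAccess": "0x1400"}',
    r'{"EventID": 10, "SourceImage": "C:\\Users\\Public\\update.exe",'
    r' "TargetImage": "C:\\Windows\\System32\\PhoneExperienceHost.exe", "GrantedAccess": "0x1010"}',
]

if __name__ == "__main__":
    for source, access in hunt(SAMPLE_EVENTS):
        print(f"review: {source} opened Phone Link host with access {access}")
```

The check keys on the access mask rather than on the process name alone, because the page describes the plugin reading synchronized data from memory; a process that merely queries the Phone Link process (0x1400 in the sample) does not meet that bar, while one requesting VM_READ from an unusual path does. Pair the alert with the article's other indicators, such as anti-debugging and sandbox checks in the same process tree, before escalating.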
Cisco Talos researchers conclude that this method allows for the interception of sensitive data “without deploying malware on the phone.”