
Cybersecurity Threat Advisory

A new CloudZ RAT variant uses a stealthy plugin called Pheno to hijack Microsoft Phone Link on Windows 10 and 11, allowing attackers to intercept SMS messages and one-time passcodes synced from mobile devices. Active since at least January, the campaign focuses on stealing credentials and authentication codes. Read this Cybersecurity Threat Advisory to mitigate risk for you and your clients.

What is the threat?

This Windows-focused campaign uses the CloudZ remote access trojan (RAT) and a custom plugin (Pheno) to abuse Microsoft’s built-in Phone Link app. Rather than infecting the mobile device, the malware compromises the Windows endpoint, monitors Phone Link activity, and reads the SMS and notification data that Phone Link mirrors from the phone into local SQLite databases (such as PhoneExperiences-.db). Because the synced copy lives on the PC, the attacker never needs to touch the phone at all.

This lets attackers capture login credentials and SMS-based one-time passwords (OTPs), defeating SMS-based MFA for any account whose codes are delivered to the synced phone. From there, they can expand access, move laterally, and compromise additional accounts without ever interacting with the victim’s phone directly.

Why is it noteworthy?

This threat stands out for both its delivery method and its approach to MFA bypass. It arrives via a fake ScreenConnect update, using a Rust-based loader and a .NET component disguised as a text file. It then deploys CloudZ through the legitimate regasm.exe binary (the .NET Assembly Registration tool, which runs code from the assembly it is asked to register, making it a convenient signed, Microsoft-shipped launcher) and persists under the SYSTEM account, blending into normal Windows activity.

CloudZ is heavily obfuscated and designed to evade analysis, actively checking for security tools and virtual environments. Its communications are masked using rotating browser-like user agents and attacker-controlled infrastructure, including staging servers and Pastebin.

By shifting the attack surface from mobile devices to Windows endpoints, this campaign exposes a critical weakness in SMS-based MFA. The publication of IOCs and detection signatures by Cisco Talos confirms this is an active, real-world threat that defenders must address.

What is the exposure or risk?

Once executed, the fake update installs CloudZ and establishes a persistent foothold on the endpoint. Beyond SMS and OTP theft, the malware can:

  • Harvest browser-stored data
  • Profile the system
  • Execute arbitrary commands
  • Manage and exfiltrate files
  • Load additional plugins
  • Record screen activity

These capabilities provide attackers with broad control over the system, significantly increasing the risk of credential theft, MFA bypass, and full endpoint compromise. Obfuscated C2 traffic and anti-analysis techniques further complicate detection and response.

What are the recommendations?

Barracuda strongly recommends organizations take these additional steps to defend their machines:

  • Prefer app-based authenticators or hardware security keys over SMS-based OTPs
  • Disable or strictly limit Microsoft Phone Link on corporate endpoints where not required
  • Treat Phone Link data (e.g., PhoneExperiences-.db) as sensitive and monitor it with EDR/DLP tools
  • Keep EDR/AV solutions updated with the latest CloudZ/Pheno IOCs and signatures
  • Enforce application allowlisting to block untrusted update executables
  • Monitor and restrict use of living-off-the-land binaries such as regasm.exe
  • Enable detailed process, script, and network logging (e.g., Sysmon) and centralize in a SIEM
  • Apply least-privilege access and remove unnecessary local admin rights
  • Segment networks to limit lateral movement
  • Train users to avoid unsolicited update prompts and report suspicious activity
  • Isolate affected systems, investigate using known IOCs, and reset credentials and active sessions

References

For more in-depth information about the recommendations, please visit the following links:

If you have any questions about this Cybersecurity Threat Advisory, don’t hesitate to get in touch with Barracuda Managed XDR’s Security Operations Center.


Posted by Mona Gujral

Mona is a Cybersecurity Analyst at Barracuda. She's a security expert, working on our Blue Team within our Security Operations Center. Mona supports our XDR service delivery and is highly skilled at analyzing security events to detect cyber threats, helping keep our partners and their customers protected.
