Cybercriminals Exploit Windows Phone Link to Steal Credentials and OTPs
In a recent cybersecurity development, researchers have uncovered a sophisticated intrusion involving the CloudZ remote access trojan (RAT) and a previously undocumented plugin named Pheno. The pair is being used to steal user credentials and, through the Phone Link bridge described below, to intercept one-time passwords (OTPs) delivered to the victim's phone.
According to Cisco Talos researchers Alex Karkins and Chetan Raghuprasad, the capabilities of the CloudZ RAT and the Pheno plugin are built specifically for credential theft. The attack abuses the Microsoft Phone Link application, a legitimate feature of Windows 10 and 11 that pairs a PC with an Android or iOS device over Wi-Fi and Bluetooth so that users can make calls, send and read messages, and receive notifications from the computer. The important consequence for this attack is that the phone's messages are mirrored onto the PC.
The novelty of this attack lies in hijacking the PC-to-phone bridge that Phone Link establishes. Rather than exploiting a flaw in Phone Link, the Pheno plugin watches for active Phone Link processes and reads the mobile data the application has already synchronized to the PC, including SMS messages and the OTPs they carry, without deploying any malware on the mobile device. The attacker must first have code execution on the PC; once that is the case, a legitimate cross-device syncing feature extends the compromise to the phone's message stream and lets the attacker defeat SMS-based two-factor authentication from the PC alone.
The intrusion campaign has been active since at least January 2026 and has not been attributed to any known threat actor or group. The attack chain begins with an as-yet-undetermined initial access method that gives the attackers a foothold on the victim's system. The attackers then drop an executable masquerading as ConnectWise ScreenConnect, which downloads and runs a .NET loader. That loader carries an embedded PowerShell script that establishes persistence by creating a scheduled task to relaunch the malicious .NET loader.
The intermediate loader performs hardware and environment checks, the usual anti-analysis gate, before deploying the modular CloudZ trojan on the compromised machine. On execution the trojan decrypts an embedded configuration, opens an encrypted socket connection to the command-and-control (C2) server, and waits for Base64-encoded instructions. Those instructions let the operator exfiltrate credentials and push additional plugins to the host.
CloudZ supports a variety of commands, including:
– `pong`: Sends heartbeat responses.
– `PING!`: Issues a heartbeat request.
– `CLOSE`: Terminates the trojan process.
– `INFO`: Collects system metadata.
– `RunShell`: Executes shell commands.
– `BrowserSearch`: Exfiltrates web browser data.
– `GetWidgetLog`: Exfiltrates Phone Link reconnaissance logs and data.
– `plugin`: Loads a plugin.
– `savePlugin`: Saves a plugin to disk at the staging directory (`C:\ProgramData\Microsoft\whealth\`).
– `sendPlugin`: Uploads a plugin to the C2 server.
– `RemovePlugins`: Removes all deployed plugin modules.
– `Recovery`: Enables recovery or reconnection.
– `DW`: Conducts download and file write operations.
– `FM`: Conducts file management operations.
– `Msg`: Sends a message to the C2 server.
– `Error`: Reports errors to the C2 server.
– `rec`: Records the screen.
The Pheno plugin's sole job is reconnaissance of the Windows Phone Link application on the victim's machine. By monitoring active Phone Link processes, the plugin locates and reads the SQLite database file in which the application stores the synchronized phone data. Because that database lives in the logged-on user's profile, any code already running as that user can read it: no privilege escalation on the PC and no compromise of the mobile device is needed to harvest SMS messages and the OTPs inside them.
This attack underscores the risk that legitimate cross-device synchronization features carry: data mirrored to the PC for convenience inherits every compromise of that PC. Defenders should treat a Phone Link-enabled workstation as part of the trust boundary of any SMS-based OTP flow, hunt for the indicators described above (the `C:\ProgramData\Microsoft\whealth\` staging directory, scheduled tasks that launch loaders from ProgramData, and processes other than Phone Link reading its synced-data database), and prefer second factors that are not mirrored to the PC, such as an authenticator app or a hardware security key, for high-value accounts.