{"id":216136,"date":"2026-05-19T02:50:06","date_gmt":"2026-05-19T06:50:06","guid":{"rendered":"https:\/\/testing.news-you-need.com\/index.php\/2026\/05\/19\/cloudz-malware-abuses-microsoft-phone-link-to-steal-sms-and-otps\/"},"modified":"2026-05-19T02:50:10","modified_gmt":"2026-05-19T06:50:10","slug":"cloudz-malware-abuses-microsoft-phone-link-to-steal-sms-and-otps","status":"publish","type":"post","link":"https:\/\/testing.news-you-need.com\/index.php\/2026\/05\/19\/cloudz-malware-abuses-microsoft-phone-link-to-steal-sms-and-otps\/","title":{"rendered":"CloudZ malware abuses Microsoft Phone Link to steal SMS and OTPs"},"content":{"rendered":"

CloudZ malware abuses Microsoft Phone Link to steal SMS and OTPs<\/a><\/p>\n

https:\/\/www.bleepingcomputer.com\/news\/security\/cloudz-malware-abuses-microsoft-phone-link-to-steal-sms-and-otps\/<\/a><\/p>\n

Publish Date: 2026-05-05 06:03:52<\/a><\/p>\n

Source Domain: www.bleepingcomputer.com<\/a><\/p>\n

Summary:<\/strong>
\nThis article reveals Cisco Talos\u2019s discovery of a new malicious plugin named Pheno within the CloudZ remote access tool (RAT). The malware exploits the Microsoft Phone Link application, installed on Windows 10 and 11, to steal credentials and temporary passcodes from mobile devices without directly compromising the mobile device. Pheno monitors for active Phone Link sessions and accesses the application\u2019s local SQLite database to intercept sensitive codes sent via SMS. Alongside, CloudZ targets browsers for data extraction and carries out multiple operations including file management and shell command execution. The infection chain starts with a fake ScreenConnect update used to install a Rust-based loader that deploys a.NET loader for CloudZ RAT establishment. Cisco has published indicators of compromise to aid defenders in identifying and mitigating these threats. To combat such risks, users are advised to avoid SMS-based OTP services and use phishing-resistant solutions like hardware keys.<\/p>\n

Key Points:<\/strong><\/p>\n