CLOUDZ Malware Abuses Phone Link to Steal SMS OTPs

CLOUDZ is a Windows malware toolkit observed hijacking Microsoft’s Phone Link to harvest SMS messages and one-time passwords from victim machines. According to Cisco Talos, the activity has been ongoing since at least January 2026. At the heart of the operation are a remote access tool named CloudZ and a previously undocumented plugin called Pheno, which work together to harvest credentials and intercept authentication codes synced from a paired smartphone.
Pheno continuously scans for keywords related to Phone Link and, once a relay is detected, flags the live session for follow-on data collection. The infection chain began with a fake ScreenConnect update: a Rust-compiled loader dropped a .NET loader, which used regasm[.]exe to deploy CloudZ, which in turn runs at system startup under the SYSTEM account. Cisco Talos has published indicators of compromise and ClamAV signatures to help defenders detect and block this activity.
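The regasm.exe step in that chain is the point a defender can most easily watch for in endpoint telemetry, since regasm.exe is a legitimate .NET Framework tool that rarely has a reason to register an assembly dropped into a temp or profile directory. The script below is an added example and is not code from the Talos report or from the article; it assumes Sysmon-style process-creation events with `image`, `command_line`, `parent_image` and `user` fields, and the trusted-directory and user-writable-path lists are heuristics chosen for this example rather than anything published with the IoCs. The sample events are constructed.

```python
"""Flag suspicious regasm.exe launches in process-creation telemetry.

Added example, not from the Talos report. Field names, directory
allowlists and sample events are assumptions constructed for this script.
"""
import re
from typing import Dict, List, Tuple

# Where the genuine regasm.exe lives (prefix matches Framework and Framework64).
DOTNET_DIR = "c:\\windows\\microsoft.net\\framework"

# Directories a registered assembly normally lives in (vendor installs).
# Heuristic allowlist chosen for this example.
TRUSTED_ASSEMBLY_DIRS = (
    "c:\\program files\\",
    "c:\\program files (x86)\\",
    "c:\\windows\\",
)

# Path fragments typical of user-writable staging locations.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")


def _norm(path: str) -> str:
    """Lower-case and use backslashes so comparisons ignore case and separator style."""
    return path.lower().replace("/", "\\")


def _tokens(cmdline: str) -> List[str]:
    """Split a Windows command line into arguments, honouring double quotes."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def assess_regasm_event(ev: Dict[str, str]) -> List[str]:
    """Return the reasons a process-creation event for regasm.exe looks suspicious.

    An empty list means the event is not regasm.exe or nothing stood out.
    """
    reasons: List[str] = []
    image = _norm(ev["image"])
    if not image.endswith("\\regasm.exe"):
        return reasons

    # Rule 1: the binary itself should come from the .NET Framework directory.
    if not image.startswith(DOTNET_DIR):
        reasons.append("regasm.exe image is outside the .NET Framework directory")

    # Rule 2: any non-switch argument that looks like a path is the assembly
    # being registered; it should live under a normal install location.
    for tok in _tokens(ev["command_line"])[1:]:
        if tok.startswith("/"):
            continue  # a switch such as /codebase, not a path
        t = _norm(tok)
        if "\\" in t and not t.startswith(TRUSTED_ASSEMBLY_DIRS):
            reasons.append(f"assembly outside trusted install directories: {tok}")

    # Rule 3: a dropped loader typically runs from a user-writable directory.
    parent = _norm(ev["parent_image"])
    if any(m in parent for m in USER_WRITABLE_MARKERS):
        reasons.append(f"parent process runs from a user-writable location: {ev['parent_image']}")

    return reasons


def scan_events(events: List[Dict[str, str]]) -> List[Tuple[int, List[str]]]:
    """Assess a batch and return (index, reasons) for every flagged event."""
    hits = []
    for i, ev in enumerate(events):
        reasons = assess_regasm_event(ev)
        if reasons:
            hits.append((i, reasons))
    return hits


# Constructed sample events: one benign vendor install, two suspicious
# launches, and one unrelated process.
SAMPLE_EVENTS = [
    {
        "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe",
        "command_line": r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe" /codebase "C:\Program Files\Contoso\Widget.dll"',
        "parent_image": r"C:\Windows\System32\msiexec.exe",
        "user": r"NT AUTHORITY\SYSTEM",
    },
    {
        "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
        "command_line": r"RegAsm.exe C:\Users\alice\AppData\Local\Temp\svc.dll",
        "parent_image": r"C:\Users\alice\AppData\Local\Temp\ScreenConnectUpdate.exe",
        "user": r"CORP\alice",
    },
    {
        "image": r"C:\ProgramData\cache\regasm.exe",
        "command_line": r"regasm.exe C:\ProgramData\cache\core.dll",
        "parent_image": r"C:\ProgramData\cache\loader.exe",
        "user": r"NT AUTHORITY\SYSTEM",
    },
    {
        "image": r"C:\Windows\System32\svchost.exe",
        "command_line": r"svchost.exe -k netsvcs",
        "parent_image": r"C:\Windows\System32\services.exe",
        "user": r"NT AUTHORITY\SYSTEM",
    },
]

if __name__ == "__main__":
    for idx, why in scan_events(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[idx]
        print(f"event {idx} (user={ev['user']}):")
        for r in why:
            print(f"  - {r}")
```

The user field is carried through for triage rather than used as a rule: a vendor installer can legitimately run regasm.exe as SYSTEM, so the account alone is not a signal, but a hit on rules 2 or 3 that also runs as SYSTEM deserves a faster look because it matches the persistence described in the report. Pair these heuristics with the published ClamAV signatures and IoCs rather than relying on either alone.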