
CloudZ Malware Deploys New Plugin to Hijack Microsoft Phone Link

Tech & Science · AI-Generated & Algorithmically Scored

AI-generated from multiple sources. Verify before acting on this reporting.

LONDON — A new variant of the CloudZ remote access tool is deploying a previously unseen malicious plugin designed to hijack Microsoft Phone Link connections and steal sensitive codes from mobile devices.

The threat actor behind CloudZ has integrated a module named Pheno into the malware's infrastructure. The plugin targets the Microsoft Phone Link application, which ships with Windows 10 and 11 and links a PC to an Android or iOS smartphone so that messages, calls and notifications are mirrored to the desktop. Because the plugin runs on the PC side of that link, it can read authentication data the phone forwards to the desktop without ever touching the phone itself.

Security researchers identified the activity on May 5, 2026. The Pheno plugin specifically targets credentials and temporary passcodes, including SMS messages and one-time passwords (OTPs). The reported capability is real-time capture: the codes are read as they arrive in the phone's notification center and are mirrored to the PC, so an attacker can use an OTP before it expires.

Microsoft Phone Link serves as a bridge for users to manage calls, messages and notifications from their phones directly on their desktops. The malware abuses that legitimate data stream rather than attacking the phone. Once the CloudZ RAT is installed on a Windows machine, the Pheno plugin activates and monitors the Phone Link service. No additional user consent is needed beyond the pairing the victim already completed when setting up Phone Link: the RAT runs in the user's session and therefore sees whatever the user's own Phone Link instance sees.

The campaign appears to be global, targeting users in any region where Microsoft Phone Link is in use. The plugin's evasion of traditional security controls stems from its reliance on a legitimate, Microsoft-signed system component: it does not need an exploit or a suspicious network connection to the phone, only access to data Phone Link has already delivered to the PC. By masquerading as a standard background process, the plugin avoids immediate detection by antivirus software, which is why practitioners should hunt for behaviour (an unexpected process interacting with Phone Link) rather than wait for a signature.

Cybersecurity experts warn that the theft of OTPs and SMS codes poses a significant risk to financial accounts and corporate credentials. Attackers can use the stolen codes to bypass two-factor authentication protocols, granting them full access to protected services. The sophistication of the Pheno plugin indicates an evolution in the CloudZ threat actor's capabilities, moving beyond simple data exfiltration to active session hijacking.

Microsoft has not yet issued a specific advisory regarding the Pheno plugin. The company typically addresses vulnerabilities in its software through regular security updates, and users are advised to keep Windows and the Phone Link application current. One caveat: as described, the plugin only activates on a machine the CloudZ RAT has already compromised, so updates help only if Microsoft identifies a flaw in Phone Link to patch; keeping the RAT off the host remains the primary defence. Moving second factors away from SMS to hardware security keys or authenticator apps reduces the value of any codes that are captured.

The full scope of the campaign remains unclear. It is unknown how many systems have been compromised or whether the malware was active before the initial detection. Further analysis is required to determine whether other legitimate applications are being targeted with similar plugins. The incident highlights the growing reliance on cross-device connectivity and the exposure inherent in such integrations: data mirrored to a PC for convenience is only as protected as that PC.