
New Malware Steals OTPs Using Microsoft Phone Link

A newly discovered malware campaign is exposing a dangerous shift in attacker tactics:

👉 Your phone doesn’t need to be infected anymore… your PC is enough.

Security researchers have uncovered a remote access tool (RAT) called CloudZ, paired with a custom plugin named Pheno, that can silently intercept SMS messages, notifications, and one-time passwords (OTPs)—without ever touching the victim’s mobile phone.

Instead of attacking the phone directly, this malware abuses a trusted, legitimate bridge (no vulnerability in it is exploited):
👉 Microsoft Phone Link


What Is Microsoft Phone Link — and Why It’s Being Targeted

Microsoft Phone Link is a legitimate application used by millions of users to:

  • Sync phone notifications to Windows
  • View and send SMS messages
  • Access call logs
  • Mirror mobile activity on a PC

👉 It essentially acts as a live bridge between your phone and your computer

CloudZ turns this convenience feature into a surveillance tool.


What Makes This Attack Unique

Unlike traditional mobile malware, this campaign:

✅ Does NOT infect the smartphone
✅ Does NOT require rooting or mobile exploits
✅ Does NOT need user interaction on the phone

👉 It simply reads what the existing trusted connection has already synced to the PC


How the CloudZ Attack Works (Step-by-Step)

1) Initial infection (fake update)

The attack begins on the PC:

  • Victim downloads a fake update for a remote support tool
  • Executes a malicious file disguised as a system update
  • This drops a hidden .NET loader

2) CloudZ RAT deployment

Once executed:

  • The RAT checks the host for analysis tools before going any further
  • Establishes control of the system
  • Prepares additional modules (plugins)

3) Pheno plugin activation

This is where things get interesting.

Pheno scans for running Phone Link processes, looking for names such as:

  • “YourPhone” (the legacy process name from when the app was called Your Phone)
  • “PhoneExperienceHost”
  • “Link to Windows” (the name of the companion app on the phone side)

👉 If any is found, the plugin treats the PC as a Phone Link host; the next step checks whether a phone is actually paired


4) Verifying active connection

The malware checks whether Phone Link is actively routing data between devices.

If confirmed: 👉 It signals the attacker: “Target ready”


5) Extracting sensitive data from local database

Instead of accessing the phone directly, CloudZ reads:

👉 A local SQLite database on the PC

File example:

  • PhoneExperiences-*.db

This database contains:

  • SMS messages
  • App notifications
  • Call logs

The Critical Risk: OTP and MFA Bypass

This is where the attack becomes extremely dangerous.

If OTP codes (banking, email, authentication) are synced to Phone Link:

👉 The attacker can read them from the PC

That means:

  • No need to access the victim’s phone
  • No need to intercept SMS traffic
  • No need to break the transport encryption: the synced copy on the PC is stored in a form the malware can read directly

👉 They simply read the OTPs locally


💀 Result:

Two-factor authentication is defeated without compromising the second factor (the phone) itself:
the attacker reads the factor’s output from a mirror of it on the PC
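To make the “read it locally” point concrete, here is an added example (not code from the article, from Microsoft, or from the CloudZ/Pheno samples) that builds a constructed SQLite store shaped like a synced message table plus a notification table, then harvests OTP-looking codes from it the way any code running on the PC could. The schema, sender names, message bodies and the 300-second validity window are assumptions made for the example; Phone Link’s real schema is not reproduced here. The `live` flag is the reason the plugin waits for a confirmed pairing before signalling “target ready”: the code only has value while it is still inside its validity window.

```python
import re
import sqlite3

# 6- to 8-digit token not glued to other digits (avoids matching parts of longer numbers)
OTP_RE = re.compile(r"(?<!\d)\d{6,8}(?!\d)")
# A numeric token only counts as an OTP if the text reads like an auth message
OTP_HINTS = ("code", "passcode", "otp", "verification", "verify", "one-time", "2fa")
OTP_TTL_SECONDS = 300  # assumption: a typical SMS OTP validity window


def build_sample_store(now):
    """Constructed stand-in for a Phone Link message store.

    The two tables and every row are invented for this example; they are not
    the real Phone Link schema. Timestamps are relative to `now` so a run is
    reproducible.
    """
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE messages (id INTEGER PRIMARY KEY, sender TEXT,
                               body TEXT, received_at INTEGER);
        CREATE TABLE notifications (id INTEGER PRIMARY KEY, app TEXT,
                                    title TEXT, body TEXT, posted_at INTEGER);
        """
    )
    conn.executemany(
        "INSERT INTO messages (sender, body, received_at) VALUES (?, ?, ?)",
        [
            ("ACME-BANK", "Your one-time passcode is 482913. It expires in 5 minutes.", now - 60),
            ("MailCo", "MailCo verification code: 771204", now - 240),
            ("ACME-BANK", "Your code 115599 for login", now - 900),
            ("ShopCo", "Order 20495817 has shipped", now - 30),  # a number, but not an OTP
            ("Mom", "call me back", now - 10),
        ],
    )
    conn.executemany(
        "INSERT INTO notifications (app, title, body, posted_at) VALUES (?, ?, ?, ?)",
        [
            ("com.example.email", "New message", "Your verification code is 903311", now - 100),
            ("com.example.chat", "Alice", "see you at 18:30", now - 5),
        ],
    )
    conn.commit()
    return conn


def extract_codes(text):
    """Return OTP-looking tokens from one message, or [] if it is not an auth message."""
    if not any(hint in text.lower() for hint in OTP_HINTS):
        return []
    return OTP_RE.findall(text)


def harvest_otps(conn, now, ttl_seconds=OTP_TTL_SECONDS):
    """Everything a local reader can pull from the store, newest first.

    `live` marks codes still inside the validity window, i.e. the ones an
    attacker can actually use.
    """
    rows = list(conn.execute("SELECT sender, body, received_at FROM messages"))
    rows += [
        (app, f"{title} {body}", ts)
        for app, title, body, ts in conn.execute(
            "SELECT app, title, body, posted_at FROM notifications"
        )
    ]
    found = []
    for source, text, ts in rows:
        for code in extract_codes(text):
            age = now - ts
            found.append({"source": source, "code": code,
                          "age_seconds": age, "live": age <= ttl_seconds})
    found.sort(key=lambda f: f["age_seconds"])
    return found


if __name__ == "__main__":
    NOW = 1_700_000_000  # fixed clock so the run is reproducible
    store = build_sample_store(NOW)
    for hit in harvest_otps(store, NOW):
        state = "LIVE" if hit["live"] else "expired"
        print(f"{hit['source']:<20} {hit['code']}  {hit['age_seconds']:>4}s  {state}")
```

Note what the example does not need: no access to the phone, no interception of SMS traffic, and no cryptography. The only precondition is code running on the PC with read access to the store, which is exactly the position the RAT is in after step 2.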


Advanced Evasion Techniques

CloudZ is engineered for long-term stealth.

Anti-analysis features

It checks for tools like:

  • Wireshark
  • Procmon
  • Fiddler
  • Sysmon

If detected: 👉 It terminates immediately


In-memory execution

Sensitive functions are:

  • Generated dynamically
  • Executed in memory

👉 Making detection and reverse engineering harder


Living-off-the-land techniques

CloudZ uses legitimate, Microsoft-signed tools like:

  • regasm.exe (the .NET assembly registration utility, which will load and execute code from a DLL handed to it)

👉 Malicious code runs under a trusted binary and blends with normal system operations


Persistence Mechanism

To survive reboots, CloudZ:

  • Creates a scheduled task named SystemWindowsApis
  • Runs it at startup under SYSTEM privileges (which means the loader had already obtained administrative rights on the host)
  • Ensures continuous access for attackers

Command-and-Control Evasion

CloudZ avoids traditional detection:

  • Rotates browser-like user agents (Chrome, Safari, Firefox)
  • Uses Pastebin-hosted configuration
  • Pulls C2 infrastructure dynamically

👉 Blocking static IPs alone is not enough: the configuration and the C2 address can change without the malware itself changing


Why This Attack Is So Dangerous

This is not just another RAT.

It introduces a new category of risk:

✅ Device-to-device trust abuse

Instead of breaking into the phone: 👉 It exploits how devices trust and sync with each other


✅ MFA bypass without compromise

No phishing of OTPs
No SIM swapping

👉 Just reading synced messages locally


✅ Invisible attack surface

Most organizations monitor:

  • Endpoints
  • Network traffic
  • Mobile devices

👉 But NOT:

  • Cross-device sync apps

What Security Teams Must Learn

1) Sync apps are a new attack surface

Anything that mirrors data is a potential entry point.


2) MFA is not bulletproof

If OTPs are exposed via another channel: 👉 MFA can be bypassed


3) Endpoint compromise = identity compromise

Once attackers control the PC: 👉 They control everything synced to it


4) Trust relationships can be weaponized

The weakest link is often: 👉 A legitimate feature used in unintended ways


Detection and Mitigation

Immediate actions:

✅ Monitor for processes other than Phone Link’s own (PhoneExperienceHost.exe) reading PhoneExperiences-*.db
✅ Detect regasm.exe launched with a DLL from a user-writable location or by an unexpected parent process
✅ Restrict installation of untrusted remote tools
✅ Disable Phone Link where not required
✅ Monitor scheduled tasks with suspicious names, especially ones that run as SYSTEM from user-writable paths
✅ Watch for unexpected outbound traffic patterns, including fetches of Pastebin raw pages and rotating browser user agents from a single host


Advanced controls:

✅ Endpoint Detection & Response (EDR) with memory monitoring
✅ Application allowlisting
✅ Privileged access monitoring
✅ Behavioral analytics on sync applications


Indicators of Compromise (Defanged)

C2 Infrastructure

  • 185[.]196[.]10[.]136:8089
  • hxxps[://]round-cherry-4418[.]hellohiall[.]workers[.]dev
  • hxxps[://]pastebin[.]com/raw/8pYAgF0Z

Suspicious Files

  • systemupdates.exe
  • Windows-interactive-update.exe
  • pheno.exe

Persistence

  • Scheduled task: SystemWindowsApis

⚠️ Note: Indicators are defanged. Re-enable only in controlled environments.
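The “Detection and Mitigation” checklist and the indicators above can be turned into hunt logic. The following is an added example, not from the article or from any vendor report, that encodes the article’s IoCs and behavioural rules and runs them over constructed Sysmon- and proxy-style events. The event field names, the file paths, the hostnames other than the IoCs, and the 10.0.0.x client addresses are invented for the example; the IoC values are the article’s, re-armed so they can be matched literally.

```python
import fnmatch
import re
from collections import defaultdict

# IoC values from the article, re-armed for literal matching.
IOC_IPS = {"185.196.10.136"}
IOC_HOSTS = {"round-cherry-4418.hellohiall.workers.dev"}
IOC_URLS = {"pastebin.com/raw/8pYAgF0Z"}
IOC_TASKS = {"SystemWindowsApis"}
IOC_FILES = {"systemupdates.exe", "windows-interactive-update.exe", "pheno.exe"}
# Processes that are expected to touch the Phone Link database.
PHONELINK_IMAGES = {"phoneexperiencehost.exe", "yourphone.exe"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def user_writable(path):
    return any(marker in path.lower() for marker in USER_WRITABLE)


def ua_family(ua):
    ua = ua.lower()  # order matters: Chrome UAs also contain "Safari"
    if "firefox" in ua:
        return "firefox"
    if "chrome" in ua or "chromium" in ua:
        return "chrome"
    if "safari" in ua:
        return "safari"
    return "other"


def hunt(events, ua_threshold=3):
    """Run the rules over normalized events; return (rule_id, detail) findings."""
    findings = []
    ua_seen = defaultdict(set)  # (src, dst_host) -> browser families observed
    for e in events:
        kind = e["type"]
        if kind == "process":
            image = basename(e["image"])
            if image in IOC_FILES:
                findings.append(("ioc_file", image))
            if image == "regasm.exe":
                # A DLL argument in a user-writable location is suspect; legitimate
                # registrations point at install directories.
                dlls = [a or b for a, b in re.findall(
                    r'"([^"]+?\.dll)"|(\S+?\.dll)', e["cmdline"], re.I)]
                if any(user_writable(d) for d in dlls):
                    findings.append(("regasm_user_dll", e["cmdline"]))
        elif kind == "file_read":
            if (fnmatch.fnmatch(basename(e["path"]), "phoneexperiences-*.db")
                    and basename(e["image"]) not in PHONELINK_IMAGES):
                findings.append(("phonelink_db_read", basename(e["image"])))
        elif kind == "task_created":
            if e["name"] in IOC_TASKS or (
                    e["run_as"].upper().endswith("SYSTEM") and user_writable(e["action"])):
                findings.append(("suspicious_task", e["name"]))
        elif kind == "network":
            if e.get("dst_ip") in IOC_IPS or e.get("dst_host") in IOC_HOSTS:
                findings.append(("ioc_c2", e.get("dst_host") or e["dst_ip"]))
        elif kind == "http":
            if any(u in e["url"] for u in IOC_URLS):
                findings.append(("ioc_config_fetch", e["url"]))
            ua_seen[(e["src"], e["dst_host"])].add(ua_family(e["ua"]))
    # One client presenting several browser families to the same host is the
    # user-agent rotation the article describes.
    for (src, host), families in ua_seen.items():
        if len(families) >= ua_threshold:
            findings.append(("ua_rotation", f"{src} -> {host}: {sorted(families)}"))
    return findings


UA_CHROME = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/120.0 Safari/537.36"
UA_FIREFOX = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0"
UA_SAFARI = "Mozilla/5.0 (Macintosh; Intel Mac OS X 13_0) AppleWebKit/605.1.15 Version/17.0 Safari/605.1.15"
PHENO = r"C:\Users\vic\AppData\Roaming\svc\pheno.exe"
DB = r"C:\Users\vic\AppData\Local\PhoneLink\PhoneExperiences-12ab.db"

# Constructed telemetry: paths, hosts and 10.0.0.x sources are made up for the example.
EVENTS = [
    {"type": "process", "image": r"C:\Users\vic\AppData\Local\Temp\systemupdates.exe",
     "cmdline": "systemupdates.exe"},
    {"type": "process", "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe",
     "cmdline": r"RegAsm.exe /U C:\Users\vic\AppData\Roaming\svc\loader.dll"},
    {"type": "process", "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe",
     "cmdline": r'RegAsm.exe "C:\Program Files\Vendor\Vendor.Interop.dll" /codebase'},  # benign
    {"type": "file_read", "image": PHENO, "path": DB},
    {"type": "file_read", "image": r"C:\Program Files\WindowsApps\YourPhone\PhoneExperienceHost.exe",
     "path": DB},  # the expected reader
    {"type": "task_created", "name": "SystemWindowsApis", "run_as": "SYSTEM", "action": PHENO},
    {"type": "task_created", "name": "OneDrive Standalone Update Task", "run_as": "vic",
     "action": r"C:\Users\vic\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe"},
    {"type": "network", "image": PHENO, "dst_ip": "185.196.10.136", "dst_port": 8089},
    {"type": "http", "src": "10.0.0.5", "dst_host": "pastebin.com",
     "url": "https://pastebin.com/raw/8pYAgF0Z", "ua": UA_CHROME},
    {"type": "http", "src": "10.0.0.5", "dst_host": "cdn.update-example.net", "url": "/", "ua": UA_CHROME},
    {"type": "http", "src": "10.0.0.5", "dst_host": "cdn.update-example.net", "url": "/", "ua": UA_FIREFOX},
    {"type": "http", "src": "10.0.0.5", "dst_host": "cdn.update-example.net", "url": "/", "ua": UA_SAFARI},
    {"type": "http", "src": "10.0.0.7", "dst_host": "www.example.com", "url": "/", "ua": UA_CHROME},
]

if __name__ == "__main__":
    for rule, detail in hunt(EVENTS):
        print(f"{rule:<20} {detail}")
```

Two caveats when moving this to real telemetry. Sysmon has no file-read event, so the `file_read` rule needs another source: object-access auditing (event 4663 with a SACL on the Phone Link data directory) or EDR file-access telemetry. And matching Pastebin by domain alone is noisy; the example matches the full raw-paste path from the IoC list, which is what you want to alert on, while plain `pastebin.com` traffic from a process that is not a browser is a weaker, separate signal worth its own rule.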


Common Misconceptions

❌ “My phone is secure, so I’m safe”
👉 Your PC can expose your phone data

❌ “MFA protects everything”
👉 Synced OTPs can bypass MFA

❌ “It’s just a remote access tool”
👉 It’s a cross-device attack platform


FAQs

Does this malware infect the phone?
No. It exploits the connection between the phone and the PC.


What data is stolen?
SMS messages, notifications, OTP codes, and call logs.


Why is this dangerous?
Because it allows attackers to bypass authentication mechanisms without access to the phone.


Conclusion

CloudZ is a wake-up call for modern security models.

👉 The attack didn’t break into the phone
👉 It broke into the relationship between devices

This represents a broader shift:

The next generation of attacks won’t target devices individually
They’ll target the connections between them

For defenders, that means:

✅ Expanding visibility beyond endpoints
✅ Monitoring cross-device data flows
✅ Rethinking how trust is enforced
