
CloudZ malware targets Phone Link to steal OTPs

Misryoum reports CloudZ’s Pheno plugin hijacks Microsoft Phone Link to access SMS and OTPs via a local database.

A fresh malware plugin is turning Microsoft’s Phone Link feature into a new weak spot for stealing one-time passwords, and it is happening without needing to compromise a victim’s mobile device directly.

Misryoum reports that CloudZ, a remote access tool, has been observed deploying a previously unseen plugin called Pheno. The plugin is designed to hijack the Microsoft Phone Link connection on Windows 10 and 11, aiming to capture sensitive messages that originate from a target’s phone.

Phone Link, which is commonly used to manage calls, text responses, and notifications from an Android or iOS device, may appear harmless on the surface. But the Pheno plugin looks specifically for active Phone Link sessions and then pulls data from Phone Link’s local storage.

Misryoum notes that, according to the findings, Pheno monitors Phone Link activity and accesses a local SQLite database that may contain SMS content and one-time passwords. That means an attacker can potentially collect codes tied to account access while staying focused on the Windows side.

This matters because OTPs and SMS-based verification are often treated as “safe” layers. When malware can extract them from legitimate companion apps, the usual assumptions about account security and device compromise get weakened.

Beyond the Phone Link-focused behavior, CloudZ includes broader remote control capabilities. Misryoum says it supports common actions such as file management, command execution, screen recording, and loading or removing additional plugins, along with mechanisms to stop the malware process. The tool also takes steps to make its network traffic blend in by rotating among hardcoded user-agent strings and using anti-caching headers to limit how communications are stored by intermediary services.
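The user-agent rotation and anti-caching headers described above are themselves a detectable pattern. The following is an added example, not code from Misryoum's report: it groups outbound HTTP requests by source and destination and flags pairs where one host cycles through several user-agent strings while most requests carry no-cache directives. The log records, field layout and thresholds are constructed assumptions for this example.

```python
from collections import defaultdict

# Constructed sample proxy records for this example; real data would be
# parsed from a proxy or EDR export. Fields: (src, dst, user_agent, headers).
SAMPLE_RECORDS = [
    ("ws-17", "c2.example.invalid", "Mozilla/5.0 (Windows NT 10.0) Chrome/120",
     {"Cache-Control": "no-cache", "Pragma": "no-cache"}),
    ("ws-17", "c2.example.invalid", "Mozilla/5.0 (Windows NT 10.0) Firefox/121",
     {"Cache-Control": "no-store"}),
    ("ws-17", "c2.example.invalid", "Mozilla/5.0 (Macintosh) Safari/17.2",
     {"Cache-Control": "no-cache", "Pragma": "no-cache"}),
    ("ws-17", "c2.example.invalid", "curl/8.4.0",
     {"Cache-Control": "no-cache"}),
    # Benign workstation: a single browser UA and ordinary caching behaviour.
    ("ws-03", "updates.example.com", "Mozilla/5.0 (Windows NT 10.0) Edge/120", {}),
    ("ws-03", "mail.example.com", "Mozilla/5.0 (Windows NT 10.0) Edge/120", {}),
    ("ws-03", "mail.example.com", "Mozilla/5.0 (Windows NT 10.0) Edge/120",
     {"Cache-Control": "no-cache"}),
]

NO_CACHE_TOKENS = ("no-cache", "no-store", "max-age=0")

def is_anti_cache(headers):
    """True when the request asks intermediaries not to store the exchange."""
    cc = headers.get("Cache-Control", "").lower()
    pragma = headers.get("Pragma", "").lower()
    return any(tok in cc for tok in NO_CACHE_TOKENS) or "no-cache" in pragma

def rotating_ua_alerts(records, min_agents=3, min_nocache_ratio=0.75):
    """Group requests by (src, dst); alert when one pair uses at least
    `min_agents` distinct User-Agents and most requests are anti-cache.
    Thresholds are assumptions and should be tuned per environment."""
    agents, totals, nocache = defaultdict(set), defaultdict(int), defaultdict(int)
    for src, dst, ua, headers in records:
        key = (src, dst)
        agents[key].add(ua)
        totals[key] += 1
        if is_anti_cache(headers):
            nocache[key] += 1
    alerts = []
    for key, uas in agents.items():
        ratio = nocache[key] / totals[key]
        if len(uas) >= min_agents and ratio >= min_nocache_ratio:
            alerts.append({"src": key[0], "dst": key[1],
                           "distinct_agents": len(uas),
                           "anti_cache_ratio": round(ratio, 2)})
    return alerts

if __name__ == "__main__":
    for alert in rotating_ua_alerts(SAMPLE_RECORDS):
        print(alert)
```

A single legitimate browser rarely presents several distinct user-agent strings to one destination, so the pair-level grouping keeps ordinary no-cache traffic from mail or update services below the threshold.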

On the attack side, the chain begins with what Misryoum describes as a fake ScreenConnect update that drops a loader. The loader then prepares the environment, installs CloudZ, and sets persistence through a scheduled task. Misryoum adds that the same loader includes anti-analysis checks intended to detect sandboxes and analysis tools, including signals related to virtualized environments.

For defense, Misryoum emphasizes reducing exposure to intercepted authentication flows. That includes avoiding SMS-based OTP services when possible and using phishing-resistant approaches such as hardware security keys for the most sensitive accounts. Misryoum also highlights that organizations can use indicators of compromise shared as part of the investigation to strengthen detection and response.

In the end, the story is a reminder that “verification codes” are only as secure as the applications that handle them. If an attacker can watch or extract codes from connected desktop tooling, authentication can be bypassed even when the phone itself is not overtly compromised.
