Executive Summary
In May 2026, cybersecurity researchers identified a new variant of the CloudZ remote access tool (RAT) that employs a malicious plugin named Pheno to exploit Microsoft's Phone Link application. This malware monitors active Phone Link sessions on Windows 10 and 11 systems, accessing the application's local SQLite database to intercept SMS messages and one-time passwords (OTPs) without compromising the associated mobile device. The attack chain begins with a fake ScreenConnect update, leading to the deployment of a Rust-based loader, followed by a .NET loader that installs CloudZ RAT and establishes persistence via a scheduled task. The .NET loader includes anti-analysis checks to evade detection. (bleepingcomputer.com)
This incident underscores the evolving tactics of threat actors who are increasingly targeting desktop applications that bridge connections to mobile devices. By compromising the Phone Link application, attackers can bypass traditional mobile security measures and directly access sensitive authentication codes, highlighting the need for enhanced security protocols in cross-device applications. (csoonline.com)
Why This Matters Now
The exploitation of Microsoft's Phone Link by the CloudZ malware represents a significant shift in attack vectors, emphasizing the urgency for organizations to reassess the security of applications that synchronize data between devices. This method allows attackers to intercept sensitive information without direct access to mobile devices, posing a substantial risk to multi-factor authentication systems reliant on SMS-based OTPs. (bleepingcomputer.com)
Attack Path Analysis
The attacker tricked the victim into executing a fake ScreenConnect update, which deployed a Rust-based loader. That loader installed a .NET component that established persistence and deployed the CloudZ RAT. Equipped with the Pheno plugin, the RAT monitored active Microsoft Phone Link sessions and read the application's local SQLite database to extract SMS messages and one-time passwords. The RAT maintained communication with the attacker's command and control servers, enabling remote command execution and data exfiltration. The theft of authentication codes exposed victims to unauthorized account access and potential data breaches.
Kill Chain Progression
Initial Compromise
Description
The attacker tricked the victim into executing a fake ScreenConnect update, leading to the deployment of a Rust-based loader.
MITRE ATT&CK® Techniques
- Application Layer Protocol: Web Protocols
- Command and Scripting Interpreter: PowerShell
- Process Injection
- Valid Accounts
- Screen Capture
- Data from Local System
- Input Capture: Keylogging
- Application Layer Protocol: File Transfer Protocols
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Malicious Software Prevention
Control ID: 6.4.3
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Identity and Access Management
Control ID: 3.1
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Financial Services
CloudZ infostealer targeting SMS-based OTPs directly threatens financial authentication systems, potentially compromising banking transactions and multi-factor authentication protocols.
Banking/Mortgage
Microsoft Phone Link exploitation enables SMS interception of banking OTPs, bypassing traditional mobile security and compromising customer account authentication mechanisms.
Health Care / Life Sciences
Patient portal authentication via SMS codes is vulnerable to CloudZ interception, risking HIPAA compliance violations and unauthorized access to protected health information.
Information Technology/IT
IT infrastructure relying on SMS-based two-factor authentication faces significant risk from Phone Link database exploitation and credential theft capabilities.
Sources
- CloudZ malware abuses Microsoft Phone Link to steal SMS and OTPs: https://www.bleepingcomputer.com/news/security/cloudz-malware-abuses-microsoft-phone-link-to-steal-sms-and-otps/
- CloudZ RAT potentially steals OTP messages using Pheno plugin: https://blog.talosintelligence.com/cloudz-pheno-infostealer/
- Stealthy malware abuses Microsoft Phone Link to siphon SMS OTPs from enterprise PCs: https://www.csoonline.com/article/4167092/stealthy-malware-abuses-microsoft-phone-link-to-siphon-sms-otps-from-enterprise-pcs.html
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident because it would likely limit the attacker's ability to move laterally, establish command and control channels, and exfiltrate sensitive data, thereby reducing the overall impact of the breach.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: Aviatrix Zero Trust CNSF would likely limit the attacker's ability to exploit compromised workloads by enforcing strict segmentation and access controls.
Control: Zero Trust Segmentation
Mitigation: Zero Trust Segmentation would likely limit the attacker's ability to escalate privileges by enforcing least-privilege access controls.
Control: East-West Traffic Security
Mitigation: East-West Traffic Security would likely limit the attacker's ability to move laterally within the network by enforcing strict traffic controls between workloads.
Control: Multicloud Visibility & Control
Mitigation: Multicloud Visibility & Control would likely limit the attacker's ability to establish and maintain command and control channels by monitoring and controlling outbound communications.
Control: Egress Security & Policy Enforcement
Mitigation: Egress Security & Policy Enforcement would likely limit the attacker's ability to exfiltrate sensitive data by enforcing strict egress policies.
Aviatrix Zero Trust CNSF would likely reduce the overall impact of the attack by limiting the attacker's ability to access and exfiltrate sensitive data.
Impact at a Glance
Affected Business Functions
- User Authentication
- Access Control
- Secure Communications
Estimated downtime: N/A
Estimated loss: N/A
Potential exposure of SMS-based one-time passwords (OTPs) and other sensitive authentication messages.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation to restrict unauthorized lateral movement within the network.
- Deploy Egress Security & Policy Enforcement to monitor and control outbound traffic, preventing unauthorized data exfiltration.
- Utilize Threat Detection & Anomaly Response systems to identify and respond to malicious activities promptly.
- Enforce the use of phishing-resistant multi-factor authentication methods, such as hardware tokens, to protect user accounts.
- Educate users on recognizing and avoiding phishing attempts to reduce the risk of initial compromise.