The activity centres on CloudZ, a modular remote access trojan deployed on Windows machines, and a previously undocumented plugin called Pheno. The malware has been observed in an intrusion active since at least January 2026, using the trust relationship between a Windows PC and a paired mobile device to reach SMS messages, call data and notification content synchronised through Phone Link.
Phone Link, built into Windows 10 and Windows 11, allows users to read and reply to messages, view notifications, make calls and manage mobile activity from a PC. That convenience is now being turned into an attack path. Once a computer is compromised, Pheno scans for active Phone Link processes and attempts to access local data linked to the paired device, including SQLite database files that may store synchronised messages and notification history.
The technique is significant because it avoids one of the harder steps in mobile-focused crime: infecting the handset. Attackers instead compromise the Windows endpoint, then abuse a legitimate Microsoft feature already authorised by the user. Where SMS codes are used for banking, email, cloud services, cryptocurrency accounts or corporate logins, the attack can weaken two-factor authentication and help criminals move from device compromise to account takeover.
The observed infection chain began with an unknown initial access method that led to the execution of a fake ScreenConnect update file. That file dropped a .NET loader, which deployed CloudZ on the victim system. The malware then decrypted its configuration, created an encrypted connection with a command-and-control server and waited for instructions. Its command set includes browser data theft, system profiling, shell command execution, screen recording, file management and plugin deployment.
Pheno gives the operation its distinctive edge. The plugin performs reconnaissance on Phone Link, writes findings to a staging directory and allows CloudZ to retrieve and transmit the collected data to attacker infrastructure. The staging path identified in technical analysis used a Windows system-style location under ProgramData, a tactic often used to blend malicious files with legitimate application artefacts.
CloudZ also uses defensive checks to frustrate analysis. Critical functions run dynamically in memory, while anti-debugging and sandbox-detection routines are designed to make automated inspection harder. Such behaviour suggests the operators expected scrutiny from endpoint security tools and threat researchers.
The campaign has not been publicly tied to a named criminal group or state-backed actor. Its target profile also remains unclear, but the tooling points to credential theft as the central objective. Browser credential harvesting, OTP interception and screen recording together provide attackers with a broad set of options: stealing saved logins, capturing session information, watching authentication flows and extracting temporary codes before they expire.
The abuse of Phone Link reflects a wider shift in cybercrime. Attackers are increasingly targeting trusted integrations rather than relying only on classic malware implants. Features built for convenience, productivity and device continuity can become high-value channels when one part of the user’s digital environment is breached. Cross-device syncing expands the attack surface because sensitive mobile content is replicated on a less protected endpoint.
The risk is sharper for organisations that still depend heavily on SMS-based authentication. Security agencies and standards bodies have long warned that SMS one-time codes are weaker than phishing-resistant methods because they can be intercepted, forwarded or captured through social engineering, SIM-swap fraud, compromised telecom channels or malware-assisted access. CloudZ adds another route by targeting the computer that receives synchronised phone content.
Enterprises are likely to respond by tightening controls around Phone Link and similar tools. Administrators can restrict consumer sync applications on managed devices, monitor access to Phone Link database files, alert on unusual ProgramData staging behaviour and review endpoint telemetry for fake remote-support updates. Organisations handling financial, government, legal or healthcare data may need to decide whether cross-device messaging features belong on high-risk systems at all.
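The monitoring steps listed above can be written down as detection logic. The following Python is added here as an example; it is not code from the article or from the CloudZ analysis it summarises. It correlates two behaviours the report describes: a process other than Phone Link's own reading Phone Link's SQLite database files, and the same process then writing under ProgramData. It assumes Sysmon-style file-access events (host, pid, process, event, path), that Phone Link runs as PhoneExperienceHost.exe and keeps its caches under the Microsoft.YourPhone AppX package folder (the sub-folder layout used below is an assumption), and every sample event is constructed.

```python
"""Correlate Phone Link database reads with ProgramData staging in endpoint telemetry.

Added example, not code from the article or from the CloudZ/Pheno analysis it
summarises. Assumes file-access events shaped like Sysmon records (dicts with
host, pid, process, event, path), that Phone Link's host process is
PhoneExperienceHost.exe, and that its caches live under the Microsoft.YourPhone
AppX package folder. All sample events below are constructed.
"""
import re
from collections import defaultdict

# Phone Link's package folder; 8wekyb3d8bbwe is Microsoft's publisher suffix.
PHONE_LINK_PKG = re.compile(r"\\Packages\\Microsoft\.YourPhone_[^\\]+\\", re.IGNORECASE)
# SQLite main file plus its write-ahead log and shared-memory sidecars.
SQLITE_FILE = re.compile(r"\.(db|sqlite|db-wal|db-shm)$", re.IGNORECASE)
PROGRAMDATA = re.compile(r"^[A-Za-z]:\\ProgramData\\", re.IGNORECASE)

# Processes expected to touch these locations (assumption: tune per estate).
PHONE_LINK_PROCS = {"phoneexperiencehost.exe"}
PROGRAMDATA_WRITERS = {"msiexec.exe", "svchost.exe", "trustedinstaller.exe"}
WRITE_EVENTS = {"FileCreate", "FileWrite"}


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def classify_event(ev):
    """Tag one event, or return None when it looks like expected activity."""
    proc = _basename(ev["process"])
    path = ev["path"]
    if PHONE_LINK_PKG.search(path) and SQLITE_FILE.search(path):
        # Phone Link reading its own database is normal; anyone else is not.
        return None if proc in PHONE_LINK_PROCS else "phone_link_db_access"
    if ev["event"] in WRITE_EVENTS and PROGRAMDATA.match(path):
        return None if proc in PROGRAMDATA_WRITERS else "programdata_write"
    return None


def detect(events):
    """Group tags per (host, pid); escalate when both behaviours meet in one process.

    A ProgramData write alone is too common to alert on. A foreign process reading
    the Phone Link database is medium; the same process also writing under
    ProgramData is high, matching the recon-then-stage sequence described above.
    """
    tags = defaultdict(set)
    procs = {}
    for ev in events:
        tag = classify_event(ev)
        if tag:
            key = (ev["host"], ev["pid"])
            tags[key].add(tag)
            procs[key] = ev["process"]
    alerts = []
    for key in sorted(tags):
        t = tags[key]
        if "phone_link_db_access" not in t:
            continue
        severity = "high" if "programdata_write" in t else "medium"
        alerts.append({"host": key[0], "pid": key[1], "process": procs[key],
                       "severity": severity, "tags": sorted(t)})
    return alerts


# Constructed sample telemetry: a benign Phone Link read, a process that reads the
# database and then stages under ProgramData, an installer write, a foreign read
# only, and a plain ProgramData write by explorer.
PKG = r"C:\Users\alice\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\LocalCache"
DB = PKG + r"\Indexed\CONSTRUCTED-DEVICE-ID\System\Database\phone.db"
SAMPLE_EVENTS = [
    {"host": "WS01", "pid": 4412, "event": "FileRead", "path": DB,
     "process": r"C:\Program Files\WindowsApps\Microsoft.YourPhone_8wekyb3d8bbwe\PhoneExperienceHost.exe"},
    {"host": "WS01", "pid": 7720, "event": "FileRead", "path": DB,
     "process": r"C:\Users\alice\AppData\Local\Temp\sc_update.exe"},
    {"host": "WS01", "pid": 7720, "event": "FileCreate",
     "path": r"C:\ProgramData\Microsoft\Diagnostics\phl-export.bin",
     "process": r"C:\Users\alice\AppData\Local\Temp\sc_update.exe"},
    {"host": "WS01", "pid": 900, "event": "FileCreate",
     "path": r"C:\ProgramData\Vendor\install.log",
     "process": r"C:\Windows\System32\msiexec.exe"},
    {"host": "WS03", "pid": 5100, "event": "FileRead", "path": DB + "-wal",
     "process": r"C:\Program Files\BackupAgent\agent.exe"},
    {"host": "WS02", "pid": 3000, "event": "FileWrite",
     "path": r"C:\ProgramData\Notes\todo.txt",
     "process": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert["severity"].upper(), alert["host"], alert["pid"], alert["process"], alert["tags"])
```

The allowlists are deliberately short and are assumptions to be tuned: backup agents and search indexers legitimately read application caches, so on a real estate the medium tier is where tuning happens, while the high tier (database read plus ProgramData write from one foreign process) is the combination the report's description makes worth paging on.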
Users face a more practical challenge. Many people connect phones to laptops for convenience and assume that SMS codes remain protected because the handset itself is untouched. This campaign shows that a compromised PC can undermine that assumption. Keeping Windows systems patched, removing unused device-pairing links, disabling Phone Link where it is not needed and avoiding unsolicited software updates remain basic safeguards.