CloudZ malware hijacks Microsoft Phone Link to steal SMS one-time passwords
Researchers report CloudZ malware can abuse Microsoft Phone Link to intercept SMS-based one-time passwords, raising risks for accounts relying on SMS MFA.
## What’s new
Cisco Talos researchers reported that a newer CloudZ RAT variant deploys a plugin called Pheno that looks for active Microsoft Phone Link sessions on a Windows machine.
Phone Link is built into Windows 10/11 and syncs calls, texts, and notifications from a mobile device to the PC. Pheno reportedly targets this integration by accessing Phone Link’s local SQLite database, which may contain SMS messages and OTP codes.
## Why it’s important
Many organizations still rely on SMS-based two-factor authentication for account recovery or “step-up” verification. If an attacker already has a foothold on a Windows endpoint, harvesting OTPs via Phone Link can reduce the friction of taking over email, banking, cloud, and SaaS accounts.
Critically, this technique may avoid the need to infect the mobile device itself—shifting the security burden to endpoint protection and Windows telemetry.
## Infection and persistence notes
According to the report, the intrusion chain included:
- A fake ScreenConnect update that drops a Rust-based loader
- A .NET loader that installs CloudZ and adds persistence via a scheduled task
- Anti-analysis checks (sandbox timing, analysis tool detection, VM indicators)
## Defensive takeaways
- Prefer phishing-resistant MFA (hardware keys/passkeys) for high-risk accounts.
- Minimize dependence on SMS OTP where possible.
- Monitor endpoints for suspicious access to Phone Link-related databases and abnormal scheduled-task creation.
- Validate software updates and download sources—especially for remote support tools.
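As an added illustration of the monitoring bullet above (example code, not from the Talos report or BleepingComputer), two detection rules run over constructed, EDR-style endpoint events: one flags any process other than Phone Link opening the Phone Link package cache, the other flags `schtasks /create` launched by a parent outside OS or installer directories. The Phone Link package path, the expected process names and the trusted-directory list are assumptions to tune per environment.

```python
"""Detection rules for the two endpoint signals above; event records are
constructed, and the Phone Link package path is an assumption, not an IoC."""
import ntpath
# Assumed on-disk location of Phone Link's local cache (Windows 10/11 UWP app).
PHONE_LINK_MARKER = "\\packages\\microsoft.yourphone_8wekyb3d8bbwe\\"
# Processes expected to read that cache (assumed; tune per environment).
PHONE_LINK_PROCESSES = {"phoneexperiencehost.exe", "yourphone.exe"}
# Parent locations that normally create scheduled tasks (OS and installers).
TRUSTED_PARENT_DIRS = ("c:\\windows\\", "c:\\program files")

def exe_name(path):
    return ntpath.basename(path).lower()

def phone_link_db_access(ev):
    """Rule 1: something other than Phone Link touched its local database."""
    if ev["type"] != "file_access":
        return False
    return (PHONE_LINK_MARKER in ev["target"].lower()
            and exe_name(ev["image"]) not in PHONE_LINK_PROCESSES)

def abnormal_task_creation(ev):
    """Rule 2: schtasks /create launched by a parent outside trusted paths."""
    if ev["type"] != "process_create" or exe_name(ev["image"]) != "schtasks.exe":
        return False
    if "/create" not in ev["cmdline"].lower():
        return False
    return not ev["parent_image"].lower().startswith(TRUSTED_PARENT_DIRS)

RULES = {"phone_link_db_access": phone_link_db_access,
         "abnormal_task_creation": abnormal_task_creation}
def detect(events):
    """Return (rule_name, image) for every event that matches a rule."""
    return [(name, ev["image"]) for ev in events
            for name, rule in RULES.items() if rule(ev)]

# Constructed events in a normalized EDR-style shape (not real telemetry).
DB = "C:\\Users\\alice\\AppData\\Local\\Packages\\Microsoft.YourPhone_8wekyb3d8bbwe\\LocalCache\\sms.db"
SAMPLE_EVENTS = [
    {"type": "file_access", "target": DB,
     "image": "C:\\Program Files\\WindowsApps\\Microsoft.YourPhone_8wekyb3d8bbwe\\PhoneExperienceHost.exe"},
    {"type": "file_access", "target": DB,
     "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe"},
    {"type": "process_create", "image": "C:\\Windows\\System32\\schtasks.exe",
     "cmdline": "schtasks /Create /SC ONLOGON /TN Updater /TR C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe",
     "parent_image": "C:\\Users\\alice\\AppData\\Local\\Temp\\loader.exe"},
    {"type": "process_create", "image": "C:\\Windows\\System32\\schtasks.exe",
     "cmdline": "schtasks /Create /TN Backup /TR backup.exe",
     "parent_image": "C:\\Program Files\\Vendor\\setup.exe"},
]
```

Running `detect(SAMPLE_EVENTS)` yields one hit per rule: the Temp-directory `update.exe` reading the cache and the `schtasks.exe` spawned by a Temp-directory loader, while the legitimate Phone Link read and the installer-created task pass.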
## Source
BleepingComputer summary of Cisco Talos findings.