• Home
  • Technology
  • CloudZ RAT Malware Could Exploit Microsoft Phone Link App to Access Messages and OTPs, Researchers Warn
CloudZ RAT Malware Could Exploit Microsoft Phone Link App to Access Messages and OTPs, Researchers Warn

CloudZ RAT Malware Could Exploit Microsoft Phone Link App to Access Messages and OTPs, Researchers Warn


Microsoft’s Phone Link app could become a target for threat actors if a connected Windows PC is infected with malware. According to security researchers, an ongoing campaign potentially targets victims with a remote access trojan (RAT) called CloudZ. It reportedly compromises systems and can intercept sensitive information synced between smartphones and PCs when using the Phone Link app. Researchers say the attack began earlier this year and raises concerns regarding notifications, messages, and one-time passwords (OTPs) synced between the phone and the PC.

According to cybersecurity researchers at Cisco Talos, threat actors are leveraging the Microsoft Phone Link app to access synced mobile data on a compromised Windows computer. The app, notably, serves as a bridge between smartphones and PCs, allowing users to access their phone’s notifications, messages, and calls directly from their computers.

Researchers uncovered that attackers are deploying a modular malware called CloudZ RAT, along with an additional plugin named “Pheno.” As per the blog post, the plugin specifically scans systems for active Phone Link sessions and attempts to monitor related processes such as “YourPhone,” “PhoneExperienceHost,” and “Link to Windows.”

Once an active Phone Link connection is detected, attackers can potentially intercept the app’s SQLite database files, including “PhoneExperiences-*.db,” which reportedly contains synced SMS messages, call logs, and notification history. Researchers say this could expose sensitive information such as OTPs and authentication notifications synced between a phone and PC.

How the CloudZ RAT Phone Link Attack Works

Talos says the intrusion chain begins with victims being tricked into installing what appears to be a legitimate ScreenConnect software update. The fake installer reportedly drops a malicious Rust-based loader disguised under filenames such as “systemupdates.exe” or “Windows-interactive-update.exe.”

Once executed, the loader installs an intermediate .NET component. This is said to eventually deploy the malicious CloudZ RAT malware onto the system. It can decrypt the configuration data, connect to attacker-controlled servers, and enter a command mode that is capable of downloading plugins and stealing information.

In simple terms, the fake update file, when opened, quietly installs another hidden program on the PC. This program then downloads and installs the CloudZ malware. Once active, the malware connects to servers controlled by hackers and waits for instructions. It can then download extra malicious tools, monitor activity on the device, and steal sensitive information from the infected system.

Researchers also noted that CloudZ uses several evasion techniques to avoid detection, including obfuscation and anti-debugging checks. It reportedly rotates user-agent strings to disguise malicious traffic within legitimate browser activity. The malware uses multiple fallback methods, including curl, PowerShell, and bitsadmin, to download payloads.

What Users Should Know

Researchers have warned that since Phone Link mirrors notifications and messages between devices, an infected PC could potentially expose private conversations, authentication alerts, and OTP codes synced from a phone. According to Talos, the malware reportedly stores gathered reconnaissance data in temporary staging folders before exporting it to attacker-controlled servers.

The Pheno plugin may also reportedly check if Phone Link is actively routing traffic through a local proxy connection before attempting to monitor synced data. Researchers recommend downloading software updates only from trusted sources and keeping antivirus protection enabled on their PCs to detect any suspicious activity.



Source link

Related Posts

YouTube Bug Reportedly Freezes Browser Tabs, Increases CPU and Memory Usage

YouTube seems to be behind a wave of browser slowdowns, with users reporting heavy lag, stuttering videos, and…

ByBySaartaj Jul 4, 2026

Gemini App Reportedly Gets Extensive UI Redesign on iOS With New Animated Interface

Google may be working on a major redesign for its Gemini app, and early glimpses suggest a more…

ByBySaartaj Jul 4, 2026

WhatsApp Could Soon Begin Testing Redesigned Liquid Glass UI for Chats on iOS: Report

WhatsApp may be working on bringing its Liquid Glass design to the chat interface, continuing its broader visual…

ByBySaartaj Jul 4, 2026

Sony Alpha 7R VI Full-Frame Mirrorless Camera Launched in India: Price, Specifications

The Sony Alpha 7R VI was launched in India on Wednesday, following its global debut in May. The…

ByBySaartaj Jul 4, 2026

Leave a Reply

Your email address will not be published. Required fields are marked *

Scroll to Top