Microsoft’s Phone Link app could become a target for threat actors if a connected Windows PC is infected with malware. According to security researchers, an ongoing campaign potentially targets victims with a remote access trojan (RAT) called CloudZ. It reportedly compromises systems and can intercept sensitive information synced between smartphones and PCs when using the Phone Link app. Researchers say the attack began earlier this year and raises concerns regarding notifications, messages, and one-time passwords (OTPs) synced between the phone and the PC.
What Is the CloudZ RAT Phone Link Attack?
AccordingĀ to cybersecurity researchers at Cisco Talos, threat actors are leveraging the Microsoft Phone Link app to access synced mobile data on a compromised Windows computer. The app, notably, serves as a bridge between smartphones and PCs, allowing users to access their phone’s notifications, messages, and calls directly from their computers.
Researchers uncovered that attackers are deploying a modular malware called CloudZ RAT, along with an additional plugin named āPheno.ā As per the blog post, the plugin specifically scans systems for active Phone Link sessions and attempts to monitor related processes such as āYourPhone,ā āPhoneExperienceHost,ā and āLink to Windows.ā
Once an active Phone Link connection is detected, attackers can potentially intercept the app’s SQLite database files, including āPhoneExperiences-*.db,ā which reportedly contains synced SMS messages, call logs, and notification history. Researchers say this could expose sensitive information such as OTPs and authentication notifications synced between a phone and PC.
How the CloudZ RAT Phone Link Attack Works
Talos says the intrusion chain begins with victims being tricked into installing what appears to be a legitimate ScreenConnect software update. The fake installer reportedly drops a malicious Rust-based loader disguised under filenames such as āsystemupdates.exeā or āWindows-interactive-update.exe.ā
Once executed, the loader installs an intermediate .NET component. This is said to eventually deploy the malicious CloudZ RAT malware onto the system. It can decrypt the configuration data, connect to attacker-controlled servers, and enter a command mode that is capable of downloading plugins and stealing information.
In simple terms, the fake update file, when opened, quietly installsĀ another hidden program on the PC. This program then downloads and installs the CloudZ malware. Once active, the malware connects to servers controlled by hackers and waits for instructions. It can then download extra malicious tools, monitor activity on the device, and steal sensitive information from the infected system.
Researchers also noted that CloudZ uses several evasion techniques to avoid detection, including obfuscation and anti-debugging checks. It reportedly rotates user-agent strings to disguise malicious traffic within legitimate browser activity. The malware uses multiple fallback methods, including curl, PowerShell, and bitsadmin, to download payloads.
What Users Should Know
Researchers have warned that since Phone Link mirrors notifications and messages between devices, an infected PC could potentially expose private conversations, authentication alerts, and OTP codes synced from a phone. According to Talos, the malware reportedly stores gathered reconnaissance data in temporary staging folders before exporting it to attacker-controlled servers.
The Pheno plugin may also reportedly check if Phone Link is actively routing traffic through a local proxy connection before attempting to monitor synced data. Researchers recommend downloading software updates only from trusted sources and keeping antivirus protection enabled on their PCs to detect any suspicious activity.
