
Attacks Abuse Windows Phone Link to Steal Texts & Bypass 2FA


In hard-to-detect attacks, hackers are dropping the CloudZ RAT and a fresh plugin, Pheno, to hijack the Windows-based bridge between PCs and smartphones.
Elizabeth Montalbano, Contributing Writer
May 6, 2026
4 Min Read

Attackers are abusing a Microsoft Windows tool with the intent to spy on and steal SMS messages and one-time passwords (OTPs) from mobile devices. In an ongoing threat campaign that started in January, they first compromise PCs and then use malware to abuse a link to the devices to intercept and steal data, researchers have discovered.

According to researchers from Cisco Talos, in a report published this week, the attack shows a unique attack flow in which the actors abuse Microsoft Phone Link on a Windows PC to exploit the trust relationship the tool creates with smartphones. Phone Link, which is preinstalled on Windows 10 and 11 and was previously called "Your Phone," is a built-in Windows app that syncs text messages, notifications, and calls between mobile devices and PCs.

Attackers use a combination of the modular CloudZ remote access Trojan (RAT) and a new plugin, Pheno, to hijack the bridge between Phone Link and devices. Pheno continuously scans for active Phone Link processes and can potentially intercept sensitive mobile data like SMS messages and two-factor authentication (2FA) codes, all without actually deploying malware on the phone, according to the researchers.

"With confirmed Phone Link activity on the victim's machine, the attacker using the CloudZ RAT can potentially intercept the Phone Link application's SQLite database file…on the victim machine, potentially compromising SMS-based OTP messages and other authenticator application notification messages," Cisco Talos researchers Alex Karkins and Chetan Raghuprasad wrote in the report.

Phone Link's Cross-Device Sync Abused

The findings demonstrate how cross-device syncing can create an unexpected path to credential theft without attackers ever manipulating the mobile device itself, Cisco Talos tells Dark Reading.
By abusing a legitimate Windows functionality, attackers could gain a 2FA bypass capability — effectively eliminating an identity authentication step many users think keeps their devices secure. Microsoft did not immediately reply to Dark Reading's request for comment Wednesday on the attack.

Cisco Talos learned from telemetry data that an intrusion it observed began with an unknown initial access vector into the victim's environment, leading to the execution of a fake ScreenConnect app-update executable. This in turn executes an intermediate .NET loader executable, which subsequently deploys the modular CloudZ RAT on the victim's machine.

CloudZ includes capabilities for browser credential theft, shell command execution, screen recording, plugin deployment, and file management. Upon execution, it decrypts its configuration data, establishes an encrypted socket connection to the command-and-control (C2) server, and enters its command dispatcher mode.

"CloudZ facilitates the command-and-control (C2) commands to exfiltrate credentials from the victim machine browser data, and it downloads and implants a plug-in, which performs reconnaissance of the Microsoft Phone Link application on the victim machine and writes the reconnaissance data to an output file in a staging folder," the researchers wrote. "CloudZ reads back the Phone Link application data from the staging folder and sends it to the C2 server."

The plug-in dropped by CloudZ in the attack is Pheno, malware that the researchers said they hadn't seen before. "Pheno is designed to detect if a user is currently syncing their mobile device to a Windows machine through the Phone Link application," according to the post. The plug-in does this by focusing specifically on reconnaissance of Phone Link processes such as "YourPhone" and "PhoneExperienceHost."
If an active relay session is detected, the malware flags the system as "Maybe connected," indicating the attackers may be able to monitor SMS traffic and OTP delivery.

Mitigating & Avoiding 2FA Bypass Attacks

The attack is yet more evidence that 2FA is not a foolproof way to protect people's personal and business accounts from being compromised, especially when, as in this case, device users may be completely unaware that anything suspicious is happening. In fact, recent research from Proofpoint found that attackers are finding myriad ways around multifactor authentication (MFA), particularly via phishing kits, and that enabling it doesn't ensure an account won't be compromised.

In the case of the Phone Link attack, to protect users against 2FA compromise, defenders can use secondary authentication methods that don't rely on OTPs or SMS to eliminate the risk. Organizations using Windows PCs that have Phone Link preinstalled should determine whether the app is really necessary for their employees and, if not, disable it to protect themselves from the attack, the researchers said.

To help defenders determine whether the attack has compromised a Windows PC and could be extracting data from connected devices, Cisco Talos posted indicators of compromise (IoCs) on a GitHub page. It also provided a specific ClamAV signature and Snort rules (SIDs) for detecting and blocking the threat.
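As an added example (not code from the article or from Cisco Talos), here is a small Python detection that runs over constructed Sysmon-style file-access events and flags any process other than Phone Link's own reading Phone Link's local SQLite data, as well as a Phone Link-named binary running outside the Store app folder. The process names come from the article; the .exe mapping, the WindowsApps install location, the "yourphone" path marker and all sample paths are assumptions, since the article elides the real database path.

```python
import ntpath
from typing import Optional

# Phone Link's own processes, as named in the Talos report; mapping to .exe names is an assumption.
PHONE_LINK_IMAGES = {"phoneexperiencehost.exe", "yourphone.exe"}
# Assumption: the genuine Store-installed Phone Link binaries load from this folder.
TRUSTED_IMAGE_DIR = r"c:\program files\windowsapps"
# Assumption: Phone Link's per-user data lives in a package folder whose path contains
# "yourphone"; the report elides the exact SQLite database path, so only the marker is used.
DATA_PATH_MARKER = "yourphone"
SQLITE_SUFFIXES = (".db", ".db-wal", ".db-shm")


def is_phone_link_data(path: str) -> bool:
    """True for a SQLite file (and its WAL/SHM side files) inside Phone Link's data folder."""
    p = path.lower()
    return DATA_PATH_MARKER in p and p.endswith(SQLITE_SUFFIXES)


def classify(event: dict) -> Optional[str]:
    """Return an alert reason for one file-access event, or None when it looks benign."""
    if not is_phone_link_data(event["target"]):
        return None
    image = event["image"].lower()
    name = ntpath.basename(image)  # ntpath so Windows paths split correctly on any host
    if name not in PHONE_LINK_IMAGES:
        return f"non-Phone-Link process {name} (pid {event['pid']}) read Phone Link data"
    if not image.startswith(TRUSTED_IMAGE_DIR):
        return f"{name} running outside WindowsApps ({event['image']}) read Phone Link data"
    return None


def scan(events: list) -> list:
    """Apply classify() to every event and keep only the alerts."""
    return [reason for reason in map(classify, events) if reason]


# Constructed sample events (not real telemetry); package ids are placeholders.
SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Program Files\WindowsApps\Microsoft.YourPhone_PLACEHOLDER\PhoneExperienceHost.exe",
     "target": r"C:\Users\alice\AppData\Local\Packages\Microsoft.YourPhone_PLACEHOLDER\LocalCache\phonelink.db"},
    {"pid": 7788, "image": r"C:\Users\alice\AppData\Roaming\svcupdate\loader.exe",
     "target": r"C:\Users\alice\AppData\Local\Packages\Microsoft.YourPhone_PLACEHOLDER\LocalCache\phonelink.db"},
    {"pid": 8012, "image": r"C:\Users\alice\AppData\Local\Temp\PhoneExperienceHost.exe",
     "target": r"C:\Users\alice\AppData\Local\Packages\Microsoft.YourPhone_PLACEHOLDER\LocalCache\phonelink.db-wal"},
    {"pid": 3300, "image": r"C:\Windows\System32\notepad.exe",
     "target": r"C:\Users\alice\Documents\notes.txt"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print("ALERT:", alert)
```

On the sample events only the unknown loader and the masquerading binary in Temp are reported; the genuine Phone Link process and the unrelated notepad access pass.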