CloudZ RAT and Pheno Plugin Hijack Microsoft Phone Link to Bypass MFA Without Touching Your Phone

Group: Unknown threat actor, attribution unconfirmed
Type: Modular RAT with novel MFA-interception plugin
CVEs: None assigned. Exploits legitimate Windows application behaviour rather than a software vulnerability
Malware: CloudZ RAT — modular .NET remote access tool with credential theft, screen recording, and C2 capabilities. Pheno — previously undocumented plugin that hijacks Microsoft Phone Link to intercept SMS messages and OTPs from a linked Android or iPhone
Score: 🟠 7.5 High. Actively deployed in real intrusions, bypasses SMS-based MFA without compromising the mobile device, and uses a novel abuse path that most endpoint security tools do not monitor
Observed: 6 May 2026

Overview

A previously undocumented malware toolkit is actively targeting enterprise Windows environments by abusing Microsoft Phone Link, a built-in Windows application that mirrors a user's smartphone onto their PC. Cisco Talos disclosed the threat on 5 May 2026, following investigation of an intrusion active since at least January 2026.

The toolkit consists of two components working in tandem. CloudZ is a modular .NET remote access tool that handles C2 communication, credential theft from browsers, file operations, and screen recording. Pheno is a custom plugin delivered by CloudZ that performs something not previously observed in the wild: it intercepts SMS messages and OTPs stored in Phone Link's local SQLite database on the Windows machine, without ever touching or compromising the victim's mobile device.

The implications for enterprise MFA are serious. Organisations relying on SMS-based two-factor authentication to protect accounts are exposed, because an attacker who has already compromised a Windows endpoint can silently read incoming OTP codes from the PC without deploying any mobile malware. The attacker reads the same Phone Link database that Windows uses to display notifications on the desktop.

Attribution remains unconfirmed. Cisco Talos has not linked the activity to a known threat actor or nation-state group. The infection chain uses Cloudflare Workers infrastructure for staging and a single hardcoded C2 IP address, which suggests a moderately resourced attacker focused on operational security through legitimate cloud services.


Key Details

Delivery Method – Fake ScreenConnect application update executable, deployed after initial access to the victim's environment via an unknown vector

Target – Enterprise Windows 10 and Windows 11 endpoints where Microsoft Phone Link is active and linked to a smartphone

Functions

  • Intercept SMS messages and OTP codes from the Phone Link SQLite database on the PC
  • Steal credentials from web browser data stores
  • Execute arbitrary shell commands
  • Perform file management operations including download, delete, and write
  • Capture screen recordings of the victim machine
  • Dynamically load, save, and remove plugins at attacker direction
  • Terminate the RAT process to evade detection

Obfuscation – CloudZ RAT is obfuscated with ConfuserEx and executes critical functions dynamically in memory using .NET DynamicMethod and ILGenerator, preventing static analysis. The loader performs timing-based sandbox detection, checks for security tools including Wireshark, Fiddler, Procmon, and Sysmon, and verifies CPU core count and system path strings to detect virtual machine environments before deploying the RAT.


Attack Vectors

The intrusion begins with the victim executing a file masquerading as a ScreenConnect application update. Talos has not identified how this file reaches the victim, though social engineering or a compromised software update channel are the most likely vectors based on the ScreenConnect disguise.

Stage 1 — Rust Dropper: The fake update is a 64-bit Rust-compiled executable with filenames such as systemupdates.exe or Windows-interactive-update.exe, compiled on 1 January 2026. When executed, it decrypts and drops an embedded .NET loader to C:\ProgramData\Microsoft\windosDoc\ as update.txt or msupdate.txt. In at least one observed intrusion, the .NET loader was instead downloaded from an attacker-controlled Cloudflare Workers staging server using a curl command embedded in the dropper.

Stage 2 — .NET Loader and Persistence: The .NET loader runs a series of anti-analysis checks before doing anything else: a timing-based evasion test that measures actual sleep duration, process enumeration looking for Wireshark, Fiddler, Procmon, and Sysmon, and hardware checks that reject environments with fewer than two CPU cores or sandbox-related strings in the system path. If checks pass, it establishes persistence by creating a scheduled task named SystemWindowsApis under \Microsoft\Windows\, configured to run at startup with SYSTEM privileges via the legitimate Windows binary regasm.exe, a living-off-the-land technique that avoids dropping another executable. The loader then reflectively loads CloudZ RAT into memory.

Stage 3 — CloudZ RAT Establishes C2: CloudZ decrypts its embedded configuration, establishes an encrypted socket connection to the C2 server at 185.196.10.136, and enters command dispatcher mode. The RAT rotates between three hardcoded user-agent strings to blend its HTTP traffic with legitimate browser requests and uses anti-caching headers to prevent network intermediaries from logging C2 or staging server details.

Stage 4 — Pheno Plugin Deployed: CloudZ downloads the Pheno plugin from the staging infrastructure and loads it in memory. Pheno continuously monitors for active Microsoft Phone Link processes and, when a PC-to-phone connection is confirmed active, reads the application's local SQLite database file (PhoneExperiences-*.db) which stores synchronised SMS messages, call logs, and notification history from the linked mobile device. OTP codes received via SMS or authenticator app push notifications are exfiltrated to the C2 server alongside browser credentials.


Known Indicators of Compromise

Indicators may vary across campaigns and malware samples. Verify all IOCs against current threat feeds before actioning.

File Hashes (SHA-256)

| Hash | Type | Description |
|---|---|---|
| 65fcd965040fabeb6f092df0a4b6856125018bb3b6a1876342da458139f77dac | SHA-256 | Rust dropper (systemupdates.exe variant) |
| ed5de036edbbda52ab0049d2163607038d38a49404a46b6bcfc4bac26b743832 | SHA-256 | .NET loader |
| 24398b75be2645e6c695e529e62e60deb418143a4bbea13c561d3c361419eb54 | SHA-256 | .NET loader (alternate sample) |
| 5b7284bcf30569ae400e416a62391720cc9081e6047f15816f9d1a04a06eb321 | SHA-256 | CloudZ RAT payload |
| 33af554562176eff34598a839051b8e91692b0305edfdbb4d8eb9df0103ffd98 | SHA-256 | Pheno plugin |

C2 and Staging Infrastructure

| Indicator | Type | Notes |
|---|---|---|
| 185[.]196[.]10[.]136 | IP | Hardcoded C2 server |
| calm-wildflower-1349[.]hellohiall[.]workers[.]dev | Domain | Staging server (Cloudflare Workers) |
| orange-cell-1353[.]hellohiall[.]workers[.]dev | Domain | Pheno plugin delivery |
| round-cherry-4418[.]hellohiall[.]workers[.]dev | Domain | Additional staging |

Staging URLs

| URL | Purpose |
|---|---|
| hxxps[://]calm-wildflower-1349[.]hellohiall[.]workers[.]dev/ | .NET loader retrieval |
| hxxps[://]orange-cell-1353[.]hellohiall[.]workers[.]dev/pheno[.]exe | Pheno plugin download |
| hxxps[://]round-cherry-4418[.]hellohiall[.]workers[.]dev/ | Staging server |
| hxxps[://]pastebin[.]com/raw/8pYAgF0Z | C2 config or data (single source — verify before blocking) |

File System Artefacts

| Path | Description |
|---|---|
| C:\ProgramData\Microsoft\windosDoc\update.txt | Dropped .NET loader (disguised as text file) |
| C:\ProgramData\Microsoft\windosDoc\msupdate.txt | Alternate .NET loader path |
| %TEMP%\{GUID}\ | Non-.NET payload execution directory |
| PhoneExperiences-*.db | Phone Link SQLite database targeted by Pheno |

Scheduled Task

| Name | Path | Trigger |
|---|---|---|
| SystemWindowsApis | \Microsoft\Windows\ | System startup, SYSTEM account, via regasm.exe |

MITRE ATT&CK Techniques

| Technique ID | Technique Name | Application in This Campaign |
|---|---|---|
| T1059.001 | Command and Scripting Interpreter: PowerShell | PowerShell script creates persistence via scheduled task at startup |
| T1053.005 | Scheduled Task/Job: Scheduled Task | SystemWindowsApis task persists the .NET loader across reboots |
| T1218.009 | System Binary Proxy Execution: Regsvcs/Regasm | regasm.exe used as LOLBin to execute the .NET loader without a separate binary |
| T1036 | Masquerading | Dropper disguised as ScreenConnect update; loader hidden as .txt file |
| T1620 | Reflective Code Loading | CloudZ RAT reflectively loaded into memory from XOR-decrypted payload |
| T1005 | Data from Local System | Pheno reads Phone Link SQLite database to harvest SMS and OTPs |
| T1083 | File and Directory Discovery | Pheno scans for active Phone Link process and PhoneExperiences-*.db |
| T1497 | Virtualisation/Sandbox Evasion | Timing check, tool detection, CPU core count, and path string analysis |

Mitigation and Prevention

Block the Known Staging Infrastructure

Add the Cloudflare Workers domains and the C2 IP (185.196.10.136) to your DNS blocklist and firewall deny rules immediately. The hellohiall.workers.dev subdomain pattern is specific to this campaign. Consider alerting on all outbound connections to workers.dev subdomains that do not match an approved allowlist, as this infrastructure pattern is commonly abused for malware staging.

Monitor Access to the Phone Link Database

Phone Link (PhoneExperiencesHost.exe) should not be accessed by scheduled tasks, regasm.exe, or processes running as SYSTEM. Configure endpoint detection rules to alert on any process other than the Phone Link application itself reading or querying PhoneExperiences-*.db SQLite database files. This file path is specific, and legitimate applications have no reason to access it.

Audit and Restrict Scheduled Tasks

Deploy alerting for new scheduled tasks created in the \Microsoft\Windows\ path, particularly tasks set to run as SYSTEM on startup. The task name SystemWindowsApis should be treated as an immediate indicator. Legitimate Windows tasks in this folder are generally created by the operating system or major vendors and do not change frequently.

Detect regasm.exe LOLBin Abuse

Regasm.exe is rarely invoked legitimately in most enterprise environments outside of developer machines. Alert on any execution of C:\WINDOWS\Microsoft.NET\Framework64\v4.0.30319\regasm.exe where the argument includes a .txt filename or a path under C:\ProgramData. This living-off-the-land pattern is a reliable signal for this specific threat.
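The scheduled-task and regasm.exe detection rules from the two sections above, expressed as code run over constructed event records. This is an added example, not Cisco Talos tooling or detection content from the original report; the event field names are simplified stand-ins for Sysmon process-creation and Windows Security task-creation events, and the baseline of approved task paths is hypothetical.

```python
"""Detection logic for the SystemWindowsApis task and regasm.exe LOLBin indicators (added example)."""
import re

# Constructed samples loosely shaped like Sysmon Event 1 (process create) and
# Security Event 4698 (task created); fields are simplified for illustration.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe",
     "CommandLine": r'regasm.exe /U "C:\ProgramData\Microsoft\windosDoc\update.txt"'},
    {"EventID": 1, "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe",
     "CommandLine": r'regasm.exe "C:\Dev\MyLib\bin\Release\MyLib.dll" /codebase'},
    {"EventID": 4698, "TaskName": r"\Microsoft\Windows\SystemWindowsApis", "RunAs": "SYSTEM"},
    {"EventID": 4698, "TaskName": r"\Microsoft\Windows\Defrag\ScheduledDefrag", "RunAs": "SYSTEM"},
    {"EventID": 4698, "TaskName": r"\CorpBackup\Nightly", "RunAs": "CORP\\svc_backup"},
]
# Hypothetical baseline of approved task paths (lower-cased), captured from a known-good host.
BASELINE_TASKS = frozenset({r"\microsoft\windows\defrag\scheduleddefrag"})

REGASM_RE = re.compile(r"\\regasm\.exe$", re.IGNORECASE)
SUSPICIOUS_ARG_RE = re.compile(r"\.txt\b|C:\\ProgramData\\", re.IGNORECASE)
TASK_FOLDER_RE = re.compile(r"^\\Microsoft\\Windows\\", re.IGNORECASE)
KNOWN_TASK_NAME = "systemwindowsapis"

def check_process_create(ev):
    """Flag regasm.exe started with a .txt argument or a path under C:\\ProgramData."""
    if not REGASM_RE.search(ev.get("Image", "")):
        return None
    if SUSPICIOUS_ARG_RE.search(ev.get("CommandLine", "")):
        return "regasm.exe invoked on a .txt/ProgramData payload (loader LOLBin pattern)"
    return None

def check_task_create(ev, baseline):
    """Flag the known task name, or any unbaselined SYSTEM task under \\Microsoft\\Windows\\."""
    name = ev.get("TaskName", "")
    if name.rsplit("\\", 1)[-1].lower() == KNOWN_TASK_NAME:
        return "scheduled task named SystemWindowsApis (known persistence indicator)"
    if (TASK_FOLDER_RE.match(name) and name.lower() not in baseline
            and ev.get("RunAs", "").upper() == "SYSTEM"):
        return "new SYSTEM task under \\Microsoft\\Windows\\ not in baseline: " + name
    return None

def scan(events, baseline=BASELINE_TASKS):
    """Return (EventID, reason) for every event that matches a rule."""
    checks = {1: check_process_create, 4698: lambda e: check_task_create(e, baseline)}
    alerts = []
    for ev in events:
        reason = checks.get(ev.get("EventID"), lambda e: None)(ev)
        if reason:
            alerts.append((ev["EventID"], reason))
    return alerts
```

Against the constructed events the developer's legitimate regasm.exe call and the baselined Defrag task pass, while the ProgramData .txt load and the SystemWindowsApis task are reported.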

Replace SMS-Based MFA Immediately

This attack directly targets SMS OTP interception. Any account protected only by SMS-based two-factor authentication is exposed to credential theft without mobile device compromise if the Windows endpoint is breached. Migrate to FIDO2 hardware keys or time-based OTP apps that store secrets locally and do not sync to notification databases accessible by Phone Link.

For environments handling sensitive credentials, financial data, or health records, evaluate whether Microsoft Phone Link should be enabled at all. The application can be disabled via Group Policy under Computer Configuration > Administrative Templates > System > Group Policy. Disabling the PC-to-phone bridge removes the attack surface Pheno relies on entirely.

Harden Against ConfuserEx-Obfuscated Payloads

CloudZ uses ConfuserEx, a .NET obfuscation framework commonly abused by malware authors. Configure your endpoint security tooling to flag or sandbox .NET assemblies obfuscated with ConfuserEx. Several EDR vendors and sandboxing platforms detect ConfuserEx signatures. Ensure your tooling is configured to treat these as high-confidence indicators requiring analyst review.


Risk Assessment

The Pheno plugin's approach to OTP interception is genuinely novel and specifically designed to work within legitimate Windows functionality. Most enterprise security teams monitor for mobile malware as the vector for OTP theft, but this campaign demonstrates that an attacker who controls a Windows endpoint can achieve the same result by reading data Phone Link has already synchronised from the phone. Every organisation that relies on SMS-based MFA and has Phone Link enabled on corporate endpoints is exposed to this technique once initial access is achieved.

The initial access vector in the observed intrusion remains unidentified by Cisco Talos, which is a significant gap. The use of a fake ScreenConnect update executable as a dropper suggests the attacker either compromised a legitimate ScreenConnect update channel, delivered the file through social engineering, or gained access via another method and then used the ScreenConnect disguise to blend in. ScreenConnect is widely deployed in enterprise and managed service provider environments, making it a high-value masquerade target.

The campaign has been active since at least January 2026, suggesting the attacker has had four months to deploy this toolkit at scale without triggering public disclosure. The use of Cloudflare Workers for staging is a deliberate operational security choice: traffic to workers.dev domains often appears in enterprise networks, complicating detection. The true number of victims is not yet known, but the long operational period before disclosure suggests more organisations may be affected than the single confirmed intrusion.


Conclusion

The single most important immediate action is to audit which endpoints have Microsoft Phone Link active, cross-reference that against your MFA configuration, and disable SMS-based OTP authentication for any account accessible from those machines. This removes the value of the Pheno plugin's core capability regardless of whether CloudZ is already present.

This threat reflects a clear shift in how attackers approach MFA bypass. Rather than targeting the phone directly, which typically requires a separate infection chain, attackers are exploiting the synchronisation bridges organisations have built between mobile devices and PCs. As Windows continues to deepen integration with smartphones, the attack surface that Phone Link represents will grow. Defenders need to treat PC-to-phone synchronisation applications as a credential access risk, not just a productivity tool.


Sources