LmCast :: Stay tuned in

Attacks Abuse Windows Phone Link to Steal Texts & Bypass 2FA

Recorded: May 11, 2026, 1:16 p.m.


In hard-to-detect attacks, hackers are dropping the CloudZ RAT and a fresh plug-in, Pheno, to hijack the Windows-based bridge between PCs and smartphones.

Elizabeth Montalbano, Contributing Writer, Dark Reading. May 6, 2026. 5 Min Read.

Attackers are abusing a Microsoft Windows tool with the intent of spying on and stealing SMS messages and one-time passwords (OTPs) from mobile devices. In an ongoing threat campaign that started in January, they first compromise PCs and then use malware to abuse the link between the PC and the phone to intercept and steal data, researchers have discovered.

According to a report published this week by researchers from Cisco Talos, the attack shows a unique attack flow, with the actors abusing Microsoft Phone Link on a Windows PC to exploit the trust relationship the tool creates with smartphones. Phone Link, which is preinstalled on Windows 10 and 11 and was previously called "Your Phone," is a built-in Windows app that syncs text messages, notifications, and calls between mobile devices and PCs.

"We found this attack slightly distinct, as the attacker is attempting to steal the sensitive information from mobile phones that are already paired with the Windows PC without deploying mobile malware," Cisco Talos researcher Chetan Raghuprasad tells Dark Reading. "We don't commonly see this connection leveraged in attacks."

Attackers use a combination of the modular CloudZ remote access Trojan (RAT) and a new plug-in, Pheno, to hijack the bridge between Phone Link and devices. Pheno continuously scans for active Phone Link processes and can potentially intercept sensitive mobile data such as SMS messages and two-factor authentication (2FA) codes, all without deploying any malware on the phone, according to the researchers.

"With confirmed Phone Link activity on the victim's machine, the attacker using the CloudZ RAT can potentially intercept the Phone Link application's SQLite database file … on the victim machine, potentially compromising SMS-based OTP messages and other authenticator application notification messages," Raghuprasad and Cisco Talos's Alex Karkins wrote in the report.

Phone Link's Cross-Device Sync Abused

The findings demonstrate how cross-device syncing can create an unexpected path to credential theft without attackers ever manipulating the mobile device itself, Cisco Talos tells Dark Reading. By abusing legitimate Windows functionality, attackers could gain a 2FA bypass capability, effectively eliminating an identity authentication step that many users think keeps their devices secure. Microsoft did not immediately reply to Dark Reading's request for comment Wednesday on the attack.

Cisco Talos learned from telemetry data that an intrusion it observed began with an unknown initial access vector into the victim's environment, leading to the execution of a fake ScreenConnect app-update executable. This in turn executes an intermediate .NET loader executable, which subsequently deploys the modular CloudZ RAT on the victim's machine.

CloudZ includes capabilities for browser credential theft, shell command execution, screen recording, plug-in deployment, and file management. Upon execution, it decrypts its configuration data, establishes an encrypted socket connection to the command-and-control (C2) server, and enters its command dispatcher mode.

"CloudZ facilitates the command-and-control (C2) commands to exfiltrate credentials from the victim machine browser data, and it downloads and implants a plug-in, which performs reconnaissance of the Microsoft Phone Link application on the victim machine and writes the reconnaissance data to an output file in a staging folder," the researchers wrote. "CloudZ reads back the Phone Link application data from the staging folder and sends it to the C2 server."

The plug-in dropped by CloudZ in the attack is Pheno, malware the researchers said they had not seen before. "Pheno is designed to detect if a user is currently syncing their mobile device to a Windows machine through the Phone Link application," according to the post.

The plug-in does this by focusing specifically on reconnaissance of Phone Link processes such as "YourPhone" and "PhoneExperienceHost." If an active relay session is detected, the malware flags the system as "Maybe connected," indicating the attackers may be able to monitor SMS traffic and OTP delivery.

Mitigating & Avoiding 2FA Bypass Attacks

So far the researchers have not seen evidence that the attack vector has successfully exfiltrated data, Raghuprasad says. "Still, the staging URLs of Pastebin are active, indicating high likelihood that the attacks are ongoing," he notes.

The attack is yet more evidence that 2FA is not a foolproof way to protect people's personal and business accounts from compromise, especially when, as in this case, device users may be completely unaware that anything suspicious is happening.

In fact, recent research from Proofpoint found that attackers are finding myriad ways around multifactor authentication (MFA), particularly via phishing kits, and that enabling it does not ensure an account won't be compromised.

In the case of the Phone Link attack, to protect users against 2FA compromise, defenders can adopt secondary authentication methods that don't rely on OTPs or SMS, which eliminates the risk. Organizations using Windows PCs that have Phone Link preinstalled should determine whether the app is really necessary for their employees and, if not, disable it to protect themselves from the attack, the researchers said.

To determine whether they've been targeted, organizations can update their behavioral detection engines to look for execution of regasm.exe with unusual arguments and for unauthorized scheduled tasks, and can block the C2 server IP addresses associated with the attack, information that Cisco Talos has provided in the post, Raghuprasad says. Cisco Talos also posted indicators of compromise (IoCs) on a GitHub page and, in the report, provided specific ClamAV signatures and Snort rules (SIDs) for detecting and blocking the threat.

This Dark Reading article details a novel attack vector targeting Windows users who pair a smartphone with Microsoft's Phone Link application, abusing the app's legitimate sync functionality to steal SMS messages and two-factor authentication (2FA) codes. The threat actor uses a combination of the CloudZ remote access Trojan (RAT) and a newly observed plug-in named Pheno. The attackers first compromise a Windows PC and then abuse the trust relationship Phone Link establishes with the paired smartphone. This lets them intercept sensitive mobile data, including SMS messages and 2FA notifications, without deploying malware on the phone itself.

Chetan Raghuprasad, a researcher at Cisco Talos, highlighted the distinct nature of this attack, noting that it differs from typical mobile malware deployment in that no malware reaches the phone. The attackers exploit Phone Link's cross-device syncing functionality, creating an unexpected pathway for credential theft that bypasses SMS- and OTP-based 2FA. CloudZ, the RAT component, handles command-and-control (C2) operations, exfiltrates browser credentials, and deploys the Pheno plug-in. Pheno monitors Phone Link activity, detecting active synchronization sessions and identifying potential interception opportunities. The report details CloudZ's functionalities: browser credential theft, shell command execution, screen recording, plug-in deployment, and file management. The Pheno plug-in focuses on reconnaissance of Phone Link processes such as YourPhone and PhoneExperienceHost, flagging a system as "Maybe connected" when an active relay session is found.

The intrusion begins with an unknown initial access vector, leading to the execution of a fake ScreenConnect app-update executable. This deploys an intermediate .NET loader, which in turn drops CloudZ. Cisco Talos published indicators of compromise (IoCs) on GitHub and in its report, along with ClamAV signatures and Snort rules (SIDs), to aid detection and blocking. The Pastebin staging URLs used by the malware remain active, suggesting the campaign is ongoing.

Elizabeth Montalbano emphasizes the seriousness of this attack, underlining that 2FA is not a foolproof security measure when a device sync application can be abused. The mitigations the researchers recommend include disabling Phone Link if it is not essential, using secondary authentication methods that don't rely on SMS or OTPs, and employing behavioral detection to identify regasm.exe executions with unusual arguments and unauthorized scheduled tasks. Organizations should also block the identified C2 server IP addresses. Raghuprasad notes that while successful data exfiltration has not been confirmed, the continued activity of the Pastebin URLs suggests the attacks are ongoing. The report highlights a broader trend of attackers finding ways to circumvent multifactor authentication, particularly through phishing kits, emphasizing that account compromises can occur even with 2FA enabled.
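The hunting advice in the article's mitigation section (and restated in the summary above) translates into three behavioral rules: regasm.exe run with unusual arguments, unauthorized scheduled-task creation, and connections to the published C2 addresses. The following is an added example that is not code from Cisco Talos, Dark Reading or LmCast. It models Sysmon-style process-creation (Event ID 1) and network-connection (Event ID 3) records as plain dicts, runs the three checks over constructed sample telemetry, and escalates findings on hosts where a Phone Link relay process (YourPhone or PhoneExperienceHost, the names the article says Pheno looks for) has been seen. The C2 addresses are TEST-NET placeholders, and the "unusual argument" heuristic, the benign-parent list and the task-name allowlist are assumptions to tune per estate, not rules from the Talos report.

```python
"""Behavioral detection sketch for the regasm.exe / scheduled-task / C2 hunting
advice in the article.  Added example, not Cisco Talos or Dark Reading code.
Event field names are modelled on Sysmon; all sample values are constructed."""
import re
from dataclasses import dataclass

# Placeholder C2 addresses (TEST-NET ranges).  Replace with the IPs published
# in the Cisco Talos report / GitHub IoC page; these two values are made up.
C2_IPS = {"192.0.2.10", "198.51.100.7"}

# Process names Pheno looks for, per the article.  Seeing them is not malicious;
# it means a paired phone's SMS/OTP traffic is relayed to this PC, so other
# findings on the same host are escalated.
PHONE_LINK_PROCESSES = {"yourphone.exe", "phoneexperiencehost.exe"}

# Assumptions to tune per estate: where regasm.exe is normally launched from,
# where a DLL handed to it is expected to live, and task names the org owns.
BENIGN_REGASM_PARENTS = {"msbuild.exe", "devenv.exe"}
BENIGN_DLL_DIRS = (r"c:\program files", r"c:\windows\microsoft.net")
ALLOWED_TASK_NAMES = {"corp-patch-check", "corp-inventory"}

DLL_RE = re.compile(r'"([^"]+\.dll)"|(\S+\.dll)', re.IGNORECASE)
TASK_NAME_RE = re.compile(r'/tn\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)


@dataclass
class Finding:
    host: str
    rule: str
    severity: str
    detail: str


def _basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_regasm(ev: dict):
    """Flag regasm.exe with a non-build parent or a DLL outside expected dirs."""
    if ev.get("EventID") != 1 or _basename(ev.get("Image", "")) != "regasm.exe":
        return None
    cmd = ev.get("CommandLine", "")
    parent = _basename(ev.get("ParentImage", ""))
    dlls = [(quoted or bare).lower() for quoted, bare in DLL_RE.findall(cmd)]
    odd_dlls = [d for d in dlls if not d.startswith(BENIGN_DLL_DIRS)]
    if parent not in BENIGN_REGASM_PARENTS or odd_dlls:
        return Finding(ev["Computer"], "regasm-unusual-args", "medium",
                       f"parent={parent} dlls={odd_dlls or dlls}")
    return None


def check_schtasks(ev: dict):
    """Flag 'schtasks /create' whose task name is not on the allowlist."""
    if ev.get("EventID") != 1 or _basename(ev.get("Image", "")) != "schtasks.exe":
        return None
    cmd = ev.get("CommandLine", "")
    if not re.search(r"/create\b", cmd, re.IGNORECASE):
        return None
    m = TASK_NAME_RE.search(cmd)
    name = (m.group(1) or m.group(2)).lower() if m else "<unknown>"
    if name in ALLOWED_TASK_NAMES:
        return None
    return Finding(ev["Computer"], "unauthorized-scheduled-task", "medium", f"task={name}")


def check_c2(ev: dict):
    """Flag any outbound connection to a known C2 address."""
    if ev.get("EventID") != 3:
        return None
    ip = ev.get("DestinationIp")
    if ip in C2_IPS:
        return Finding(ev["Computer"], "c2-connection", "high",
                       f"dst={ip} image={_basename(ev.get('Image', ''))}")
    return None


def phone_link_hosts(events) -> set:
    """Hosts on which a Phone Link relay process was seen running."""
    return {ev["Computer"] for ev in events
            if ev.get("EventID") == 1
            and _basename(ev.get("Image", "")) in PHONE_LINK_PROCESSES}


def analyse(events) -> list:
    """Run all checks; escalate findings on hosts with Phone Link activity."""
    relay_hosts = phone_link_hosts(events)
    findings = []
    for ev in events:
        for check in (check_regasm, check_schtasks, check_c2):
            f = check(ev)
            if f is None:
                continue
            if f.host in relay_hosts:
                f.severity = "high"
                f.detail += " [Phone Link relay active on host]"
            findings.append(f)
    return findings


# Constructed sample telemetry: ws01 shows the full chain, ws02 is benign noise.
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "ws01", "CommandLine": "PhoneExperienceHost.exe",
     "Image": r"C:\Program Files\WindowsApps\PhoneExperienceHost.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
    {"EventID": 1, "Computer": "ws01",
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe",
     "CommandLine": r'regasm.exe "C:\Users\alice\AppData\Local\Temp\update.dll"',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 1, "Computer": "ws01", "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /create /tn "SysUpdate" /tr "C:\Users\alice\AppData\Local\Temp\svc.exe" /sc minute /mo 5',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 3, "Computer": "ws01", "DestinationIp": "192.0.2.10",
     "Image": r"C:\Users\alice\AppData\Local\Temp\svc.exe"},
    {"EventID": 1, "Computer": "ws02",
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe",
     "CommandLine": r'regasm.exe "C:\Program Files\Contoso\lib.dll"',
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\MSBuild\Current\Bin\msbuild.exe"},
    {"EventID": 1, "Computer": "ws02", "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /create /tn corp-inventory /tr "C:\Program Files\Contoso\inv.exe" /sc daily',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    for f in analyse(SAMPLE_EVENTS):
        print(f"{f.severity:6} {f.host} {f.rule}: {f.detail}")
```

Running the block reports three high-severity findings for ws01 (the regasm.exe launch from cmd.exe against a DLL in a user temp directory, the unlisted "SysUpdate" task, and the connection to a placeholder C2 address) and nothing for ws02, whose regasm.exe call comes from MSBuild with a DLL under Program Files and whose task is allowlisted. The Phone Link context does not generate findings on its own; it only raises the severity of the other rules on that host, which mirrors the article's point that the relay is legitimate functionality and the risk lies in what an already-compromised PC can read through it.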