

Ethical Hacking News

CloudZ Malware Exploits Microsoft Phone Link for SMS and OTP Stealing




CloudZ malware has been found to abuse Microsoft Phone Link for SMS and OTP stealing, capturing sensitive messages relayed from mobile devices without compromising the phone itself. Users are advised to avoid SMS-based OTP services, to use authenticator apps that do not rely on push notifications, and to switch to phishing-resistant solutions such as hardware keys.



  • CloudZ malware exploits Microsoft Phone Link to steal sensitive information from mobile devices.
  • The abuse lets attackers intercept SMS messages and one-time passwords (OTPs) without compromising the mobile device itself.
  • The attack vector is believed to start with a fake ScreenConnect update that drops a Rust-based loader, which then installs CloudZ RAT and establishes persistence.
  • Users are advised to avoid SMS-based OTP services and use authenticator apps that do not require push notifications.
  • Cisco Talos has published indicators of compromise to help defenders protect their environments.



    The world of cybersecurity is constantly evolving, with new threats emerging every day. A recent discovery has shed light on a malicious software (malware) called CloudZ that exploits Microsoft Phone Link to steal sensitive information from mobile devices. In this article, we will delve into the details of CloudZ, its implications, and what users can do to protect themselves.

    Microsoft Phone Link is an application that comes pre-installed on Windows 10 and 11, allowing users to make and receive calls, respond to texts, and view notifications from their mobile devices (Android and iOS). However, a recent discovery by Cisco Talos researchers has revealed that CloudZ malware can hijack this connection to intercept sensitive messages delivered to the target's mobile phone without compromising the device.

    The malicious plugin, known as Pheno, monitors for active Phone Link sessions and accesses its local SQLite database, which may contain SMS and one-time passwords (OTPs). This gives the attacker access to sensitive information without needing to compromise the mobile device. According to Cisco Talos researchers, "With a confirmed Phone Link activity on the victim's machine, the attacker using the CloudZ RAT can potentially intercept the Phone Link application's SQLite database file on the victim's machine, potentially compromising SMS-based OTP messages and other authenticator application notification messages."
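As an added illustration (not code from the article or from Cisco Talos), the Python below shows how a defender could hunt for the behaviour described above in object-access audit logs: any process other than Phone Link itself touching files under the Phone Link package folder. The process name PhoneExperienceHost.exe, the package folder Microsoft.YourPhone_8wekyb3d8bbwe, the Phone.db file name and the sample events are assumptions or constructed; real use needs a SACL on that folder so Windows Security Event ID 4663 is logged.

```python
"""Flag non-Phone-Link processes accessing Phone Link's local data store.

Input: object-access audit events (Windows Security Event ID 4663 shape)
encoded as JSON lines. Sample events below are constructed, not real telemetry.
"""
import json
from pathlib import PureWindowsPath

# Assumptions, not from the article: Phone Link's host process name and the
# per-user package folder where it keeps its local cache/database.
PHONE_LINK_PROCESS = "phoneexperiencehost.exe"
PHONE_LINK_PACKAGE = "microsoft.yourphone_8wekyb3d8bbwe"


def is_phone_link_store(object_name: str) -> bool:
    """True when the accessed path lies inside the Phone Link package folder."""
    parts = [p.lower() for p in PureWindowsPath(object_name).parts]
    return PHONE_LINK_PACKAGE in parts


def suspicious_access(event: dict) -> bool:
    """An access to the Phone Link store by anything other than Phone Link."""
    if event.get("EventID") != 4663:
        return False
    if not is_phone_link_store(event.get("ObjectName", "")):
        return False
    proc = PureWindowsPath(event.get("ProcessName", "")).name.lower()
    return proc != PHONE_LINK_PROCESS


def find_alerts(jsonl: str) -> list[dict]:
    """Return the subset of events that should raise an alert."""
    alerts = []
    for line in jsonl.splitlines():
        if line.strip():
            ev = json.loads(line)
            if suspicious_access(ev):
                alerts.append(ev)
    return alerts


# Constructed sample events: Phone Link reading its own database (benign),
# an unknown binary in the user's profile reading it (alert), unrelated access.
SAMPLE_EVENTS = "\n".join([
    '{"EventID": 4663, "ProcessName": "C:\\\\Program Files\\\\WindowsApps\\\\PhoneLink\\\\PhoneExperienceHost.exe", "ObjectName": "C:\\\\Users\\\\alice\\\\AppData\\\\Local\\\\Packages\\\\Microsoft.YourPhone_8wekyb3d8bbwe\\\\LocalCache\\\\Phone.db"}',
    '{"EventID": 4663, "ProcessName": "C:\\\\Users\\\\alice\\\\AppData\\\\Roaming\\\\updater.exe", "ObjectName": "C:\\\\Users\\\\alice\\\\AppData\\\\Local\\\\Packages\\\\Microsoft.YourPhone_8wekyb3d8bbwe\\\\LocalCache\\\\Phone.db"}',
    '{"EventID": 4663, "ProcessName": "C:\\\\Windows\\\\explorer.exe", "ObjectName": "C:\\\\Users\\\\alice\\\\Documents\\\\notes.txt"}',
])

if __name__ == "__main__":
    for ev in find_alerts(SAMPLE_EVENTS):
        print("ALERT:", ev["ProcessName"], "->", ev["ObjectName"])
```

Only the second constructed event is flagged; Phone Link reading its own store and the unrelated file access stay silent.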

    The technique was uncovered during an intrusion that had been active since at least January. Researchers believe the threat actor's purpose was to steal credentials and temporary passcodes. The initial attack vector is not yet known, but the chain is believed to start when the victim executes a fake ScreenConnect update, which drops a Rust-based loader. This is followed by the deployment of a .NET loader, which installs CloudZ RAT and establishes persistence via a scheduled task.

    The .NET loader also includes anti-analysis checks: time-based sandbox evasion steps, checks for analysis tools such as Wireshark, Fiddler, Procmon, and Sysmon, and checks for VM- and sandbox-related strings. These checks make the malware harder to detect with traditional signature-based methods.

    To defend against this type of attack, users should avoid SMS-based OTP services and use authenticator apps whose codes are not delivered through notifications that could be intercepted. For more sensitive accounts, switching to phishing-resistant solutions such as hardware keys is recommended.

    Cisco Talos has published a set of indicators of compromise, including URLs, hashes for malicious components, domains, and IP addresses, which defenders can use to protect their environments.

    In conclusion, the discovery of CloudZ malware exploiting Microsoft Phone Link highlights the importance of staying informed about emerging threats. By understanding how these attacks work and taking proactive measures to secure your devices and data, you can reduce the risk of falling victim to this type of attack.









    Related Information:
  • https://www.ethicalhackingnews.com/articles/CloudZ-Malware-Exploits-Microsoft-Phone-Link-for-SMS-and-OTP-Stealing-ehn.shtml

  • https://www.bleepingcomputer.com/news/security/cloudz-malware-abuses-microsoft-phone-link-to-steal-sms-and-otps/

  • https://cyberinsider.com/cloudz-malware-hijacks-microsoft-phone-link-to-intercept-sms-and-otps/

  • https://www.zdnet.com/article/trojan-abuses-microsoft-phone-link-app-to-steal-passwords/

  • https://blog.talosintelligence.com/cloudz-pheno-infostealer/

  • https://cyberalertica.com/cyber-threats/what-is-remote-access-trojan/

  • https://www.fortinet.com/resources/cyberglossary/remote-access-trojan


  • Published: Tue May 5 06:24:40 2026 by llama3.2 3B Q4_K_M












