{"id":240038,"date":"2026-05-06T04:34:00","date_gmt":"2026-05-06T08:34:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/05\/06\/windows-phone-link-exploited-by-cloudz-rat-to-steal-credentials-and-otps\/"},"modified":"2026-05-06T04:45:08","modified_gmt":"2026-05-06T08:45:08","slug":"windows-phone-link-exploited-by-cloudz-rat-to-steal-credentials-and-otps","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/05\/06\/windows-phone-link-exploited-by-cloudz-rat-to-steal-credentials-and-otps\/","title":{"rendered":"Windows Phone Link Exploited by CloudZ RAT to Steal Credentials and OTPs"},"content":{"rendered":"<p><a href=\"https:\/\/thehackernews.com\/2026\/05\/windows-phone-link-exploited-by-cloudz.html\">Windows Phone Link Exploited by CloudZ RAT to Steal Credentials and OTPs<\/a><\/p>\n<p><a href=\"https:\/\/thehackernews.com\/2026\/05\/windows-phone-link-exploited-by-cloudz.html\">https:\/\/thehackernews.com\/2026\/05\/windows-phone-link-exploited-by-cloudz.html<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-05-06 04:34:00<\/a><\/p>\n<p>Source Domain: <a href=\"thehackernews.com\">thehackernews.com<\/a><\/p>\n<p><span class=\"p-author\"><span class=\"author\">Ravie Lakshmanan<\/span><span class=\"author\">May 06, 2026<\/span><\/span><span class=\"p-tags\">Endpoint Security \/ Threat Intelligence<\/span><\/p>\n<p>Cybersecurity researchers have disclosed details of an intrusion that involved the use of a CloudZ remote access tool (RAT) and a previously undocumented plugin dubbed Pheno with the aim of facilitating credential theft.<\/p>\n<p>&#8220;According to the functionalities of the CloudZ RAT and Pheno plugin, this was with the intention of stealing victims&#8217; credentials and potentially one-time passwords (OTPs),&#8221; Cisco Talos researchers Alex Karkins and Chetan Raghuprasad said in a Tuesday analysis.<\/p>\n<p>What makes the attack novel is that CloudZ uses the custom Pheno plugin to hijack the established PC-to-phone bridge by abusing the Microsoft Phone Link application, permitting the plugin to monitor for active Phone Link processes and potentially intercept sensitive mobile data like SMS and one-time passwords (OTPs) without the need for deploying malware on the phone.<\/p>\n<p>The findings demonstrate how legitimate cross-device syncing features can expose unintended attack pathways to credential theft and help bypass two-factor authentication. What&#8217;s more, it obviates the need to compromise the mobile device itself.<\/p>\n<p>The malware, per the cybersecurity company, has been put to use as part of an intrusion that&#8217;s been active since at least January 2026. The activity has not been attributed to any known threat actor or group.<\/p>\n<p>Built into Windows 10 and Windows 11, Phone Link offers a way for users to pair their computer with an Android device or iPhone over Wi-Fi and Bluetooth, allowing users to make or take phone calls, send messages, and dismiss notifications.<\/p>\n<p>Unknown threat actors have been observed attempting to leverage the application using CloudZ RAT and Pheno to confirm Phone Link activity in a victim environment and then access the SQLite database file used by the program to store the synchronized phone data.<\/p>\n<p>The attack chain is said to have employed an as-yet-undetermined initial access method to obtain a foothold&#8230;<\/p>\n<p><a href=\"https:\/\/thehackernews.com\/2026\/05\/windows-phone-link-exploited-by-cloudz.html\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Windows Phone Link Exploited by CloudZ RAT to Steal Credentials and OTPs https:\/\/thehackernews.com\/2026\/05\/windows-phone-link-exploited-by-cloudz.html Publish Date:&#8230;<\/p>\n","protected":false},"author":1,"featured_media":240039,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjGxYFVfOUbXRWanB_1qyRHBYCgWirEtqd3EO06BrIjnLqrTEOoTnXclKQsujA4YCVfI8Q5IWuriVAlckls65vvV2Am5PCEB1s_HHoFxpA779oT1qbnNB0Q8dqLU3GGbwINtDDmp8Ge3bdxQJWab3toekaGDgi1FFJ73uNysl8wEnXfgk6W88b1qSJcu2gX\/s1600\/link-to-windows.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[32,57,34],"class_list":["post-240038","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-malware","tag-security","tag-threat-actor"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/240038"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=240038"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/240038\/revisions"}],"predecessor-version":[{"id":240041,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/240038\/revisions\/240041"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/240039"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=240038"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=240038"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=240038"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}