
Windows Malware Steals OTP SMS Through Microsoft Phone Link on Laptops and PCs, Cisco Talos Reports

A new Windows malware strain is attempting to steal users' SMS messages and one-time passwords (OTPs) by targeting Microsoft Phone Link. Security researchers consider the attack notable because the smartphone itself is not compromised: the phone's messages and notifications are read from the Windows PC they are synced to. The activity is reported to have been active since January 2026.

According to a new Cisco Talos report, the attack uses a remote access tool named CloudZ together with a new plugin named Pheno. Together they attempt to access SMS messages, OTPs and other authentication codes stored on the user's computer.

Microsoft Phone Link, formerly known as "Your Phone," ships with Windows 10 and Windows 11. It lets users view the SMS messages, call logs and notifications of their Android phone or iPhone directly on the computer. The data is synced over Wi-Fi and Bluetooth and stored in SQLite database files on the PC, which means a copy of the phone's messages sits on disk within reach of any malware running on that computer.

According to the report, the attackers exploit exactly this design. The Pheno plugin continuously scans the system for processes associated with Phone Link, such as "YourPhone", "PhoneExperienceHost" and "Link to Windows". If an active Phone Link session is found, the malware marks the system as "Maybe connected" and then begins collecting data.
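The two paragraphs above describe the exposure from both sides: Phone Link keeps synced messages in SQLite files on the PC, and the malware looks for the Phone Link processes before harvesting them. A defender can turn that into a hunt: any process other than Phone Link's own components opening those SQLite files is worth an alert. The script below is an added example for this article, not code from Cisco Talos, Microsoft or the malware. It assumes the Phone Link data lives under the package folder `Microsoft.YourPhone_8wekyb3d8bbwe` in `%LOCALAPPDATA%\Packages` (platform knowledge, not stated in the article), and the telemetry records, file names and process paths it runs over are constructed for the example, loosely shaped like Sysmon file events.

```python
"""Hunt file-access telemetry for processes other than Microsoft Phone Link
touching Phone Link's local SQLite message store.

Added example; not code from Cisco Talos, Microsoft or the malware described
in the article. The sample records below are constructed."""
import json
from pathlib import PureWindowsPath

# Package family name under %LOCALAPPDATA%\Packages where Phone Link keeps its
# local data on Windows 10/11. Assumed platform knowledge, not from the article.
PHONE_LINK_PACKAGE = "microsoft.yourphone_8wekyb3d8bbwe"

# Phone Link components named in the article; these legitimately touch the store.
PHONE_LINK_IMAGES = {"yourphone.exe", "phoneexperiencehost.exe"}

# SQLite main file plus its WAL / shared-memory / rollback companions; copying
# or opening any of them exposes the synced SMS and OTP content.
SQLITE_SUFFIXES = (".db", ".db-wal", ".db-shm", ".db-journal", ".sqlite")

# Binaries under these roots are rated "medium"; anything in a user-writable
# location (Temp, Roaming, Downloads, ...) is rated "high".
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def is_phone_link_store(target: str) -> bool:
    """True if the path is a SQLite file inside the Phone Link package folder."""
    p = PureWindowsPath(target)
    in_package = PHONE_LINK_PACKAGE in (part.lower() for part in p.parts)
    return in_package and p.name.lower().endswith(SQLITE_SUFFIXES)


def severity_for(image: str) -> str:
    """Rate the acting binary by where it lives on disk."""
    return "medium" if image.lower().startswith(TRUSTED_ROOTS) else "high"


def hunt(jsonl_records):
    """Return one finding per file event on the Phone Link store whose acting
    process is not a Phone Link component.

    Each record is a JSON object with Image, TargetFilename and UtcTime; the
    field names mirror Sysmon-style file telemetry but the data is constructed."""
    findings = []
    for line in jsonl_records:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        image = ev.get("Image", "")
        target = ev.get("TargetFilename", "")
        if not is_phone_link_store(target):
            continue
        if PureWindowsPath(image).name.lower() in PHONE_LINK_IMAGES:
            continue  # Phone Link maintaining its own database
        findings.append({
            "time": ev.get("UtcTime"),
            "image": image,
            "target": target,
            "severity": severity_for(image),
            "reason": "non-Phone-Link process accessed Phone Link SQLite store",
        })
    return findings


# Constructed sample telemetry. Database file names, the Indexed sub-folder and
# every non-Microsoft path are invented for the example.
_STORE = (r"C:\Users\alice\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe"
          r"\LocalCache\Indexed\0000\System\Database")
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"UtcTime": "2026-02-03 09:14:02",
     "Image": r"C:\Program Files\WindowsApps\Microsoft.YourPhone_1.0.0.0_x64__8wekyb3d8bbwe\PhoneExperienceHost.exe",
     "TargetFilename": _STORE + r"\phone.db-wal"},                       # benign: Phone Link itself
    {"UtcTime": "2026-02-03 09:15:40",
     "Image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "TargetFilename": _STORE + r"\phone.db"},                           # high: user-writable path
    {"UtcTime": "2026-02-03 09:16:11",
     "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\Documents\notes.txt"},           # ignored: not the store
    {"UtcTime": "2026-02-03 09:17:05",
     "Image": r"C:\Program Files\BackupVendor\agent.exe",
     "TargetFilename": _STORE + r"\phone.db"},                           # medium: trusted root
    {"UtcTime": "2026-02-03 09:18:30",
     "Image": r"C:\Users\alice\AppData\Roaming\svc\host.exe",
     "TargetFilename": _STORE + r"\notifications.db-shm"},               # high: WAL/SHM companion
])

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS.splitlines()):
        print(f"[{f['severity']}] {f['time']} {f['image']} -> {f['target']}")
```

The allowlist is deliberately limited to the two Phone Link binaries the article names; a backup agent or indexer in Program Files will surface as "medium" and can be triaged rather than silently excluded, since a legitimately signed tool reading this store is still a copy of the user's SMS leaving the app's control.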

According to Cisco Talos, the infection chain began with a fake ScreenConnect update file, although how that file was delivered to users is not yet clear. The report states that the CloudZ malware was then deployed on the system through several loaders and scripts.

The researchers note that CloudZ also carries several anti-analysis features. It looks for security and analysis tools such as Wireshark, Procmon and Sysmon on the system, attempts to detect whether it is running inside a virtual machine, and tries to hide its activity.

The malware retrieves its configuration from attacker-controlled servers and Pastebin pages and rotates between different user-agent strings so that its traffic resembles ordinary browser traffic. According to the report, it is not limited to stealing OTPs; it also supports screen recording and credential theft.

Security experts say this attack may pose a new threat to SMS-based multi-factor authentication. Keeping the phone itself secure is no longer enough: if the Windows computer it is linked to is infected, OTPs and other authentication codes can be stolen from there as well.
