Overview
- Cisco Talos disclosed Tuesday that CloudZ now ships with a Pheno module that abuses Microsoft Phone Link to harvest SMS messages and the one-time codes they carry.
- Phone Link, preinstalled on Windows 10 and 11, mirrors a paired phone's texts and notifications into a local SQLite database on the PC, so malware on a compromised computer can read mobile-delivered secrets without ever touching the phone.
- In the cases reviewed, a fake ScreenConnect update ran a Rust loader, which launched a .NET loader that installed CloudZ and set a scheduled task for persistence.
- Researchers also saw browser data theft features, in-memory execution, anti-analysis checks for tools like Wireshark, and command-and-control traffic that rotates user agents.
- Talos published indicators of compromise and urged a shift away from SMS codes toward authenticator apps or hardware security keys to cut interception risk.
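The exposure described above comes down to a local database that any process running as the user can open. The following is an added example (not Talos's code and not CloudZ) that shows the triage side of that: a schema-agnostic scan of a SQLite cache for OTP-like rows, run against a constructed sample database. The table and column names in the sample are hypothetical; the page does not document Phone Link's real schema, and the scan deliberately does not depend on one. The OTP heuristic (4 to 8 digit token plus a keyword such as "code" or "passcode" in the same text) is an assumption chosen to avoid matching timestamps and phone numbers.

```python
"""Schema-agnostic scan of a SQLite cache for one-time codes.

Added example: constructed sample data, hypothetical schema.
Open the database read-only, or better, scan a copy of the file.
"""
import re
import sqlite3
import tempfile
from pathlib import Path

# Assumed OTP heuristic: a standalone 4-8 digit token in a text that also
# mentions a code-like keyword. Plain \d{6} would hit timestamps and numbers.
TOKEN_RE = re.compile(r"\b\d{4,8}\b")
KEYWORDS = ("code", "otp", "passcode", "verification", "pin")


def build_sample_db(path: str) -> None:
    """Write a constructed cache. The schema is hypothetical, not Phone Link's."""
    conn = sqlite3.connect(path)
    conn.execute(
        "CREATE TABLE message (id INTEGER PRIMARY KEY, sender TEXT, "
        "body TEXT, received_at TEXT)"
    )
    conn.executemany(
        "INSERT INTO message (sender, body, received_at) VALUES (?, ?, ?)",
        [
            ("+15550100", "Your verification code is 482913. Do not share it.",
             "2025-01-01T09:00:00Z"),
            ("Mom", "Dinner at 7?", "2025-01-01T09:05:00Z"),
            ("BANK", "117204 is your one-time passcode for the transfer of $2,000",
             "2025-01-01T09:07:00Z"),
            ("Delivery", "Your PIN is 4321 for parcel pickup", "2025-01-01T09:09:00Z"),
        ],
    )
    conn.execute("CREATE TABLE notification (id INTEGER PRIMARY KEY, app TEXT, text TEXT)")
    conn.execute(
        "INSERT INTO notification (app, text) VALUES (?, ?)",
        ("Authenticator", "Approve sign-in? Code 55"),
    )
    conn.commit()
    conn.close()


def looks_like_otp_text(text: str) -> list[str]:
    """Return the OTP-like tokens in text, or [] if no keyword is present."""
    lowered = text.lower()
    if not any(k in lowered for k in KEYWORDS):
        return []
    return TOKEN_RE.findall(text)


def find_otp_like_rows(db_path: str) -> list[tuple[str, str, str, str]]:
    """Walk every table and every TEXT value; no schema knowledge required.

    Returns (table, column, code, full_text) for each hit, in table then rowid order.
    """
    uri = Path(db_path).resolve().as_uri() + "?mode=ro"  # read-only open
    conn = sqlite3.connect(uri, uri=True)
    hits = []
    try:
        tables = [
            r[0] for r in conn.execute("SELECT name FROM sqlite_master WHERE type='table'")
        ]
        for table in tables:
            cols = [r[1] for r in conn.execute(f'PRAGMA table_info("{table}")')]
            for row in conn.execute(f'SELECT * FROM "{table}"'):
                for col, val in zip(cols, row):
                    if isinstance(val, str):
                        for code in looks_like_otp_text(val):
                            hits.append((table, col, code, val))
    finally:
        conn.close()
    return hits


def demo() -> list[tuple[str, str, str, str]]:
    """Build the constructed cache in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        db = str(Path(tmp) / "cache.db")
        build_sample_db(db)
        return find_otp_like_rows(db)


if __name__ == "__main__":
    for table, col, code, text in demo():
        print(f"{table}.{col}: {code}  <- {text!r}")
```

On a real host, point `find_otp_like_rows` at a copy of the cache rather than the live file, since the owning application may hold a lock and a read-only open of a copy also preserves the original for evidence. Treat any hit as proof that the code was recoverable on disk by user-level code, which is the condition the Pheno module exploits.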