Cloudz RAT "Pheno" Plugin Hijacking Windows Phone Link to Steal OTPs and Credentials

Scope: Microsoft Windows Phone Link (Windows 10 and 11)

Severity: High

A previously undocumented Cloudz RAT plugin named "Pheno," discovered by Cisco Talos and active since at least January 2026, abuses the Microsoft Phone Link PC-to-phone bridge to silently intercept SMS messages, one-time passwords, and credentials by reading Phone Link's local SQLite database on the Windows host, without requiring any malware on the victim's mobile device. The attack chain is initiated via a trojanized ConnectWise ScreenConnect executable; a PowerShell-created scheduled task maintains persistence on the compromised Windows host.

Recommendations: Organizations should restrict or disable Phone Link in enterprise environments, audit scheduled tasks for suspicious PowerShell or .NET loader activity, enforce application allowlisting via AppLocker or WDAC, and migrate from SMS-based OTP to authenticator app MFA.
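The following PowerShell script is an added example for this advisory, not code from CERT.UG/CC, Cisco Talos, or Microsoft. It implements two of the checks recommended above on a single Windows host: it lists scheduled tasks whose actions launch PowerShell or a .NET/script loader with suspicious arguments or from user-writable paths, and it reports whether Phone Link is installed, whether it is disabled by policy, and which SQLite files sit in its per-user cache. The indicator lists, the policy value name (EnableMmx under the Windows\System policy key) and the package cache layout are assumptions to verify against your environment; the advisory itself names no task names, paths or hashes.

```powershell
# Added example for this advisory; not the CERT's or Talos' own tooling.
# Run from an elevated PowerShell 5.1+ session on the host under review.

# Argument fragments that are typical of script-based loaders (assumed list).
$suspiciousArgs = @(
    '-enc', '-encodedcommand', '-w hidden', '-windowstyle hidden',
    '-nop', '-noprofile', '-ep bypass', '-executionpolicy bypass',
    'iex', 'invoke-expression', 'downloadstring', 'downloadfile',
    'frombase64string', '[reflection.assembly]::load', 'add-type'
)
# Binaries commonly used to run scripts or load .NET assemblies from a task.
$loaderBinaries = 'powershell\.exe|pwsh\.exe|dotnet\.exe|installutil\.exe|regasm\.exe|regsvcs\.exe|rundll32\.exe|mshta\.exe|wscript\.exe|cscript\.exe'
# Locations a legitimate scheduled task rarely needs to execute from.
$userWritablePaths = 'appdata|\\temp\\|programdata|users\\public|\\downloads\\'

function Get-SuspiciousScheduledTask {
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            # Only Exec actions carry a command line; COM-handler actions have no Execute.
            if (-not $action.Execute) { continue }
            $cmd = "$($action.Execute) $($action.Arguments)".ToLowerInvariant()
            $reasons = @()
            if ($action.Execute -match $loaderBinaries) { $reasons += 'loader-binary' }
            foreach ($pattern in $suspiciousArgs) {
                if ($cmd.Contains($pattern)) { $reasons += "arg:$pattern" }
            }
            if ($cmd -match $userWritablePaths) { $reasons += 'user-writable-path' }
            if ($reasons.Count -eq 0) { continue }
            [pscustomobject]@{
                TaskPath = $task.TaskPath
                TaskName = $task.TaskName
                State    = $task.State
                RunAs    = $task.Principal.UserId
                Author   = $task.Author
                Command  = "$($action.Execute) $($action.Arguments)"
                Reasons  = ($reasons -join ',')
            }
        }
    }
}

function Get-PhoneLinkStatus {
    # Phone Link ships as the Store package Microsoft.YourPhone.
    $installed = Get-AppxPackage -AllUsers -Name 'Microsoft.YourPhone' -ErrorAction SilentlyContinue
    # Group Policy "Phone-PC linking on this device": EnableMmx = 0 disables the bridge
    # (value name assumed from the policy's registry mapping; verify on your build).
    $policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' `
        -Name EnableMmx -ErrorAction SilentlyContinue
    # SQLite files in the package's per-user cache are what a process running as
    # this user can read without touching the phone (cache layout is an assumption).
    $dbFiles = Get-ChildItem -Path "$env:LOCALAPPDATA\Packages\Microsoft.YourPhone_*\LocalCache" `
        -Recurse -Filter '*.db' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Installed      = [bool]$installed
        PolicyDisabled = ($null -ne $policy -and $policy.EnableMmx -eq 0)
        LocalDbFiles   = @($dbFiles | Select-Object -ExpandProperty FullName)
    }
}

Get-SuspiciousScheduledTask | Format-Table -AutoSize -Wrap
Get-PhoneLinkStatus | Format-List
```

Treat hits as leads, not verdicts: vendor agents and some management tools also schedule PowerShell. Compare each flagged task's Author, RunAs and creation time against change records, and inspect the target executable's signature and location; a ScreenConnect client or any other binary executing from a user profile directory is worth pulling for analysis. If Phone Link is not needed, removing the package for all users with Remove-AppxPackage and setting the policy value shown above removes the local database the plugin relies on.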

The Uganda National CERT and Coordination Center (CERT.UG/CC) encourages users and administrators to review the recommendations and apply the necessary updates.