A new cybersecurity threat called CloudZ malware has recently come into focus, and it’s quite concerning. Researchers from Cisco Talos reported that this malware is being used to steal sensitive information like SMS messages and one-time passwords (OTPs). What makes this attack different is that it doesn’t directly hack your phone. Instead, it targets your Windows computer and takes advantage of a trusted app, Microsoft Phone Link.

Microsoft Phone Link is a legitimate application that allows users to connect their smartphones to their Windows PCs. Through this app, people can easily read messages, check notifications, and even manage calls from their computer. Normally, this is meant to make life easier. But in this case, attackers are misusing this feature to quietly access private data.
The CloudZ malware works by first infecting a Windows system. Once inside, it checks whether Phone Link is active on that system. If the connection between the phone and PC is available, the malware uses a special plugin known as Pheno to extract data. This includes SMS messages and OTP codes that are synced from the phone to the computer. The key point here is that the attacker never needs to access the phone directly: everything is taken from the PC itself.
Technically, CloudZ is a type of Remote Access Trojan (RAT). This means it allows attackers to control the infected system remotely. It can access stored data, run commands, and even download additional malicious tools. In this case, it specifically looks into local database files (like SQLite files) where Phone Link stores synced data. From there, it extracts useful information such as verification codes.
This attack becomes very dangerous because OTPs are widely used for security. Banks, social media platforms, and many online services rely on OTPs as a second layer of protection. If a hacker manages to get these codes, they can bypass authentication systems and gain unauthorized access to accounts. This basically weakens multi-factor authentication when SMS is involved.
The infection usually starts through deceptive methods. Reports suggest that attackers may use fake software updates or malicious files to install CloudZ on a system. In some cases, it is linked with fake updates related to tools like ScreenConnect. Once the malware is installed, it connects to attacker-controlled servers and starts its operations quietly in the background.
Another reason CloudZ is considered advanced is how it avoids detection. It can run in system memory instead of leaving clear traces on disk. It also uses techniques like anti-debugging and encrypted communication to stay hidden from security tools. Apart from stealing SMS and OTPs, it may also collect browser data and perform other remote activities.
To stay safe from such attacks, users need to be cautious. It is better to avoid downloading unknown files or updates from untrusted sources. If Phone Link is not required, disabling it can reduce risk. Also, relying only on SMS-based OTPs is no longer the safest option. Security experts recommend using authenticator apps or hardware-based security keys for better protection.
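Because the article describes the theft as reads of Phone Link's local SQLite store rather than anything on the phone, one practical detection is to flag any process other than Phone Link's own host that opens that store. The script below is an added illustration, not code from Cisco Talos or this article. It assumes Phone Link's host process is PhoneExperienceHost.exe and that its data lives under the package folder Microsoft.YourPhone_8wekyb3d8bbwe (both assumptions to verify on your own build), and it runs over a few constructed file-access records in a simple pipe-separated format standing in for EDR or Sysmon file events.

```python
"""Flag non-Phone-Link processes reading Phone Link's local SQLite store.

Added example; the process name, package folder and event format below are
assumptions, and the sample events are constructed, not real telemetry.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List

# Assumptions (not from the article): Phone Link's host process and package folder.
PHONE_LINK_PROCESS = "phoneexperiencehost.exe"
PHONE_LINK_PACKAGE_DIR = "microsoft.yourphone_8wekyb3d8bbwe"
# SQLite main file plus the write-ahead-log and shared-memory side files that a
# reader of a live database also opens.
SQLITE_SUFFIXES = (".db", ".sqlite", ".db-wal", ".db-shm")


@dataclass(frozen=True)
class FileEvent:
    timestamp: str
    image: str      # full path of the process that opened the file
    pid: int
    target: str     # file that was opened


def parse_event(line: str) -> FileEvent:
    """Parse one constructed 'timestamp|image|pid|target' record."""
    ts, image, pid, target = line.rstrip("\n").split("|", 3)
    return FileEvent(ts, image, int(pid), target)


def basename(path: str) -> str:
    """Last path component, lower-cased, for either slash style."""
    return re.split(r"[\\/]", path)[-1].lower()


def is_phone_link_store(path: str) -> bool:
    """True if the path is a SQLite file inside Phone Link's package folder."""
    p = path.lower().replace("/", "\\")
    return f"\\packages\\{PHONE_LINK_PACKAGE_DIR}\\" in p and p.endswith(SQLITE_SUFFIXES)


def is_suspicious(ev: FileEvent) -> bool:
    """Any process other than the Phone Link host touching the synced-data store."""
    return is_phone_link_store(ev.target) and basename(ev.image) != PHONE_LINK_PROCESS


def scan(lines: Iterable[str]) -> List[FileEvent]:
    """Return the events that match the rule, skipping blank records."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        if is_suspicious(ev):
            hits.append(ev)
    return hits


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Benign: Phone Link's own host process opening its store.
    r"2024-05-01T10:02:11Z|C:\Program Files\WindowsApps\Microsoft.YourPhone_8wekyb3d8bbwe\PhoneExperienceHost.exe|4120|C:\Users\alice\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\LocalCache\sync.db",
    # Suspicious: an unrelated binary in a temp folder reads the same database and its WAL file.
    r"2024-05-01T10:05:42Z|C:\Users\alice\AppData\Local\Temp\update.exe|7788|C:\Users\alice\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\LocalCache\sync.db",
    r"2024-05-01T10:05:43Z|C:\Users\alice\AppData\Local\Temp\update.exe|7788|C:\Users\alice\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\LocalCache\sync.db-wal",
    # Benign for this rule: the same binary reading a file outside the Phone Link store.
    r"2024-05-01T10:06:00Z|C:\Users\alice\AppData\Local\Temp\update.exe|7788|C:\Users\alice\Documents\notes.txt",
]


if __name__ == "__main__":
    for ev in scan(SAMPLE_EVENTS):
        print(f"{ev.timestamp} pid={ev.pid} {ev.image} -> {ev.target}")
```

On the constructed sample the rule fires twice, both for the temp-folder binary. In production the allowlist would also need any legitimate backup or indexing agent that reads the package folder, and the rule is best paired with the article's other advice: removing Phone Link where it is not needed means there is no synced store to read at all.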
Overall, the CloudZ malware highlights how attackers are evolving. Instead of targeting devices directly, they are now exploiting trusted systems and applications. This makes the attack more silent and harder to detect, which is why awareness becomes extremely important.
Stay alert, and keep your security measures updated!
Source: Follow cybersecurity88 on X and LinkedIn for the latest cybersecurity news