ZDNET Highlights
- Researchers have discovered a Trojan, CloudZ, that uses a plugin to intercept and steal sensitive information passing through Microsoft Phone Link.
- The campaign has been active since at least January 2026, and although the initial entry point is unclear, it still poses a threat to Microsoft-based cross-device syncing.
- Follow the practices below to protect yourself from the CloudZ Trojan and similar malware.
Researchers at Cisco Talos have detailed a remote access trojan (RAT) that can steal your credentials as soon as you launch the Microsoft Phone Link app to connect your phone to your PC.
Microsoft Phone Link: What is it, and why do you have it?
Microsoft Phone Link is an app you might not know about, but it comes pre-installed on Windows 10 and 11. Formerly branded as Your Phone, it allows users to connect their phone to their Windows PC via Bluetooth and Wi-Fi.
The app supports Android and iOS and can be used to answer calls, respond to text messages, and receive notifications from your computer. On Android, you can also view and share your camera roll.
What is CloudZ and how does this attack work?
CloudZ is a modular remote access trojan (RAT), compiled as a .NET executable and equipped with a range of protections against analysis and reverse engineering, including obfuscation and checks for debuggers and profilers running in its environment.
The malware loads its instructions into memory during execution, establishes a connection to a command-and-control (C2) server, and executes a PowerShell script to collect, stage, and exfiltrate data to the attacker-controlled C2 server.
While the researchers have not documented a specific method of initial intrusion, once CloudZ had infected Windows PCs it may have spied on those systems using a newly discovered plugin, "Pheno". The Pheno module of CloudZ is designed to continuously monitor and scan for active Phone Link processes.
Once Pheno's monitoring alerts CloudZ to an active connection, the Trojan attempts to hijack and intercept the Phone Link application's SQLite database file. If successful, CloudZ can steal sensitive information as it travels from a smartphone to a PC, including credentials, SMS messages, and potentially one-time passcodes (OTPs).
This Trojan misuses legitimate Windows functionality rather than exploiting a vulnerability in the application, a common practice among surveillance- and data-theft-focused malware strains.
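One way to turn the behaviour described above into a detection, as an added example that is not from the article or from Cisco Talos: flag file-access audit events in which a process other than Phone Link's own opens one of its SQLite database files. It assumes the Phone Link desktop process is named PhoneExperienceHost.exe and that its data lives under the Microsoft.YourPhone package folder; the log lines and their key=value format are constructed.

```python
import re
import ntpath

# Assumed (not stated in the article): Phone Link's desktop process is
# PhoneExperienceHost.exe and its data sits under the Microsoft.YourPhone
# package folder in %LOCALAPPDATA%\Packages. Adjust both for your estate.
PHONE_LINK_IMAGE = "phoneexperiencehost.exe"
PHONE_LINK_PKG_MARKER = r"\packages\microsoft.yourphone_"

# SQLite main database plus its write-ahead log, shared-memory and journal sidecars.
SQLITE_RE = re.compile(r"\.db(-wal|-shm|-journal)?$", re.IGNORECASE)

# Constructed sample events: image = process opening the file, target = file touched.
SAMPLE_EVENTS = [
    r"ts=2026-02-03T09:12:01 event=FileOpen pid=4120 image=C:\Program Files\WindowsApps\Microsoft.YourPhone_1.2.3_x64__8wekyb3d8bbwe\PhoneExperienceHost.exe target=C:\Users\alice\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\LocalCache\Indexed\sync.db",
    r"ts=2026-02-03T09:12:07 event=FileOpen pid=5568 image=C:\Users\alice\AppData\Roaming\ScreenConnectUpdate\update.exe target=C:\Users\alice\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\LocalCache\Indexed\sync.db",
    r"ts=2026-02-03T09:12:08 event=FileOpen pid=5568 image=C:\Users\alice\AppData\Roaming\ScreenConnectUpdate\update.exe target=C:\Users\alice\Documents\notes.txt",
    r"ts=2026-02-03T09:12:09 event=FileOpen pid=7001 image=C:\Windows\System32\notepad.exe target=C:\Users\alice\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\LocalCache\Indexed\sync.db-wal",
]

# key=value pairs; a value runs until the next " key=" or end of line, so paths may contain spaces.
KV_RE = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")


def parse_event(line: str) -> dict:
    """Split one key=value audit line into a dict of string fields."""
    return {k: v for k, v in KV_RE.findall(line)}


def is_suspicious(ev: dict) -> bool:
    """True when a process other than Phone Link opens a Phone Link SQLite file."""
    if ev.get("event") != "FileOpen":
        return False
    target = ev.get("target", "").lower()
    image = ev.get("image", "").lower()
    if PHONE_LINK_PKG_MARKER not in target or not SQLITE_RE.search(target):
        return False
    # Compare on the executable name; a stricter rule would also pin the full install path.
    return ntpath.basename(image) != PHONE_LINK_IMAGE


def scan(lines) -> list:
    """Return (pid, process name, file name) for every suspicious event, in log order."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if is_suspicious(ev):
            hits.append((ev["pid"], ntpath.basename(ev["image"]), ntpath.basename(ev["target"])))
    return hits


if __name__ == "__main__":
    for pid, image, target in scan(SAMPLE_EVENTS):
        print(f"ALERT pid={pid} {image} opened Phone Link database file {target}")
```

In production the same rule would run over file-access events from your EDR or Windows object-access auditing rather than a static list, and the allowlist should be matched on the full signed install path of Phone Link rather than on the file name alone.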
Why should I care?
This research is a reminder that malware doesn’t need to infect your Android or iOS smartphone to compromise your handset’s information. Any type of connection – whether it’s Wi-Fi, Bluetooth, or meshed links between your home PC and other devices – comes with risks, especially at a time when cybercriminals are constantly developing new ways to steal our information, spy on us, or damage our systems.
The latest research from Cisco Talos highlights how cross-device syncing attacks can bypass modern security controls, such as two-factor authentication (2FA) and OTP delivery. Just because you have both devices doesn’t mean they’re both secure or trustworthy.
How to stay safe
We can trace certain steps in this attack chain, and at each step there are security practices and methods we can use to reduce the risk of becoming a victim of CloudZ and similar Trojans.
While Cisco Talos researchers aren’t sure about the initial attack vector, when the malware arrived on Windows PCs, it executed as a fake ScreenConnect application update, which then deployed the RAT.
This gives us several pointers for staying safe:
- Initial access point: Trojans are often spread disguised as legitimate software. They can be downloaded from social media, via phishing links, or found on warez websites. You should only ever download software from official sources, and even then, enable real-time file scanning through your antivirus program or app to detect suspicious files.
- Pirated content: Trojans and related malware are also often bundled with pirated software. Unless it's licensed, you're putting your PC at risk, and this type of RAT can remain hidden for a long time before being triggered on your system and stealing your data.
You should also be aware of the risks posed by PC-to-phone bridges. They are certainly useful features, but we need to keep each ‘area’ clean and free of infection.
- Cross-contamination: If your PC or smartphone is infected with malware, it can move from one device to another without your knowledge. Trojans and worms can often spread across networks and systems, so running frequent malware and antivirus scans can help keep each machine clean.
- USB: Another security tip is to never connect your machine to any unknown or untrusted devices – including smartphones, tablets, and USB storage devices.