**Your phone never got hacked. Your PC did. And that's how they got your bank's OTP anyway.**

Cisco Talos dropped a bombshell on May 5, 2026: a previously undocumented remote access trojan named **CloudZ** has been active since at least January, and it's using a trick nobody saw coming. Instead of infecting your smartphone to intercept SMS codes, it simply reads them from where Microsoft already synced them - your Windows PC.

The technique is diabolically simple. And it works because millions of users have a legitimate Microsoft feature doing the attacker's recon for them.

---

## The Feature You Enabled Is the Feature They Abuse

**Windows Phone Link** (formerly "Your Phone") ships built-in on Windows 10 and 11. It syncs your Android or iPhone to your PC over Wi-Fi and Bluetooth - notifications, calls, photos, and yes, **SMS messages**. It's genuinely useful. You reply to texts from your keyboard while working. Microsoft markets it as convenience.

What Microsoft doesn't advertise: Phone Link stores all that synced data in a **SQLite database on your PC** - `PhoneExperiences-*.db` - sitting right there in your user profile, readable by any process running with your permissions.

CloudZ's custom **Pheno plugin** simply watches for the Phone Link process. When it detects an active PC-to-phone bridge, it reads that SQLite file directly. SMS-based OTPs. Banking codes. 2FA messages. Authenticator app notifications. All of it, exfiltrated without ever touching the phone.

**The phone stays clean. The PC betrays it.**

---

## How CloudZ Gets In

The infection chain Talos observed starts with a fake **ScreenConnect application update** - a Rust-compiled dropper with names like `systemupdates.exe` or `Windows-interactive-update.exe`. The Rust binary decrypts and drops a .NET loader disguised as a text file into `C:\ProgramData\Microsoft\windosDoc\`.
That loader uses `regasm.exe` (a legitimate .NET Framework tool) to run in memory, then establishes persistence through a scheduled task named **SystemWindowsApis** that fires at startup with SYSTEM privileges. From there, CloudZ connects to its C2 server over an encrypted socket, receives commands, and downloads plugins on demand. The Pheno plugin is one of them.

---

## What Pheno Actually Does

The plugin is lightweight and surgical:

1. **Scans** for active Phone Link processes
2. **Reads** the `PhoneExperiences-*.db` SQLite database from the PC
3. **Writes** reconnaissance data to a staging folder
4. **Returns** the data to CloudZ, which forwards it to C2

No code injection into Phone Link. No hooking. No exploits. It just reads a file that Microsoft created for user convenience.

---

## Why This Matters

This attack redefines the threat model for 2FA. For years, security advice has been: "Use SMS-based 2FA, it's better than nothing, but if you're paranoid use an authenticator app or hardware key." CloudZ proves that **even the phone isn't the weak link anymore**. The weak link is the bridge between your phone and your PC - a bridge you probably enabled yourself for convenience.

And CloudZ isn't some toy malware. It checks for debuggers and sandboxes. It runs dynamically in memory. It deletes its original binary from disk. This is professional-grade tradecraft hitting consumer-grade convenience features.

---

## The Bigger Picture

This isn't an isolated incident.
May 2026 has been a relentless month:

- **PhantomRaven Wave 5** (Mend.io, April 26): 33 new malicious npm packages stealing dev credentials via remote dynamic dependencies - C2 still live
- **Quasar Linux** (Trend Micro, May 5): A Linux implant with 7 persistence mechanisms, an eBPF rootkit, and PAM backdoors targeting developer environments
- **VECT Ransomware** (Check Point, May 5): A RaaS program that permanently destroys files above 128KB due to a fatal encryption bug - making it a wiper by accident
- **Ollama Auto-Updater** (Striga/CERT Polska, May 5): Unpatched path traversal + missing signature check = persistent RCE via the Windows Startup folder

The theme? **Attackers are targeting the infrastructure between devices, not the devices themselves.** npm dependencies. AI assistant toolchains. PC-to-phone bridges. Auto-updaters. The seams in your digital life are where they're striking.

---

## What You Can Do

1. **Disconnect Phone Link if you don't actively use it.** Settings -> Bluetooth & devices -> Phone Link -> unlink your phone. If you need it, understand the tradeoff.
2. **Switch to app-based or hardware 2FA.** Authenticator apps (Aegis, 2FAS) that don't sync SMS. YubiKeys. Passkeys where supported. SMS was always the weakest link; now the bridge makes it weaker.
3. **Monitor for persistence.** Check Task Scheduler for suspicious tasks like "SystemWindowsApis". Look in `C:\ProgramData\Microsoft\` for oddly named folders.
4. **Don't run random "updates."** The Rust dropper Talos found masqueraded as a ScreenConnect update. If you didn't request an update, don't run it.
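As an added defender-side example (not code from this page or from Talos), here is a small Python hunt that applies the indicators this page lists to constructed endpoint telemetry. The event schema, the sample paths and the Phone Link host process name `PhoneExperienceHost.exe` are assumptions not stated on the page, and the file-read check assumes object-access auditing is enabled on the synced-SMS database.

```python
"""Hunt constructed endpoint telemetry for the CloudZ / Pheno indicators this page lists."""
import re
from pathlib import PureWindowsPath

# Indicators from the page: drop folder, dropper and loader names, task name, regasm usage.
DROP_DIR = PureWindowsPath(r"C:\ProgramData\Microsoft\windosDoc")
DROPPER_NAMES = {"systemupdates.exe", "windows-interactive-update.exe"}
LOADER_NAMES = {"update.txt", "msupdate.txt"}
TASK_NAME = "systemwindowsapis"
PHONE_LINK_DB = re.compile(r"phoneexperiences-[^\\/]*\.db$", re.IGNORECASE)
PHONE_LINK_PROCESS = "phoneexperiencehost.exe"  # assumed legitimate Phone Link process; not on the page

def classify(event: dict) -> list[str]:
    """Return the indicator names a single event matches (empty list = nothing suspicious)."""
    hits = []
    kind = event.get("type")
    image = PureWindowsPath(event.get("image", "")).name.lower()
    target = event.get("target", "")
    if kind == "process_create":
        if image in DROPPER_NAMES:
            hits.append("dropper_name")
        # regasm.exe is a legitimate .NET tool; the signal is the "text file" loader on its command line.
        if image == "regasm.exe" and "update.txt" in event.get("command_line", "").lower():
            hits.append("regasm_loader")
    elif kind == "file_create":
        # PureWindowsPath equality is case-insensitive, matching NTFS behaviour.
        if PureWindowsPath(target).parent == DROP_DIR and PureWindowsPath(target).name.lower() in LOADER_NAMES:
            hits.append("loader_dropped")
    elif kind == "task_create":
        if event.get("task_name", "").lower() == TASK_NAME:
            hits.append("persistence_task")
    elif kind == "file_read":
        # Anything other than Phone Link itself opening the synced-SMS database is the Pheno behaviour.
        if PHONE_LINK_DB.search(target) and image != PHONE_LINK_PROCESS:
            hits.append("phone_link_db_read")
    return hits

def hunt(events: list[dict]) -> list[tuple[int, list[str]]]:
    return [(i, h) for i, e in enumerate(events) if (h := classify(e))]

DB = r"C:\Users\alice\AppData\Local\placeholder\PhoneExperiences-1234.db"  # constructed path
SAMPLE_EVENTS = [  # constructed telemetry, not real logs; index 0 and 4 are benign
    {"type": "process_create", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "command_line": "firefox.exe"},
    {"type": "process_create", "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe",
     "command_line": r"regasm.exe C:\ProgramData\Microsoft\windosDoc\update.txt"},
    {"type": "file_create", "target": r"C:\ProgramData\Microsoft\windosDoc\msupdate.txt"},
    {"type": "task_create", "task_name": "SystemWindowsApis"},
    {"type": "file_read", "image": r"C:\placeholder\PhoneExperienceHost.exe", "target": DB},
    {"type": "file_read", "image": r"C:\ProgramData\Microsoft\windosDoc\systemupdates.exe", "target": DB},
]
```

Running `hunt(SAMPLE_EVENTS)` flags events 1, 2, 3 and 5 and leaves the benign Firefox launch and Phone Link's own database access alone.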
---

## IOCs to Watch For

- **Files:** `systemupdates.exe`, `Windows-interactive-update.exe`, `update.txt`, `msupdate.txt` in `C:\ProgramData\Microsoft\windosDoc\`
- **Scheduled task:** `SystemWindowsApis`
- **Process:** `regasm.exe` with a command line containing `update.txt`
- **C2 infrastructure:** Calm-wildflower-1349[.]hellohiall[.]workers[.]dev (staging server observed by Talos)

---

## Sources

- [Cisco Talos: CloudZ RAT and Pheno Plugin](https://blog.talosintelligence.com/cloudz-pheno-infostealer/)
- [Microsoft: Phone Link Overview](https://support.microsoft.com/en-us/topic/phone-link-requirements-and-setup-cd2a1ee1-90a2-45a5-9522-e3a6f35c8a2f)

**Bottom line:** The future of malware isn't infecting your phone. It's sitting on your PC, reading what your phone already told it.