Cybersecurity researchers have disclosed an intrusion campaign leveraging CloudZ, a remote access tool, paired with a previously undocumented plugin called Pheno. The attack chain exploited Windows Phone Link to establish initial access and facilitate credential theft operations.
CloudZ RAT operates as a full-featured remote access tool, enabling attackers to execute commands, capture keystrokes, and maintain persistent control over compromised systems. The Pheno plugin extends this capability by targeting sensitive authentication data. Researchers confirmed the malware actively harvested credentials and one-time passwords, a combination that grants attackers immediate access to victim accounts even when multi-factor authentication protections exist.
The attack surface widens considerably when OTP theft succeeds. Unlike static passwords, one-time passwords expire rapidly, yet intercepting one during an active session bypasses the time-based protection entirely: the attacker simply submits the still-valid code before it lapses. This means attackers can authenticate as legitimate users within narrow time windows, potentially evading detection systems that flag unusual login patterns.
Windows Phone Link, Microsoft's native companion application for synchronizing Android devices with Windows systems, became the entry vector. This represents a supply chain vulnerability in legitimate productivity software. The attack demonstrates how benign system features can transform into persistent footholds when chained with specialized malware.
Organizations face dual exposure here. First, endpoint security must defend against RAT variants and custom plugins that bypass traditional signature detection. Second, credential management hygiene matters enormously. Systems storing credentials insecurely or failing to rotate them after suspicious activity create extended risk windows. OTP implementations using SMS or email delivery remain vulnerable to interception during active sessions, though authenticator app-based OTPs offer slightly stronger resistance.
Available reporting gave no patch status, so users should assume Windows Phone Link installations require heightened scrutiny. Network defenders should monitor for unusual Phone Link activity paired with unexpected credential validation attempts. The Pheno plugin's custom nature suggests targeted reconnaissance
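The monitoring advice above, as an added example that is not from the original report or from the researchers: a small Python correlation over constructed log lines that flags hosts where Phone Link (process name PhoneExperienceHost.exe) spawns a shell or script host and a credential validation follows within a short window. The log line format, the OTP_VALIDATE/PASSWORD_VALIDATE event names and the child-process watchlist are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample telemetry (not from the original report).
# Line format (assumed): "<ISO time> <host> <process|auth> <detail>".
SAMPLE_EVENTS = [
    "2024-05-01T09:00:05Z ws-17 process PhoneExperienceHost.exe->cmd.exe",
    "2024-05-01T09:00:41Z ws-17 auth OTP_VALIDATE user=jdoe result=failure",
    "2024-05-01T09:01:10Z ws-17 auth OTP_VALIDATE user=jdoe result=success",
    "2024-05-01T10:00:00Z ws-17 auth OTP_VALIDATE user=jdoe result=success",
    "2024-05-01T09:30:00Z ws-22 process PhoneExperienceHost.exe->PhoneExperienceHost.exe",
    "2024-05-01T09:31:00Z ws-22 auth OTP_VALIDATE user=asmith result=success",
    "2024-05-01T13:00:00Z ws-09 auth PASSWORD_VALIDATE user=bkim result=failure",
]

# Children a companion app has no business launching (assumed watchlist).
UNUSUAL_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "rundll32.exe"}


@dataclass
class Event:
    ts: datetime
    host: str
    kind: str    # "process" or "auth"
    detail: str


def parse(line):
    ts, host, kind, detail = line.split(" ", 3)
    return Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, kind, detail)


def is_suspicious_phonelink(e):
    """Phone Link (PhoneExperienceHost.exe) spawning a shell or script host."""
    if e.kind != "process" or not e.detail.startswith("PhoneExperienceHost.exe->"):
        return False
    return e.detail.split("->", 1)[1].lower() in UNUSUAL_CHILDREN


def correlate(lines, window_seconds=600):
    """Map host -> credential validations that follow suspicious Phone Link
    activity on that host within window_seconds. Empty dict: nothing to triage."""
    window = timedelta(seconds=window_seconds)
    events = sorted((parse(l) for l in lines), key=lambda e: e.ts)
    hits = {}
    for anchor in filter(is_suspicious_phonelink, events):
        for e in events:
            if (e.host == anchor.host and e.kind == "auth"
                    and anchor.ts <= e.ts <= anchor.ts + window):
                hits.setdefault(anchor.host, []).append(e.detail)
    return hits
```

On the constructed sample, only ws-17 is reported: the two OTP validations within ten minutes of Phone Link launching cmd.exe, while the later validation and the other hosts fall outside the correlation.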
