
ZDNET’s key takeaways
- The CloudZ Trojan steals data through Microsoft Phone Link.
- The campaign has been active since at least January 2026.
- Follow our practices to protect yourself from the CloudZ Trojan.
Cisco Talos researchers have detailed a Remote Access Trojan (RAT) that can steal your credentials the moment you launch the Microsoft Phone Link app to connect your phone to your PC.
What is Microsoft Phone Link?
Microsoft Phone Link is an app you may not be aware of, but it comes preinstalled on Windows 10 and 11. Formerly branded as Your Phone, this application allows users to connect their phone to a Windows PC via Bluetooth and Wi-Fi.
The app supports Android and iOS and can be used to answer calls, reply to text messages from your computer, and receive notifications. On Android, you can also view and share your camera reel.
What is CloudZ?
CloudZ is a modular Remote Access Trojan (RAT), compiled as a .NET executable and equipped with a range of defenses against analysis and reverse engineering, including obfuscation and the detection of debuggers and profilers in its environment.
The malware loads its instructions into memory during execution, establishes a connection to a command-and-control (C2) server, and executes PowerShell scripts to extract, download, and exfiltrate data to the attacker-controlled C2 server.
While the researchers did not document any specific methods of initial intrusion, if CloudZ has infected a Windows PC, the Trojan can spy on these systems using the newly discovered “Pheno” plugin. Pheno is a malicious module in CloudZ that’s designed to monitor and scan for active Phone Link processes.
Once CloudZ is alerted to an active connection through Pheno’s surveillance capabilities, the Trojan attempts to hijack and intercept the Phone Link application’s SQLite database file. If successful, CloudZ can steal sensitive information as it passes from the smartphone to the PC, including credentials, SMS messages, and potentially one-time passcodes (OTPs).
This Trojan abuses legitimate Windows functions rather than exploiting an application vulnerability, a common practice among many surveillance- and data-theft-focused malware strains.
Why should I care?
This research is a reminder that malware doesn’t need to infect your Android or iOS smartphone to compromise the information on your handset. Any form of connection, whether Wi-Fi, Bluetooth, or a link forged between your home PC and other devices, comes with risk, especially at a time when cybercriminals are constantly developing new methods to steal our information, spy on us, or damage our systems.
Cisco Talos’ latest research highlights how cross-device syncing attacks can occur to bypass modern security controls, such as two-factor authentication (2FA) and OTP delivery. Just because you own both devices doesn’t mean they are both safe or trustworthy.
How to stay protected
This attack chain can be broken down into distinct steps, and at each stage there are security practices and methods we can use to reduce our risk of becoming a victim of CloudZ and similar threats.
While Cisco Talos researchers aren’t sure of the initial attack vector, when the malware landed on a Windows PC, it executed as a fake ScreenConnect application update, which then deployed the RAT.
This approach gives us several pointers to staying protected:
- Initial access point: Trojans are often spread disguised as legitimate software. They may be downloaded from social media, via phishing links, or found on warez websites. You should only ever download software from official sources, and even then, enable real-time file scanning through your antivirus program or app to detect suspicious files.
- Pirate content: Trojans and associated malware are also often included in bundles of pirated software. Unless the software is licensed, you are putting your PC at risk, and these kinds of RATs could lurk on your system undetected for a long time before they trigger and steal your data.
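Two of the behaviours described above, a foreign process reading the Phone Link SQLite database and PowerShell being launched by a fake ScreenConnect update, can be turned into simple detection rules. The following is an added example written for this article, not code from Cisco Talos or ZDNET; it runs over constructed, simplified telemetry, and it assumes (not stated in the article) that the Phone Link host process is PhoneExperienceHost.exe and that its database lives under a package directory whose name begins with Microsoft.YourPhone_.

```python
from dataclasses import dataclass

# Assumptions (not from the article): the Phone Link host process name and the
# package directory prefix that holds its SQLite database.
PHONE_LINK_PROCESS = "phoneexperiencehost.exe"
PHONE_LINK_PKG = "microsoft.yourphone_"

@dataclass
class Event:
    kind: str          # "file_open" or "process_create"
    image: str         # full path of the acting process
    target: str        # file path (file_open) or command line (process_create)
    parent: str = ""   # parent image path (process_create only)

def base(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def detect(events):
    """Return (rule_name, event) pairs for events matching the CloudZ pattern."""
    alerts = []
    for e in events:
        if e.kind == "file_open":
            # Rule 1: a process other than Phone Link itself opening the
            # Phone Link SQLite database (the interception step in the article).
            t = e.target.lower()
            if PHONE_LINK_PKG in t and t.endswith((".db", ".db-wal", ".sqlite")) \
                    and base(e.image) != PHONE_LINK_PROCESS:
                alerts.append(("foreign_process_reads_phone_link_db", e))
        elif e.kind == "process_create":
            # Rule 2: PowerShell started by something posing as a ScreenConnect
            # update (the delivery step the article reports).
            if base(e.image) in ("powershell.exe", "pwsh.exe") \
                    and "screenconnect" in base(e.parent):
                alerts.append(("powershell_from_screenconnect_lookalike", e))
    return alerts

# Constructed sample telemetry; every path and name here is illustrative, not a real IoC.
DB = r"C:\Users\u\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\LocalCache\messages.db"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE = [
    Event("file_open", r"C:\Program Files\WindowsApps\YourPhone\PhoneExperienceHost.exe", DB),
    Event("file_open", r"C:\Users\u\AppData\Roaming\svc\cloudz.exe", DB),
    Event("process_create", PS, "powershell.exe -NoProfile -WindowStyle Hidden -File update.ps1",
          parent=r"C:\Users\u\Downloads\ScreenConnect_Update.exe"),
    Event("process_create", PS, "powershell.exe Get-Date", parent=r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for rule, ev in detect(SAMPLE):
        print(f"{rule}: {ev.image} -> {ev.target}")
```

Only the second and third sample events should fire; the legitimate Phone Link read and the Explorer-launched PowerShell are left alone.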
You should also be aware of the risks posed by PC-to-phone bridges. These bridges are useful features, absolutely, but we need to keep each ‘zone’ clean and free from infection:
- Cross-contamination: If either your PC or smartphone is infected with malware, it could leap from device to device without your knowledge. Trojans and worms can often spread across networks and systems, so running frequent malware and antivirus scans can keep each machine clean.
- USB: A further security tip is to never connect your machine to an unknown or untrusted device — including smartphones, tablets, and USB storage devices.