Trojan abuses Microsoft Phone Link app to steal your passwords

ZDNET's key takeaways

  • Researchers have discovered a Trojan, CloudZ, that uses a plugin to intercept and steal sensitive information through Microsoft Phone Link.
  • The campaign has been active since at least January 2026, and while the initial entry point isn't clear, it is still a threat to Microsoft-based cross-device syncing. 
  • Follow the practices outlined below to protect yourself from the CloudZ Trojan and similar malware.

Cisco Talos researchers have detailed a Remote Access Trojan (RAT) that can steal your credentials the moment you launch the Microsoft Phone Link app to connect your phone to your PC.

Microsoft Phone Link: where it is and why you have it 

Microsoft Phone Link is an app you may not be aware of, but it comes preinstalled on Windows 10 and 11. Formerly branded as Your Phone, this application allows users to connect their phone to their Windows PC via Bluetooth and Wi-Fi. 

The app supports Android and iOS and can be used to answer calls, reply to text messages from your computer, and receive notifications. On Android, you can also view and share your camera roll.

What is CloudZ, and how does this attack work?

CloudZ is a modular Remote Access Trojan (RAT), compiled as a .NET executable and equipped with a range of defenses against analysis and reverse engineering, including obfuscation and the detection of debuggers and profilers in its environment. 

The malware loads its instructions into memory during execution, establishes a connection to a command-and-control (C2) server, and executes PowerShell scripts to extract, download, and exfiltrate data to the attacker-controlled C2 server. 

While the researchers did not document any specific method of initial intrusion, once CloudZ has infected a Windows PC, it can spy on that system using the newly discovered "Pheno" plugin. Pheno is a malicious CloudZ module designed to continuously monitor and scan for active Phone Link processes.

Once CloudZ is alerted to an active connection through Pheno's surveillance capabilities, the Trojan attempts to hijack and intercept the Phone Link application's SQLite database file. If successful, CloudZ can steal sensitive information as it passes from the smartphone to the PC, including credentials, SMS messages, and potentially one-time passcodes (OTPs). 

This Trojan abuses legitimate Windows functionality rather than exploiting a vulnerability in the application, a common practice among surveillance- and data-theft-focused malware strains.

Why should I care?

This research is a reminder that malware doesn't need to infect your Android or iOS smartphone to compromise the information on your handset. Any form of connection -- whether it is Wi-Fi, Bluetooth, or a link forged between your home PC and other devices -- comes with risk, especially at a time when cybercriminals are constantly developing new methods to steal our information, spy on us, or damage our systems.

Cisco Talos' latest research highlights how attacks on cross-device syncing can bypass modern security controls, such as two-factor authentication (2FA) and OTP delivery. Just because you own both devices doesn't mean they are both safe or trustworthy.

How to stay protected

There are steps in this attack chain that we can follow, and at each stage, there are security practices and methods we can use to reduce our risk of becoming a victim of CloudZ and similar Trojans. 

While Cisco Talos researchers aren't sure of the initial attack vector, in the observed case the malware arrived on the Windows PC disguised as a fake ScreenConnect application update, which then deployed the RAT.

This gives us several pointers to staying protected:

  • Initial access point: Trojans are often spread disguised as legitimate software. They may be downloaded from social media, via phishing links, or found on warez websites. You should only ever download software from official sources, and even then, enable real-time file scanning through your antivirus program or app to detect suspicious files. 
  • Pirate content: Trojans and associated malware are also often included in bundles of pirated software. Unless it's licensed, you are putting your PC at risk, and these kinds of RATs could lurk on your system undetected for a long time before they trigger and steal your data. 

You should also be aware of the risks posed by PC-to-phone bridges. They are useful features, absolutely, but we need to keep each 'zone' clean and free from infection. 

  • Cross-contamination: If either your PC or smartphone is infected by malware, this could leap from device to device without your knowledge. Trojans and worms can often spread across networks and systems, so running frequent malware and antivirus scans can keep each machine clean. 
  • USB: A further security tip is to never connect your machine to an unknown or untrusted device -- including smartphones, tablets, and USB storage devices. 
