Cyber: Breaking: CloudZ Malware Abuses Phone Link to Steal SMS OTPs


A Windows malware toolkit has been observed stealing SMS messages and one-time passwords (OTPs) from victim machines by hijacking Microsoft's Phone Link application, sidestepping the need to directly compromise a target's mobile device. The activity has been ongoing since at least January 2026, according to new analysis from Cisco Talos researchers.

At the heart of the operation are a remote access tool (RAT) called CloudZ and a previously undocumented plugin named Pheno. The tools work together to harvest credentials and intercept authentication codes synced from a paired smartphone.

Microsoft Phone Link, formerly known as Your Phone, is built into Windows 10 and 11 and mirrors smartphone notifications, SMS messages and call logs onto the desktop over Wi-Fi and Bluetooth. Synchronized data is written to local SQLite database files on the PC, including one named PhoneExperiences-*.db. Cisco Talos said this design allowed attackers to capture mobile content from the endpoint without ever touching the phone.

The Pheno plugin continuously scans running processes for keywords associated with Phone Link, such as YourPhone, PhoneExperienceHost and Link to Windows. When a match is found, it logs the process details to staging folders and then checks the output for the string "proxy", which indicates the local relay used by an active Phone Link session. If a live session is confirmed, Pheno tags the system as "Maybe connected", flagging it for follow-on data collection by the operator.

The observed infection chain began with the execution of a fake ScreenConnect update, the initial access vector for which remains unknown at the time of writing.
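The defensive angle the article implies is that the Phone Link SQLite store has exactly one legitimate reader, so any other process opening PhoneExperiences-*.db (or its SQLite -wal / -journal sidecars, which hold rows not yet merged into the main file) is worth an alert. The following Python is an added example, not code from the article or from Cisco Talos: it runs that check over a constructed, pipe-delimited file-access log. The log format, the file paths, the placeholder package directory and the assumption that PhoneExperienceHost.exe is the only expected reader are all mine; only the process name and the database name pattern come from the article.

```python
"""Flag processes other than Phone Link itself that read the Phone Link SQLite store.

Added example (not from the article or the Talos analysis). The telemetry below is a
constructed pipe-delimited file-access log, not a real EDR or Sysmon schema.
"""
import fnmatch
import ntpath

# PhoneExperienceHost is the Phone Link process named in the article; treating it as
# the only legitimate reader of the database is an assumption made for this example.
EXPECTED_READERS = {"phoneexperiencehost.exe"}

# File name pattern from the article, widened with a trailing '*' so that SQLite's
# -wal and -journal sidecar files (which hold recently written rows) are covered too.
DB_PATTERN = "phoneexperiences-*.db*"

# Event types that hand file content to the reading process (names are constructed).
READ_LIKE_EVENTS = {"FileRead", "FileCopy", "FileMapped"}

# Constructed sample telemetry: timestamp|event|process image|target path.
# 'PhoneLinkPackage_Placeholder' stands in for the real package directory name.
SAMPLE_EVENTS = """\
2026-02-03T09:14:02Z|FileRead|C:\\Program Files\\WindowsApps\\PhoneLinkPackage_Placeholder\\PhoneExperienceHost.exe|C:\\Users\\alice\\AppData\\Local\\Packages\\PhoneLinkPackage_Placeholder\\LocalCache\\PhoneExperiences-42.db
2026-02-03T09:15:11Z|FileRead|C:\\Windows\\explorer.exe|C:\\Users\\alice\\Documents\\notes.db
2026-02-03T09:16:40Z|FileCopy|C:\\Users\\alice\\AppData\\Roaming\\ScreenConnect-Update\\update.exe|C:\\Users\\alice\\AppData\\Local\\Packages\\PhoneLinkPackage_Placeholder\\LocalCache\\PhoneExperiences-42.db
2026-02-03T09:16:41Z|FileRead|C:\\Users\\alice\\AppData\\Roaming\\ScreenConnect-Update\\update.exe|C:\\Users\\alice\\AppData\\Local\\Packages\\PhoneLinkPackage_Placeholder\\LocalCache\\PhoneExperiences-42.db-wal
2026-02-03T09:17:05Z|FileWrite|C:\\Program Files\\WindowsApps\\PhoneLinkPackage_Placeholder\\PhoneExperienceHost.exe|C:\\Users\\alice\\AppData\\Local\\Packages\\PhoneLinkPackage_Placeholder\\LocalCache\\PhoneExperiences-42.db
this line is malformed and must be skipped without raising
"""


def parse_event(line):
    """Split one telemetry line into a dict, or return None if it is malformed."""
    parts = line.rstrip("\r\n").split("|")
    if len(parts) != 4:
        return None
    ts, event, image, target = parts
    return {"ts": ts, "event": event, "image": image, "target": target}


def is_phone_link_store(path):
    """True if the path's file name matches the Phone Link database or a SQLite sidecar."""
    # ntpath handles backslash paths correctly even when this runs on Linux.
    return fnmatch.fnmatch(ntpath.basename(path).lower(), DB_PATTERN)


def find_suspicious_readers(log_text):
    """Return {process image: {count, files, first_seen}} for every process other than
    the expected Phone Link reader that performed a read-like access on the store."""
    hits = {}
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None or ev["event"] not in READ_LIKE_EVENTS:
            continue
        if not is_phone_link_store(ev["target"]):
            continue
        if ntpath.basename(ev["image"]).lower() in EXPECTED_READERS:
            continue
        entry = hits.setdefault(
            ev["image"], {"count": 0, "files": set(), "first_seen": ev["ts"]}
        )
        entry["count"] += 1
        entry["files"].add(ntpath.basename(ev["target"]))
    return hits


if __name__ == "__main__":
    for image, info in find_suspicious_readers(SAMPLE_EVENTS).items():
        print(f"ALERT {info['first_seen']} {image} read {sorted(info['files'])} "
              f"({info['count']} accesses)")
```

Matching on the file name rather than a full path keeps the rule independent of the per-user package directory, and including the sidecar files matters because an attacker copying only the main .db file would still miss the freshest OTPs while one copying the -wal file would not; both cases should raise the same alert. In a real deployment the allow-list would be pinned to the signed Phone Link binary path rather than a bare process name.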

Source: InfoSecurity Magazine