Windows Malware Turns PCs Into OTP Theft Gateways, Phone Link Under Cyber Attack
A new cybersecurity threat revealed by Cisco Talos shows attackers exploiting Windows Phone Link to steal SMS and OTP codes through hidden malware tools and remote access systems, raising serious concerns about digital authentication safety worldwide

A growing cybersecurity concern is emerging from an unexpected angle, where Windows computers are now being used as a gateway to steal sensitive SMS messages and OTP codes. Instead of directly targeting smartphones, attackers are silently exploiting the connection between phones and PCs, making the threat harder to detect and far more dangerous for everyday users.
At the center of this attack is Microsoft Phone Link, a feature built into Windows 10 and Windows 11 that allows users to sync messages, calls, and notifications from their Android or iPhone to a computer. While the feature is designed for convenience, security researchers now warn that it can become an entry point for malicious activity when compromised.
According to a detailed report from Cisco Talos, attackers have been using a combination of a remote access tool called CloudZ and a plugin named Pheno. These tools work together to quietly scan Windows systems for Phone Link activity and extract sensitive data such as SMS messages, OTPs, and authentication codes stored in the system's local database files.
The attack does not rely on breaking into the phone itself. Instead, it focuses on detecting active Phone Link sessions on the computer. The malware specifically searches for processes like YourPhone, PhoneExperienceHost, and Link to Windows. Once it confirms a connection, it marks the system as potentially linked and begins collecting information in the background without alerting the user.
Interestingly, the infection reportedly began through a fake software update file disguised as ScreenConnect. Security experts have not yet confirmed how this file was distributed, but once inside the system, multiple scripts and loaders activated the CloudZ malware and established control over the infected device.
What makes CloudZ particularly concerning is its ability to avoid detection. It actively scans for security tools such as Wireshark, Sysmon, and Procmon, attempting to identify whether it is being monitored. It can also detect virtual machine environments and adjust its behavior to stay hidden from researchers and antivirus systems.
The malware communicates with attacker-controlled servers and even pulls configuration data from platforms like Pastebin. It also mimics normal web traffic by using varied user agent strings, making its activity appear like regular browsing behavior rather than malicious communication.
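The two network behaviours described above, configuration pulls from Pastebin and rotating User-Agent strings, can both be hunted for in egress proxy logs. The script below is an added example written for this article, not code from the Cisco Talos report or from the malware itself. It assumes a simplified proxy log layout (`timestamp host method url "user-agent"`), constructed sample lines, a single paste-site host list, and a threshold of three distinct User-Agent strings per workstation; all of these are illustrative assumptions to be adjusted to a real environment's telemetry.

```python
"""Proxy-log hunt for paste-site configuration fetches and User-Agent rotation.

Added example, not from the Cisco Talos report. The log format, sample lines,
paste-host list and threshold below are assumptions made for illustration.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample proxy log (not real traffic). Assumed field layout:
#   <timestamp> <client-host> <method> <url> "<user-agent>"
SAMPLE_LOG = """\
2024-01-01T10:00:01 ws-finance-07 GET https://pastebin.com/raw/PLACEHOLDER "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120"
2024-01-01T10:00:03 ws-finance-07 POST https://c2.example.invalid/beacon "Mozilla/5.0 (Windows NT 10.0; rv:121.0) Firefox/121"
2024-01-01T10:00:09 ws-finance-07 POST https://c2.example.invalid/beacon "Mozilla/5.0 (Windows NT 10.0) Edge/120"
2024-01-01T10:00:15 ws-finance-07 POST https://c2.example.invalid/beacon "curl/8.4.0"
2024-01-01T10:01:00 ws-hr-02 GET https://intranet.example.invalid/ "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120"
2024-01-01T10:01:05 ws-hr-02 GET https://intranet.example.invalid/news "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120"
2024-01-01T10:02:00 ws-dev-03 GET https://pastebin.com/raw/PLACEHOLDER2 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')

# The article names Pastebin as a configuration source. Treating it as unusual
# for workstations is an assumption; extend the set for your own environment.
PASTE_HOSTS = {"pastebin.com"}


def parse_line(line):
    """Parse one assumed-format log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, host, method, url, ua = m.groups()
    return {
        "ts": ts,
        "host": host,
        "method": method,
        "url": url,
        "ua": ua,
        "dest": urlparse(url).hostname,
    }


def hunt(log_text, ua_threshold=3):
    """Return {client_host: [reasons]} for hosts showing either behaviour.

    ua_threshold is the number of distinct User-Agent strings from one host
    that is treated as rotation (assumed value; tune against a baseline).
    """
    uas = defaultdict(set)          # client host -> distinct User-Agent strings
    paste_hits = defaultdict(list)  # client host -> URLs fetched from paste sites
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        uas[rec["host"]].add(rec["ua"])
        if rec["dest"] in PASTE_HOSTS:
            paste_hits[rec["host"]].append(rec["url"])

    findings = {}
    for host in set(uas) | set(paste_hits):
        reasons = []
        if paste_hits.get(host):
            reasons.append(f"paste-site fetch: {len(paste_hits[host])} request(s)")
        if len(uas[host]) >= ua_threshold:
            reasons.append(f"user-agent rotation: {len(uas[host])} distinct strings")
        if reasons:
            findings[host] = reasons
    return findings


if __name__ == "__main__":
    for host, reasons in sorted(hunt(SAMPLE_LOG).items()):
        print(host)
        for reason in reasons:
            print("  -", reason)
```

On the constructed sample, `ws-finance-07` is flagged for both behaviours, `ws-dev-03` only for the paste-site fetch, and `ws-hr-02` is not flagged. Distinct-User-Agent counts are noisy on hosts that run several browsers or update agents, so the threshold is a starting point for triage rather than a verdict; the paste-site indicator is the more specific of the two for a managed workstation fleet.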
Beyond OTP theft, the toolset is capable of more aggressive actions such as screen recording and credential harvesting. This expands the risk far beyond just message interception and raises concerns about full device compromise if the system is infected.
Cybersecurity experts say this attack highlights a serious weakness in SMS-based authentication systems. If a Windows PC is compromised, attackers may not need access to the phone at all. Instead, they can quietly intercept OTPs and sensitive messages directly from the synced desktop environment, bypassing traditional security expectations and putting users at risk even when their phones remain secure.