Trojan abuses Microsoft Phone Link app to steal your passwords
ID: 58088d57-dd54-5adc-9f33-02915e085430
STIX ID: report--58088d57-dd54-5adc-9f33-02915e085430
Feed Name: ZDNet Security
**Executive summary:** CloudZ is a modular .NET Remote Access Trojan active since at least January 2026. Its 'Pheno' plugin monitors the Microsoft Phone Link app on Windows and attempts to hijack the app's SQLite database, which would enable theft of credentials, SMS messages and potentially one-time passcodes, and so a potential bypass of SMS-based 2FA. The malware employs obfuscation, anti-analysis checks, memory-only loading and PowerShell-based exfiltration, and was observed being deployed via a fake ScreenConnect update. The case highlights the risk of cross-device syncing attacks: secrets mirrored from a phone to a paired PC inherit the PC's attack surface.
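The two behaviours the summary singles out, an unrelated process writing into Phone Link's local database and PowerShell spawned by an odd parent and then talking to the network, are the kind of thing a hunt rule can catch on endpoint telemetry. The following is an added example written for this page, not code from the report, the vendor or the malware: it runs two rules over simplified Sysmon-style events (EventID 11 FileCreate, 1 ProcessCreate, 3 NetworkConnect) and correlates a suspicious PowerShell launch with its later outbound connection by ProcessGuid. It assumes Phone Link's Windows process is `PhoneExperienceHost.exe` and that its data lives under the package folder `Microsoft.YourPhone_8wekyb3d8bbwe`; the event dicts, paths, GUIDs and the `ScreenConnectUpdate.exe` dropper name are constructed sample data.

```python
"""Hunt rules for Phone Link database tampering and PowerShell exfiltration.

Added illustration, not code from the report or the malware. Event shape is a
simplified Sysmon-style dict; all sample events below are constructed.
Assumptions: Phone Link runs as PhoneExperienceHost.exe and keeps its local
cache under ...\\Packages\\Microsoft.YourPhone_8wekyb3d8bbwe\\.
"""
import re
from typing import Iterable

# Assumed package folder of Phone Link (matched case-insensitively as a substring).
PHONE_LINK_PKG = "\\packages\\microsoft.yourphone_8wekyb3d8bbwe\\"
# Assumed allowlist of images expected to write into that folder.
PHONE_LINK_IMAGES = {"phoneexperiencehost.exe", "yourphone.exe"}
# Parents from which a PowerShell launch is considered unremarkable (tune per estate).
BENIGN_PS_PARENTS = {"explorer.exe", "cmd.exe", "windowsterminal.exe", "code.exe"}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}
ENCODED_FLAG = re.compile(r"(?i)(^|\s)-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}")


def _base(image: str) -> str:
    """Lower-cased file name of an image path, tolerating either slash style."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events: Iterable[dict]) -> list[dict]:
    """Return alerts for Phone Link cache tampering and PowerShell exfil candidates."""
    alerts = []
    suspicious_ps = {}  # ProcessGuid -> launch details, for later network correlation
    for ev in events:
        image = _base(ev.get("Image", ""))
        guid = ev.get("ProcessGuid", "")
        if ev.get("EventID") == 11:
            target = ev.get("TargetFilename", "").replace("/", "\\").lower()
            if PHONE_LINK_PKG in target and image not in PHONE_LINK_IMAGES:
                alerts.append({"rule": "phone_link_cache_tamper", "process_guid": guid,
                               "image": ev.get("Image", ""), "target": ev.get("TargetFilename", "")})
        elif ev.get("EventID") == 1 and image in POWERSHELL_IMAGES:
            parent = _base(ev.get("ParentImage", ""))
            if parent not in BENIGN_PS_PARENTS:
                cmd = ev.get("CommandLine", "")
                suspicious_ps[guid] = {"parent": ev.get("ParentImage", ""),
                                       "encoded": bool(ENCODED_FLAG.search(cmd))}
                alerts.append({"rule": "suspicious_powershell_launch", "process_guid": guid,
                               **suspicious_ps[guid]})
        elif ev.get("EventID") == 3 and guid in suspicious_ps:
            # A flagged PowerShell process now reaching out: exfiltration candidate.
            alerts.append({"rule": "powershell_exfil_candidate", "process_guid": guid,
                           "dest": f"{ev.get('DestinationIp')}:{ev.get('DestinationPort')}",
                           **suspicious_ps[guid]})
    return alerts


PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CACHE = r"C:\Users\alice\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\LocalCache\Indexed"
DROPPER = r"C:\Users\alice\AppData\Local\Temp\ScreenConnectUpdate.exe"  # constructed name
SAMPLE_EVENTS = [  # constructed telemetry
    # Benign: Phone Link itself updating its own cache.
    {"EventID": 11, "ProcessGuid": "{A1}",
     "Image": r"C:\Program Files\WindowsApps\Microsoft.YourPhone_1.0.0.0_x64\PhoneExperienceHost.exe",
     "TargetFilename": CACHE + r"\cache.db-wal"},
    # Suspicious: an unrelated binary writing into the Phone Link cache.
    {"EventID": 11, "ProcessGuid": "{B2}", "Image": DROPPER, "TargetFilename": CACHE + r"\cache.db"},
    # Suspicious: that binary spawns encoded PowerShell, which then connects out.
    {"EventID": 1, "ProcessGuid": "{C3}", "Image": PS_IMAGE, "ParentImage": DROPPER,
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"EventID": 3, "ProcessGuid": "{C3}", "Image": PS_IMAGE,
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    # Benign: an operator runs PowerShell from Explorer and it connects out.
    {"EventID": 1, "ProcessGuid": "{D4}", "Image": PS_IMAGE, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -File C:\\scripts\\inventory.ps1"},
    {"EventID": 3, "ProcessGuid": "{D4}", "Image": PS_IMAGE,
     "DestinationIp": "203.0.113.11", "DestinationPort": 443},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Run against the constructed sample, the rules fire three times: the cache write by the dropper, the PowerShell launch parented by that dropper, and the same PowerShell process's outbound connection, while Phone Link's own write and the Explorer-launched PowerShell stay quiet. The correlation by ProcessGuid is what separates "PowerShell made a connection" (noise) from "PowerShell that an odd parent started made a connection", and the allowlists are the knobs to tune per environment.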
