New Infostealer Dubbed ‘Pheno’ Hijacks Windows’ Phone Link App to Steal MFA OTPs
ID: 1df143bb-f0fb-556e-9229-b5ce068c1673
STIX ID: report--1df143bb-f0fb-556e-9229-b5ce068c1673
Feed Name: The Cyber Express
Researchers documented an active campaign (since at least January 2026) that deploys a modular .NET RAT called CloudZ together with a plugin named Pheno to steal credentials and intercept SMS/OTP content by abusing Microsoft Phone Link on enterprise-managed Windows endpoints. The attackers use a fake ScreenConnect update to drop a Rust loader and a .NET loader that install CloudZ, establish persistence, and perform sandbox checks before loading Pheno. Pheno reads the local Phone Link SQLite database to harvest synced messages and authenticator notifications, so OTPs are captured on the Windows host rather than on the phone, bypassing protections that focus only on the mobile device.
