Cisco Talos observed a CloudZ RAT with a Pheno plugin exploiting Microsoft Phone Link's SQLite database to intercept SMS-based OTPs and authenticator notifications. The malware monitors active PC-to-phone bridges established by Phone Link, accessing synchronized data without deploying malware on the mobile device.
