Cisco Talos identified an intrusion campaign utilizing the CloudZ RAT and a novel plugin named Pheno to intercept SMS and OTP messages. The malware abuses the Microsoft Phone Link application's PC-to-phone bridge, allowing attackers to steal sensitive authentication data from local SQLite databases without deploying malware directly to the victim's mobile device.