The Platform You Trust Is the Platform They Target
Cofense Intelligence reports a strategic shift in phishing operations toward platform-aware delivery, where threat actors fingerprint victim devices via browser User-Agent strings and deliver OS-specific payloads from a single landing page. Windows users receive legitimate remote access tools like ConnectWise RAT or Itarian RAT repurposed as malware, while MacOS and Android users are redirected to credential phishing pages. The abuse of legitimate RATs evades signature-based detection, and platform-siloed security tools fail to correlate the campaign across operating systems, leaving organizations with an incomplete picture of the intrusion scope.
- emailfrontdesk[.]mach[@]gmail[.]comSender email address used in a modern phishing campaign targeting a veterinary company, containing an embedded URL to a platform-aware phishing site (ATR 411478).
- filenameGoogleMeet_Ti.msiMalicious MSI installer downloaded from the phishing landing page w0rkplace.de, spoofing Google Meet to deliver RAT payload to Windows users.
- filenametheattorneycasefileeternalblackdoom.TarArchive attachment delivered via traditional phishing email containing a script that executes Ave_Maria Stealer (ATR 389255).
Detection / Hunteropenrouter
What Happened
Cybercriminals are changing how they run phishing attacks. Instead of sending the same malicious email to everyone, they now build phishing pages that detect what kind of device the victim is using (Windows, Mac, Android, or iPhone) and then deliver a different attack depending on the device. A Windows user might get a remote access tool that lets the attacker control their computer, while a Mac or phone user gets a fake login page to steal their password. The criminals profit either way. This matters because most security tools only monitor one type of device at a time, so a single attack campaign looks like three small, unrelated incidents instead of one big one. Organizations should ensure their security monitoring covers all device types and trains employees to recognize unexpected remote access software, even if it looks like a legitimate IT tool.
Key Takeaways
- Threat actors are adopting platform-aware phishing that fingerprints victim devices via browser User-Agent and delivers OS-specific payloads (RATs for Windows, credential phishing for MacOS/Android) from the same landing page.
- Legitimate remote access tools like ConnectWise RAT and Itarian RAT are being repurposed as malware, evading signature-based defenses because they are recognized as trusted applications.
- Platform-centric security architectures fail to correlate a single campaign across Windows, MacOS, and mobile, causing defenders to see three unrelated low-priority alerts instead of one coordinated intrusion.
- Multi-platform kits use open-source fingerprinting JavaScript to collect browser type, OS, language, timezone, screen size, and geolocation before delivering tailored content.
- Initial Access Brokers monetize compromised access through stolen credentials or delivered RATs, establishing persistence and selling access—commonly leading to ransomware.
Affected Systems
- Windows
- MacOS
- Android
- iOS
Vulnerabilities (CVEs)
None identified.
Attack Chain
- Initial Access: Phishing email with targeted narrative contains embedded link or archive attachment directing victim to attacker-controlled landing page.
- Fingerprinting: Landing page executes JavaScript to collect browser User-Agent, OS type, language, timezone, screen dimensions, and geolocation to identify victim platform.
- Decision Point: Based on fingerprint results, the kit delivers platform-specific content—Windows users receive RAT installers while MacOS/Android users are redirected to credential phishing pages.
- Execution (Windows): RAT installer (e.g., GoogleMeet_Ti.msi) executes and installs legitimate remote access tools such as ConnectWise RAT or Itarian RAT, which may further fingerprint the machine and deliver additional payloads.
- Credential Theft (MacOS/Android): Victim is presented with a spoofed credential harvesting page impersonating brands like Google, Adobe, or Microsoft to capture email addresses and passwords.
- Monetization: Stolen credentials or RAT access is sold by Initial Access Brokers, potentially leading to ransomware deployment on enterprise networks.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
The article does not provide any detection rules, queries, or signatures. It references Cofense Active Threat Reports (ATRs) which contain campaign-level IOCs and indicators, but no rule content is included in the blog post itself.
Detection Engineering Assessment
| Dimension | Rating | Rationale |
|---|---|---|
| EDR Visibility | Medium | EDR tools on Windows may detect RAT installation and execution, but legitimate RATs like ConnectWise are often allowlisted or unrecognized as malicious. MacOS and Android endpoints frequently lack EDR coverage entirely, creating blind spots for credential phishing and platform-specific payload delivery. |
| Network Visibility | Medium | Network monitoring can capture redirect chains and connections to phishing landing pages, but TLS encryption and the use of legitimate RAT communication channels make it difficult to distinguish malicious from benign traffic. Cross-platform correlation of network activity is rarely implemented. |
| Detection Difficulty | Hard | The core challenge is that a single campaign delivers different payloads per OS, so no single platform's telemetry tells the full story. Legitimate RATs evade signature-based detection. Correlating activity across Windows, MacOS, and mobile requires integrated telemetry pipelines that most organizations do not have. |
Required Log Sources
- Web proxy logs
- DNS resolution logs
- Email gateway logs
- EDR telemetry (Windows/MacOS)
- MDM logs (mobile)
- Proxy SSL inspection logs
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Consider hunting for unexpected installations of legitimate remote access software such as ConnectWise or Itarian on endpoints where these tools are not part of the approved software baseline. | EDR process execution events, software inventory logs, MSI installation events | Execution | Medium — legitimate IT teams may use these tools; requires baseline comparison to identify anomalies. |
| Consider hunting for web traffic to landing pages that return different content based on User-Agent headers, which may indicate platform-aware phishing kits. | Web proxy logs with User-Agent strings, HTTP response body analysis | Initial Access | Medium — some legitimate websites serve different content per platform; focus on newly observed domains and suspicious URL patterns. |
| Consider hunting for credential submissions to newly registered or low-reputation domains that mimic known brands (Google, DocuSign, Adobe, Zoom, Microsoft Teams). | Web proxy logs, DNS logs, SSL/TLS certificate logs | Credential Access | Low — brand impersonation combined with new domains is a strong indicator of phishing. |
| Consider hunting for JavaScript execution on landing pages that collects navigator and screen properties, which may indicate browser fingerprinting for payload selection. | EDR browser script execution logs, web proxy response body inspection | Reconnaissance | High — fingerprinting scripts are used by many legitimate analytics and CDN platforms. |
Control Gaps
- Signature-based AV and EDR will not flag legitimate remote access tools like ConnectWise RAT as malicious, even when installed via phishing.
- Platform-siloed monitoring tools cannot correlate a single phishing campaign across Windows, MacOS, and mobile endpoints.
- Mobile device management platforms typically do not share session or identity data with network monitoring or EDR, preventing cross-platform attribution.
- Credential phishing on MacOS and mobile devices often occurs outside corporate network infrastructure, making it invisible to on-premise security controls.
- Alert thresholds set independently per OS may not trigger for any single platform even when the combined campaign impact is significant.
Key Behavioral Indicators
- Unexpected presence of ConnectWise RAT, Itarian RAT, or similar legitimate remote access tools on endpoints where they are not part of the approved software baseline.
- MSI or executable files with brand-spoofing names (e.g., GoogleMeet_Ti.msi) downloaded from non-vendor domains.
- Email links redirecting through multiple hops before reaching a landing page that serves different content based on User-Agent.
- Credential submission events to domains that do not match the spoofed brand's legitimate infrastructure.
- Archive attachments with unusual names delivered via email containing script-based loaders.
False Positive Assessment
- Medium — The primary detection challenge is that legitimate remote access tools like ConnectWise are used by IT departments, making it difficult to distinguish authorized from malicious installations without contextual baselines. Browser fingerprinting scripts are also used by many legitimate websites, reducing the specificity of network-based detection.
Recommendations
Immediate Mitigation
- Verify against your organization's incident response runbook and team escalation paths before acting. Consider blocking the identified malicious URL (w0rkplace.de/googlemeett/) and associated domains at your web proxy and DNS filtering layers.
- Consider searching endpoint telemetry for the presence of GoogleMeet_Ti.msi or similar brand-spoofing installer files downloaded from non-vendor domains.
- Evaluate whether any endpoints in your environment have unexpected installations of ConnectWise RAT, Itarian RAT, or Ninite Loader, particularly on machines not managed by your IT department.
Infrastructure Hardening
- Consider implementing cross-platform log aggregation that correlates phishing campaign indicators across Windows, MacOS, and mobile endpoints into a single campaign view.
- Evaluate whether your web proxy can inspect and flag landing pages that serve different content based on User-Agent headers, as this is a hallmark of platform-aware phishing kits.
- If supported by your email gateway, consider adding rules to flag emails containing embedded links to newly registered domains or domains with suspicious URL structures mimicking known brands.
- Consider implementing SSL/TLS inspection for web traffic to enable visibility into redirect chains and payload delivery from phishing landing pages.
User Protection
- Consider extending EDR or endpoint monitoring coverage to MacOS and Android devices, not just Windows endpoints.
- Evaluate whether your mobile device management platform can detect and block credential phishing pages on enrolled devices.
- Consider maintaining an approved software baseline that includes legitimate remote access tools, so unexpected installations can be flagged as anomalies.
Security Awareness
- Consider incorporating training on the abuse of legitimate remote access tools into existing phishing awareness programs, emphasizing that trusted software can be used maliciously.
- Consider educating employees that phishing attacks now adapt to their device type, and that Mac and mobile users are no longer lower-risk targets.
- If applicable, encourage employees to report any unexpected remote access software installations to the security team, even if the software appears legitimate.
MITRE ATT&CK Mapping
- T1566.001 - Phishing: Spearphishing Attachment
- T1566.002 - Phishing: Spearphishing Link
- T1592 - Gather Victim Host Information
- T1219 - Remote Access Software
- T1556 - Modify Authentication Process