Cofense Intelligence reports a strategic shift in phishing operations toward platform-aware delivery, where threat actors fingerprint victim devices via browser User-Agent strings and deliver OS-specific payloads from a single landing page. Windows users receive legitimate remote access tools like ConnectWise RAT or Itarian RAT repurposed as malware, while MacOS and Android users are redirected to credential phishing pages. The abuse of legitimate RATs evades signature-based detection, and platform-siloed security tools fail to correlate the campaign across operating systems, leaving organizations with an incomplete picture of the intrusion scope.