Crafty Phishing Campaigns Auto-Adapt to Victim’s Device, OS

Phishing Campaigns Get Smarter, Auto-Adapt to Victim’s Device and OS

Threat actors have upped their phishing game by creating campaigns that can automatically adapt to a target’s device and operating system. This sophisticated approach has significantly increased the chances of successful attacks and made it more profitable for hackers.

According to research published by anti-phishing security vendor Cofense, modern phishing campaigns often involve targeted and tailored emails with complex narratives relevant to the victim. Once the victim clicks on a link or attachment, the attacker can collect information about their user-agent data – a string of text data that Web browsers and applications send when loading a webpage. This data allows hackers to fingerprint victims and gather sensitive information such as email addresses, browser details, device specifics, language, location, and more.

The collected data is then used to deliver the most effective payload for each environment. For example, Cofense has observed phishing landing pages that delivered FleetDeck malware for macOS or Tiflux RAT for Windows, depending on the detected operating system. This multiplatform approach has become increasingly common, with many campaigns using “technically legitimate remote access tools” repurposed to act as remote access trojans – harder to detect by automated defenses.

Moreover, threat actors are leveraging platforms like Telegram to exfiltrate and save the collected information more frequently. Phishing landing pages now mimic download screens of popular services such as Google, Docusign, Microsoft Teams, Adobe, and Zoom, based on telemetry picked up from the victim’s browser.

The reason behind this shift towards platform-aware techniques is simple: better economics for attackers. By identifying a victim’s device and delivering the most effective payload, threat actors can reach more targets, increase compromise rates, and extract more valuable information from each interaction. This approach allows them to monetize clicks and credentials even when victims are on unsupported platforms.

The use of large language models, phishing kits, and emerging tactics like ClickFix has also contributed to the sophistication of modern phishing campaigns. As a result, hackers can now generate high-quality phishing emails in multiple languages, conduct complex attacks with ease, and adapt their strategies to evade detection.

So, what does this mean for us? It’s essential to stay vigilant against these increasingly sophisticated threats. By being aware of the latest tactics and adapting our security measures accordingly, we can reduce the likelihood of falling victim to a successful phishing attack. This includes staying informed about platform-aware techniques, implementing robust user-agent blocking mechanisms like Cloudflare, and educating ourselves on the signs of phishing attempts. Remember, it’s always better to be proactive than reactive when it comes to cybersecurity.


Source: Dark Reading — 2026-07-01