A new report from Cofense reveals that cybercriminals are blending phishing and malware, including Muck Stealer, Info Stealer, ConnectWise RAT, and SimpleHelp RAT in dual-threat attacks, making them harder to defend against.
According to cybersecurity researchers at Cofense, a cyber threat intelligence firm, threat actors have begun combining credential phishing and malware. This dual-threat approach makes a single attack much harder for companies to defend against.
An email, for instance, was once assumed to be either a credential phishing attempt or a malware delivery attempt. Now, however, criminals are using a new strategy. By combining both methods, they can succeed even if a company has invested heavily in one area of protection over the other.
A Mix of Tactics
The report revealed that attackers are using several different methods to launch these combined attacks. In one campaign from December 2024, attackers first used a malicious downloader that installed Muck Stealer malware on a victim’s computer. The malware then launched a fake login page to collect additional information. According to the researchers, the HTML file for that page also served as a “method of disguising Muck Stealer’s activities.”
In another campaign from January 2025, the approach was reversed. Victims were first directed to a credential phishing page where they were asked to enter their login details. As soon as they entered their information, a customised Information Stealer was downloaded and installed on their computer. Researchers noted that criminals were deliberately “doubling up and very specifically targeting the Microsoft Office credentials of victims.”

More Adaptable and Dangerous
In another notable campaign, threat actors were seen spoofing the American Social Security Agency. These benefits-themed emails contained an embedded link that, when clicked, first downloaded ConnectWise RAT and then led the victim to an extensive credential phishing page. This page then collected specific personal details that the malware couldn’t, including the victim’s Social Security Number, mother’s maiden name, and phone carrier PIN.
The report also detailed an interesting campaign from July 2025, where the malware payload was changed depending on the victim’s device. For example, the link opened on a Windows computer would lead to a fake Microsoft Store page that downloaded SimpleHelp RAT (a type of software that lets an attacker control the computer), while the same link opened on an Android phone would deliver a different kind of malware designed specifically for that system.
A common link in many of these campaigns is the delivery of ConnectWise RAT. The report, which was shared with Hackread.com, concludes that having multiple attack methods allows criminals to gather more information and bypass security designed to catch only one type of threat, marking a noteworthy shift in how cybercriminals are operating.