Direct answer
Does phishing always use malware? No. Many campaigns use credential pages or payment/social engineering only, but malware and stealers often overlap with phishing infrastructure.
Credential exposure
Public code, paste, Common Crawl references and breach-adjacent metadata can reveal affected domains or secret types. Normal datasets should store redacted metadata, not raw secrets.
Malware overlap
Phishing campaigns may deliver attachments, fake installers, malicious QR codes, OAuth consent abuse or credential-stealing pages. Evidence must capture attachment metadata, headers, redirects, OCR and source provenance.
Operational handling
PhishNet links credential exposure metadata to brands, domains, campaigns and evidence while keeping raw sensitive values restricted.
How PhishNet uses this
Inside PhishNet this topic is treated as operational graph context: observations are linked to sources, evidence, Belgian relevance, confirmation state, liveness, campaigns and exports. Public pages explain the method; authenticated users can pivot into the full platform workflow when a signal needs investigation or handoff.
Selected sources and research
These pages combine PhishNet platform knowledge with public research, official Belgian sources and open OSINT documentation.
Common questions
Does phishing always use malware?
No. Many campaigns use credential pages or payment/social engineering only, but malware and stealers often overlap with phishing infrastructure.
Should raw credentials be stored in normal datasets?
No. Normal datasets should store redacted metadata, fingerprints and evidence references only.