"The tactics, techniques and procedures deployed by Silver Spaniel actors indicate their sophistication level is low compared to that of nation state sponsored actors and advanced cybercriminals," the report said.
Silver Spaniel is the code name researchers have given to the attackers' activities and techniques.
Palo Alto is not the first to spot the evolution of 419 scams. In November 2013, Trend Micro spotted similar attackers using malware called Ice IX, a variant of the Zeus Trojan, to try to capture online banking credentials.
Palo Alto identified alleged Nigerian attacker Ojie Victor as an example of the transition from 419 scammer to malware operator.
Victor came to the attention of researchers through a post on his Facebook account. Victor had sought help May 6 in using the latest release of NetWire.
The cover photo on Victor's Facebook profile shows a hand holding a small stack of $100 bills. Victor uses the handle "lovenotwars" on Facebook and many other locations on the Web, including dating websites.
Scammers often set up fake dating profiles to trick people into thinking they have entered an online relationship. Once hooked, the crooks try to trick the victims into sending money.
"While we have not connected Ojie Victor to specific attacks on Palo Alto Networks customers, his activities represent the characteristics of the Silver Spaniel campaign: individuals who began their criminal careers operating 419 scams and are evolving their craft to use malware tools found on underground forums," the research report said.
Sign up for CIO Asia eNewsletters.