Hackers Use LinkedIn Messages to Spread RAT Malware Through DLL Sideloading

Cybersecurity researchers have uncovered a sophisticated phishing campaign leveraging LinkedIn private messages to deliver remote access trojan (RAT) malware through a technique known as DLL sideloading. The campaign targets high-value individuals, exploiting trust to trick victims into downloading malicious files.

According to a report from ReliaQuest, attackers send messages that entice recipients to open a WinRAR self-extracting archive (SFX). Once executed, the archive extracts four key components:

  1. A legitimate open-source PDF reader
  2. A malicious DLL sideloaded by the PDF reader
  3. A portable Python interpreter executable
  4. A RAR file serving as a decoy

The infection chain activates when the PDF reader launches, triggering the rogue DLL. DLL sideloading allows malware to piggyback on legitimate applications, making detection difficult while bypassing conventional security measures.

How the Attack Works

The sideloaded DLL drops the Python interpreter onto the victim’s system and establishes a Windows Registry Run key, ensuring the interpreter executes automatically at each login. The Python interpreter then runs a Base64-encoded shellcode directly in memory, avoiding disk-based forensic detection. The final payload connects to a remote server, giving attackers persistent control and enabling data exfiltration.
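As an added defender-side example (not code from the ReliaQuest report or this article), the following Python maps the three stages just described onto simplified Sysmon-style events: an unsigned DLL loaded from beside its host executable in a user-writable directory, a Run key that launches a Python interpreter from a user-writable path, and a Python process carrying a long Base64 token on its command line. The event field names, hostnames, paths and sample values are constructed assumptions, not indicators from the campaign.

```python
import re
from typing import Dict, List, Tuple

# Locations a standard user can write to; a legitimate PDF reader and the
# DLLs it loads would not normally live here (heuristic, not a hard rule).
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|Public)\\", re.I)
PYTHON_EXE = re.compile(r"pythonw?\.exe", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.I)
# A python command line that both references base64 decoding and carries a
# long base64-looking token (the in-memory stage described in the article).
B64_INLINE = re.compile(r"(base64|b64decode).*[A-Za-z0-9+/]{40,}={0,2}", re.I)

def check_event(ev: Dict) -> List[str]:
    """Return the chain stages a single Sysmon-style event matches."""
    hits: List[str] = []
    if ev["event_id"] == 7:  # image (DLL) loaded
        exe_dir = ev["image"].rsplit("\\", 1)[0].lower()
        dll_dir = ev["image_loaded"].rsplit("\\", 1)[0].lower()
        if (ev.get("signed") == "false" and exe_dir == dll_dir
                and USER_WRITABLE.search(ev["image_loaded"])):
            hits.append("sideload: unsigned DLL beside EXE in user-writable dir")
    elif ev["event_id"] == 13:  # registry value set
        if (RUN_KEY.search(ev["target_object"])
                and PYTHON_EXE.search(ev["details"])
                and USER_WRITABLE.search(ev["details"])):
            hits.append("persistence: Run key launches Python from user-writable dir")
    elif ev["event_id"] == 1:  # process created
        if PYTHON_EXE.search(ev["image"]) and B64_INLINE.search(ev["command_line"]):
            hits.append("execution: Python with inline base64 payload")
    return hits

def scan(events: List[Dict]) -> List[Tuple[str, str]]:
    """Run every event through check_event; returns (host, stage) pairs."""
    return [(ev["host"], h) for ev in events for h in check_event(ev)]

# Constructed sample telemetry (not real IoCs); hosts, paths and names are made up.
T = r"C:\Users\alice\AppData\Local\Temp\sfx_4421"
SAMPLE_EVENTS = [
    {"host": "WS01", "event_id": 7, "image": T + r"\PdfReader.exe",
     "image_loaded": T + r"\helper.dll", "signed": "false"},
    {"host": "WS01", "event_id": 13,
     "target_object": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "details": r"C:\Users\alice\AppData\Roaming\pyrt\pythonw.exe loader.py"},
    {"host": "WS01", "event_id": 1, "image": r"C:\Users\alice\AppData\Roaming\pyrt\pythonw.exe",
     "command_line": 'pythonw.exe -c "import base64;base64.b64decode(\'' + "QUFB" * 12 + '\')"'},
    # Benign noise: a signed system DLL loaded by a properly installed reader.
    {"host": "WS01", "event_id": 7, "image": r"C:\Program Files\Reader\Reader.exe",
     "image_loaded": r"C:\Windows\System32\kernel32.dll", "signed": "true"},
]

if __name__ == "__main__":
    for host, stage in scan(SAMPLE_EVENTS):
        print(host, stage)
```

Each check fires on its own, so the same host reporting all three stages in sequence is the signal worth escalating; any single hit alone is a lead to triage, not a verdict.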

ReliaQuest noted that this approach highlights a growing trend: social media platforms as attack vectors. Unlike email, which is typically monitored by security tools, private messaging on platforms like LinkedIn often lacks visibility, making it an attractive vector for phishing campaigns.

Historical Context

LinkedIn-based attacks are not unprecedented. Threat actors, including North Korean groups like CryptoCore, have previously impersonated recruiters or colleagues, convincing victims to execute malicious files under the guise of a job assessment or code review. In March 2025, Cofense reported a campaign exploiting LinkedIn InMail notifications to distribute remote desktop software for full system control.

Implications for Organizations

The campaign observed by ReliaQuest is opportunistic and spans multiple sectors and regions. Attackers can escalate privileges, move laterally across networks, and exfiltrate sensitive data once inside.

ReliaQuest emphasized that organizations must treat social media as a critical attack surface, extending cybersecurity defenses beyond email-based controls. Social engineering attacks through private messages can bypass traditional monitoring and give threat actors a foothold in corporate environments.

“Social media platforms commonly used by businesses represent a gap in most organizations’ security posture,” the report noted. “Extending monitoring and protection to these channels is essential to prevent initial access and lateral movement by threat actors.”

Copyright © 2023 Cyber Reports Cyber Security News. All Rights Reserved.