HACKERS SPREAD REMOTE ACCESS TROJANS THROUGH LINKEDIN PHISHING

Cybersecurity researchers have identified a new phishing campaign that uses social media private messages to distribute malicious payloads, with the apparent goal of installing a remote access trojan (RAT) on victim systems.

According to a reliable source, the attackers send LinkedIn direct messages to high-value targets, build trust, and trick them into downloading a malicious WinRAR self-extracting archive. This archive delivers weaponized files through Dynamic Link Library (DLL) sideloading alongside a legitimate open-source Python penetration testing script.

Once executed, the archive extracts four components: a legitimate open-source PDF reader, a malicious DLL designed for sideloading, a portable Python interpreter executable, and a decoy RAR file. When the PDF reader runs, it loads the rogue DLL from its own directory in place of the library it expects, triggering the infection chain. DLL sideloading has become a favored technique among threat actors because it abuses trusted, often signed applications to hide malicious activity and evade detection.

In the campaign analyzed, the sideloaded DLL installs the Python interpreter and creates a Windows Registry Run key to ensure persistence. The interpreter then executes Base64-encoded shellcode directly in memory, minimizing forensic traces on disk. The final payload connects to an external command-and-control server, enabling persistent remote access and data exfiltration.
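The two observable steps in that chain (an unsigned DLL loaded from the application's own directory, and a Run key whose command launches a Python interpreter with inline Base64 code) can be checked in endpoint telemetry. The following is an added detection example, not code from the article or from ReliaQuest; the event dictionaries mimic Sysmon field names (EventID 7 = ImageLoaded, 13 = RegistryEvent SetValue) and the sample events, paths and key names are constructed.

```python
"""Heuristic detections for the chain above: DLL sideload candidates and
Run-key persistence that launches a Python interpreter with inline code."""
import ntpath
import re

SAMPLE_EVENTS = [  # constructed sample telemetry, not real events
    {"EventID": 7, "Image": r"C:\Users\u\AppData\Local\Temp\sfx\pdfreader.exe",
     "ImageLoaded": r"C:\Users\u\AppData\Local\Temp\sfx\version.dll", "Signed": "false"},
    {"EventID": 7, "Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll", "Signed": "true"},
    {"EventID": 13, "Image": r"C:\Users\u\AppData\Local\Temp\sfx\pdfreader.exe",
     "TargetObject": r"HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\u\AppData\Roaming\py\python.exe -c "
                "\"import base64;exec(base64.b64decode('aW1wb3J0IG9z'))\""},
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Vendor",
     "Details": r"C:\Program Files\Vendor\vendor.exe"},
]

SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
RUN_KEY_RE = re.compile(r"\\currentversion\\run(once)?\\", re.IGNORECASE)
PYTHON_RE = re.compile(r"\bpython\w*\.exe\b", re.IGNORECASE)
INLINE_CODE_RE = re.compile(r"base64|b64decode|\s-c\s", re.IGNORECASE)

def is_sideload_candidate(ev):
    """Unsigned DLL loaded from the loading EXE's own directory, outside system dirs.
    Heuristic only: legitimate unsigned apps that ship their own DLLs also match."""
    if ev.get("EventID") != 7:
        return False
    dll_dir = ntpath.dirname(ev["ImageLoaded"]).lower()  # ntpath: Windows paths on any host
    if dll_dir.startswith(SYSTEM_DIRS):
        return False
    same_dir = dll_dir == ntpath.dirname(ev["Image"]).lower()
    return same_dir and ev.get("Signed", "false").lower() != "true"

def is_python_run_key(ev):
    """Run/RunOnce value whose command starts a Python interpreter with inline code."""
    if ev.get("EventID") != 13 or not RUN_KEY_RE.search(ev.get("TargetObject", "")):
        return False
    details = ev.get("Details", "")
    return bool(PYTHON_RE.search(details) and INLINE_CODE_RE.search(details))

def scan(events):
    """Return (rule name, process that loaded the DLL / wrote the key) per match."""
    hits = []
    for ev in events:
        if is_sideload_candidate(ev):
            hits.append(("dll_sideload_candidate", ev["Image"]))
        if is_python_run_key(ev):
            hits.append(("python_run_key_persistence", ev["Image"]))
    return hits
```

Both rules fire on the same process in the sample, which is the correlation worth alerting on; either rule alone produces more noise.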

Researchers note that at least three recent campaigns have used DLL sideloading to spread malware families such as LOTUSLITE and PDFSIDER, along with information stealers and other trojans.

The operation highlights how attackers increasingly abuse legitimate open-source tools and social media messaging instead of traditional email phishing. Because direct messages on platforms like LinkedIn are typically less monitored, these attacks are harder to detect and measure.

ReliaQuest reports the campaign appears broad and opportunistic, affecting multiple industries and regions. Once attackers gain access, they can escalate privileges, move laterally through corporate networks, and steal sensitive data.

LinkedIn-based attacks are not new. In recent years, North Korean threat groups tied to campaigns such as CryptoCore and Contagious Interview have similarly targeted professionals with fake job opportunities that lure victims into executing malicious files.