
Cybersecurity researchers have uncovered a new and sophisticated phishing campaign that delivers malicious payloads through social media private messaging, particularly LinkedIn direct messages, to target high-value individuals such as IT administrators and corporate executives, most likely with the aim of deploying a remote access trojan (RAT). The attack chain bypasses conventional security controls by delivering the RAT via DLL sideloading.
The activity uses “weaponised files via Dynamic Link Library (DLL) sideloading, combined with a legitimate, open-source Python pen-testing script”, according to a report that ReliaQuest shared with The Hacker News.
The attack involves contacting high-value individuals via LinkedIn messaging, building rapport, and tricking them into downloading a malicious WinRAR self-extracting archive (SFX). Once launched, the archive extracts four distinct components: a legitimate open-source PDF reader application, a malicious DLL that the PDF reader sideloads, a portable executable (PE) of the Python interpreter, and a RAR file that likely serves as a decoy.
When the PDF reader is opened, it sideloads the rogue DLL, which starts the infection chain. Threat actors increasingly use DLL sideloading to evade detection and hide indicators of malicious activity behind legitimate processes, since the malicious code runs inside a trusted, expected binary rather than as a suspicious new one.
DLL sideloading has been used in at least three known campaigns over the past week to distribute commodity trojans, information stealers, and malware families tracked as LOTUSLITE and PDFSIDER.
In the campaign ReliaQuest observed, the sideloaded DLL drops the Python interpreter onto the system and creates a Windows Registry Run key so that the interpreter is launched automatically at every login. The interpreter’s main job is to run open-source, Base64-encoded shellcode directly in memory, so that few forensic artefacts are left on disk.
The final payload then attempts to communicate with an external server, giving the attackers continuous remote access to the compromised machine and a channel over which to exfiltrate data of interest.
The misuse of trusted open-source tools together with phishing messages sent over social media shows that phishing is not limited to email: other delivery channels can exploit gaps in security coverage to raise the odds of success and gain initial access to corporate environments.
ReliaQuest told The Hacker News that the campaign appears to be widespread and opportunistic, with activity observed across several industries and geographical regions. “That said, because this activity plays out in direct messages, and social media platforms are typically less monitored than email, it’s difficult to quantify the full scale,” it stated.
“This approach allows attackers to bypass detection and scale their operations with minimal effort while maintaining persistent control over compromised systems,” the cybersecurity firm stated. “Once inside, they can escalate privileges, move laterally across networks, and exfiltrate data.”
LinkedIn has been abused for targeted attacks before. In recent years, several North Korean threat actors have approached victims on LinkedIn under the guise of a job opportunity and persuaded them to run a malicious project as part of a purported assessment or code review. These actors include those linked to the CryptoCore and Contagious Interview campaigns.
In March 2025, Cofense also described a LinkedIn-themed phishing campaign that used lures styled as LinkedIn InMail notifications to persuade recipients to click a “Read More” or “Reply To” button and download the remote desktop software made by ConnectWise, giving the attackers full control of victim hosts.
“Social media platforms commonly used by businesses represent a gap in most organisations’ security posture,” ReliaQuest stated. “Unlike email, where organisations tend to have security monitoring tools, social media private messages lack visibility and security controls, making them an attractive delivery channel for phishing campaigns.
“Businesses need to broaden their defences beyond email-centric controls and see social media as a major attack surface for initial access.”
As described, the campaign’s capabilities and their impact are:
- Malware Families: The campaign has been observed delivering several RATs and stealers, including AgentTesla, Remcos RAT, QuasarRAT, and XWorm.
- Stealth Tactics: By loading malicious code into a genuine, trusted program, attackers can “live off the land” and evade signature-based detection.
- Post-Infection: Once the malware is running, it lets attackers maintain persistence, escalate privileges, steal confidential information, and move laterally across corporate networks.
In a related development, researchers last week also reported that scammers were flooding LinkedIn articles with fake “reply” comments designed to impersonate the platform and lure users to malicious external websites, further highlighting the growing abuse of social media for cybercrime.