Phishing Campaign Uses LinkedIn Messages to Deliver Malware

Cybersecurity researchers have uncovered a phishing campaign that uses private messages on social media platforms, particularly LinkedIn, to distribute malicious files likely intended to deploy a remote access trojan (RAT).

According to ReliaQuest, the attack targets high-value individuals by initiating direct messages on LinkedIn, building trust, and then persuading victims to download a malicious WinRAR self-extracting archive (SFX). The archive abuses DLL side-loading, a technique that allows malware to run under the guise of legitimate software.

When executed, the archive drops several components, including a legitimate open-source PDF reader, a malicious DLL that is side-loaded by the reader, a portable Python interpreter, and a decoy file. Launching the PDF reader triggers the side-loading process, allowing the malicious DLL to execute without raising immediate suspicion.

The side-loaded DLL installs the Python interpreter and creates a Windows Registry Run key to ensure persistence. The interpreter then executes Base64-encoded shellcode directly in memory, reducing forensic traces on disk. The final stage attempts to connect to an external server, giving the attackers persistent remote access and enabling data exfiltration.
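Each of the three stages above leaves a distinct footprint in endpoint telemetry: an unsigned DLL loaded from the reader's own dropped directory, a Run key whose value launches a portable interpreter, and a python.exe process decoding inline Base64. The triage logic below is an added example (not from ReliaQuest's report); the Sysmon-style events are constructed samples, and the field names (Image, ImageLoaded, Signed, TargetObject, Details, CommandLine) are assumed.

```python
"""Triage Sysmon-style events for the SFX -> side-load -> Run key -> Python chain.
Events are constructed samples, not real telemetry; field names follow Sysmon's
ProcessCreate (1), ImageLoaded (7) and RegistryEvent value-set (13) records."""
import re
from pathlib import PureWindowsPath

# User-writable locations where an SFX archive typically unpacks its payload.
USER_WRITABLE = re.compile(r"\\(users\\[^\\]+\\(appdata|downloads)|temp)\\", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.I)
PY_EXE = re.compile(r"python\w*\.exe", re.I)

SAMPLE_EVENTS = [  # constructed sample telemetry
    {"EventID": 7, "Image": r"C:\Users\bob\AppData\Local\Temp\RarSFX0\reader.exe",
     "ImageLoaded": r"C:\Users\bob\AppData\Local\Temp\RarSFX0\libcef.dll", "Signed": "false"},
    {"EventID": 7, "Image": r"C:\Program Files\Reader\reader.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\bob\AppData\Roaming\py\python.exe C:\Users\bob\AppData\Roaming\py\s.py"},
    {"EventID": 1, "Image": r"C:\Users\bob\AppData\Roaming\py\python.exe",
     "CommandLine": r'python.exe -c "import base64;exec(base64.b64decode(PLACEHOLDER))"'},
]


def triage(events):
    """Return (rule_name, event) pairs for events matching a stage of the chain."""
    hits = []
    for e in events:
        eid = e["EventID"]
        if eid == 7:
            img, dll = PureWindowsPath(e["Image"]), PureWindowsPath(e["ImageLoaded"])
            # Side-load candidate: unsigned DLL loaded from the host binary's own
            # directory, and that directory is user-writable (dropped by the SFX).
            if (dll.parent == img.parent and e.get("Signed", "false") == "false"
                    and USER_WRITABLE.search(str(dll))):
                hits.append(("sideload_candidate", e))
        elif eid == 13 and RUN_KEY.search(e.get("TargetObject", "")):
            # Persistence: Run key value launching an interpreter from a user directory.
            data = e.get("Details", "")
            if USER_WRITABLE.search(data) or PY_EXE.search(data):
                hits.append(("run_key_persistence", e))
        elif eid == 1 and PY_EXE.search(e.get("Image", "")):
            # In-memory stage: inline code on the command line that decodes Base64.
            if re.search(r"-c\s|base64", e.get("CommandLine", ""), re.I):
                hits.append(("inline_base64_python", e))
    return hits
```

The signed kernel32 load from a normal install path is deliberately included so the side-load rule shows it does not fire on ordinary image loads.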

ReliaQuest notes that DLL side-loading has become increasingly common, with multiple recent campaigns delivering malware families such as LOTUSLITE and PDFSIDER, as well as other commodity trojans and information stealers.

The campaign appears to be broad and opportunistic, affecting multiple sectors and regions. However, because the activity occurs in private social media messages—an area typically less monitored than email—the full scale is difficult to assess.

Researchers warn that the use of trusted social platforms and legitimate open-source tools highlights a growing security blind spot. Unlike email, social media messaging often lacks enterprise-grade monitoring, making it an attractive channel for initial access.

LinkedIn has previously been abused in similar operations, including campaigns linked to North Korean threat actors posing as recruiters or interviewers to lure victims into executing malicious files.

ReliaQuest advises organizations to treat social media platforms as a critical attack surface and extend security controls beyond traditional email-based defences.
