Key Takeaways:
- A new phishing campaign is using social media private messages to spread malware and deploy remote access trojans (RATs).
- The campaign targets high-value individuals on LinkedIn, using messages to establish trust and deceive them into downloading malicious files.
- The attack uses DLL sideloading and legitimate open-source tools to evade detection and conceal malicious activity.
- The campaign has been observed across various sectors and regions; its full scope is hard to quantify because it plays out in direct messages, which most organizations monitor far less closely than email.
- Organizations must recognize social media as a critical attack surface and extend their defenses beyond email-centric controls.
Introduction to the Phishing Campaign
Cybersecurity researchers at ReliaQuest have uncovered a phishing campaign that uses social media private messages, rather than email, to deliver malicious payloads. The campaign combines social engineering with a staged set of dropped files to install a remote access trojan (RAT) on the victim's system. The attackers approach high-value individuals on LinkedIn, build rapport over a series of messages, and then persuade the target to download and run a malicious WinRAR self-extracting archive (SFX).
The Attack Vector
The attack begins with LinkedIn messages that establish trust with the target and steer them toward downloading a file. When the SFX is launched, it unpacks four components: a legitimate, open-source PDF reader application, a malicious DLL, a portable executable (PE) of the Python interpreter, and a RAR file that serves as a decoy. The infection chain starts when the PDF reader is run: because the attacker's DLL carries the name of a library the reader expects to load and sits in the same directory, the reader's DLL search order picks up the rogue DLL instead of the legitimate one, and the malicious code runs inside a trusted, signed process. DLL sideloading has become a common technique among threat actors precisely because the process doing the loading is a benign, often signed binary, so reputation-based and signature-based controls see nothing wrong with the executable itself.
The Infection Chain
The sideloaded DLL drops the Python interpreter onto the system and creates a Windows Registry Run key so that the interpreter is launched automatically at every login. The interpreter's job is to decode a Base64-encoded, open-source shellcode and execute it directly in memory, so the final payload never touches disk. Note that the earlier stages do: the PDF reader, the rogue DLL, the interpreter and the Run key are all on-disk artifacts, and a Run key whose target is a scripting interpreter in a user-writable directory is a strong hunting lead even when the payload itself is fileless. The final payload beacons to an external server, giving the attackers persistent remote access to the compromised host and a channel for exfiltrating data of interest. This approach lets the attackers evade detection and scale their operations with minimal effort while keeping persistent control over compromised systems.
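The two host-side tells in this chain, a benign executable loading an unsigned DLL from its own user-writable directory and a Run key that launches a Python interpreter with an inline Base64 decode, are both detectable from ordinary endpoint telemetry. The following is an added example written for this page, not code from ReliaQuest or from the campaign's tooling. It runs two detectors over a handful of constructed, Sysmon-style events (ImageLoad and RegistryEvent); the file paths, the DLL name list, the reader executable name and the event field names are illustrative assumptions, not indicators from the article.

```python
import re
from pathlib import PureWindowsPath

# Constructed, Sysmon-style events (not real telemetry). Every path and name
# here is a hypothetical placeholder standing in for the components the
# article describes, not an indicator taken from the campaign.
SAMPLE_EVENTS = [
    # ImageLoad (EventID 7): the PDF reader loads an unsigned DLL that sits
    # next to it in the SFX extraction folder -> sideloading candidate.
    {"EventID": 7,
     "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\RarSFX0\\reader.exe",
     "ImageLoaded": "C:\\Users\\alice\\AppData\\Local\\Temp\\RarSFX0\\version.dll",
     "Signed": "false"},
    # Same reader loading the genuine DLL from System32 -> benign.
    {"EventID": 7,
     "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\RarSFX0\\reader.exe",
     "ImageLoaded": "C:\\Windows\\System32\\version.dll",
     "Signed": "true"},
    # RegistryEvent value set (EventID 13): Run key pointing at a dropped
    # Python interpreter that decodes a Base64 blob and execs it in memory.
    {"EventID": 13,
     "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
     "Details": '"C:\\Users\\alice\\AppData\\Roaming\\pyrt\\python.exe" -c '
                '"import base64;exec(base64.b64decode(\'aW1wb3J0IG9z\'))"'},
    # Benign Run key: a vendor tool under Program Files, no decoding.
    {"EventID": 13,
     "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive",
     "Details": '"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe" /background'},
]

# Locations an unprivileged user can write to; a loader or autorun target
# living here is far more suspicious than one under Program Files/Windows.
USER_WRITABLE = re.compile(
    r"^[A-Z]:\\(Users\\[^\\]+\\(AppData|Downloads|Desktop|Documents)"
    r"|ProgramData|Temp|Windows\\Temp)\\", re.I)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
PY_INTERP = re.compile(r"^pythonw?\d*\.exe$", re.I)
INLINE_DECODE = re.compile(r"b64decode|FromBase64String|base64", re.I)
# Illustrative list of system DLL names frequently abused for sideloading.
COMMON_SIDELOAD_NAMES = {"version.dll", "cryptbase.dll", "dbghelp.dll", "wtsapi32.dll"}


def is_user_writable(path):
    return bool(USER_WRITABLE.match(path))


def command_image(details):
    """Return the executable path from a Run key command line."""
    d = details.strip()
    if d.startswith('"'):
        end = d.find('"', 1)
        return d[1:end] if end > 0 else d[1:]
    return d.split(" ", 1)[0]


def detect_sideload(ev):
    """Unsigned DLL loaded from the loading process's own user-writable dir."""
    if ev.get("EventID") != 7 or ev.get("Signed") != "false":
        return None
    exe, dll = PureWindowsPath(ev["Image"]), PureWindowsPath(ev["ImageLoaded"])
    if exe.parent != dll.parent or not is_user_writable(str(exe)):
        return None
    reasons = ["unsigned DLL loaded from process directory", "directory is user-writable"]
    if dll.name.lower() in COMMON_SIDELOAD_NAMES:
        reasons.append("DLL name collides with a commonly sideloaded system DLL")
    return {"kind": "dll_sideload", "process": str(exe), "dll": str(dll), "reasons": reasons}


def detect_run_key(ev):
    """Run key whose command launches a scripting interpreter with inline decoding."""
    if ev.get("EventID") != 13 or not RUN_KEY.search(ev["TargetObject"]):
        return None
    image = command_image(ev["Details"])
    reasons = []
    if PY_INTERP.match(PureWindowsPath(image).name):
        reasons.append("python interpreter as autorun target")
    if is_user_writable(image):
        reasons.append("autorun binary in user-writable path")
    if INLINE_DECODE.search(ev["Details"]):
        reasons.append("inline base64 decode in autorun command")
    # Any one of these alone is noisy on a real estate; require two to alert.
    if len(reasons) < 2:
        return None
    return {"kind": "run_key_loader", "key": ev["TargetObject"], "image": image, "reasons": reasons}


def scan(events):
    alerts = []
    for ev in events:
        for detector in (detect_sideload, detect_run_key):
            hit = detector(ev)
            if hit:
                alerts.append(hit)
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert["kind"], "->", "; ".join(alert["reasons"]))
```

Fed the constructed events, the scan raises exactly two alerts, one per malicious stage, and stays quiet on the System32 load and the vendor autorun. The two-reason threshold in the Run key detector is deliberate: autoruns in AppData are common on real fleets, so the combination of interpreter, location and inline decoding is what separates this chain from ordinary noise.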
The Use of Legitimate Open-Source Tools
The abuse of legitimate open-source tools, delivered through phishing messages on a social media platform, shows that phishing is not confined to email. Alternative delivery channels sidestep the mail-gateway controls most organizations have invested in and raise the odds of getting a foothold inside a corporate environment. The tools themselves are benign, so hash- and signature-based checks will not flag the PDF reader or the Python interpreter; what gives the activity away is context: where the binaries run from, what they load, and what persistence they establish. This is why monitoring of social media platforms and security controls that extend beyond email are both necessary.
Previous Attacks on LinkedIn
This is not the first time LinkedIn has been misused for targeted attacks. In recent years, multiple North Korean threat actors have singled out victims by contacting them on LinkedIn under the pretext of a job opportunity and convincing them to run a malicious project as part of a supposed assessment or code review. In March 2025, Cofense also detailed a LinkedIn-themed phishing campaign that employs lures related to LinkedIn InMail notifications to get recipients to click on a "Read More" or "Reply To" button and download the remote desktop software developed by ConnectWise for gaining complete control over victim hosts.
Conclusion and Recommendations
The campaign observed by ReliaQuest appears to be broad and opportunistic, with activity spanning various sectors and regions. Because it plays out in direct messages, and social media platforms are typically far less monitored than email, its full scale is difficult to quantify. Organizations should treat social media as an initial-access attack surface in its own right and extend their defenses beyond email-centric controls. In practical terms, that means training users to treat files received over LinkedIn and similar platforms with the same suspicion as unsolicited email attachments, restricting or inspecting self-extracting archives, and instrumenting endpoints for the tells this chain leaves behind: a signed application loading an unsigned DLL from a user-writable folder, and a Run key that launches a scripting interpreter. Closing this gap reduces the likelihood of falling victim to this and similar campaigns.