Cybersecurity researchers have uncovered a new phishing campaign that delivers a malicious payload through private messages on a social media platform, most likely to distribute a remote access trojan (RAT).
The activity enables “weaponized files through Dynamic Link Library sideloading, in conjunction with a legitimate, open source Python based pen testing script,” according to a report released by the cybersecurity company ReliaQuest and provided to The Hacker News.
The attack chain starts by gaining the trust of influential LinkedIn users, messaging them directly, and tricking them into running a malicious WinRAR self-extracting archive (SFX). Once executed, the archive drops four components:
🔹A legitimate open-source PDF reader application
🔹A malicious DLL that the PDF reader sideloads
🔹A portable executable (PE) build of the Python interpreter
🔹A RAR file, most likely a decoy

The infection chain begins when the PDF reader starts and loads the malicious DLL from its own directory instead of the library it expects. DLL sideloading has become one of the most common techniques malware uses to evade detection and hide malicious activity: the attacker's code runs inside the process of a trusted, often signed, application, so process-based allow-listing and reputation checks see only the legitimate executable.
In the past week alone, at least three campaigns have been reported using DLL sideloading to distribute the LOTUSLITE and PDFSIDER malware, as well as other trojans and information stealers.
In the campaign analyzed by ReliaQuest, the sideloaded DLL drops the Python interpreter on the system and creates a Windows Registry Run key so that the interpreter is launched at every login. The interpreter's job is to run an open-source, Base64-encoded shellcode loader script directly in memory, so the final payload is never written to disk. That reduces, but does not eliminate, forensic artifacts: the Run key, the dropped interpreter and DLL, and the command line passed to the interpreter all remain on the system, and they are exactly what defenders should hunt for.
The final payload connects to an external server, giving the attackers persistent remote access to the infected machine and a channel for exfiltrating any data of interest.
The abuse of legitimate open-source tools, combined with phishing messages delivered over social media rather than email, underscores that initial access is not limited to email: attackers will use whichever channel slips past an organization's existing controls.
ReliaQuest told The Hacker News the campaign appears to be wide-ranging and opportunistic, with activity spanning many industries and geographies. "That said, because this activity plays out in direct messages, and social media platforms are typically less monitored than email, it's difficult to quantify the full scale," it added.
"This approach enables the attackers to bypass detection, scale their operations with the least effort, and maintain persistent control over the compromised systems," said the cybersecurity company. "Once inside, they can escalate privileges, move laterally across networks, and exfiltrate data."
This is not the first time LinkedIn has been abused for targeted attacks. In recent years, several North Korean threat actors have approached targets on LinkedIn under the pretext of a job opportunity and persuaded them to run a malicious project as part of a supposed skills assessment or code review.
In March 2025, Cofense also described a LinkedIn-themed phishing campaign in which attackers used lures mimicking LinkedIn InMail message notifications to get the user to click a "Read More" or "Reply To" button, ultimately giving the attacker control of the machine through ConnectWise remote access software.
"Social media sites that are commonly used by businesses are actually an unsolved security problem for most businesses," the company said. "Unlike with email, most business security teams have some kind of monitoring solution for this communication vector. Social media 'private messages' are another unsolved security problem. Phishing attacks via this route have been very effective."
“Organizations should recognize social media as a key attack surface for initial access. They should expand their defenses beyond email.”