Hackers Use LinkedIn Messages to Spread RAT Malware via DLL Sideloading

Cybersecurity researchers have identified a new phishing operation that weaponizes LinkedIn private messages to deliver malware, highlighting how social media platforms are increasingly being used as initial access vectors in cyberattacks.

According to findings shared by ReliaQuest, the campaign relies on direct messages sent to targeted individuals, where attackers gradually build trust before convincing victims to download a malicious WinRAR self-extracting archive. The ultimate objective appears to be the deployment of a remote access trojan (RAT) that enables persistent control over infected systems.

Weaponized Archive and Infection Chain

Once the victim opens the downloaded self-extracting archive, four distinct components are dropped onto the system:

  • A legitimate open-source PDF reader application
  • A malicious DLL that is sideloaded by the PDF reader
  • A portable executable version of the Python interpreter
  • A RAR file likely included as a decoy

The infection is triggered when the user launches the PDF reader. This causes the legitimate application to load the malicious DLL through DLL sideloading, a technique widely favored by threat actors because it hides malicious execution behind trusted processes.

DLL Sideloading as a Growing Threat

DLL sideloading continues to gain traction as an evasion method, allowing attackers to bypass traditional security controls while blending malicious activity into normal application behavior. In recent weeks alone, multiple malware campaigns have leveraged this technique to distribute threats such as LOTUSLITE, PDFSIDER, and various commodity trojans and information stealers.

In this specific campaign, the sideloaded DLL drops a Python interpreter and establishes persistence by creating a Windows Registry Run key. This ensures the interpreter executes automatically whenever the user logs into the system.
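As an added defender-side example (not code from ReliaQuest or the article), the following Python sketch applies two detection heuristics drawn from the chain described above to constructed Sysmon-style events: a Run key whose command launches a Python interpreter from a user-writable directory, and an unsigned DLL loaded by a process from its own user-writable directory. The event layout, paths, DLL name and key names are all assumptions invented for the example.

```python
import re

# Heuristics: the interpreter the chain relies on, paths a standard user can write to,
# and the Run key location where the persistence entry is created.
INTERPRETERS = ("python.exe", "pythonw.exe")
USER_WRITABLE = re.compile(r"^[a-z]:\\(users|programdata|windows\\temp)\\", re.I)
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\", re.I)

# Constructed Sysmon-style events (ID 13 = registry value set, ID 7 = image loaded).
# Every path, file name and SID below is invented for this example.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Users\alice\Downloads\Reader\reader.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\alice\AppData\Local\Temp\py\python.exe C:\Users\alice\AppData\Local\Temp\py\run.py"},
    {"EventID": 7, "Image": r"C:\Users\alice\Downloads\Reader\reader.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\Reader\helper.dll", "Signed": "false"},
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'},
]

def _dirname(path): return path.rsplit("\\", 1)[0].lower()
def _basename(path): return path.rsplit("\\", 1)[-1].lower()

def first_token(command):
    """Return the executable path from a Run key command line (quoted or not)."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split(" ", 1)[0]

def check_run_key(ev):
    """Flag a Run key whose command starts an interpreter from a user-writable path."""
    if ev["EventID"] != 13 or not RUN_KEY.search(ev["TargetObject"]):
        return None
    exe = first_token(ev["Details"])
    if _basename(exe) in INTERPRETERS and USER_WRITABLE.match(exe):
        return ("run_key_interpreter", exe)
    return None

def check_sideload(ev):
    """Flag an unsigned DLL loaded from the loading process's own user-writable directory."""
    if ev["EventID"] != 7 or ev.get("Signed", "").lower() == "true":
        return None
    if USER_WRITABLE.match(ev["Image"]) and _dirname(ev["ImageLoaded"]) == _dirname(ev["Image"]):
        return ("unsigned_dll_sideload", ev["ImageLoaded"])
    return None

def scan(events):
    """Run both checks over an event list and return (rule, evidence) findings."""
    return [f for ev in events for f in (check_run_key(ev), check_sideload(ev)) if f]
```

Both rules are heuristics: legitimate software occasionally registers interpreters in Run keys or ships unsigned helper DLLs, so findings should be triaged against the loading process's reputation and the DLL's origin rather than blocked outright.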

Fileless Execution and Persistent Access

The Python interpreter is then used to execute a Base64-encoded, open-source shellcode payload directly in memory. By avoiding the creation of files on disk, the attackers significantly reduce forensic visibility and detection opportunities.

The final stage attempts to establish communication with an external command-and-control server, granting attackers long-term remote access to the compromised machine and enabling the exfiltration of sensitive data.

Social Media as an Expanding Attack Surface

ReliaQuest noted that the campaign appears to be broad and opportunistic, affecting multiple sectors and geographic regions. However, measuring its true scale remains difficult due to the private nature of social media messaging platforms.

Unlike email systems, which are typically protected by security gateways and monitoring tools, private messages on platforms like LinkedIn often lack visibility and centralized security controls. This makes them an attractive channel for attackers seeking to bypass corporate defenses.

History of LinkedIn-Based Attacks

This is far from the first instance of LinkedIn being abused for targeted cyberattacks. Over the past several years, multiple North Korean-linked threat groups, including those associated with CryptoCore and the Contagious Interview campaign, have used fake job offers to trick victims into executing malicious code disguised as interview tasks or coding assessments.

More recently, in March 2025, Cofense documented a LinkedIn-themed phishing campaign that used fake InMail notifications to lure victims into downloading ConnectWise remote desktop software, giving attackers full control of infected systems.

Defensive Implications

Security researchers warn that organizations must reassess how they view social media platforms in their threat models. As attackers increasingly shift away from traditional email-based phishing, platforms used for professional networking represent a critical blind spot.

ReliaQuest emphasized that businesses should treat social media messaging as a legitimate attack surface and extend security awareness, monitoring, and response strategies beyond email-centric controls to prevent initial compromise and lateral movement.
