
Cybersecurity researchers have discovered a new phishing campaign that exploits private social media messages to propagate malicious payloads. This is likely intended to deploy a remote access trojan (RAT).
ReliaQuest said in a report shared with The Hacker News that the activity delivers “weaponized files via dynamic link library (DLL) sideloading combined with legitimate open source Python penetration testing scripts.”
The attack involves approaching high-value individuals through messages sent on LinkedIn, establishing trust, and tricking them into downloading a malicious WinRAR self-extracting archive (SFX). When the archive is launched, four different components are extracted.
- Legitimate open source PDF reader applications
- Malicious DLLs sideloaded by the PDF readers
- RAR files that can act as a Python interpreter
- Portable executable (PE) decoys

The infection chain is activated when the PDF reader application is executed and the malicious DLL is sideloaded. The use of DLL sideloading is an increasingly common technique employed by threat actors to leverage legitimate processes to evade detection and hide signs of malicious activity.
Over the past week, at least three documented campaigns have utilized DLL sideloading to deliver malware families tracked as LOTUSLITE and PDFSIDER, along with other commodity Trojans and information thieves.
The campaign observed by ReliaQuest uses the sideloaded DLL to drop a Python interpreter onto the system and create a Windows registry Run key so that the Python interpreter runs automatically at every login. The interpreter's primary role is to execute Base64-encoded open source shellcode. This shellcode runs directly in memory, leaving no forensic artifacts on disk.
The final payload attempts to communicate with an external server, giving the attacker persistent remote access to the compromised host and a channel through which to exfiltrate the data of interest.
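As an added defensive illustration (constructed here, not code or telemetry from the ReliaQuest report), the following Python scores registry autostart events in the shape of Sysmon Event ID 13 records and flags Run-key values that launch a Python interpreter from a user-writable path or are written by a process running from one. The sample events, field names and the threshold are assumptions.

```python
import re

# Patterns for Run/RunOnce autostart values, Python interpreters and user-writable paths.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\", re.IGNORECASE)
PYTHON_RE = re.compile(r"\b(python|pythonw|python3)(\d+)?\.exe\b", re.IGNORECASE)
USER_WRITABLE_RE = re.compile(r"\\(AppData|Temp|Downloads|ProgramData|Public)\\", re.IGNORECASE)
INLINE_CODE_RE = re.compile(r"(\s-c\s|b64decode|base64)", re.IGNORECASE)

# Constructed sample records in the shape of Sysmon Event ID 13 (registry value set).
# They are illustrative only, not telemetry from the campaign described above.
SAMPLE_EVENTS = [
    {"EventID": 13,  # benign: OneDrive registering its own autostart
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
     "Image": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDriveSetup.exe"},
    {"EventID": 13,  # suspicious: interpreter dropped in AppData, key written by a PDF reader in Downloads
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\PyUpdate",
     "Details": r"C:\Users\alice\AppData\Roaming\rt\pythonw.exe C:\Users\alice\AppData\Roaming\rt\loader.py",
     "Image": r"C:\Users\alice\Downloads\pdfviewer.exe"},
    {"EventID": 13,  # benign-looking: Python from Program Files, key written by Explorer
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\DevTray",
     "Details": r"C:\Program Files\Python312\pythonw.exe C:\Program Files\DevTool\tray.py",
     "Image": r"C:\Windows\explorer.exe"},
]

def score_run_key_event(event):
    """Return (score, reasons) for one Event ID 13 record. Non-Run-key events score 0."""
    if event.get("EventID") != 13 or not RUN_KEY_RE.search(event.get("TargetObject", "")):
        return 0, []
    cmd = event.get("Details", "")
    reasons = []
    if PYTHON_RE.search(cmd):
        reasons.append("autostart value launches a Python interpreter")
        if USER_WRITABLE_RE.search(cmd):
            reasons.append("interpreter or script path is user-writable")
    if INLINE_CODE_RE.search(cmd):
        reasons.append("inline or Base64-decoded code passed to the interpreter")
    if USER_WRITABLE_RE.search(event.get("Image", "")):
        reasons.append("Run key written by a process running from a user-writable path")
    return len(reasons), reasons

def find_suspicious(events, threshold=2):
    """Return (value name, reasons) for events whose score meets the threshold."""
    hits = []
    for event in events:
        score, reasons = score_run_key_event(event)
        if score >= threshold:
            hits.append((event["TargetObject"], reasons))
    return hits
```

With the default threshold, a Python interpreter under Program Files registered by Explorer scores one point and is not flagged, while the dropped interpreter in AppData written by a process from Downloads scores three.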
The misuse of legitimate open source tools and the use of phishing messages sent over social media platforms show that phishing attacks are not limited to email, and that alternative delivery methods can exploit security gaps to increase the probability of success and penetrate corporate environments.
ReliaQuest told The Hacker News that the campaign appears to be broad-based and opportunistic, with activity spanning various sectors and geographies. “However, the overall scale of this activity is difficult to quantify as this activity is occurring via direct messages and social media platforms are typically not monitored as much as email,” it added.
“This approach allows attackers to evade detection and scale their operations with minimal effort while maintaining durable control over compromised systems,” the cybersecurity firm said. “Once compromised, they have the potential to escalate privileges, move across networks, and steal data.”
This isn’t the first time LinkedIn has been used for targeted attacks. In recent years, several North Korean threat actors, including those associated with the CryptoCore and Contagious Interview campaigns, have identified victims by contacting them on LinkedIn under the pretext of job opportunities and convincing them to run malicious projects as part of a supposed evaluation or code review.

In March 2025, Cofense also detailed a LinkedIn-themed phishing campaign that used decoys related to LinkedIn InMail notifications to trick recipients into clicking the “Read More” or “Reply to” buttons and downloading remote desktop software developed by ConnectWise to take full control of the victim host.
“Social media platforms commonly used by businesses represent a gap in most organizations’ security posture,” ReliaQuest said. “Unlike email, where organizations tend to deploy security monitoring tools, private messages on social media lack visibility and security controls, making them an attractive delivery channel for phishing campaigns.”
“Organizations must recognize that social media is a critical attack surface for initial access and extend defenses beyond email-centric controls.”
