Think LinkedIn Is Safe? Hackers Are Using It to Spread Malware


Researchers have uncovered a dangerous new phishing campaign in which hackers are abusing LinkedIn private messages to spread malware. Instead of using traditional phishing emails, threat actors are directly contacting users on LinkedIn, building trust, and tricking them into downloading malicious files. The ultimate goal of this campaign is to deploy a Remote Access Trojan (RAT) that gives attackers long-term control over infected systems.

According to a report from ReliaQuest, the attackers are using a clever technique called DLL sideloading, combined with legitimate open-source tools, to bypass security controls and remain hidden inside corporate environments.

The attack begins with a seemingly harmless LinkedIn message. Cybercriminals target high-value professionals, such as employees in IT, finance, engineering, and management roles. These messages often appear professional and may reference job opportunities, collaborations, or shared interests to gain the victim’s trust.

Once trust is established, the attacker convinces the target to download a WinRAR self-extracting archive (SFX). This file looks legitimate but contains several malicious components designed to work together.

When extracted, the archive drops four main files onto the victim’s system:

  • A legitimate open-source PDF reader application

  • A malicious DLL file that will be sideloaded

  • A portable Python interpreter executable

  • A RAR file acting as a decoy

At first glance, everything appears normal. However, the real attack starts when the victim launches the PDF reader.

When the PDF reader is executed, it unknowingly loads the malicious DLL instead of the legitimate one. This technique, known as DLL sideloading, takes advantage of the order in which Windows applications search for required libraries: the application's own directory is checked before the system directories, so a DLL planted beside the executable under an expected name is the one that gets loaded.

Because the application itself is trusted, security tools are less likely to raise alerts. This makes DLL sideloading an increasingly popular method among threat actors looking to evade antivirus and endpoint detection systems.
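The detection side of the sideloading step described above can be expressed as a simple rule over image-load telemetry. The following is an added example written for this article, not ReliaQuest's detection logic or any vendor's content; it uses Sysmon Event ID 7 (ImageLoad) field names, and the event records, the `SYSTEM_DLLS` list and the `TRUSTED_DIRS` prefixes are constructed for illustration. The rule flags a library that normally lives in a system directory when it is loaded from elsewhere without a valid Microsoft signature, the strongest form being a copy sitting next to the host executable.

```python
"""Flag DLL sideloading candidates in Sysmon-style ImageLoad (Event ID 7) records.

Added example for this article; it is not ReliaQuest's detection logic and the
event records below are constructed, not captured from the campaign.
"""
from pathlib import PureWindowsPath
from typing import Iterable, List

# Library names that a Windows process normally resolves from a system
# directory. Constructed, abbreviated list for the example; a real deployment
# would baseline this from the environment.
SYSTEM_DLLS = {"version.dll", "dbghelp.dll", "cryptbase.dll", "wininet.dll"}

# Directories where a copy of such a library is expected (lower-case prefixes).
TRUSTED_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)


def _in_trusted_dir(path: str) -> bool:
    lowered = path.lower()
    return any(lowered.startswith(prefix) for prefix in TRUSTED_DIRS)


def sideload_reason(event: dict) -> str:
    """Return why an ImageLoad event looks like sideloading, or '' if it does not.

    Heuristic: a library that normally lives in a system directory was loaded
    from somewhere else, and it does not carry a valid Microsoft signature.
    The strongest form is the library sitting next to the host executable,
    which is the location the loader searches first.
    """
    loaded = PureWindowsPath(event["ImageLoaded"])
    if loaded.name.lower() not in SYSTEM_DLLS:
        return ""
    if _in_trusted_dir(str(loaded)):
        return ""
    signed = event.get("Signed", "false").lower() == "true"
    valid = event.get("SignatureStatus", "").lower() == "valid"
    microsoft = event.get("Signature", "").lower().startswith("microsoft")
    if signed and valid and microsoft:
        return ""  # a redistributed, genuinely signed Microsoft DLL
    host_dir = PureWindowsPath(event.get("Image", "")).parent
    where = "beside host executable" if loaded.parent == host_dir else "outside system directories"
    return (f"{loaded.name} loaded by {event.get('Image')} from {loaded.parent} "
            f"({where}, unsigned or non-Microsoft)")


def find_sideloads(events: Iterable[dict]) -> List[str]:
    """Run the heuristic over a batch of events and return the findings."""
    return [r for r in (sideload_reason(e) for e in events) if r]


# Constructed sample records using Sysmon Event ID 7 field names.
SAMPLE_EVENTS = [
    {   # system-named DLL dropped next to a downloaded viewer: flagged
        "Image": "C:\\Users\\alice\\Downloads\\viewer\\pdfviewer.exe",
        "ImageLoaded": "C:\\Users\\alice\\Downloads\\viewer\\version.dll",
        "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable",
    },
    {   # same process loading the real library from System32: normal
        "Image": "C:\\Users\\alice\\Downloads\\viewer\\pdfviewer.exe",
        "ImageLoaded": "C:\\Windows\\System32\\cryptbase.dll",
        "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid",
    },
    {   # vendor's own helper library, not a system name: normal
        "Image": "C:\\Program Files\\Vendor\\app.exe",
        "ImageLoaded": "C:\\Program Files\\Vendor\\helper.dll",
        "Signed": "true", "Signature": "Vendor Inc", "SignatureStatus": "Valid",
    },
    {   # redistributed dbghelp.dll carrying a valid Microsoft signature: allowed
        "Image": "C:\\Users\\bob\\AppData\\Local\\Tool\\tool.exe",
        "ImageLoaded": "C:\\Users\\bob\\AppData\\Local\\Tool\\dbghelp.dll",
        "Signed": "true", "Signature": "Microsoft Corporation", "SignatureStatus": "Valid",
    },
]

if __name__ == "__main__":
    for finding in find_sideloads(SAMPLE_EVENTS):
        print(finding)
```

The signature check matters in practice: legitimate installers do ship Microsoft-signed copies of libraries such as dbghelp.dll, so path alone produces noise, while an unsigned or differently signed file under a system library's name beside a freshly downloaded executable is the pattern this campaign relies on.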

In recent weeks alone, researchers have observed multiple malware campaigns using DLL sideloading to deliver threats such as LOTUSLITE, PDFSIDER, information stealers, and other commodity trojans.

Once the malicious DLL is loaded, it performs several actions to establish persistence and execute the final payload:

  1. Drops a Python interpreter onto the infected system

  2. Creates a Windows Registry Run key, ensuring the malware runs automatically every time the user logs in

  3. Uses Python to execute Base64-encoded shellcode directly in memory

By running the malicious code in memory instead of writing it to disk, the attackers significantly reduce the chance of forensic detection. This “fileless” approach makes incident response more difficult and allows the malware to operate quietly in the background.

The final stage of the attack involves connecting to an external command-and-control (C2) server. Once connected, attackers gain persistent remote access to the compromised system.

With RAT capabilities, threat actors can:

  • Monitor user activity

  • Steal sensitive corporate and personal data

  • Escalate privileges

  • Move laterally across the network

  • Deploy additional malware

This level of access can lead to data breaches, intellectual property theft, ransomware deployment, and long-term espionage.

This campaign highlights a growing trend: phishing attacks are no longer limited to email. Social media platforms like LinkedIn are becoming prime targets because they are widely trusted and poorly monitored by corporate security teams.

ReliaQuest noted that because these attacks occur in private direct messages, it is difficult to measure their full scale. Unlike email systems, most organizations lack security tools that monitor LinkedIn or other social media platforms.

The attackers benefit from:

  • Lower visibility and monitoring

  • Higher trust among users

  • Minimal effort to scale operations

  • Greater success in bypassing security defenses


This is not the first time LinkedIn has been abused by threat actors. Over the past several years, multiple North Korean hacking groups have used the platform to target professionals.

Campaigns such as CryptoCore and Contagious Interview involved attackers posing as recruiters. Victims were asked to download and run malicious code as part of fake job interviews, assessments, or code reviews.

More recently, in March 2025, Cofense reported another LinkedIn-themed phishing campaign. In that attack, victims received fake LinkedIn InMail notifications encouraging them to click “Read More” or “Reply To.” These links led to the download of ConnectWise remote desktop software, giving attackers full control over infected systems.

Security experts warn that organizations must treat social media platforms as a critical attack surface. While email security has matured significantly, social media messaging remains a blind spot.

ReliaQuest emphasized that companies should:

  • Train employees to recognize social media phishing attempts

  • Establish clear policies for handling unsolicited LinkedIn messages

  • Use endpoint detection tools capable of identifying DLL sideloading behavior

  • Monitor registry changes and suspicious Python execution

  • Extend security awareness beyond email-centric threats
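Two of the recommendations above (monitoring registry changes and suspicious Python execution) map directly onto the persistence and in-memory execution steps described earlier in the article. The following is an added example written for this article, not ReliaQuest's or any vendor's detection content; it uses Sysmon Event ID 13 (RegistryEvent SetValue) and Event ID 1 (ProcessCreate) field names, and the event records, the SID, the interpreter path and the marker lists are all constructed for illustration. It flags a Run key that autostarts an interpreter from a user-writable location, and an interpreter started with inline code that both decodes a blob and touches memory-execution APIs.

```python
"""Flag Run-key persistence and inline decode-and-execute Python launches in
Sysmon-style RegistryEvent SetValue (Event ID 13) and ProcessCreate (Event ID 1)
records.

Added example for this article; not ReliaQuest's or any vendor's detection
content. The records and the marker lists are constructed for illustration.
"""
import re
from pathlib import PureWindowsPath
from typing import Iterable, List, Optional

RUN_KEY_RE = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\", re.IGNORECASE)
INLINE_CODE_RE = re.compile(r"\s-c\s")  # python -c "<code>"

# Path fragments marking user-writable locations (constructed list).
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")
INTERPRETERS = {"python.exe", "pythonw.exe", "python3.exe"}
# Fragments that, together with inline code, suggest decode-then-execute in memory.
DECODE_MARKERS = ("base64", "b64decode")
MEMORY_MARKERS = ("ctypes", "virtualalloc", "exec(", "marshal")


def _first_path(command: str) -> str:
    """Return the executable portion of a Run value or command line."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def flag_run_key(event: dict) -> Optional[str]:
    """Autostart entry whose target is an interpreter in a user-writable path."""
    if not RUN_KEY_RE.search(event.get("TargetObject", "")):
        return None
    exe = PureWindowsPath(_first_path(event.get("Details", "")))
    lowered = str(exe).lower()
    if exe.name.lower() in INTERPRETERS and any(m in lowered for m in USER_WRITABLE):
        return f"Run key {event['TargetObject']} autostarts interpreter {exe}"
    return None


def flag_inline_python(event: dict) -> Optional[str]:
    """Interpreter started with inline code that decodes and executes a blob."""
    image = PureWindowsPath(event.get("Image", ""))
    if image.name.lower() not in INTERPRETERS:
        return None
    cmd = event.get("CommandLine", "").lower()
    if not INLINE_CODE_RE.search(cmd):
        return None
    decodes = any(m in cmd for m in DECODE_MARKERS)
    in_memory = any(m in cmd for m in MEMORY_MARKERS)
    if decodes and in_memory:
        return (f"{image} ran inline decode-and-execute code "
                f"(parent {event.get('ParentImage', '?')})")
    return None


def triage(events: Iterable[dict]) -> List[str]:
    """Dispatch each record to the matching check and collect the findings."""
    findings = []
    for e in events:
        checker = flag_run_key if e.get("EventID") == 13 else flag_inline_python
        hit = checker(e)
        if hit:
            findings.append(hit)
    return findings


# Constructed sample records; the SID and paths are placeholders.
_SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"
SAMPLE_EVENTS = [
    {   # Run key pointing at a portable interpreter under the user profile: flagged
        "EventID": 13,
        "TargetObject": f"HKU\\{_SID}\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
        "Details": "C:\\Users\\alice\\AppData\\Local\\pyrt\\python.exe "
                   "C:\\Users\\alice\\AppData\\Local\\pyrt\\start.py",
    },
    {   # ordinary autostart for an installed application: normal
        "EventID": 13,
        "TargetObject": f"HKU\\{_SID}\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive",
        "Details": "\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background",
    },
    {   # interpreter launched by the viewer process with inline decode-and-execute code: flagged
        "EventID": 1,
        "Image": "C:\\Users\\alice\\AppData\\Local\\pyrt\\python.exe",
        "ParentImage": "C:\\Users\\alice\\Downloads\\viewer\\pdfviewer.exe",
        "CommandLine": "python.exe -c \"import base64,ctypes; "
                       "<payload string redacted in this constructed sample>\"",
    },
    {   # developer running a build script: normal
        "EventID": 1,
        "Image": "C:\\Python311\\python.exe",
        "ParentImage": "C:\\Windows\\System32\\cmd.exe",
        "CommandLine": "python.exe build.py --release",
    },
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Correlating the two findings on the same host is what turns them into a high-confidence alert: the Run value and the interpreter's image path point at the same user-writable directory, and the interpreter's parent is the document viewer that should never be spawning Python.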

The misuse of LinkedIn for malware delivery shows how cybercriminals continue to adapt their tactics. By combining social engineering, DLL sideloading, and legitimate open-source tools, attackers can quietly infiltrate organizations and maintain long-term access.

As phishing evolves beyond email, businesses and individuals alike must stay alert. Recognizing that LinkedIn and other social media platforms can be weaponized is the first step toward reducing risk and protecting sensitive systems from compromise.
