Hackers use LinkedIn messages to spread RAT malware through DLL sideloading

Ravi LakshmananJanuary 20, 2026Malware/Threat Intelligence


Cybersecurity researchers have uncovered a new phishing campaign that abuses private social media messages to deliver malicious payloads, likely with the goal of deploying a remote access trojan (RAT).

ReliaQuest said in a report shared with The Hacker News that the activity delivers “weaponized files via dynamic link library (DLL) sideloading combined with legitimate open source Python penetration testing scripts.”

The attack involves approaching high-value individuals through messages sent on LinkedIn, building trust, and then tricking them into downloading a malicious WinRAR self-extracting archive (SFX). When the archive is launched, four components are extracted:

  • A genuine open source PDF reader application
  • A malicious DLL that the PDF reader sideloads
  • A portable Python interpreter executable (PE)
  • A RAR file that serves as a decoy

The infection chain is triggered when the PDF reader application is executed and loads the malicious DLL from its own directory. DLL sideloading is an increasingly common technique among threat actors because the malicious code runs inside a legitimate, often signed, process, which helps it evade detection and hides signs of malicious activity.

In the past week alone, at least three documented campaigns have used DLL sideloading to deliver malware families tracked as Lotus Light and PDF Cider, along with other commodity trojans and information stealers.

In the campaign observed by ReliaQuest, the sideloaded DLL drops a Python interpreter onto the system and creates a Windows registry Run key so that the interpreter is launched automatically at every login. The interpreter's primary role is to execute Base64-encoded shellcode taken from an open source project. Because the shellcode is decoded and executed directly in memory rather than written to disk, it leaves few forensic artifacts, although the dropped interpreter and the Run key themselves remain on the host and are the durable indicators a responder should look for.
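As an added example (not ReliaQuest's or The Hacker News' code) of how a defender might hunt for the two host-side traces described above, the following Python runs two rules over constructed, Sysmon-style events: a DLL loaded by a signed executable from the executable's own user-writable directory, and a Run-key value that starts a Python interpreter from a user-writable path. The event field names, the directory and file names in the sample data, and the list of user-writable prefixes are assumptions made for illustration, not a vendor schema or indicators from the campaign.

```python
import re
from pathlib import PureWindowsPath

# Assumed list of directories an unprivileged user can write to. Code staged
# here is far more suspicious than code under Program Files or System32.
USER_WRITABLE_PREFIXES = (
    "c:\\users\\",
    "c:\\programdata\\",
    "c:\\windows\\temp\\",
)
# Matches HKCU/HKLM ...\CurrentVersion\Run\<value> and RunOnce\<value>.
RUN_KEY_RE = re.compile(r"\\currentversion\\run(once)?\\", re.IGNORECASE)
# python.exe, pythonw.exe, python3.exe, python312.exe, ...
PYTHON_EXE_RE = re.compile(r"pythonw?\d*\.exe", re.IGNORECASE)


def _is_user_writable(path: str) -> bool:
    return path.lower().startswith(USER_WRITABLE_PREFIXES)


def _same_dir(a: str, b: str) -> bool:
    return str(PureWindowsPath(a).parent).lower() == str(PureWindowsPath(b).parent).lower()


def detect_sideload(ev: dict):
    """Rule 1 (Sysmon-style image-load event): a signed executable loads an
    unsigned DLL from the same user-writable directory it runs from."""
    if ev.get("event_id") != 7:
        return None
    exe, dll = ev["image"], ev["image_loaded"]
    if not dll.lower().endswith(".dll"):
        return None
    if (_same_dir(exe, dll) and _is_user_writable(dll)
            and ev.get("exe_signed") and not ev.get("dll_signed")):
        return (f"possible DLL sideload: {PureWindowsPath(exe).name} loaded unsigned "
                f"{PureWindowsPath(dll).name} from its own directory")
    return None


def detect_python_run_key(ev: dict):
    """Rule 2 (Sysmon-style registry value-set event): a Run/RunOnce value
    that launches a Python interpreter living in a user-writable location."""
    if ev.get("event_id") != 13:
        return None
    if not RUN_KEY_RE.search(ev["target_object"]):
        return None
    cmd = ev["details"]
    m = PYTHON_EXE_RE.search(cmd)
    if not m:
        return None
    # Interpreter path is everything up to the end of the exe name; strip an
    # opening quote if the command line was quoted.
    exe_path = cmd[:m.end()].lstrip('"')
    if _is_user_writable(exe_path):
        value_name = ev["target_object"].rsplit("\\", 1)[-1]
        return f"Python persistence via Run value '{value_name}': {cmd}"
    return None


def hunt(events):
    """Apply both rules and return the list of findings (empty if clean)."""
    findings = []
    for ev in events:
        for rule in (detect_sideload, detect_python_run_key):
            hit = rule(ev)
            if hit:
                findings.append(hit)
    return findings


# Constructed sample telemetry (paths, names and signer flags are made up).
SAMPLE_EVENTS = [
    # Benign: the PDF reader loads a signed system DLL from System32.
    {"event_id": 7, "image": r"C:\Users\alice\Downloads\invoice\pdfreader.exe",
     "image_loaded": r"C:\Windows\System32\kernel32.dll",
     "exe_signed": True, "dll_signed": True},
    # Suspicious: same signed reader loads an unsigned DLL from its own folder.
    {"event_id": 7, "image": r"C:\Users\alice\Downloads\invoice\pdfreader.exe",
     "image_loaded": r"C:\Users\alice\Downloads\invoice\version.dll",
     "exe_signed": True, "dll_signed": False},
    # Suspicious: Run value pointing at a portable interpreter under AppData.
    {"event_id": 13,
     "target_object": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "details": r'"C:\Users\alice\AppData\Local\invoice\python.exe" "C:\Users\alice\AppData\Local\invoice\run.py"'},
    # Benign: a system-wide Python install started from Program Files.
    {"event_id": 13,
     "target_object": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\DevTool",
     "details": r"C:\Program Files\Python312\pythonw.exe C:\tools\agent.py"},
]

if __name__ == "__main__":
    for line in hunt(SAMPLE_EVENTS):
        print(line)
```

Both rules deliberately key on where a file lives rather than on a hash or a name, because the sideloaded DLL and the interpreter are interchangeable from the attacker's side while "unsigned DLL next to a signed EXE in a user profile" and "Run key that launches an interpreter from a user profile" describe the technique itself.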

The final payload attempts to contact an external server, giving the attacker persistent remote access to the compromised host and a channel through which to exfiltrate data of interest.

The misuse of legitimate open source tools and the delivery of phishing messages over a social media platform show that phishing is not limited to email, and that alternative delivery channels can exploit gaps in security controls to raise the odds of success and gain a foothold in corporate environments.

ReliaQuest told The Hacker News that the campaign appears to be broad-based and opportunistic, with activity spanning various sectors and geographies. “However, the overall scale of this activity is difficult to quantify as this activity is occurring via direct messages and social media platforms are typically not monitored as much as email,” it added.

“This approach allows attackers to evade detection and scale their operations with minimal effort while maintaining durable control over compromised systems,” the cybersecurity firm said. “Once compromised, they have the potential to escalate privileges, move across networks, and steal data.”

This is not the first time LinkedIn has been used for targeted attacks. In recent years, multiple North Korean threat actors, including those behind the CryptoCore and Contagious Interview campaigns, have identified victims by contacting them on LinkedIn under the pretext of job opportunities and convincing them to run malicious projects as part of a supposed evaluation or code review.


In March 2025, Cofense also detailed a LinkedIn-themed phishing campaign that used decoys mimicking LinkedIn InMail notifications to trick recipients into clicking a "Read more" or "Reply" button and downloading remote desktop software developed by ConnectWise, giving the attacker full control of the victim's host.

“Social media platforms commonly used by businesses represent a gap in most organizations’ security posture,” ReliaQuest said. “Unlike email, where organizations tend to deploy security monitoring tools, private messages on social media lack visibility and security controls, making them an attractive delivery channel for phishing campaigns.”

“Organizations must recognize that social media is a critical attack surface for initial access and extend defenses beyond email-centric controls.”
