LinkedIn DM phishing campaign targets high-value execs with weaponized file downloads


A phishing campaign targeting carefully selected “high-value” corporate employees has been using LinkedIn direct messages to deliver weaponized downloads, highlighting how criminals are shifting away from email-based lures as inbox security improves.

The ReliaQuest Threat Research team revealed how attackers used social media direct messages to send targets a malicious download link.

The campaign used a technique that lets malware run under the cover of a legitimate program, combined with a “legitimate, open-source Python pen-testing script,” a combination ReliaQuest said it had not seen before.


According to the report, authored by cyber threat intelligence analyst Emily Jia, the attack begins with a LinkedIn phishing message directing the victim to download a WinRAR self-extracting archive (SFX).

An SFX archive automatically unpacks multiple files when opened, allowing attackers to deliver everything needed for compromise in a single download.


In this campaign, the SFX archive unpacked a legitimate PDF reader and a malicious Dynamic Link Library (DLL), a common type of Windows file that programs rely on to run key functions.

It also delivered a portable Python interpreter and a harmless decoy compressed file intended to make the download appear legitimate.

ReliaQuest said filenames were tailored to the recipient’s role or industry, using titles such as “Upcoming_Products.pdf” or “Project_Execution_Plan.exe,” to increase the chances the target would open them.

What is DLL sideloading?

Once the victim launches the PDF reader, the malicious file runs via DLL sideloading, a technique in which attackers place a rogue DLL alongside a legitimate application so it loads the attacker’s code.


The malicious DLL was disguised as a normal supporting component that the PDF reader expects to find when it starts up, helping “evade detection by endpoint security tools,” Jia writes.

After execution, the malware sets up a persistent registry “Run” key to automatically launch Python at login. It then runs a publicly available hacking tool “wrapped” in Base64 (which turns code into a long string of text) and executes it directly in the computer’s memory instead of saving an obviously malicious file to disk, making detection harder.
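The two behaviours in this stage, a Run key that launches a Python interpreter from a user-writable path and a Python process handed a Base64 blob to decode and execute in memory, are both visible in registry and process-creation telemetry. The detection logic below is an added example written for this article, not code from ReliaQuest or the report; it assumes Sysmon-style Event ID 13 (registry value set) records with `TargetObject` and `Details` fields and Event ID 1 (process create) records with `Image` and `CommandLine`, and every sample event, path and encoded string is constructed (the encoded payload is a harmless print statement used only to exercise the detector).

```python
"""Detections for Run-key persistence via a portable Python interpreter and for
Base64-wrapped code passed to Python on the command line (added example).

Assumed input: Sysmon-style records as dicts. Event ID 13 carries
"TargetObject" (registry path) and "Details" (value written); Event ID 1
carries "Image" and "CommandLine". All sample data is constructed.
"""
import re
import base64
import binascii

RUN_KEY_RE = re.compile(r"\\currentversion\\run(once)?\\", re.IGNORECASE)
PYTHON_RE = re.compile(r"\bpythonw?(\d+(\.\d+)?)?\.exe\b", re.IGNORECASE)
# A long run of Base64 alphabet characters with optional padding.
B64_BLOB_RE = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")
USER_WRITABLE_PREFIXES = (r"c:\users\\", r"c:\programdata\\", r"c:\windows\temp\\")


def looks_like_base64(token: str) -> bool:
    """True when the token strictly decodes as Base64 (correct alphabet and padding)."""
    try:
        base64.b64decode(token, validate=True)
        return True
    except (binascii.Error, ValueError):
        return False


def persistence_alerts(events):
    """Return (rule_name, subject, evidence) tuples.

    run_key_python:      a Run/RunOnce value that launches a Python interpreter
                         located under a user-writable directory.
    inline_base64_python: a Python process whose command line carries a
                         Base64 blob of 64+ characters, the shape of code
                         being decoded and executed in memory.
    """
    alerts = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 13 and RUN_KEY_RE.search(ev.get("TargetObject", "")):
            details = ev.get("Details", "")
            launcher = details.lower().lstrip('"')
            if PYTHON_RE.search(details) and launcher.startswith(tuple(p.rstrip("\\") + "\\" for p in USER_WRITABLE_PREFIXES)):
                alerts.append(("run_key_python", ev["TargetObject"], details))
        elif eid == 1:
            cmd = ev.get("CommandLine", "")
            if PYTHON_RE.search(cmd) and any(looks_like_base64(t) for t in B64_BLOB_RE.findall(cmd)):
                alerts.append(("inline_base64_python", ev["Image"], cmd))
    return alerts


# Constructed benign text, encoded here so the sample blob is valid Base64.
_SAMPLE_BLOB = base64.b64encode(
    b"print('constructed benign sample used only to exercise the detector')"
).decode()

SAMPLE_EVENTS = [
    # Run key pointing at a portable interpreter under the user's profile: alert.
    {"EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-PLACEHOLDER\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\alice\AppData\Local\tools\python.exe C:\Users\alice\AppData\Local\tools\start.py"},
    # Installed vendor updater registered in Run: no alert.
    {"EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-PLACEHOLDER\Software\Microsoft\Windows\CurrentVersion\Run\VendorUpdate",
     "Details": r"C:\Program Files\Vendor\updater.exe /background"},
    # Python executing a decoded Base64 blob in memory: alert.
    {"EventID": 1,
     "Image": r"C:\Users\alice\AppData\Local\tools\python.exe",
     "CommandLine": r"C:\Users\alice\AppData\Local\tools\python.exe -c "
                    + f'"import base64;exec(base64.b64decode(\'{_SAMPLE_BLOB}\'))"'},
    # Ordinary script execution: no alert.
    {"EventID": 1,
     "Image": r"C:\Python311\python.exe",
     "CommandLine": r"C:\Python311\python.exe C:\Users\alice\work\report.py"},
]

if __name__ == "__main__":
    for rule, subject, evidence in persistence_alerts(SAMPLE_EVENTS):
        print(f"{rule}: {subject}\n    {evidence}")
```

Both rules are intentionally narrow: the Run-key rule keys on the interpreter living outside Program Files or the Windows directory rather than on Python itself, and the Base64 rule requires a blob that strictly decodes, which keeps ordinary script invocations and long file paths from firing.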

ReliaQuest observed repeated attempts to contact a command-and-control server, behaviour “commonly associated with RATs,” indicating a likely remote access trojan deployment for long-term access and data theft.


The security company stressed that what makes this campaign, which appears to be aimed at business executives and IT administrators, particularly concerning is its strategic use of social media’s credibility, combined with the weaponization of legitimate open-source tools.

“This combination not only lowers the technical barrier for attackers but also boosts their odds of success.”

Access to business execs’ devices is “invaluable” to criminals

“This campaign serves as a reminder that phishing isn’t confined to email inboxes. Phishing attacks take place over alternative channels like social media, search engines, and messaging apps – platforms that many organizations still overlook in their security strategies.

“Social media platforms, especially those frequently accessed on corporate devices, provide attackers with direct access to high-value targets like executives and IT administrators, making them invaluable to cybercriminals.”

According to ReliaQuest, LinkedIn has been made aware of the campaign. To reduce risk, the security firm advises social media-specific security awareness training and caution around unexpected links or downloads sent via direct message.


LinkedIn’s response to Cybernews was as follows:

“Our teams and technology work behind the scenes to spot and stop most scams before they even reach our members and customers. If they do come across anything suspicious, we encourage them to report it and provide resources in our Help Center about identifying fraudulent messages and guidance on what to do if a malicious link is clicked.”

LinkedIn spokesperson
