LinkedIn Messages Used to Deliver RAT Malware via DLL Sideloading

LinkedIn Messages to Spread RAT Malware

Cybersecurity researchers have uncovered a phishing operation that abuses private messaging on social platforms to deliver malicious binaries, likely as a delivery mechanism for a remote access trojan (RAT).

According to ReliaQuest, the activity delivers “weaponized files via Dynamic Link Library (DLL) sideloading, combined with a legitimate, open-source Python pen-testing script,” forming a kill chain that blends in with legitimate tooling.

The tradecraft centers on engaging high-value targets via LinkedIn direct messages, building rapport, then convincing them to download a trojanized WinRAR self-extracting (SFX) archive. When executed, the SFX unpacks four components:

  • A legitimate open-source PDF reader application
  • A malicious DLL that’s sideloaded by the PDF reader
  • A portable executable (PE) build of the Python interpreter
  • A RAR file that likely functions as a decoy artifact

The execution chain is triggered when the PDF reader is started, which causes the malicious DLL to be sideloaded. DLL sideloading remains a preferred technique for intrusion operators because malicious code runs inside a legitimate, often signed, process, produces less distinctive telemetry, and evades detection logic that keys on the parent executable alone.

Within the last week alone, at least three documented campaigns have used DLL sideloading to deploy malware families tracked as LOTUSLITE and PDFSIDER, as well as other commodity trojans and information stealers.

In the ReliaQuest-observed activity, the sideloaded DLL is used to deploy the Python interpreter onto the endpoint and create a Windows Registry Run key to ensure the interpreter is invoked at each user logon. That interpreter is then used to run a Base64-encoded open-source shellcode payload directly in memory, intentionally minimizing disk artifacts and complicating post-incident forensic reconstruction.
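The three host-side steps described above (a PDF reader loading a DLL from a user-writable path, a Run key pointing at a Python interpreter, and Python executing a Base64-handling inline script) each leave telemetry a SOC can match on. The following detection logic is an added example, not code from ReliaQuest or the report; it runs over constructed Sysmon-style events, and every path, process name and user name in it is an assumed placeholder.

```python
import re

# User-writable locations from which a signed PDF reader should not be loading DLLs.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|Users\\Public)\\", re.I)
# Interpreter invoked with an inline script (-c) that handles Base64 content.
INLINE_PY = re.compile(r"\bpythonw?(?:\.exe)?\b.*\s-c\s", re.I | re.S)
B64_MARK = re.compile(r"base64|b64decode", re.I)


def detect(events):
    """Return (rule_name, event) pairs for events that match one step of the chain."""
    hits = []
    for ev in events:
        eid = ev.get("EventID")
        # Sysmon 7 (image loaded): a DLL pulled in by a PDF reader from a
        # user-writable path is the sideloading step.
        if eid == 7 and "pdf" in ev.get("Image", "").lower() \
                and USER_WRITABLE.search(ev.get("ImageLoaded", "")):
            hits.append(("pdf_reader_dll_sideload", ev))
        # Sysmon 13 (registry value set): a Run key whose data points at a Python
        # interpreter in a user-writable path is the persistence step.
        elif eid == 13 and "\\CurrentVersion\\Run\\" in ev.get("TargetObject", "") \
                and re.search(r"python", ev.get("Details", ""), re.I) \
                and USER_WRITABLE.search(ev.get("Details", "")):
            hits.append(("run_key_python_persistence", ev))
        # Sysmon 1 (process create): python -c with Base64 handling on the command
        # line is the in-memory payload step.
        elif eid == 1 and INLINE_PY.search(ev.get("CommandLine", "")) \
                and B64_MARK.search(ev.get("CommandLine", "")):
            hits.append(("python_inline_base64_exec", ev))
    return hits


# Constructed sample events (not real telemetry); paths and names are placeholders.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Users\alice\AppData\Local\Temp\pdfreader.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\plugin.dll"},
    {"EventID": 7, "Image": r"C:\Program Files\PdfReader\pdfreader.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\alice\AppData\Roaming\py\python.exe C:\Users\alice\AppData\Roaming\py\run.py"},
    {"EventID": 1, "CommandLine": r'''C:\Users\alice\AppData\Roaming\py\python.exe -c "exec(__import__('base64').b64decode('PLACEHOLDER'))"'''},
    {"EventID": 1, "CommandLine": r"C:\Python\python.exe C:\tools\script.py"},
]

if __name__ == "__main__":
    for rule, ev in detect(SAMPLE_EVENTS):
        print(rule, ev.get("Image") or ev.get("TargetObject") or ev.get("CommandLine"))
```

The two benign events (a PDF reader in Program Files loading a System32 DLL, and Python running a script file) produce no hit, which is the false-positive boundary each rule is tuned against.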

The final stage attempts to reach out to attacker-controlled infrastructure, providing persistent remote access to the compromised system and enabling collection and exfiltration of targeted data.

From a SOC perspective, the use of legitimate open-source utilities in combination with phishing via social media messaging reinforces that phishing-based initial access is no longer email-only. These alternative channels can bypass traditional controls and monitoring, increasing compromise likelihood and providing a path into enterprise environments.

ReliaQuest noted that the campaign appears broadly targeted and opportunistic, spanning multiple industries and geographies. “That said, because this activity plays out in direct messages, and social media platforms are typically less monitored than email, it’s difficult to quantify the full scale,” it added.

“This approach allows attackers to bypass detection and scale their operations with minimal effort while maintaining persistent control over compromised systems,” the cybersecurity company said. “Once inside, they can escalate privileges, move laterally across networks, and exfiltrate data.”

LinkedIn has been repeatedly abused as an initial access vector for tailored intrusions. In recent years, multiple North Korean threat actors, including operators associated with the CryptoCore and Contagious Interview campaigns, have targeted victims via LinkedIn by posing as recruiters, then pushing malicious projects as part of supposed technical assessments or code reviews.

In March 2025, Cofense also documented a LinkedIn-branded phishing campaign that used fake LinkedIn InMail notification lures to get users to click “Read More” or “Reply To,” ultimately leading to downloads of ConnectWise remote desktop software that granted full remote control of the victim machine.

“Social media platforms commonly used by businesses represent a gap in most organizations’ security posture,” ReliaQuest said. “Unlike email, where organizations tend to have security monitoring tools, social media private messages lack visibility and security controls, making them an attractive delivery channel for phishing campaigns.”

“Organizations must recognize social media as a critical attack surface for initial access and extend their defenses beyond email-centric controls.”


All Rights Reserved by Jutsu Inc. | 2024