Hackers News

LinkedIn Used to Deliver Remote Access Trojan to Corporations

David Kimber
January 21, 2026

A phishing campaign is currently using LinkedIn, a professional networking platform that employees tend to trust, to deliver a remote access trojan to corporate staff.

Attackers trade on LinkedIn's professional credibility to craft messages that look legitimate, making employees more likely to download and run the files they point to.

The vector matters because LinkedIn messages never pass through the corporate email gateway, so the attachment scanning and other controls that protect the inbox do not apply.

The campaign follows a set sequence. Attackers send LinkedIn messages containing links that download weaponized WinRAR self-extracting (SFX) archives.

The file names are tailored to the recipient's role or industry, such as "UpcomingProducts.pdf" or "ProjectExecutionPlan.exe", giving the target a plausible reason to open what was downloaded.

Once run, the archive drops a mix of legitimate and malicious components that work together to compromise the system.

Because most of what lands on disk is legitimate software, many detection tools see nothing unusual, and the tooling costs the attackers little to assemble.

ReliaQuest analysts identified and investigated the campaign and found that it uses a multi-stage infection chain combining DLL sideloading with an open-source Python script.

Their research showed that the chain executes rapidly, often achieving its objectives within hours.

The threat actors demonstrated a deep understanding of how legitimate software operates, enabling them to hide their malicious code in plain sight.

DLL Sideloading and Persistent Compromise

The infection mechanism employed in this campaign showcases how attackers abuse trusted applications to achieve long-term system control.

When victims extract the archive and launch its contents, they unknowingly start a legitimate PDF reader. The attackers have placed a weaponized Dynamic Link Library (DLL) in the same directory, a technique known as DLL sideloading.

Windows resolves a DLL that the application imports by searching the application's own directory before the system directories, so the attacker's DLL is loaded in place of the legitimate one of the same name.

The malicious code therefore runs inside the process of a legitimate PDF reader, which makes it far less conspicuous to security monitoring that judges activity by the process it comes from.
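To make the loader behaviour concrete, here is an added example (not ReliaQuest's or this article's code) that models the default search order sideloading relies on and flags DLLs sitting next to an executable that would win that search over a same-named system DLL. The file names, the KnownDLLs subset and the directory listings are constructed for the example; the Windows-only helpers read the real KnownDLLs list and System32 on a live host.

```python
import os

# Simplified default search order (SafeDllSearchMode on): a name in the
# KnownDLLs list is mapped from the system section before any directory search;
# otherwise the application directory is consulted before System32. Manifests,
# API sets and the later locations (Windows dir, current dir, PATH) are omitted.
KNOWN_DLLS_SAMPLE = {"kernel32.dll", "user32.dll", "advapi32.dll"}  # constructed subset

def resolve(dll, app_files, system_files, known_dlls=KNOWN_DLLS_SAMPLE):
    """Return where `dll` would load from: 'known', 'app', 'system' or None.
    Name comparison is case-insensitive, as on NTFS."""
    dll = dll.lower()
    if dll in {k.lower() for k in known_dlls}:
        return "known"   # System32 copy wins regardless of the app directory
    if dll in {f.lower() for f in app_files}:
        return "app"     # application directory wins: the sideloading case
    if dll in {f.lower() for f in system_files}:
        return "system"
    return None

def sideload_candidates(app_files, system_files, known_dlls=KNOWN_DLLS_SAMPLE):
    """DLLs shipped next to the executable that shadow a same-named system DLL
    and are not protected by KnownDLLs."""
    system = {f.lower() for f in system_files}
    return sorted(
        f for f in app_files
        if f.lower().endswith(".dll") and f.lower() in system
        and resolve(f, app_files, system_files, known_dlls) == "app"
    )

def known_dlls_from_registry():
    """Windows only: read the real KnownDLLs list from the registry."""
    import winreg
    key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                         r"SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs")
    names, i = set(), 0
    while True:
        try:
            _, data, _ = winreg.EnumValue(key, i)
        except OSError:            # no more values
            return names
        names.add(str(data).lower())
        i += 1

def scan_live(app_dir):
    """Windows only: run the check against a real application directory."""
    system32 = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "System32")
    return sideload_candidates(os.listdir(app_dir), os.listdir(system32),
                               known_dlls_from_registry())

# Constructed directory listings (hypothetical names, not from the campaign).
SAMPLE_APP_FILES = ["PdfReader.exe", "UpcomingProducts.pdf", "version.dll", "kernel32.dll"]
SAMPLE_SYSTEM_FILES = ["version.dll", "kernel32.dll", "user32.dll"]

if __name__ == "__main__":
    for dll in sideload_candidates(SAMPLE_APP_FILES, SAMPLE_SYSTEM_FILES):
        print(f"[!] {dll} beside the executable shadows a system DLL")
    # kernel32.dll beside the executable is not reported: it is a KnownDLL.
```

The hit list is a hunting lead, not a verdict: legitimate applications routinely ship runtime DLLs whose names also exist in System32, so follow up by checking the shadowing DLL's signature and whether it actually exports what the application imports. A name in KnownDLLs is loaded from System32 no matter what sits beside the executable, which is why the sample's kernel32.dll is not flagged.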

After gaining initial execution, the malicious DLL performs critical actions that establish persistence.

The DLL delivers a Python interpreter along with a shellcode-runner script stored as a Base64 string.

The interpreter decodes the string and runs it with Python's exec function, so the script is never written to disk as a file that file-based antivirus scanning could inspect. The interpreter itself and the encoded blob do land on the system, and those are the artifacts defenders should look for.

The attackers then add a value under a registry Run key that embeds the Python code, so the loader executes automatically every time the user logs on.

This persistence turns a single compromised employee into a long-term liability, giving the attackers ongoing access for privilege escalation, lateral movement across the network, and theft of sensitive data.
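The following added example (not the article's or ReliaQuest's code) shows a detection for the persistence pattern described above. It classifies Run-key command lines, flagging those that launch a Python interpreter with inline code that Base64-decodes and exec()s a payload, and decodes the blob to give the analyst a preview of what would run. The sample Run values and the Base64 payload are constructed for the example; the Windows-only helper reads the real Run and RunOnce keys on a live host.

```python
import base64
import binascii
import re

RUN_KEYS = (   # checked under both HKCU and HKLM
    r"Software\Microsoft\Windows\CurrentVersion\Run",
    r"Software\Microsoft\Windows\CurrentVersion\RunOnce",
)

# Indicators for the pattern: an interpreter, inline code (-c) and an
# in-memory loader idiom (exec of a Base64-decoded string).
INTERPRETER = re.compile(r"\bpython(?:w|\d+)?(?:\.exe)?\b", re.I)
INLINE_CODE = re.compile(r"\s-c\s")
LOADER = re.compile(r"exec\s*\(|b64decode|base64", re.I)
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")

def classify(command):
    """Return (suspicious, decoded_preview) for one Run value's command line."""
    if not (INTERPRETER.search(command) and INLINE_CODE.search(command)
            and LOADER.search(command)):
        return False, None
    preview = None
    for blob in B64_BLOB.findall(command):
        try:
            preview = base64.b64decode(blob, validate=True).decode("utf-8", "replace")
            break
        except binascii.Error:     # not valid Base64 (bad length or padding)
            continue
    return True, preview

def scan(run_values):
    """run_values: {value_name: command}. Returns [(name, preview), ...]."""
    hits = []
    for name, command in run_values.items():
        suspicious, preview = classify(command)
        if suspicious:
            hits.append((name, preview))
    return hits

def read_run_keys():
    """Windows only: collect Run/RunOnce values from HKCU and HKLM."""
    import winreg
    values = {}
    for hive, label in ((winreg.HKEY_CURRENT_USER, "HKCU"),
                        (winreg.HKEY_LOCAL_MACHINE, "HKLM")):
        for subkey in RUN_KEYS:
            try:
                key = winreg.OpenKey(hive, subkey)
            except OSError:
                continue
            i = 0
            while True:
                try:
                    name, data, _ = winreg.EnumValue(key, i)
                except OSError:    # no more values
                    break
                values[f"{label}\\{name}"] = str(data)
                i += 1
    return values

# Constructed sample: one benign entry and one matching the described pattern.
PAYLOAD = base64.b64encode(b"print('constructed stand-in for the shellcode runner')").decode()
INLINE = f"import base64;exec(base64.b64decode('{PAYLOAD}'))"
SAMPLE_RUN_VALUES = {
    "OneDrive": r'"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "Updater": r'C:\Users\u\AppData\Local\py\pythonw.exe -c "' + INLINE + '"',
}

if __name__ == "__main__":
    for name, preview in scan(SAMPLE_RUN_VALUES):
        print(f"[!] Run value {name!r} launches Python with inline code; decoded: {preview!r}")
```

The loader regex is deliberately loose so that variations in the inline code still match; a tighter rule pairs exec( with b64decode in the same value. A Python interpreter living in a user-writable directory such as AppData is itself worth alerting on, and the same classification applies to scheduled-task actions and Startup-folder scripts.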

The combination of social engineering, legitimate-looking files and a technically careful infection chain makes this threat particularly hard for organizations to defend against.

Tags: Attack, Exploit, phishing, Security, Threat

David Kimber

David is a penetration tester turned security journalist with expertise in mobile security, IoT vulnerabilities, and exploit development. As an OSCP-certified security professional, David brings hands-on technical experience to his reporting on vulnerabilities and security research. His articles often feature detailed technical analysis of exploits and provide actionable defense recommendations. David maintains an active presence in the security research community and has contributed to multiple open-source security tools.