ReliaQuest Threat Research has identified a new phishing campaign on LinkedIn that tricks professionals into downloading malicious files. Using DLL side-loading, attackers hide viruses inside legitimate PDF readers and Python scripts to bypass security.
Cybersecurity researchers at ReliaQuest have discovered a shift in how hackers are breaking into corporate networks. In a report authored by researcher Emily Jia, it was revealed that attackers are now bypassing email filters and heading straight for LinkedIn private messages to trick high-value employees.
Building Trust to Deploy Trojans
According to the investigation from the ReliaQuest Threat Research unit, this attack doesn’t start with a computer virus, but with a conversation. The hackers spend time talking to people in high-level roles to build a sense of trust. Once the target feels comfortable, the attacker “deceives them into downloading a malicious WinRAR self-extracting archive,” researchers explained in the blog post. A self-extracting archive is essentially a digital folder that unpacks itself when opened.
Most people wouldn’t suspect a file sent through a professional site like LinkedIn. To make the scam even more believable, the hackers use names like “Project_Execution_Plan.exe” or “Upcoming_Products.pdf” to make it look like a routine work document.
However, this isn’t just one file but a bundle that includes four different files, including a real, working PDF reader, a hidden DLL (Dynamic Link Library) file, a portable version of Python, and a decoy RAR file to make everything look legitimate.
Researchers found that the attackers use a method called DLL side-loading, a technique in which a legitimate program is tricked into loading a malicious DLL placed in the same folder as its own executable.
In this case, the PDF reader runs the hacker’s code, which then launches a Python interpreter. Because Python is a legitimate tool used by developers, it often slips past security software. Researchers noted that the campaign uses a “legitimate, open-source Python pen-testing script” to install a Remote Access Trojan (RAT), giving the hacker a secret way to steal data or watch the user’s screen.
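The chain described above leaves a distinctive trace in process telemetry: a Python interpreter started by a non-developer binary, with both running from the same freshly unpacked user-writable folder. The following detection heuristic is an added example (not code from the ReliaQuest report or Hackread) run over constructed Sysmon-style events; the process names, paths and PIDs are invented for illustration.

```python
from pathlib import PureWindowsPath

# Constructed process-creation events (not real telemetry): PIDs, user name,
# folder names and the unnamed "reader.exe" are invented for illustration.
EVENTS = [
    # Self-extracting archive unpacked into Temp; the bundled PDF reader runs first.
    {"pid": 4100, "ppid": 3000,
     "image": r"C:\Users\jdoe\AppData\Local\Temp\Project_Execution_Plan\reader.exe"},
    # The side-loaded DLL inside the reader spawns the bundled portable Python.
    {"pid": 4120, "ppid": 4100,
     "image": r"C:\Users\jdoe\AppData\Local\Temp\Project_Execution_Plan\python\python.exe"},
    # Benign: a developer running the system-wide interpreter.
    {"pid": 5000, "ppid": 1200, "image": r"C:\Program Files\Python312\python.exe"},
    # Benign: an installed PDF reader opening a document.
    {"pid": 5100, "ppid": 1300, "image": r"C:\Program Files\PDFReader\reader.exe"},
]

INTERPRETERS = {"python.exe", "pythonw.exe"}
USER_WRITABLE_MARKERS = ("\\users\\", "\\temp\\", "\\programdata\\")


def in_user_writable(path: str) -> bool:
    """True when the image sits in a location a standard user can write to."""
    return any(marker in path.lower() for marker in USER_WRITABLE_MARKERS)


def is_bundled_with(child_image: str, parent_image: str) -> bool:
    """True when the child binary lives inside the parent's folder tree, i.e. the
    interpreter was shipped alongside the launcher rather than installed."""
    child = PureWindowsPath(child_image.lower())
    parent_dir = PureWindowsPath(parent_image.lower()).parent
    return parent_dir in child.parents


def find_suspicious_chains(events):
    """Flag interpreter launches whose parent is a non-interpreter binary and where
    the interpreter runs from a user-writable folder the launcher brought with it."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        name = PureWindowsPath(e["image"]).name.lower()
        parent = by_pid.get(e["ppid"])
        if name not in INTERPRETERS or parent is None:
            continue
        if PureWindowsPath(parent["image"]).name.lower() in INTERPRETERS:
            continue  # an interpreter spawning another interpreter is routine
        if in_user_writable(e["image"]) and is_bundled_with(e["image"], parent["image"]):
            hits.append({"pid": e["pid"], "launcher": parent["image"], "interpreter": e["image"]})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_chains(EVENTS):
        print(f"pid {hit['pid']}: {hit['launcher']} launched bundled {hit['interpreter']}")
```

The installed interpreter under Program Files is deliberately left alone, which is what makes this rule usable alongside legitimate developer activity.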
A Pattern of Side-Loading Attacks
This LinkedIn campaign is part of a broader trend of hackers manipulating real software. Just last week, Hackread.com reported on two similar threats. The first was the PDFSIDER backdoor, discovered by Resecurity after a Fortune 100 company was targeted using a modified version of PDF24, a popular office app. Around the same time, researchers at Acronis found hackers using news about US-Venezuela tensions to target government groups and deploy LOTUSLITE malware hidden inside a music player.
The Human Element
These attacks are successful because they don’t require fancy or complex code and rely on human curiosity and the use of open-source tools that companies can’t easily block. Social media platforms currently lack the heavy security filters that protect our email inboxes, leaving a blind spot for most businesses.
To stay safe, experts advise constant caution: never download files from someone you’ve only met online, even if their LinkedIn profile looks professional.
“The innovation here is not in the technical execution, but in the social engineering vector employed to deliver the payload. Instead of relying on generic email phishing, these attackers cultivate trust with high-value targets through direct messaging on LinkedIn,” said Jason Soroko, Senior Fellow at Sectigo.
“This personalized approach exploits the professional context of the platform to lower the victim’s guard before persuading them to download the weaponized file. The campaign succeeds by combining a standard technical bypass with a highly targeted manipulation of professional relationships,” Soroko explained.
