LinkedIn Lures and DLL Sideloading: How Hackers Are Turning Social Media Into a RAT Delivery Channel

By Azhar Khan

Cybersecurity researchers are warning of a new phishing campaign that exploits LinkedIn messages to distribute remote access Trojans using a stealthy DLL sideloading technique. The operation reflects a broader shift in attacker behavior, where professional social networks are increasingly abused as trusted delivery channels rather than traditional email.

The campaign blends social engineering, legitimate open source tooling, and trusted binaries to quietly establish long-term access on victim systems. Researchers say the approach significantly reduces detection rates, especially in corporate environments where LinkedIn is widely used and rarely restricted.

How the LinkedIn Phishing Campaign Works

The attack begins with direct messages sent from compromised or convincingly spoofed LinkedIn accounts. These messages often impersonate recruiters, business partners, or technology vendors and reference job opportunities, shared documents, or collaboration requests.

Victims are encouraged to download a file hosted on popular cloud services or code repositories. In several observed cases, the files were presented as interview materials, project briefs, or software updates, lending credibility to the lure.

DLL Sideloading as the Core Infection Technique

Once downloaded, the victim executes what appears to be a legitimate application. Behind the scenes, the executable loads a malicious DLL placed in the same directory, a technique known as DLL sideloading.

The executable itself is often a signed or widely trusted binary, sometimes sourced directly from legitimate open source projects. Because the binary behaves as expected, security tools may not immediately flag the activity, allowing the malicious DLL to run with minimal scrutiny.

Use of Legitimate Open Source Tools

Researchers observed attackers abusing well-known open source tools to blend malicious activity into normal system behavior. These tools are sometimes lightly modified, or simply paired with a malicious DLL, making them difficult to distinguish from legitimate software.

This tactic reduces the need for custom malware and lowers development costs for threat actors. It also complicates attribution, as the tools themselves are commonly used by developers and administrators.

RAT Capabilities and Persistent Access

After successful execution, the malicious DLL deploys a remote access Trojan that connects back to attacker-controlled infrastructure. In observed infections, the RATs supported keystroke logging, file exfiltration, screenshot capture, and command execution.

Persistence is typically achieved through registry modifications, scheduled tasks, or by masquerading as part of the legitimate application’s update mechanism. Some infections remained active for weeks without triggering alerts, according to telemetry shared by researchers.

Why Social Media Is an Attractive Attack Surface

LinkedIn and similar platforms offer attackers direct access to corporate employees, often complete with job titles, responsibilities, and professional interests. This information enables highly targeted and personalized phishing messages.

Unlike email, social media messages are less likely to be scanned by enterprise security gateways. Many organizations also lack visibility into file transfers and links shared through these platforms, creating blind spots attackers are eager to exploit.

Scale and Impact of the Campaign

While exact victim numbers have not been disclosed, researchers estimate that thousands of users across technology, finance, and professional services sectors may have been exposed. Regions most affected include North America, Europe, and parts of Asia where LinkedIn adoption is high.

In several incidents, compromised systems belonged to employees with access to internal networks, raising concerns about follow-on attacks such as lateral movement and data theft.

Defensive Measures and Lessons Learned

Security teams are being urged to treat social media as a first-class attack vector. This includes educating employees about suspicious messages, restricting execution of unsigned DLLs, and monitoring for abnormal DLL load behavior.

Endpoint detection rules that flag trusted binaries loading unexpected libraries can help catch sideloading attempts. Researchers also stress the importance of verifying the source of files shared through professional networking platforms, even when they appear to come from familiar contacts.
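As an added illustration of the detection rule described above (not code from the researchers or the article), the following script applies the sideloading heuristic to Sysmon-style Event ID 7 (Image Loaded) records: a signed executable running outside the Windows or Program Files trees loads an unsigned DLL from its own directory. The sample events are constructed, and the `ProcessSigned` field is an assumed enrichment joined from the process-creation event, not a native Sysmon field.

```python
"""Flag the sideloading pattern from the article: a trusted (signed) binary
loading an unsigned DLL placed next to it in a user-writable directory.
Input records mimic Sysmon Event ID 7; the samples below are constructed."""
from pathlib import PureWindowsPath

# Roots where legitimately installed software lives. A binary executed from
# Downloads, Temp or a similar location is the case the heuristic targets.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\",
                 "c:\\program files (x86)\\")


def in_trusted_root(path: str) -> bool:
    """True when the path sits under one of the system/program roots."""
    return path.lower().startswith(TRUSTED_ROOTS)


def is_sideload_candidate(event: dict) -> bool:
    """True when a signed process loads an unsigned DLL from the same
    non-system directory it is running from."""
    image = PureWindowsPath(event["Image"])
    loaded = PureWindowsPath(event["ImageLoaded"])
    if loaded.suffix.lower() != ".dll":
        return False
    same_dir = str(image.parent).lower() == str(loaded.parent).lower()
    # ProcessSigned is assumed enrichment (not a Sysmon Event 7 field).
    process_signed = event.get("ProcessSigned", "false").lower() == "true"
    dll_signed = event.get("Signed", "false").lower() == "true"
    return (same_dir and process_signed and not dll_signed
            and not in_trusted_root(str(loaded)))


def find_sideloads(events):
    """Return the subset of image-load events matching the heuristic."""
    return [e for e in events if is_sideload_candidate(e)]


# Constructed sample: one sideload, one legitimate plugin, one system DLL.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\alice\Downloads\InterviewKit\viewer.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\InterviewKit\helper.dll",
     "ProcessSigned": "true", "Signed": "false"},
    {"Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\plugin.dll",
     "ProcessSigned": "true", "Signed": "false"},
    {"Image": r"C:\Users\alice\Downloads\InterviewKit\viewer.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "ProcessSigned": "true", "Signed": "true"},
]

if __name__ == "__main__":
    for hit in find_sideloads(SAMPLE_EVENTS):
        print("possible sideload:", hit["Image"], "->", hit["ImageLoaded"])
```

Only the first sample is reported; the unsigned plugin under Program Files and the system DLL load are left alone, which keeps the rule usable as a first-pass alert rather than a noisy one.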

The campaign serves as a reminder that trust is now a weapon. As attackers continue to weaponize everyday platforms like LinkedIn, organizations must adapt their defenses to match how people actually communicate and work.

Azhar Khan
Azhar is a seasoned Cybersecurity Professional with over 8 years of experience in Cybersecurity Research.