LinkedIn Messages Exploited to Deliver RAT Malware via DLL Sideloading
By: Austin Ukpebor - January 20, 2026
Cybersecurity researchers have uncovered a sophisticated phishing campaign that leverages LinkedIn private messages to deliver a Remote Access Trojan (RAT) via DLL sideloading. The attack targets high-value individuals in corporate environments, exploiting the trust and familiarity of professional networking platforms to bypass traditional security defenses.
According to ReliaQuest, attackers initiate contact by posing as recruiters or collaborators on LinkedIn and sending personalized messages that entice victims to download a WinRAR self-extracting archive (SFX). This archive contains a legitimate open-source Python penetration-testing script bundled with a malicious DLL. When executed, the DLL is sideloaded into a trusted application, allowing the RAT to run stealthily without triggering antivirus alerts.
The campaign is notable for its use of multi-stage payload delivery, combining social engineering with technical obfuscation. By embedding the malware within tools commonly used by security professionals, the attackers increase their chances of evading detection and gaining persistent access to enterprise systems.
Hoplon Infosec reports that the RAT deployed in these attacks enables full remote control of infected machines, including file exfiltration, keystroke logging, and lateral movement across networks. The use of LinkedIn as the initial delivery vector marks a shift in attacker tactics, targeting platforms that are widely used in business settings but often overlooked in security monitoring.
Security experts warn that this technique could easily be adapted to other social media platforms and collaboration tools. Organizations are urged to educate employees about the risks of unsolicited messages, enforce strict application whitelisting, and monitor for unusual DLL loading behavior.
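The monitoring advice above can be turned into a concrete hunt. The following is an added example, not code from the article or from ReliaQuest or Hoplon Infosec: it walks Sysmon-style Event ID 7 (Image Loaded) records and flags the pattern the campaign relies on, a validly signed process loading an unsigned (or invalid-signature) DLL from a user-writable directory such as Downloads, Temp or AppData, which is where a self-extracting archive would drop its contents. The pipe-delimited line format, the `ProcessSignatureStatus` field (in practice obtained by joining the process's Event ID 1 record) and all sample records are constructed for the example.

```python
"""Flag candidate DLL sideloading in image-load telemetry.

Added example, not from the article or the vendors it cites. Heuristic:
a DLL that (1) lives under a user-writable path, (2) is unsigned or has
an invalid signature, and (3) is loaded by a process whose own image is
validly signed. The record format and ProcessSignatureStatus field are
assumptions for this example.
"""
import re
from typing import Iterable, List, Optional, Tuple

# Directories a standard user can write to: where a phishing-delivered
# archive (e.g. a WinRAR SFX) would unpack its "tool" plus malicious DLL.
USER_WRITABLE = re.compile(
    r"^c:\\(users\\[^\\]+\\(downloads|desktop|appdata)|temp|windows\\temp)\\",
    re.IGNORECASE,
)


def parse_event(line: str) -> dict:
    """Parse one 'key=value|key=value' record (constructed export format)."""
    fields = {}
    for part in line.strip().split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def is_sideload_candidate(event: dict) -> Optional[str]:
    """Return a reason string if the load looks like sideloading, else None."""
    dll = event.get("ImageLoaded", "")
    if not dll.lower().endswith(".dll"):
        return None
    if not USER_WRITABLE.match(dll):
        return None                      # system/program dirs: out of scope here
    if event.get("SignatureStatus", "").lower() == "valid":
        return None                      # properly signed DLL, low suspicion
    if event.get("ProcessSignatureStatus", "").lower() != "valid":
        return None                      # unsigned loader: different rule
    return (f"signed process {event.get('Image')} loaded unsigned/invalid DLL "
            f"{dll} from a user-writable path")


def find_sideload_candidates(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (ImageLoaded, reason) for every record that matches the heuristic."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        event = parse_event(line)
        reason = is_sideload_candidate(event)
        if reason:
            hits.append((event["ImageLoaded"], reason))
    return hits


# Constructed sample records (not real telemetry). Only the second one
# should fire: a signed tool loading an unsigned helper.dll from Downloads.
SAMPLE_LOG = """
Image=C:\\Windows\\System32\\svchost.exe|ImageLoaded=C:\\Windows\\System32\\kernel32.dll|SignatureStatus=Valid|ProcessSignatureStatus=Valid
Image=C:\\Users\\alice\\Downloads\\kit\\tool.exe|ImageLoaded=C:\\Users\\alice\\Downloads\\kit\\helper.dll|SignatureStatus=Unavailable|ProcessSignatureStatus=Valid
Image=C:\\Users\\alice\\AppData\\Local\\App\\app.exe|ImageLoaded=C:\\Users\\alice\\AppData\\Local\\App\\lib.dll|SignatureStatus=Valid|ProcessSignatureStatus=Valid
Image=C:\\Users\\alice\\Downloads\\build\\dev.exe|ImageLoaded=C:\\Users\\alice\\Downloads\\build\\dev.dll|SignatureStatus=Unavailable|ProcessSignatureStatus=Unavailable
"""

if __name__ == "__main__":
    for path, reason in find_sideload_candidates(SAMPLE_LOG.splitlines()):
        print(f"ALERT {path}: {reason}")
```

The third and fourth sample records show the two deliberate exclusions: a signed DLL in AppData is ordinary for per-user installers, and an unsigned loader with an unsigned DLL is a developer build or a different detection, not the "trusted application loads attacker DLL" pattern. Tune `USER_WRITABLE` to your own environment's baseline before relying on this in production.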
As attackers continue to blend social engineering with advanced malware delivery methods, defending against these threats requires a combination of user awareness, endpoint visibility, and proactive threat hunting.