Cybersecurity researchers have spotted a new phishing campaign that exploits private messages on social media platforms to distribute malicious payloads and ultimately a remote access trojan. According to a report from ReliaQuest, the attackers leverage weaponized files delivered through Dynamic Link Library (DLL) sideloading in combination with a legitimate open-source Python penetration testing script.
The campaign targets high-value individuals on LinkedIn, where threat actors initiate conversations to build trust before tricking victims into downloading a malicious WinRAR self-extracting archive. When executed, the archive installs a mix of legitimate and malicious components, including a genuine PDF reader application, a rogue DLL designed to be sideloaded by the reader, a Python interpreter, and a decoy file.
The infection chain is triggered when the PDF reader is launched, causing the malicious DLL to load alongside it. DLL sideloading allows malware to hide within legitimate processes and evade security detection. Over the past week alone, multiple campaigns have been observed using similar tactics to deliver malware families such as LOTUSLITE and PDFSIDER, as well as other trojans and information stealers.
In the observed campaign, the sideloaded DLL drops the Python interpreter onto the system and establishes persistence by creating a Windows Registry Run key, ensuring execution at every login. The interpreter then runs Base64-encoded shellcode entirely in memory, minimizing forensic traces. The final stage attempts to connect to an external command-and-control (C&C) server, allowing attackers to maintain remote access and steal sensitive data from infected systems.
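From a detection standpoint, the value of this chain is that its four stages (unsigned DLL sideloaded from a user-writable folder, a Run key pointing at a Python interpreter, a Python child process decoding Base64 in memory, and an outbound connection from that process) can be correlated on one host. The following is an added example of such a correlation and is not code from ReliaQuest's report; the Sysmon-style events, paths, PIDs, key names and addresses are constructed for illustration.

```python
"""Correlate constructed Sysmon-style telemetry into the four stages above
(sideload -> Run key -> in-memory Python -> C2). All values are made up."""
import ntpath
import re
from collections import defaultdict

USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|Users\\Public)\\", re.I)
RUN_KEY = re.compile(r"\\currentversion\\run(\\|$)", re.I)
PY_EXE = re.compile(r"python\w*\.exe", re.I)
PY_LOADER = re.compile(r"b64decode|base64", re.I)

EVENTS = [  # one constructed malicious chain plus one benign signed viewer
    {"type": "image_load", "pid": 4201, "signed": False,
     "image": r"C:\Users\u\AppData\Local\Temp\Reader\reader.exe",
     "loaded": r"C:\Users\u\AppData\Local\Temp\Reader\plugin.dll"},
    {"type": "registry_set", "pid": 4201,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "value": r"C:\Users\u\AppData\Local\Temp\Reader\python.exe -c ..."},
    {"type": "process_create", "pid": 5120, "ppid": 4201,
     "image": r"C:\Users\u\AppData\Local\Temp\Reader\python.exe",
     "cmdline": "python.exe -c \"import base64;exec(base64.b64decode('...'))\""},
    {"type": "network", "pid": 5120, "dest": "203.0.113.10:443"},
    {"type": "image_load", "pid": 900, "signed": True, "image": r"C:\Program Files\Viewer\viewer.exe",
     "loaded": r"C:\Program Files\Viewer\plugin.dll"},
    {"type": "network", "pid": 900, "dest": "198.51.100.7:443"},
]

def detect_chain(events):
    """Return {stage: {pid, ...}}; later stages only fire for PIDs already tied
    to an earlier one, so a lone Python process or Run key does not alert."""
    findings, suspect = defaultdict(set), set()
    for ev in events:
        t = ev["type"]
        if t == "image_load":
            same_dir = ntpath.dirname(ev["image"]).lower() == ntpath.dirname(ev["loaded"]).lower()
            # Sideload candidate: unsigned DLL beside the host EXE in a user-writable folder
            if not ev["signed"] and same_dir and USER_WRITABLE.search(ev["loaded"]):
                findings["sideload"].add(ev["pid"]); suspect.add(ev["pid"])
        elif t == "registry_set" and RUN_KEY.search(ev["key"]) and PY_EXE.search(ev["value"]):
            findings["persistence"].add(ev["pid"]); suspect.add(ev["pid"])
        elif t == "process_create" and ev["ppid"] in suspect:
            if PY_EXE.search(ntpath.basename(ev["image"])) and PY_LOADER.search(ev["cmdline"]):
                findings["inmem_loader"].add(ev["pid"]); suspect.add(ev["pid"])
        elif t == "network" and ev["pid"] in suspect:
            findings["c2_attempt"].add(ev["pid"])
    return dict(findings)
```

Run against the constructed events, `detect_chain` ties PIDs 4201 and 5120 to all four stages while the signed viewer's network activity produces no finding.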