LinkedIn Phishing Abuses DLL Sideloading for Persistent Access 

A LinkedIn phishing campaign uses DLL sideloading to gain stealthy, persistent access.

Written By Ken Underhill, Jan 21, 2026

Threat actors are increasingly using LinkedIn messages — not just email — to trick employees into running malware. 

ReliaQuest researchers recently analyzed a campaign that shows how quickly social media phishing can escalate into full endpoint compromise.

The attack uses a weaponized download delivered through LinkedIn private messages, then blends malicious execution into legitimate software to quietly establish persistence.

This campaign “… allows attackers to bypass detection and scale their operations with minimal effort while maintaining persistent control over compromised systems,” said the researchers.

How the LinkedIn Phishing Attack Works

Researchers found the campaign begins with a LinkedIn phishing message that directs targets to download a malicious WinRAR self-extracting archive (SFX). 

To increase the chance of execution, attackers make the file appear work-related by giving it a role-specific name, such as product documentation, a project plan, or a PDF-themed lure that feels routine in corporate workflows.

Once opened, the archive drops several coordinated components onto the device. 

These include a legitimate PDF reader application, a malicious DLL disguised as a normal program dependency, a portable Python interpreter, and a decoy RAR file meant to make the folder contents look benign.

The campaign’s key execution trick is DLL sideloading, which abuses the default Windows DLL search order: the loader looks in the directory the application was started from before it looks in the system directories, so a malicious DLL placed beside a trusted executable and named after a library that executable imports is picked up in place of the real one.

When the victim launches the legitimate PDF reader, it resolves that import from its own folder, and the attacker’s DLL runs inside a process that looks entirely legitimate to the user and to most tooling.

Because the malicious code executes under a trusted process name, it is less likely to be flagged, and the mix of legitimate and malicious components in one folder makes the resulting investigation harder to untangle.
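The detection logic a SOC would want for this stage, written here as an added example rather than anything taken from the ReliaQuest report or the article: it walks constructed Sysmon Event ID 7 (ImageLoad) records and flags a DLL that carries the name of a Windows library but was resolved outside the system directories, or an unsigned DLL loaded from a user-writable folder. The directory lists, the short list of commonly sideloaded DLL names, and every sample path are assumptions for illustration.

```python
"""Flag DLL sideloading candidates in Sysmon Event ID 7 (ImageLoad) records.

Added example; the events, directory lists and DLL names below are constructed
for illustration, not telemetry or indicators from the ReliaQuest report.
"""
import ntpath
from dataclasses import dataclass, field

# Locations a standard user can write to (assumed, non-exhaustive).
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\temp\\", "c:\\windows\\temp\\")
# Where Windows keeps its own libraries.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\")
# Library names that ship with Windows and that many applications import, which
# makes them frequent sideloading targets (assumed short list; extend as needed).
KNOWN_SYSTEM_DLLS = {"version.dll", "cryptbase.dll", "dwmapi.dll", "wtsapi32.dll",
                     "userenv.dll", "profapi.dll", "uxtheme.dll"}


@dataclass
class ImageLoad:
    image: str             # Sysmon "Image": the process that performed the load
    image_loaded: str      # Sysmon "ImageLoaded": full path of the DLL
    signed: bool           # Sysmon "Signed"
    signature_status: str  # Sysmon "SignatureStatus", "Valid" when the signature checks out
    reasons: list = field(default_factory=list)


def _under(path, prefixes):
    return any(path.startswith(p) for p in prefixes)


def analyze(ev):
    """Return True when the load looks like sideloading; ev.reasons explains why."""
    ev.reasons = []
    dll = ev.image_loaded.lower()
    name = ntpath.basename(dll)
    dll_dir = ntpath.dirname(dll) + "\\"
    proc_dir = ntpath.dirname(ev.image.lower()) + "\\"

    hijack = name in KNOWN_SYSTEM_DLLS and not _under(dll, SYSTEM_DIRS)
    if hijack:
        ev.reasons.append(f"{name} is a Windows library but was loaded from {dll_dir}")
    writable = _under(dll, USER_WRITABLE)
    if writable:
        ev.reasons.append("library loaded from a user-writable directory")
    unsigned = not ev.signed or ev.signature_status.lower() != "valid"
    if unsigned:
        ev.reasons.append("library is unsigned or its signature is invalid")
    if writable and dll_dir == proc_dir:
        ev.reasons.append("library sits beside the executable that loaded it")
    # A Windows library name resolved outside the system directories is always worth
    # a look. Otherwise require both a user-writable origin and a missing or invalid
    # signature, so signed per-user installs do not fire on every launch.
    return hijack or (writable and unsigned)


def scan(events):
    """Paths of every loaded library that analyze() flags, in event order."""
    return [ev.image_loaded for ev in events if analyze(ev)]


# Constructed sample events shaped like the campaign: a legitimate PDF reader
# dropped into Downloads next to a malicious version.dll.
SAMPLE = [
    ImageLoad(r"C:\Users\alice\Downloads\Project_Plan\PDFReader.exe",
              r"C:\Users\alice\Downloads\Project_Plan\version.dll", False, "Unavailable"),
    ImageLoad(r"C:\Users\alice\Downloads\Project_Plan\PDFReader.exe",
              r"C:\Windows\System32\kernel32.dll", True, "Valid"),
    ImageLoad(r"C:\Users\alice\AppData\Local\Vendor\App.exe",
              r"C:\Users\alice\AppData\Local\Vendor\libvendor.dll", True, "Valid"),
    ImageLoad(r"C:\Program Files\Vendor\Viewer.exe",
              r"C:\Program Files\Vendor\viewer_core.dll", True, "Valid"),
    ImageLoad(r"C:\Windows\System32\notepad.exe",
              r"C:\Users\alice\AppData\Local\Temp\helper.dll", False, "Unavailable"),
]

if __name__ == "__main__":
    for ev in SAMPLE:
        verdict = "ALERT" if analyze(ev) else "ok   "
        print(verdict, ev.image_loaded, *ev.reasons, sep=" | ")
```

The two-rule split is deliberate: a per-user install such as a self-updating chat client loads its own signed DLLs from AppData on every launch and should stay quiet, while a Windows library name resolving from Downloads is rare enough to alert on alone. Feed the same logic your EDR's image-load events (or Sysmon Event ID 7 forwarded to a SIEM) and tune the directory and DLL lists to your estate.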

After the DLL runs, ReliaQuest observed it establishing persistence by installing the portable Python interpreter and creating a registry Run key so Python automatically executes at each login. 

From there, Python launches a Base64-encoded open-source shellcode runner, which is decoded and executed directly in memory. 

The researchers also reported command-and-control (C2) behavior consistent with RAT-style activity, suggesting the final payload is designed to provide persistent access, support data theft, and enable lateral movement across the environment.


Mitigations for Social Media–Based Attacks

Defending against social media–driven phishing requires more than just inbox protections. 

Because these campaigns blend trusted platforms, legitimate tools, and stealthy execution techniques, organizations need layered controls that address both user behavior and endpoint visibility.

  • Train employees to treat social media DMs like email and verify unexpected files, links, or job-related attachments before downloading or opening them.
  • Restrict execution of downloads and self-extracting archives (including WinRAR SFX) with application control and policies that block running files from user-writable folders.
  • Limit Python to approved users and monitor for portable interpreters, Base64-encoded script execution, and other unusual in-memory behaviors.
  • Detect and investigate DLL sideloading by alerting on trusted apps loading unexpected DLLs from nonstandard or user-controlled directories.
  • Strengthen endpoint security with hardening controls that reduce risky execution paths and add protections for internet-downloaded files.
  • Improve reporting and response speed by making it easy to report suspicious social messages and routing alerts directly to the SOC for triage.
  • Regularly test incident response plans with simulations to validate containment steps, escalation paths, and recovery time expectations.

Implementing these defenses makes social media-based attacks harder to execute successfully.


Social Media Phishing Is Growing

As social platforms become more embedded in day-to-day business workflows, attackers will keep exploiting the trust and access they provide. 

This risk grows when messaging channels bypass the visibility and controls organizations have built around email.

Campaigns like this show how easily a routine download can escalate into stealthy persistence, remote access, and broader compromise when attackers abuse trusted tools and legitimate applications. 

That shift is driving more organizations toward zero-trust solutions that assume no channel or user is inherently safe. 


Ken Underhill is an award-winning cybersecurity professional, bestselling author, and seasoned IT professional. He holds a graduate degree in cybersecurity and information assurance from Western Governors University and brings years of hands-on experience to the field.
