ReliaQuest has investigated a phishing campaign that exploited private messages in social media to deliver weaponized files via DLL sideloading, as well as a legitimate, open-source Python pen-testing script. The company says the aim was more than likely to deploy a remote access trojan (RAT).
This approach enables bad actors to bypass detection and scale their operations with little effort while maintaining persistent control over compromised systems. Once inside, malefactors can escalate privileges, move laterally across networks, and steal data.
In the report, ReliaQuest threat intelligence analyst Emily Jia discussed an unusual tactic at the heart of this campaign: the execution of an open-source Python penetration-testing script that the company has not seen in similar attacks.
What makes this particularly worrying is its strategic use of social media’s credibility, as well as the weaponization of legitimate open-source tools, a combination that lowers the technical barrier for bad actors and increases their chance of success.
The Anatomy of the Attack
According to ReliaQuest, attackers abused LinkedIn’s professional context to establish trust and familiarity, increasing their chances of success by targeting high-value people in corporate environments. However, the same tactic could be applied on any social media platform that is reachable from business devices.
The attack starts with a phishing message sent via LinkedIn that contains a link to download a malicious WinRAR self-extracting archive (SFX).
Once executed, the archive extracts:
- A legitimate open-source PDF reader application.
- A malicious DLL file, disguised to share the same name as a benign file used by the PDF reader.
- A portable executable (PE) of the Python interpreter.
- A RAR file (likely acting as a decoy, a common tactic in DLL sideloading to make the folder appear genuine).
The file names are carefully tailored to align with the receiver’s role or industry, such as “Upcoming_Products.pdf” or “Project_Execution_Plan.exe,” which builds credibility and makes the target more likely to interact with the file.
Execution via DLL Sideloading
Once the target launches the extracted PDF reader, the malicious DLL is loaded via DLL sideloading, a technique in which adversaries place a malicious DLL in the same directory as a legitimate application in order to evade detection.
The PDF reader looks for DLL files in its own directory before checking the system directory, so the threat actor’s DLL is loaded and executed inside the PDF reader’s trusted process. This evades endpoint detection and hides malicious intent behind a legitimate process.
Exploiting trusted applications blurs the line between legitimate and spurious activity and increases the chance of prolonged compromise.
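The search-order behaviour described above is also what makes sideloading detectable: a DLL that a known application normally loads from a system or vendor directory suddenly appears beside an EXE in a user-writable folder such as Downloads. The following script is an added example, not code from ReliaQuest or the article, that applies two such checks to module-load telemetry of the kind Sysmon Event ID 7 or an EDR produces. The baseline of expected DLL locations, the DLL names (pdfcore.dll, sysutil.dll, helper.dll) and the sample events are all constructed for the example.

```python
"""Flag module loads that look like DLL sideloading.

Input is a list of module-load events (process image, DLL path, signature
status). All events, paths and the baseline below are constructed for this
example; a real deployment would build the baseline from a golden image.
"""
from __future__ import annotations

import ntpath
from dataclasses import dataclass

# Constructed baseline: DLL names the PDF reader legitimately loads and the
# directory each is expected to come from (hypothetical names).
EXPECTED_DLL_DIR = {
    "sysutil.dll": r"c:\windows\system32",
    "pdfcore.dll": r"c:\program files\examplepdf",
}

# Directory fragments an ordinary user can write to; an administrator-installed,
# signed product does not normally run from these.
USER_WRITABLE_HINTS = ("\\downloads\\", "\\appdata\\local\\temp\\", "\\desktop\\")


@dataclass(frozen=True)
class ModuleLoad:
    process_image: str   # full path of the process that loaded the module
    module_path: str     # full path of the DLL that was mapped
    signed: bool         # whether the DLL carries a valid, trusted signature


@dataclass(frozen=True)
class Finding:
    module_path: str
    reason: str


def _norm(path: str) -> str:
    """Lower-case and use backslashes so Windows paths compare reliably."""
    return path.replace("/", "\\").lower()


def is_user_writable(path: str) -> bool:
    p = _norm(path)
    return p.startswith("c:\\users\\") and any(h in p for h in USER_WRITABLE_HINTS)


def find_sideload_candidates(events: list[ModuleLoad]) -> list[Finding]:
    findings: list[Finding] = []
    for ev in events:
        mod = _norm(ev.module_path)
        mod_dir, mod_name = ntpath.dirname(mod), ntpath.basename(mod)
        proc_dir = ntpath.dirname(_norm(ev.process_image))

        # Rule 1: a DLL we know by name was loaded from somewhere other than
        # where the baseline says it lives. The application directory wins the
        # search order, so a same-named DLL beside the EXE is the classic sideload.
        expected = EXPECTED_DLL_DIR.get(mod_name)
        if expected is not None and mod_dir != expected:
            findings.append(Finding(
                ev.module_path, f"{mod_name} loaded from {mod_dir}, expected {expected}"))
            continue

        # Rule 2: an unsigned DLL loaded from the process's own directory, where
        # that directory is user-writable (e.g. an archive extracted into Downloads).
        if mod_dir == proc_dir and is_user_writable(mod_dir) and not ev.signed:
            findings.append(Finding(
                ev.module_path,
                f"unsigned {mod_name} loaded from user-writable application directory {mod_dir}"))
    return findings


# Constructed sample telemetry: a reader launched from an extracted archive,
# plus the same reader loading the same DLL from a proper install.
SAMPLE_EVENTS = [
    ModuleLoad(r"C:\Users\alice\Downloads\Upcoming_Products\reader.exe",
               r"C:\Users\alice\Downloads\Upcoming_Products\pdfcore.dll", signed=False),
    ModuleLoad(r"C:\Users\alice\Downloads\Upcoming_Products\reader.exe",
               r"C:\Windows\System32\kernel32.dll", signed=True),
    ModuleLoad(r"C:\Users\alice\Downloads\Upcoming_Products\reader.exe",
               r"C:\Users\alice\Downloads\Upcoming_Products\helper.dll", signed=False),
    ModuleLoad(r"C:\Program Files\ExamplePDF\reader.exe",
               r"C:\Program Files\ExamplePDF\pdfcore.dll", signed=True),
]

if __name__ == "__main__":
    for f in find_sideload_candidates(SAMPLE_EVENTS):
        print(f"[sideload?] {f.reason}")
```

Run against the sample events, the first rule fires on pdfcore.dll (known name, wrong directory) and the second on helper.dll (unsigned, loaded from the reader’s own folder under Downloads); the properly installed copy and the system DLL are not reported. Rule 1 is the higher-confidence signal, which is why it is checked first.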
Persistence and C2
After execution, the malicious DLL drops the Python interpreter onto the system, and then creates a persistent registry Run key with embedded Python code, making sure the interpreter runs automatically on every login.
The Python interpreter then executes an open-source shellcode runner script that is stored Base64-encoded. The script is decoded in memory and run with Python’s exec() function, so no disk-based artifacts are created and traditional antivirus tools are bypassed; it then allocates memory, injects the final payload, and executes it.
Command-and-control (C2) activity observed during ReliaQuest’s analysis showed frequent attempts to contact a C2 server, behaviour typical of RATs and an indication that one was likely deployed.
Analysts said this would give bad actors persistent access to the compromised system, and they’d be able to exfiltrate data, escalate privileges, and move laterally within the network.
These tactics would allow attackers to quietly prepare for further malicious actions, which could lead to severe consequences, like intellectual property theft, data breaches, operational disruption, and reputational damage.
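The persistence mechanism described above leaves a concrete artifact to inspect: a Run key value that launches an interpreter with code passed inline and an exec() of a Base64-decoded blob. The following script is an added example, not code from ReliaQuest or the article, that triages such autorun values and decodes any embedded Base64 literal so an analyst can read it without running it. The Run values, paths and the (harmless) encoded string are constructed; on a real host the values would be read from HKCU\Software\Microsoft\Windows\CurrentVersion\Run with the winreg module.

```python
"""Triage autorun (Run key) entries that launch a Python interpreter with inline code.

Nothing here is executed: an embedded base64 literal is only decoded so an
analyst can read it. All sample values below are constructed.
"""
from __future__ import annotations

import base64
import binascii
import re
from dataclasses import dataclass, field
from typing import Optional

# Interpreter executables to watch for; extend the pattern for other engines.
INTERPRETER_RE = re.compile(r"(?i)\bpythonw?(?:\d+(?:\.\d+)?)?\.exe\b")
INLINE_CODE_RE = re.compile(r"(?i)\s-c\s")                       # code passed on the command line
B64_DECODE_RE = re.compile(r"(?i)b64decode\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")
EXEC_RE = re.compile(r"(?i)\bexec\s*\(")


@dataclass
class RunKeyFinding:
    value_name: str
    reasons: list[str] = field(default_factory=list)
    decoded_code: Optional[str] = None
    severity: str = "low"


def extract_embedded_python(command: str) -> Optional[str]:
    """Return the plaintext of a base64 literal passed to b64decode(), if any.

    Invalid base64 is treated as 'nothing recoverable' rather than an error.
    """
    m = B64_DECODE_RE.search(command)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None


def audit_run_value(name: str, command: str) -> Optional[RunKeyFinding]:
    """Classify one Run value; returns None if it does not launch a Python interpreter."""
    if not INTERPRETER_RE.search(command):
        return None
    f = RunKeyFinding(name)
    f.reasons.append("autorun launches a Python interpreter")
    if INLINE_CODE_RE.search(command):
        f.reasons.append("code is passed inline with -c rather than as a script file")
        f.severity = "medium"
    if EXEC_RE.search(command) and B64_DECODE_RE.search(command):
        f.reasons.append("exec() of a base64-decoded blob (in-memory stage, no script on disk)")
        f.decoded_code = extract_embedded_python(command)
        f.severity = "high"
    return f


def audit_run_keys(values: dict[str, str]) -> list[RunKeyFinding]:
    return [f for n, c in values.items() if (f := audit_run_value(n, c)) is not None]


# Constructed Run values. The base64 literal decodes to print('hello').
SAMPLE_RUN_VALUES = {
    "VendorTray": r'"C:\Program Files\ExampleVendor\tray.exe" /minimized',
    "SyncJob": r'"C:\Python311\python.exe" C:\tools\sync.py',
    "PdfHelper": (r'"C:\Users\alice\AppData\Local\Temp\python.exe" -c '
                  "\"import base64;exec(base64.b64decode('cHJpbnQoJ2hlbGxvJyk='))\""),
}

if __name__ == "__main__":
    for f in audit_run_keys(SAMPLE_RUN_VALUES):
        print(f"[{f.severity}] {f.value_name}: {'; '.join(f.reasons)}")
        if f.decoded_code is not None:
            print("    decoded:", f.decoded_code)
```

The sanctioned SyncJob entry is still reported, at low severity, because any interpreter in an autorun location is worth knowing about; the PdfHelper entry is rated high because it combines an interpreter in a temp directory, inline code and an in-memory exec() of decoded data, which is the pattern the report describes.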
Lowering the Barrier to Cybercrime
ReliaQuest says the campaign is an example of how cybercrooks can carry out effective campaigns with few resources by exploiting legitimate tools. “In this campaign, attackers used WinRAR and Python, but similar tactics could extend to other widely used tools, such as PowerShell. These tools are integral to daily operations, making it impractical for organizations to block them entirely.”
The company says this shines a light on the ongoing challenge of distinguishing between legitimate activity and malicious behavior, leaving businesses vulnerable to similar attacks.
Also, as businesses depend on social media platforms for business and marketing, these channels fuel new attack surfaces.
“The broader lesson is that organizations must adopt holistic strategies that address both technical vulnerabilities and human factors,” ReliaQuest said.
Steps to Take
ReliaQuest says limited visibility into private social media messages makes defense-in-depth essential to prevent RAT delivery via phishing. Businesses should implement social media-specific security awareness training, treat downloads from these platforms with the same caution as email, and reinforce clear reporting and verification processes.
Controls on corporate devices should limit or monitor file downloads and execution from social platforms, particularly when files are moved into execution-prone locations.
Finally, restrict Python usage to sanctioned users only, using application controls and endpoint monitoring to detect or block unauthorized interpreters and suspicious Python activity.
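The two controls above (monitor execution from download locations; restrict interpreters to sanctioned users and installs) can be expressed as a policy evaluated over process-creation events such as Sysmon Event ID 1. The following script is an added example, not code from ReliaQuest or the article. The policy values (sanctioned users and install directories), the account names and the events are placeholders constructed for the example; the third event mirrors the chain in the report, where a reader running from Downloads spawns a Python interpreter dropped into a temp directory.

```python
"""Evaluate process-creation events against an interpreter-use policy.

Event fields mirror what Sysmon Event ID 1 or an EDR records. Users, paths
and events are constructed; the policy sets are placeholders an organization
would fill from its own inventory.
"""
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass

# Placeholder policy: who may run Python, and from which installed locations.
SANCTIONED_PYTHON_USERS = {"corp\\dev.bob", "corp\\svc_build"}
SANCTIONED_PYTHON_DIRS = {r"c:\python311", r"c:\program files\python311"}
USER_WRITABLE_HINTS = ("\\downloads\\", "\\appdata\\local\\temp\\", "\\desktop\\")
PYTHON_RE = re.compile(r"(?i)^pythonw?(?:\d+(?:\.\d+)?)?\.exe$")


@dataclass(frozen=True)
class ProcessEvent:
    user: str
    image: str          # full path of the new process
    parent_image: str   # full path of the process that created it
    command_line: str


@dataclass(frozen=True)
class Verdict:
    action: str              # "allow", "alert" or "block"
    reasons: tuple[str, ...]


def _norm(path: str) -> str:
    return path.replace("/", "\\").lower()


def is_user_writable(path: str) -> bool:
    p = _norm(path)
    return p.startswith("c:\\users\\") and any(h in p for h in USER_WRITABLE_HINTS)


def evaluate(ev: ProcessEvent) -> Verdict:
    image = _norm(ev.image)
    image_dir, image_name = ntpath.dirname(image), ntpath.basename(image)
    reasons: list[str] = []
    action = "allow"

    if PYTHON_RE.match(image_name):
        # Application control: the interpreter must be an approved install run by an approved user.
        if image_dir not in SANCTIONED_PYTHON_DIRS:
            reasons.append(f"python interpreter outside sanctioned install dirs: {image_dir}")
        if ev.user.lower() not in SANCTIONED_PYTHON_USERS:
            reasons.append(f"user {ev.user} is not sanctioned to run python")
        if is_user_writable(ev.parent_image):
            # A process running out of Downloads spawning an interpreter is the chain in the report.
            parent_dir = ntpath.dirname(_norm(ev.parent_image))
            reasons.append(f"interpreter spawned by a process running from {parent_dir}")
        if reasons:
            action = "block"
    elif is_user_writable(image_dir):
        # Any executable launched straight from a download location deserves a look.
        reasons.append(f"execution from user-writable location: {image_dir}")
        action = "alert"

    return Verdict(action, tuple(reasons))


def evaluate_all(events: list[ProcessEvent]) -> list[Verdict]:
    return [evaluate(ev) for ev in events]


# Constructed sample events.
SAMPLE_EVENTS = [
    ProcessEvent("CORP\\alice", r"C:\Users\alice\Downloads\Upcoming_Products\reader.exe",
                 r"C:\Windows\explorer.exe", "reader.exe Upcoming_Products.pdf"),
    ProcessEvent("CORP\\alice", r"C:\Users\alice\AppData\Local\Temp\python.exe",
                 r"C:\Users\alice\Downloads\Upcoming_Products\reader.exe", "python.exe -c ..."),
    ProcessEvent("CORP\\dev.bob", r"C:\Python311\python.exe",
                 r"C:\Windows\System32\cmd.exe", "python.exe build.py"),
    ProcessEvent("CORP\\alice", r"C:\Python311\python.exe",
                 r"C:\Windows\System32\cmd.exe", "python.exe notes.py"),
]

if __name__ == "__main__":
    for ev, v in zip(SAMPLE_EVENTS, evaluate_all(SAMPLE_EVENTS)):
        print(f"{v.action:5} {ev.image}" + ("".join(f"\n      - {r}" for r in v.reasons)))
```

On the sample data the reader launched from Downloads produces an alert, the interpreter it spawns from a temp directory is blocked on three separate grounds, the sanctioned developer is allowed, and an unsanctioned user running the approved install is blocked on the user rule alone. Which rule fired is kept in the verdict so the response can be tuned per rule rather than per event.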
A Cat-and-Mouse Game
Sean Malone, Chief Information Security Officer at BeyondTrust, says the sideloading technique is not new. “It avoids having malicious binaries on the disk, since the Python interpreter binary will correctly be classified as benign. That said, it’s not quite as subtle as techniques that are fully living-off-the-land, since it does require an additional binary that is likely to not be present by default on most user systems.”
He said the use of social media to spread malware is a constant cat-and-mouse game. “There’s a lot of untapped potential for an adversary there. Each of the social media platforms is understandably motivated to curtail such behavior; however, it’s a challenging problem to solve.”
Cultivating Trust With High-Value Targets
The innovation here is not in the technical execution, but in the social engineering vector employed to deliver the payload, adds Jason Soroko, Senior Fellow at Sectigo.
“Instead of relying on generic email phishing, these attackers cultivate trust with high-value targets through direct messaging on LinkedIn. This personalized approach exploits the professional context of the platform to lower the victim’s guard before persuading them to download the weaponized file. The campaign succeeds by combining a standard technical bypass with a highly targeted manipulation of professional relationships.”
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.