ReliaQuest Threat Research recently published a threat spotlight describing a phishing campaign that starts in social media private messages (LinkedIn) and ends with DLL side-loading + a legitimate open-source Python pen-testing script that likely enables remote access trojan (RAT) deployment.

For CISOs and IT specialists, the message is clear: phishing is no longer “an email problem.” Social platforms have become high-trust channels with low enterprise visibility, and attackers are exploiting that blind spot to gain footholds on corporate endpoints—often with tools that look “normal” to security controls.

Executive Summary (What’s new and why it matters)

This campaign combines three tactics that individually are already well-known—but together create a highly scalable, stealthy intrusion chain:

1. Social-media spearphishing via private messages (bypasses email gateways and most security controls)
2. DLL side-loading using a legitimate PDF reader process (malicious code runs under a trusted parent)
3. Portable Python interpreter + open-source shellcode runner executed in memory (reduced disk artifacts, harder static detection)

Once attackers establish persistence and command-and-control (C2), the likely goal is to deploy a RAT-enabling privilege escalation, lateral movement, and data exfiltration.

The Attack Chain: Step-by-Step Anatomy (LinkedIn → RAT)

1) Initial access: LinkedIn private message + weaponized download

The entry point is a phishing message delivered through LinkedIn private messaging, containing a link to a WinRAR self-extracting archive (SFX). This is intentional: an SFX archive feels familiar, is commonly used for packaging files, and can be framed as a “document bundle,” “plan,” or “proposal.”

Once executed, the archive drops several components:

• A legitimate open-source PDF reader
• A malicious DLL crafted to match the name of a legitimate dependency
• A portable Python interpreter (PE)
• A RAR decoy file to make the directory look “normal”

Crucially, filenames are tailored to the target’s role (e.g., “Upcoming_Products.pdf”, “Project_Execution_Plan.exe”), increasing click-through in executive and IT populations.

2) Execution: DLL side-loading inside a trusted process

When the victim launches the PDF reader, it loads DLLs from its local folder first (common behavior in Windows apps). Attackers abuse this by placing the malicious DLL next to the legitimate executable, causing it to load and execute under the trusted PDF reader process context.

Why this is effective:

• The execution chain looks “legitimate” to endpoint tools (trusted parent process)
• The malicious DLL is blended into a folder that appears business-relevant
• Early-stage detections may miss it because there is no “obvious malware” binary launched directly

3) Persistence: registry Run key + Python auto-start

After the DLL executes, ReliaQuest observed two key actions:

• The DLL drops the Python interpreter
• It creates persistence via a Registry Run key that contains embedded Python code and runs at every login

This is a practical tradecraft choice: portable Python is easy to ship, widely available, and can execute complex logic without custom malware development.

4) Payload staging: Base64 open-source Python shellcode runner (in-memory)

The Python interpreter then runs an open-source shellcode runner script (originally built for pen-testing). The script is Base64-encoded and decoded in memory, often executed via Python’s exec() method.

That matters because it:

• Minimizes disk artifacts (reducing AV hits)
• Makes analysis slower for defenders (“where is the payload file?”)
• Allows quick swapping of final-stage payloads without rewriting the delivery chain

ReliaQuest also observed frequent C2 connection attempts, a behavior aligned with RAT-type implants.

Why Social Media Works So Well for Attackers (and why companies underestimate it)

Social media is not just another channel-it’s a credibility amplifier:

• Trust by design: Professional platforms make unsolicited contact feel normal (“networking”)
• Email security bypass: DMs are outside SEG controls, URL rewriting, mailbox intelligence, etc.
• Precision targeting: Job titles and org context help threat actors pick privileged roles and craft convincing lures

ReliaQuest highlights that LinkedIn alone contains a massive pool of high-value targets (decision-makers and executives), making it an attractive reconnaissance and delivery platform.

MITRE ATT&CK Mapping (Defender/SOC Friendly)

This chain aligns with common ATT&CK techniques, including:

• Initial Access: Phishing via alternative channels
• Execution / Defense Evasion: DLL search order hijacking / side-loading
• Persistence: Registry Run key
• Command & Control: Beaconing to external infrastructure
• Impact / Objectives: RAT enablement → data theft, movement, disruption

Even if your tooling doesn’t label it exactly the same way, the behavioral sequence is the key:
trusted app starts → suspicious DLL load → python dropped/started → encoded in-memory execution → outbound connections

Defensive Playbook: What CISOs Should Do This Quarter

1) Social media security awareness (specific, not generic)

Most awareness programs focus on email. This campaign demands DM-specific training:

• Treat “files sent in DMs” like unknown email attachments
• Ban execution of SFX / EXE / archive content received via social platforms
• Create a frictionless reporting path (“Forward the profile + message screenshot”)

Extra improvement: explain why the message is suspicious, not only “don’t click.”
Research suggests explainable warnings improve user decision-making vs generic warnings.

2) Reduce the blast radius: execution controls over “blocking tools”

You can’t simply block Python, WinRAR, or PDF readers across a business. But you can prevent abuse:

• Block execution from user-writable locations (Downloads, Temp, AppData)
• Enforce application allowlisting (WDAC/AppLocker) for portable interpreters
• Deny/alert on unexpected python.exe launches on non-dev endpoints
• Alert on new Registry Run keys containing encoded commands

3) Hunt for the chain (practical detection ideas)

SOC teams should create detections/hunts for:

• A PDF reader process loading a DLL from its working directory (especially unsigned/unexpected DLLs)
• Creation of new Run keys shortly after archive execution
• Portable interpreter drops (Python execution from unusual folders)
• Base64-like execution patterns tied to scripting engines
• New outbound connections after “document open” activity

Even without perfect signatures, chaining weak signals often yields high confidence.

What This Means for Your Organization (Risk view)

If this intrusion succeeds, the risk is not “a clicked message”-it’s persistent remote control:

• Credential theft and privilege escalation
• Lateral movement into file shares, AD, backup systems
• Silent exfiltration (IP, contracts, customer datasets)
• A delayed ransomware event after weeks of preparation

This is why social media must be treated as an enterprise attack surface, not merely a communications platform.