Full Report
Cybersecurity researchers have uncovered a new phishing campaign that exploits social media private messages to propagate malicious payloads, likely with the intent to deploy a remote access trojan (RAT). The activity delivers "weaponized files via Dynamic Link Library (DLL) sideloading, combined with a legitimate, open-source Python pen-testing script," ReliaQuest said in a report shared with
Analysis Summary
# Tool/Technique: DLL Sideloading Campaign Deploying RAT via Social Media Lures
## Overview
This describes a sophisticated phishing campaign utilizing social media private messages (specifically targeting high-value individuals on LinkedIn) to deliver a multi-stage payload. The initial delivery mechanism involves a malicious **WinRAR Self-Extracting Archive (SFX)** that deploys a legitimate PDF reader, a malicious DLL, a Python interpreter, and a decoy file. The core technique relies on **DLL sideloading** to execute the malicious component under the guise of a trusted application, ultimately leading to the deployment of a Remote Access Trojan (RAT).
## Technical Details
- Type: Technique / Infection Chain delivering RAT payload
- Platform: Windows (implied by DLLs, PE, and Registry Keys)
- Capabilities: Initial Access via social engineering, execution via sideloading, persistence established via Registry, in-memory execution to evade disk-based forensics, and establishment of C2 communication for remote access.
- First Seen: Recent (implied by the January 2026 report date).
## MITRE ATT&CK Mapping
The activity maps primarily to initial access and defense evasion techniques, leading to command and control.
- **TA0001 - Initial Access**
- **T1566.002 - Phishing: Spearphishing Link** (Via malicious links in DMs, though the payload is delivered via attachment/archive)
- **T1566.001 - Phishing: Spearphishing Attachment** (The SFX archive acts as the initial lure)
- *Note: Social media DM exploitation often overlaps with broader phishing T1566.*
- **TA0005 - Defense Evasion**
- **T1574 - Hijack Execution Flow**
- **T1574.001 - DLL Side-Loading**
- **TA0003 - Persistence**
- **T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder**
- **TA0011 - Command and Control**
- **T1071.001 - Application Layer Protocol: Web Protocols** (Implied by C2 communication for RAT functionality)
## Functionality
### Core Capabilities
* **Initial Access:** Delivery via social media private messages using deceptive lures within a malicious WinRAR SFX archive.
* **Execution Chaining:** The SFX extracts components: PDF Reader (legitimate), Malicious DLL, Python interpreter (PE), and Decoy RAR file.
* **Evasion:** The legitimate PDF reader loads the malicious DLL (DLL Sideloading), bypassing initial application trust checks.
* **Staging:** The sideloaded DLL drops the portable Python interpreter.
* **Persistence:** A Windows Registry Run key is created to ensure the Python interpreter executes automatically upon every login.
* **Payload Delivery:** The Python interpreter executes **Base64-encoded open-source shellcode** directly in memory.
### Advanced Features
* **In-Memory Execution:** Direct execution of shellcode from memory avoids writing the primary malicious components to disk, hindering traditional forensic analysis.
* **Abuse of Legitimate Tools:** Combination of a legitimate third-party application (PDF reader) and an open-source penetration testing script (Python interpreter) to mask malicious intent.
* **Stealthy Access:** The final stage establishes communication with an external server to grant persistent remote access and data exfiltration capabilities (RAT functionality).
## Indicators of Compromise
*Note: Specific file hashes, IP addresses, or domains were not provided in the text and must be identified during analysis.*
- File Hashes: [Not specified in the text]
- File Names:
- WinRAR Self-Extracting Archive (SFX)
- Legitimate open-source PDF reader application
- Malicious DLL (sideloaded component)
- Portable executable (PE) of the Python interpreter
- Decoy RAR file
- Registry Keys:
- Windows Registry Run key established for Python interpreter persistence.
- Network Indicators:
- External server for C2 communication (defanged placeholder, no real indicator given: `hxxp://malicious[.]domain[:port]/`)
- Behavioral Indicators:
- Execution of a legitimate application (PDF Reader) followed immediately by network connections from its child process or loaded modules that are not typical for the reader.
- Creation of an auto-run Registry key pointing to a non-standard executable path (Python interpreter).
- In-memory execution of Base64-encoded shellcode observed within the Python process space.
## Associated Threat Actors
The observed TTPs (abuse of LinkedIn for social engineering/recruitment scams) are historically associated with:
* North Korean threat actors (mentioned in the context of prior LinkedIn misuse, e.g., CryptoCore, Contagious Interview).
* The specific group behind this campaign is not named; the report describes the campaign itself as broad and opportunistic rather than narrowly targeted.
## Detection Methods
- Signature-based detection: Signatures for known malicious DLLs or the specific Base64 shellcode pattern (if signatures exist for the utilized open-source shellcode).
- Behavioral detection: Monitoring for the creation of new persistence mechanisms (Registry Run keys) pointing to non-standard application deployments. Monitoring processes that load known legitimate DLLs alongside newly created or renamed suspicious DLLs.
- YARA rules: Rules targeting the specific structure or content of the dropped Python components or the extracted shellcode.
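The behavioral indicator listed above (an auto-run Registry key pointing to a scripting host in a non-standard path) and the behavioral detection bullet in this section both come down to one check over Run-key entries. The following is an added example written for this summary, not code from the ReliaQuest report or from the campaign: it applies that check to a constructed list of Run-key entries. The value names, paths and the `RunKeyEntry` / `triage` helpers are assumptions made for illustration; on a live host the entries would be read from `HKCU`/`HKLM` `Software\Microsoft\Windows\CurrentVersion\Run` instead.

```python
"""Triage Windows Run-key entries for the persistence pattern described in the
summary: a scripting host (e.g. a portable Python interpreter) registered for
autostart from a user-writable directory.  Added example; all sample data is
constructed and the helper names are assumptions, not the report's own tooling."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Script hosts that rarely belong in a Run key; python.exe is the case from the report.
SCRIPT_HOSTS = {
    "python.exe", "pythonw.exe", "wscript.exe", "cscript.exe",
    "powershell.exe", "mshta.exe",
}

# Directory prefixes an unprivileged user can normally write to (constructed list,
# compared case-insensitively).
USER_WRITABLE_PREFIXES = (
    "c:\\users\\",
    "%appdata%",
    "%localappdata%",
    "%temp%",
    "c:\\programdata\\",
)


@dataclass
class RunKeyEntry:
    hive: str         # "HKCU" or "HKLM"
    value_name: str   # name of the Run value
    command: str      # command line stored in the value


# Captures the executable at the start of a command line, quoted or not.
_EXE_RE = re.compile(r'^\s*"?([^"]+?\.exe)"?', re.IGNORECASE)


def executable_path(command: str) -> Optional[str]:
    """Return the executable path from a Run-key command line, or None if unparsable."""
    m = _EXE_RE.match(command)
    return m.group(1) if m else None


def is_user_writable(path: str) -> bool:
    """True if the path starts with a prefix an ordinary user can write to."""
    p = path.lower()
    return any(p.startswith(prefix) for prefix in USER_WRITABLE_PREFIXES)


def assess(entry: RunKeyEntry) -> List[str]:
    """Return the reasons an entry looks suspicious (empty list means benign)."""
    path = executable_path(entry.command)
    if path is None:
        return ["could not parse an executable from the command line"]
    exe_name = path.rsplit("\\", 1)[-1].lower()
    reasons = []
    if exe_name in SCRIPT_HOSTS:
        reasons.append(f"script host {exe_name} registered for autostart")
    if is_user_writable(path):
        reasons.append("executable lives in a user-writable location")
    return reasons


def triage(entries: List[RunKeyEntry]) -> Dict[str, List[str]]:
    """Map each flagged value name to its reasons; unflagged entries are omitted."""
    findings: Dict[str, List[str]] = {}
    for entry in entries:
        reasons = assess(entry)
        if reasons:
            findings[f"{entry.hive}\\{entry.value_name}"] = reasons
    return findings


# Constructed sample entries: two benign, one commodity app in the user profile,
# one matching the report's pattern (pythonw.exe dropped beside a "PDF reader").
SAMPLE_ENTRIES = [
    RunKeyEntry("HKLM", "SecurityHealth",
                r"C:\Windows\System32\SecurityHealthSystray.exe"),
    RunKeyEntry("HKCU", "OneDrive",
                r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    RunKeyEntry("HKCU", "PdfViewerUpdate",
                r'"C:\Users\alice\AppData\Roaming\pdfreader\python\pythonw.exe" '
                r"C:\Users\alice\AppData\Roaming\pdfreader\loader.py"),
    RunKeyEntry("HKLM", "VendorUpdater",
                r"C:\Program Files\Vendor\Updater\updater.exe /silent"),
]

if __name__ == "__main__":
    for key, reasons in triage(SAMPLE_ENTRIES).items():
        print(key)
        for r in reasons:
            print("   -", r)
```

Entries that hit both rules (a script host in a user-writable path) are the ones worth an analyst's time first; the single-rule hit on a user-profile application such as a sync client is a common false positive, so in practice the "user-writable" rule alone should lower priority rather than alert on its own.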
## Mitigation Strategies
- Prevention measures: User training emphasizing that sensitive files should not be downloaded or executed from unsolicited social media messages, even from seemingly trusted contacts.
- Hardening recommendations: Implement application allow-listing where possible. Enforce strict controls over PowerShell/script execution environments. Enhance monitoring on endpoints to detect process injection or suspicious memory allocations associated with scripting engines (like Python). Disable execution of files from potentially untrusted network locations or user profiles if possible.
## Related Tools/Techniques
* **LOTUSLITE** and **PDFSIDER:** Other malware families documented recently to have leveraged DLL side-loading.
* **ConnectWise Control (ScreenConnect) Abuse:** Related social media phishing campaigns utilizing LinkedIn lures to deliver remote desktop software installers.
* **Information Stealers:** The final payload is described as a RAT, suggesting capabilities similar to commodity information stealers are present.