
Hackers Exploit LinkedIn Messages to Distribute RAT Malware via DLL Sideloading

Hackers are quietly turning LinkedIn’s private messaging system into a delivery channel for remote access trojans, hiding their code behind seemingly legitimate files and abusing DLL sideloading to slip past defenses. Instead of crude spam blasts, the attackers are crafting targeted approaches that look like routine networking outreach, then using that trust to convince professionals to run booby‑trapped installers on corporate laptops. The result is a social engineering campaign that fuses classic phishing with a technical trick that many endpoint tools still struggle to catch.

At the center of the operation is a remote access tool, or RAT, that gives intruders persistent control of a victim’s machine once a rogue DLL is sideloaded by a trusted‑looking executable. Cybersecurity researchers, including analyst Ravie Lakshmanan, describe a campaign that leans on social media’s private channels to get that first malicious file onto a target system, then relies on Windows’ own loading behavior to execute a hidden payload. I see this as part of a broader shift in which professional networks, once treated as relatively safe, are now fully integrated into attackers’ playbooks.

How LinkedIn messages became a RAT delivery channel

The core of the campaign is simple: attackers send tailored LinkedIn messages that look like job offers, partnership proposals, or document shares, then attach or link to an installer that appears benign but is designed to trigger DLL sideloading. Once the victim runs the file, a legitimate‑looking executable loads a malicious library with the same name as a trusted DLL, giving the intruder a foothold to spread RAT malware without immediately tripping alarms. The social engineering is subtle enough that many recipients treat these messages as routine business correspondence rather than high‑risk phishing.

Researchers who analyzed the operation describe how the attackers rely on a trusted‑looking application to cause a rogue DLL to be sideloaded, which then deploys the RAT and establishes command‑and‑control. Because the executable itself may be a legitimate or convincingly forged tool, traditional signature‑based defenses can miss the threat, especially if the DLL is obfuscated or packed. I read this as a deliberate attempt to exploit the gap between user trust in LinkedIn as a professional space and the technical blind spots in how many organizations monitor social‑originated downloads.

Open‑source pen‑testing tools turned against business executives

In parallel with the RAT campaign, attackers are also abusing open‑source penetration testing frameworks to compromise senior staff, particularly executives who are active on LinkedIn. A separate operation has been documented in which a LinkedIn phishing campaign repurposes tools that were originally built for ethical hacking, repackaging them into malicious payloads delivered through connection requests and follow‑up messages. The targets are not random users but business leaders whose accounts can be leveraged for further fraud once compromised.

According to detailed write‑ups, the same campaign is described as using open‑source pen‑testing tooling to compromise business executives through a link that is explicitly designed to infect their devices. I see this as a reminder that the line between security research tools and offensive malware is thin: once code is public, threat actors can adapt it, wrap it in social engineering, and deploy it at scale against exactly the people whose accounts carry the most influence and access.

From private messages to comments: a broader LinkedIn threat surface

The RAT and pen‑testing campaigns are not isolated anomalies; they sit on top of a broader pattern of abuse that has turned LinkedIn into a favored hunting ground for phishing and malware. LinkedIn’s own security research on phishing attacks and infostealer malware notes that the platform is a prime target for campaigns that aim to harvest credentials and session tokens, which can then be used to impersonate professionals or pivot into corporate systems. When those same channels are used to deliver RATs or weaponized pen‑testing tools, the risk shifts from account takeover to full endpoint compromise.

Attackers are also moving beyond private messages into public spaces like comments, where malicious links can reach far more people with less effort. Reporting on how hackers are spreading malicious links in comments describes bot‑like activity from LinkedIn‑themed profiles that flood posts with replies containing malicious URLs. Another analysis warns that phishing has made it into LinkedIn comments, with experts urging users to scrutinize any link that appears under a post, even if it seems to come from a familiar brand. I see the message layer and the comment layer as two sides of the same coin: one enables precise targeting, the other broad reach, and both are now being systematically exploited.

Why DLL sideloading keeps working for attackers

DLL sideloading is not a new technique, but it remains effective because it abuses how Windows applications search for and load libraries: the application’s own directory is searched before the system directories, so a local copy of a library wins over the genuine one. In the LinkedIn RAT campaign, the attackers package a legitimate‑looking executable alongside a malicious DLL with the same name as a trusted component, then rely on the operating system to load the attacker’s file first. Once that happens, the RAT runs with the privileges of the trusted application while the user sees only a normal application window.

From my perspective, the persistence of this method reflects a structural problem: many organizations still treat DLL sideloading as a niche red‑team tactic rather than a mainstream criminal tool, so their monitoring and application control policies lag behind. The LinkedIn campaign documented by cybersecurity researchers shows that attackers are comfortable combining this technique with social engineering at scale, not just in targeted espionage. Until defenders treat any untrusted installer delivered through social channels as a high‑risk object, DLL sideloading will remain a reliable way to sneak RATs into corporate environments.

What professionals and security teams should do next

For individual LinkedIn users, especially those in leadership roles, the first line of defense is behavioral: treat unsolicited files and links in private messages with the same suspicion you would apply to random email attachments. If a recruiter, vendor, or contact sends an installer or archive, verify their identity through a separate channel and insist on downloading software only from official vendor sites, not from links embedded in messages. I also recommend treating any request to disable antivirus, run macros, or bypass SmartScreen as an immediate red flag.

Security teams, meanwhile, need to assume that social platforms are part of the corporate attack surface and tune their controls accordingly. That means tightening application whitelisting so that only vetted executables can load DLLs from local directories, monitoring for anomalous library loads that match the patterns seen in RAT sideloading campaigns, and educating staff about the specific risks of LinkedIn‑delivered installers. Given that attackers are also abusing comment threads, I would add explicit guidance to avoid clicking links in replies, echoing the warnings that recent news reports have highlighted. The more organizations normalize the idea that professional networks are contested space, the harder it becomes for attackers to turn casual networking into a RAT infection vector.
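The search‑order point from the sideloading section and the "monitor for anomalous library loads" advice above can be turned into a concrete check. The script below is an added illustration, not code from the article or from any vendor: it takes Sysmon‑style "Image loaded" records (the sample events and the short list of commonly impersonated DLL names are constructed here) and flags a load when a DLL carrying a Windows system DLL name resolves outside the Windows directories, in particular from the same folder as the executable that loaded it.

```python
import ntpath
from dataclasses import dataclass

# Illustrative (not exhaustive) set of DLL names that normally live under the
# Windows system directories and are frequently impersonated in sideloading.
SYSTEM_DLLS = {"version.dll", "dbghelp.dll", "wininet.dll", "cryptbase.dll", "msvcr100.dll"}
WINDOWS_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows")

@dataclass
class ImageLoad:
    """Reduced Sysmon Event ID 7 (Image loaded) record: only the fields we need."""
    process_image: str   # full path of the process that performed the load
    image_loaded: str    # full path of the DLL that was actually mapped
    signed: bool         # Sysmon 'Signed' field for the loaded image

def is_under_windows_dir(path: str) -> bool:
    p = ntpath.normpath(path).lower()
    return any(p.startswith(d + "\\") for d in WINDOWS_DIRS)

def sideload_indicators(ev: ImageLoad) -> list:
    """Return the reasons this load looks like DLL sideloading (empty = benign)."""
    reasons = []
    dll_name = ntpath.basename(ev.image_loaded).lower()
    dll_dir = ntpath.dirname(ev.image_loaded).lower()
    exe_dir = ntpath.dirname(ev.process_image).lower()
    if dll_name in SYSTEM_DLLS and not is_under_windows_dir(ev.image_loaded):
        reasons.append("system DLL name resolved outside the Windows directories")
        # The application directory is searched before System32, so a copy
        # dropped beside the EXE wins over the genuine library.
        if dll_dir == exe_dir:
            reasons.append("loaded from the application directory (search-order hijack)")
    if dll_name in SYSTEM_DLLS and not ev.signed:
        reasons.append("unsigned DLL using a Microsoft DLL name")
    return reasons

def scan(events):
    """Return (loaded path, reasons) for every event that raises an indicator."""
    return [(e.image_loaded, r) for e in events if (r := sideload_indicators(e))]

# Constructed sample telemetry; paths and names are made up for the example.
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Windows\System32\notepad.exe", r"C:\Windows\System32\version.dll", True),
    ImageLoad(r"C:\Users\alice\Downloads\JobOffer\setup.exe",
              r"C:\Users\alice\Downloads\JobOffer\version.dll", False),
    ImageLoad(r"C:\Program Files\App\app.exe", r"C:\Program Files\App\helper.dll", False),
]

if __name__ == "__main__":
    for path, reasons in scan(SAMPLE_EVENTS):
        print(path, "->", "; ".join(reasons))
```

Only the second event, a system DLL name sitting next to an installer in a Downloads folder, is reported; the genuine System32 load and the application's own unrelated helper library are not.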
