Cybercriminals no longer need emails to reach executives. They just need a convincing LinkedIn profile and a well-timed message. This is what ReliaQuest, a cybersecurity company, discovered earlier this week.

According to its threat research team, attackers are now focusing on senior, high-value targets on LinkedIn in order to entice them to click on malicious links.

How this attack works

This sophisticated phishing attack usually starts by sending victims what looks like a legitimate message on LinkedIn — something work-related that matches the job or industry of the target. Once trust is established, the attacker sends a link.

At first, the link looks harmless, but behind it is a malicious WinRAR self-extracting archive (SFX). After the victim clicks the link, the archive installs a real, open-source PDF reader. However, hidden inside that download is a malicious DLL file designed to blend in by using the same name as a legitimate component of the app.

The filenames are chosen carefully so they look legitimate and align with the victim’s role or industry, making the download seem safe. When the PDF reader is opened, the DLL file runs alongside it, quietly piggybacking on the trusted app using a technique known as DLL sideloading. This helps the malware slip past security tools, making the attack harder to detect.
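For defenders, the pattern described above leaves a recognisable trace in image-load telemetry: an application running from a user-writable folder loads an unsigned DLL that sits beside it. The following is an added example, not code from ReliaQuest or from the original article; the event field names are modelled on Sysmon Event ID 7, and the paths, file names and sample events are constructed for illustration.

```python
# Added example: heuristic triage of image-load events for DLL sideloading.
# Field names follow Sysmon Event ID 7; all sample values are constructed.
from ntpath import basename, dirname  # parses Windows paths on any OS

# Locations a standard user can write to (assumed list, tune per environment).
USER_WRITABLE = ("\\downloads\\", "\\appdata\\", "\\temp\\", "\\desktop\\")


def is_suspect(event):
    """True when a DLL load matches the sideloading pattern from the article."""
    exe = event["Image"].lower()
    dll = event["ImageLoaded"].lower()
    if not dll.endswith(".dll"):
        return False
    # The planted DLL sits beside the trusted executable that loads it.
    same_dir = dirname(exe) == dirname(dll)
    # A self-extracting archive unpacks where the user can write.
    writable = any(marker in dll for marker in USER_WRITABLE)
    # The genuine component would carry a valid signature; the impostor does not.
    untrusted = event["Signed"] != "true" or event["SignatureStatus"] != "Valid"
    return same_dir and writable and untrusted


def triage(events):
    """Return (process, dll) pairs worth an analyst's attention."""
    return [(basename(e["Image"]), basename(e["ImageLoaded"]))
            for e in events if is_suspect(e)]


DROP = "C:\\Users\\jdoe\\Downloads\\Project_Plan\\"   # constructed path
INSTALLED = "C:\\Program Files\\Reader\\"             # constructed path
SAMPLE_EVENTS = [  # constructed events
    # Reader unpacked into Downloads loads an unsigned DLL next to it.
    {"Image": DROP + "reader.exe", "ImageLoaded": DROP + "component.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    # Same unpacked reader loading a signed system DLL: expected behaviour.
    {"Image": DROP + "reader.exe",
     "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    # Properly installed reader loading its own signed component.
    {"Image": INSTALLED + "reader.exe", "ImageLoaded": INSTALLED + "component.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
]

if __name__ == "__main__":
    for process, dll in triage(SAMPLE_EVENTS):
        print(f"review: {process} loaded unsigned {dll} from a user-writable folder")
```

This is a triage heuristic rather than a verdict: some legitimate per-user software ships unsigned DLLs, so hits need analyst review.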

Once the attackers get in, they don’t rush. They use widely available penetration-testing tools to quietly maintain access, giving them long-term control of the infected device. From there, they can siphon off data, expand their permissions, and move laterally across a company’s network without raising alarms.

ReliaQuest also noted that this isn’t the first time attackers have carried out similar campaigns using social media platforms.

“For example, attackers have created fake accounts to send spoofed direct messages (DMs), delivering legitimate remote-access tools to gain full control of victims’ devices. Financially motivated threat actors FIN6 and Cobalt Group have used social media spearphishing campaigns to distribute the More_eggs backdoor by embedding malicious resumes and ZIP files into their attacks. In another case, North Korean advanced persistent threat (APT) group Lazarus claimed responsibility for Operation Dangerous Password (also known as CryptoCore), targeting crypto exchange companies in Israel, the US, Europe, and Japan through malicious private messages, ultimately stealing hundreds of millions of dollars in cryptocurrency,” ReliaQuest said in a blog post.

How to protect yourself from these attacks

To reduce the risk of falling victim to this kind of campaign, ReliaQuest recommends that organisations treat social platforms like any other high-risk entry point. That includes training employees to question unexpected files or links sent through LinkedIn in the same way they would suspicious emails.

The company also advises organisations to review how personal social media accounts are used on corporate devices, which could help them implement controls to restrict or limit access to platforms that are not required for work.

These attacks highlight how social media has become part of the modern attack surface. Companies that recognise this shift — and plan accordingly — stand a far better chance of stopping these campaigns before a casual message turns into a costly breach.
