
Phishing campaign exploits LinkedIn messages via DLL sideloading


A phishing campaign exploited private LinkedIn messages to deliver weaponized malware via dynamic link library (DLL) sideloading that let threat actors deploy a remote access trojan (RAT).

In a Jan. 20 blog post, ReliaQuest research said this approach let attackers use the familiar LinkedIn platform to establish trust and familiarity, increasing their chances of success by targeting high-value individuals in corporate environments.

Security experts said teams need to understand this technique because attackers could apply this approach to any social media platform commonly accessed on business devices — not just on LinkedIn.

“When people think phishing, email is usually the first thing that comes to mind,” said Steven Swift, managing director at Suzu Labs. “But these days, people spend more time on all of their various social platforms than they do email. And they’re comfortable there, which leads to trust. Unfortunately, most of the security tools to protect phishing are email-focused. That doesn’t help us when phishing comes in through anywhere else.”

Mark Townsend, chief technology officer at AcceleTrex, explained that in this DLL sideloading campaign, the attackers send a LinkedIn message with a seemingly legitimate file bundle — often framed as a job‑related document. Inside that bundle are two things placed side‑by‑side: a legitimate, trusted application; and a malicious DLL disguised with the same name as a real one.

“When the user opens the trusted app, Windows naturally ‘waves it through’ — and in doing so, automatically loads the impostor DLL sitting next to it,” said Townsend. “That rogue DLL then quietly launches the attacker’s payload under the identity of a trusted program. In this campaign, a benign PDF reader is used to load the malicious DLL, which then establishes persistence and provides the attacker with access to your computer.”

Townsend added that LinkedIn gives adversaries a credibility boost: targets expect outreach from recruiters and industry contacts, and DMs often evade email security controls. Threat actors weaponize that trust with role‑relevant lures and tailored filenames, then deliver malicious archives that blend legitimate tools with malware, increasing click‑through rates among executives and IT admins.

“DLL sideloading is hard to spot because the attacker hides inside a trusted chauffeur’s car,” said Townsend.

Nevan Beal, principal MDR analyst at Blackpoint Cyber, said DLL sideloading stays effective because it abuses normal Windows loading behavior, which many legitimate applications rely on to operate. Beal said the attacker does not need exploit wizardry, since they just package a real application with a malicious DLL in a location the app will look in first.

“When the app runs, it looks normal on the surface, but the payload loads quietly in the background like an uninvited guest who knows exactly where the door is,” said Beal. “LinkedIn changes the risk profile because it’s a trusted, professional channel where targets expect outreach and file sharing, and attackers can build credibility before delivering a payload.”

Beal added that security teams should watch for self-extracting archives that unpack multiple components, legitimate apps running from user-writable paths, and unusual DLL loads from the same directory as the executable. End users should also treat unsolicited LinkedIn files and installers as high risk, especially anything delivered as an SFX archive or asking them to open a bundled app, because professional networking should not require installing software.
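The mechanism Townsend describes (a trusted executable resolving a DLL name from its own directory before the system directories) and the indicators Beal lists can be turned into a simple triage rule over image-load telemetry. The following is an added example, not code from the article, ReliaQuest or Blackpoint Cyber: it parses a constructed, simplified key=value rendering of Sysmon Event ID 7 (ImageLoad) records and flags loads where the executable runs from a user-writable path, a DLL whose name normally lives in System32 is loaded from the executable's own directory, or the loaded DLL is unsigned. The log format, the sample lines and the small DLL watchlist are assumptions made for the example.

```python
"""Triage of image-load records for the DLL sideloading indicators described
in the article. Added example; the log format and the watchlist are assumed."""
import ntpath
import re
from dataclasses import dataclass

# Constructed sample lines in a simplified key=value rendering of Sysmon
# Event ID 7 (ImageLoad). These are made up for the example, not real telemetry.
SAMPLE_LOG = r"""
EventID=7 Image=C:\Program Files\Vendor\Reader.exe ImageLoaded=C:\Windows\System32\version.dll Signed=true
EventID=7 Image=C:\Users\alice\Downloads\JobOffer\Reader.exe ImageLoaded=C:\Users\alice\Downloads\JobOffer\version.dll Signed=false
EventID=7 Image=C:\Users\alice\Downloads\JobOffer\Reader.exe ImageLoaded=C:\Windows\System32\kernel32.dll Signed=true
EventID=7 Image=C:\Program Files\Vendor\Reader.exe ImageLoaded=C:\Program Files\Vendor\plugin.dll Signed=true
"""

# Assumed watchlist of DLL names that ship in System32 and are commonly resolved
# by search order. In production, build this from an inventory of the system dirs.
SYSTEM_DLL_WATCHLIST = {"version.dll", "dbghelp.dll", "userenv.dll"}

# Paths a standard user can write to (assumed; extend for your environment).
USER_WRITABLE = re.compile(r"^[a-z]:\\(users\\[^\\]+\\|programdata\\|windows\\temp\\)", re.I)

# key=value pairs whose values may contain spaces (e.g. "Program Files").
KV = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


@dataclass
class Finding:
    line_no: int
    image: str
    loaded: str
    reasons: list[str]


def parse_record(line: str) -> dict[str, str]:
    """Turn one key=value log line into a dict."""
    return dict(KV.findall(line))


def same_directory(a: str, b: str) -> bool:
    """Case-insensitive comparison of the directories of two Windows paths."""
    return ntpath.dirname(a).lower() == ntpath.dirname(b).lower()


def assess(rec: dict[str, str]) -> list[str]:
    """Return the sideloading indicators that apply to one ImageLoad record."""
    reasons: list[str] = []
    image, loaded = rec.get("Image", ""), rec.get("ImageLoaded", "")
    if rec.get("EventID") != "7" or not image or not loaded:
        return reasons
    if USER_WRITABLE.match(image):
        reasons.append("executable runs from a user-writable path")
    if same_directory(image, loaded) and ntpath.basename(loaded).lower() in SYSTEM_DLL_WATCHLIST:
        reasons.append("system DLL name resolved from the executable's own directory")
    if rec.get("Signed", "").lower() != "true":
        reasons.append("loaded DLL is unsigned")
    return reasons


def scan(log_text: str, threshold: int = 2) -> list[Finding]:
    """Flag records that accumulate at least `threshold` indicators."""
    findings: list[Finding] = []
    for line_no, line in enumerate(log_text.strip().splitlines(), start=1):
        rec = parse_record(line)
        reasons = assess(rec)
        if len(reasons) >= threshold:
            findings.append(Finding(line_no, rec["Image"], rec["ImageLoaded"], reasons))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.image} loaded {f.loaded}")
        for r in f.reasons:
            print("  -", r)
```

Only the second sample line is flagged at the default threshold: a signed reader running from a Downloads folder that resolves a System32 DLL name from its own directory, with the DLL unsigned. The third line (the same executable loading a real System32 DLL) collects one indicator and stays below the threshold, which is the point of combining signals rather than alerting on any single one. Expect legitimate per-user installs under AppData\Local\Programs to trip the user-writable check; allow-list them by path and signer rather than loosening the rule.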

This DLL sideloading case was the second security-related incident reported involving LinkedIn in the past week. On Jan. 14 SC Media Briefs reported that scammers had flooded LinkedIn posts with fake "reply" comments designed to impersonate the platform and trick users into visiting malicious external links. The deceptive messages warn users of bogus policy violations, the aim of which is to exploit the inherent trust professional users have with LinkedIn.
