Wednesday January 28, 2026

Advisory ID: NCC-CSIRT-2026-001

Summary: 

Cybersecurity researchers have uncovered a significant phishing campaign that exploits private messages on LinkedIn to deliver a Remote Access Trojan (RAT) via Dynamic Link Library (DLL) sideloading. Attackers establish trust with targets, often “high-value” individuals such as executives and IT professionals, through LinkedIn direct messages and persuade them to download and execute a malicious self-extracting WinRAR archive. Once the archive runs, DLL sideloading causes a legitimate PDF reader application to load and execute the attackers' code, resulting in a persistent RAT implant that provides remote control and data exfiltration capabilities.

Damage/Probability: High/High

Product(s): 

  • Microsoft Windows endpoints and servers
  • WinRAR self-extracting archive tools used in delivery
  • Legitimate PDF reader application used in the sideloading technique

Version(s): 

Affects systems where users execute malicious archives delivered via LinkedIn messages and where Windows DLL sideloading is possible (generic Windows; not version-specific).

Platform(s): 

  • Windows corporate workstations
  • Laptops
  • Remote devices and unmanaged systems in enterprise environments across sectors, including technology, finance, and professional services.

Description: 

In the observed campaign, attackers contact victims via LinkedIn direct messages (DMs) under professional pretexts and entice them to download a WinRAR self-extracting archive (SFX). When executed, this archive unpacks multiple components, including:

  • A legitimate open-source PDF reader,
  • A malicious DLL placed for sideloading,
  • A portable Python interpreter executable, and
  • A decoy RAR file to distract or reassure the user. (TechBooky)

The attack exploits DLL sideloading, which abuses the Windows DLL search order: an application's own directory is searched before the system directories, so a rogue DLL carrying the name the application expects is loaded and runs under the guise of that trusted application. When the PDF reader launches, it loads the malicious DLL, which then installs the bundled Python interpreter and creates a Windows Registry Run key so that the interpreter starts automatically at each user login. (TechBooky)

Once running, the Python interpreter decodes and executes Base64-encoded shellcode directly in memory, a technique that avoids writing additional malicious executables to disk and helps evade forensic detection. The final payload establishes a remote connection to attacker-controlled infrastructure, providing persistent remote access and control. (LinkedIn)
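The chain described above leaves three distinct endpoint traces: an unsigned DLL loaded by an executable from the same user-writable directory, a Run value pointing at an interpreter, and an interpreter process whose command line decodes Base64 before executing it. The following detection logic is an added example, not code from the advisory or from any referenced vendor; it correlates constructed Sysmon-style records (event IDs 1, 7 and 13 in simplified form) by process id, and generalizes beyond the campaign by flagging any unsigned same-directory DLL load from a user-writable path. All paths, SIDs and command lines are constructed.

```python
"""Correlate Sysmon-style events for a DLL-sideload -> Run key -> encoded interpreter chain.
Added example; event shapes are simplified and every record below is constructed."""
import re
from pathlib import PureWindowsPath

# Directory fragments treated as user-writable (assumption: typical enterprise Windows layout)
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\")
# Interpreters named in the campaign description; extend for other script hosts as needed
INTERPRETERS = {"python.exe", "pythonw.exe"}
RUN_KEY = re.compile(r"\\currentversion\\run\\", re.IGNORECASE)
# Command-line fragments that decode Base64 before execution (Python and .NET spellings)
ENCODED_EXEC = re.compile(r"b64decode|frombase64string", re.IGNORECASE)

# Constructed sample events: id 1 = process create, 7 = image load, 13 = registry value set
SAMPLE_EVENTS = [
    {"id": 1, "pid": 4100, "image": r"C:\Users\alice\Downloads\brief\reader.exe",
     "parent": r"C:\Windows\explorer.exe", "cmd": "reader.exe brief.pdf"},
    {"id": 7, "pid": 4100, "image": r"C:\Users\alice\Downloads\brief\reader.exe",
     "loaded": r"C:\Users\alice\Downloads\brief\version.dll", "signed": False},
    {"id": 7, "pid": 4100, "image": r"C:\Users\alice\Downloads\brief\reader.exe",
     "loaded": r"C:\Windows\System32\kernel32.dll", "signed": True},
    {"id": 13, "pid": 4100, "image": r"C:\Users\alice\Downloads\brief\reader.exe",
     "target": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "details": r"C:\Users\alice\AppData\Local\pyrt\pythonw.exe C:\Users\alice\AppData\Local\pyrt\run.py"},
    {"id": 1, "pid": 4188, "image": r"C:\Users\alice\AppData\Local\pyrt\pythonw.exe",
     "parent": r"C:\Users\alice\Downloads\brief\reader.exe",
     "cmd": "pythonw.exe -c \"import base64;exec(base64.b64decode('cGFzcw=='))\""},
    # Benign control: a signed DLL loaded by a vendor application from Program Files
    {"id": 7, "pid": 500, "image": r"C:\Program Files\Contoso\app.exe",
     "loaded": r"C:\Program Files\Contoso\helper.dll", "signed": True},
]


def _dir(path: str) -> str:
    return str(PureWindowsPath(path).parent).lower()


def _name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def _user_writable(path: str) -> bool:
    lowered = path.lower()
    return any(fragment in lowered for fragment in USER_WRITABLE)


def find_sideloads(events):
    """Image loads of an unsigned DLL from the loading EXE's own directory under a user-writable path."""
    return [e for e in events
            if e["id"] == 7 and not e["signed"]
            and _dir(e["loaded"]) == _dir(e["image"])
            and _user_writable(e["image"])]


def find_interpreter_run_keys(events):
    """Registry value writes under ...\CurrentVersion\Run whose data launches an interpreter."""
    return [e for e in events
            if e["id"] == 13 and RUN_KEY.search(e["target"])
            and any(name in e["details"].lower() for name in INTERPRETERS)]


def find_encoded_interpreter_exec(events):
    """Interpreter processes whose command line decodes Base64 before executing it."""
    return [e for e in events
            if e["id"] == 1 and _name(e["image"]) in INTERPRETERS
            and ENCODED_EXEC.search(e["cmd"])]


def correlate(events):
    """Tie the stages together: the sideloaded host process both sets the Run key and spawns the interpreter."""
    run_keys = find_interpreter_run_keys(events)
    execs = find_encoded_interpreter_exec(events)
    chains = []
    for load in find_sideloads(events):
        keys = [k for k in run_keys if k["pid"] == load["pid"]]
        children = [x for x in execs if x["parent"].lower() == load["image"].lower()]
        if keys and children:
            chains.append({"host": load["image"], "dll": load["loaded"],
                           "run_key": keys[0]["target"], "interpreter": children[0]["image"]})
    return chains


if __name__ == "__main__":
    for chain in correlate(SAMPLE_EVENTS):
        print("sideload chain:", chain)
```

Each stage also stands on its own as a lower-confidence alert; the correlated form is what belongs in a SIEM rule, since a signed vendor DLL loaded from Program Files (the control record) or a Run key pointing at an approved program never completes the chain.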

Security researchers have noted that multiple malware families (e.g., LOTUSLITE, PDFSIDER) have been delivered using similar DLL sideloading techniques in concurrent campaigns.

Threat Types: 

  • Social media-based phishing for initial access (LinkedIn direct messages).
  • DLL sideloading (defence evasion leveraging a legitimate application).
  • Remote Access Trojan (RAT) deployment for persistent remote control and data theft.
  • Persistence via registry autorun key creation.

Impacts: 

  • Attackers gain persistent interactive access to compromised hosts, enabling credential theft, system manipulation, and lateral movement across networks.
  • RAT malware may steal sensitive information, including intellectual property and personal data.
  • Use of DLL sideloading hides malicious execution under the context of a trusted process, complicating detection by traditional endpoint security tools.
  • Social media private messaging becomes a significant vector outside traditional email security controls.

Solutions:

NCC-CSIRT recommends the following mitigation steps:

  • Block access to known malicious domains and links distributed via LinkedIn DMs, and block suspicious WinRAR SFX files at the perimeter and on endpoints.
  • Quarantine affected systems, isolate hosts showing unusual DLL loads, and perform full malware scans using up-to-date signatures.
  • Remove unauthorized Registry Run keys and Python interpreter instances established by the attack.
  • Update endpoint protection to include heuristics for DLL sideloading behavior and unusual interpreter executions, and deploy endpoint rules that detect sideloaded DLLs and unauthorized interpreter execution.
  • Integrate DLL sideloading and interpreter execution detection into SOC and SIEM rules.
  • Implement multi-layered endpoint controls: application allow-listing to restrict execution of unknown or unapproved software, script blocking, EDR with behavioral analysis, and zero-trust policies for endpoint execution.
  • Recognize LinkedIn and other social platforms as attack vectors alongside email, and expand monitoring accordingly.
  • Expand phishing training beyond email: conduct phishing simulations that include social media scenarios, and educate staff on the social engineering risks inherent in professional networking platforms.
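Removing unauthorized Run keys starts with an inventory of what is there, and an automated pass has to distinguish an interpreter autorun in a user profile from legitimate per-user software that also lives under AppData. The audit below is an added example, not a tool from the advisory: it parses text in the shape of `reg query` output (the sample is constructed), classifies each value as ok, review or remove, and emits a `reg delete` command for the remove cases without running anything. The approved directories, the user-writable fragments and the optional per-host allow-list of exact executable paths are assumptions an operator would tune.

```python
"""Audit Run key values from `reg query` output and plan removal of interpreter autoruns.
Added example; the registry dump below is constructed, not captured from a real host."""
import re
from pathlib import PureWindowsPath

HIVES = {"HKEY_CURRENT_USER": "HKCU", "HKEY_LOCAL_MACHINE": "HKLM", "HKEY_USERS": "HKU"}
# Assumption: anything under these roots is installed by an administrator and treated as approved
APPROVED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\")
INTERPRETERS = {"python.exe", "pythonw.exe"}
ENTRY = re.compile(r"^\s+(?P<name>\S+)\s+(?P<type>REG_\w+)\s+(?P<data>.*)$")

# Constructed sample in the shape of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run`
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background
    Updater     REG_SZ    C:\Users\alice\AppData\Local\pyrt\pythonw.exe C:\Users\alice\AppData\Local\pyrt\run.py
    Teams       REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\Teams\Update.exe" --processStart "Teams.exe"
"""


def parse_reg_query(text):
    """Return one dict per value line, tagged with the key it belongs to."""
    entries, key = [], None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
            continue
        match = ENTRY.match(line)
        if match and key:
            entries.append({"key": key, **match.groupdict()})
    return entries


def executable_of(data: str) -> str:
    """Extract the launched executable: a quoted path, or the first token of an unquoted command."""
    data = data.strip()
    if data.startswith('"'):
        return data[1:data.index('"', 1)]
    return data.split()[0] if data else ""


def classify(entry, allow_list=frozenset()) -> str:
    """ok: approved location or allow-listed; remove: interpreter in a user-writable path; review: anything else."""
    exe = executable_of(entry["data"])
    exe_lower = exe.lower()
    if exe_lower in allow_list or exe_lower.startswith(APPROVED_DIRS):
        return "ok"
    writable = any(fragment in exe_lower for fragment in USER_WRITABLE)
    if writable and PureWindowsPath(exe).name.lower() in INTERPRETERS:
        return "remove"
    return "review"


def delete_command(entry) -> str:
    """Build the reg.exe command an operator would run to drop the value (not executed here)."""
    hive, _, rest = entry["key"].partition("\\")
    return f'reg delete "{HIVES.get(hive, hive)}\\{rest}" /v "{entry["name"]}" /f'


def audit(text, allow_list=frozenset()):
    findings = []
    for entry in parse_reg_query(text):
        verdict = classify(entry, allow_list)
        findings.append({
            "name": entry["name"],
            "executable": executable_of(entry["data"]),
            "verdict": verdict,
            "action": delete_command(entry) if verdict == "remove" else None,
        })
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_REG_QUERY):
        print(f'{finding["verdict"]:7} {finding["name"]:10} {finding["executable"]}')
        if finding["action"]:
            print("        ->", finding["action"])
```

The "review" verdict is deliberate: per-user installers legitimately place autoruns under AppData, so those go to an analyst (or onto the host's allow-list) rather than being deleted automatically, while an interpreter launched from a user-writable path is the pattern this campaign relies on and is safe to queue for removal.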

References: