LinkedIn becomes a 'weapon': Hackers quietly spread malware through private messages
A LinkedIn private message attack campaign was recently reported to have a significant impact on business systems and users worldwide.

Overview
In recent years, email has remained the most common channel for spreading malware and scams. However, the cybersecurity landscape is gradually changing. Hacker groups today are no longer limited to email but are shifting to professional social media platforms, with LinkedIn emerging as a new potential target.
As a social network for work, recruitment, and professional connections, LinkedIn carries a much higher level of trust than traditional communication channels. Attackers exploit this trust fully. Instead of sending easily detected phishing emails, they use Direct Messages, impersonating recruiters, partners, or colleagues to approach victims more naturally and with less suspicion.
Essentially, this campaign is phishing: the victim is tricked into believing that the message or attachment is legitimate and trustworthy, and opening it installs malware on their computer.
Level of Danger and Scope of Impact
This campaign is considered highly dangerous because:
It does not rely on exploiting a technical vulnerability, which makes it very hard for traditional antivirus software to detect
It operates through direct messages on social media (which are less monitored than email)
It can install a remote access trojan (RAT), allowing hackers to monitor, control, and steal data
Victims come from various industries and regions, indicating that this is a widespread, opportunistic campaign.
Attack Mechanism
As mentioned, the campaign begins with attackers using private messages on LinkedIn (LinkedIn DMs) to reach victims. The message content is usually professional, such as recruitment invitations, collaboration proposals, or sharing of work-related documents. The key point is that LinkedIn is a highly trusted platform in the business environment, so users are less suspicious and more likely to interact, and the channel bypasses traditional email protection layers (spam filters, secure email gateways) altogether.

The messages always include malicious attachments disguised as legitimate files (PDF, resume, proposal, etc.). Inside these malicious files (RAR SFX or ZIP), you will often find:
A legitimate PDF reader application (signed binary).
A malicious DLL with the same name as the library that the PDF application will automatically load.
A legitimate Python interpreter.
A "decoy" document to distract the user.

The goal of this stage is to initially create a sense of security, making the user believe they are opening a regular document. When the user executes and opens the PDF application:
Windows will search for the required DLL according to its standard DLL search order, which starts with the application's own directory.
The malicious DLL (placed in the same directory) will be loaded instead of the legitimate DLL.
This is considered a DLL sideloading technique:
No need to exploit vulnerabilities.
No need for admin rights.
Takes advantage of Windows' default behavior.
According to reports, the malicious DLL, once loaded, will call the accompanying Python interpreter and execute embedded malicious scripts or download additional ones from the command-and-control server (C2). Using Python also provides several advantages for the attacker:
Easy to modify and update the payload.
Utilizes a legitimate runtime to avoid detection.
Flexible in deploying subsequent modules.
Any malware distribution campaign requires a persistence stage, and this campaign is no different. The malware creates a Registry Run key or another auto-start mechanism to ensure the payload is executed each time the user logs in or starts the machine. This allows the hacker to maintain persistent access without needing to interact with the victim again.
In the final stage, the infected system will:
Connect to the hacker's Command-and-Control server.
Allow the attacker to:
Gather system information,
Download additional malware,
Perform remote control,
Prepare for further attacks (lateral movement, data exfiltration, ransomware…).
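The three observable stages described above (a System32-named DLL loaded from the dropped folder, the reader process spawning the bundled Python interpreter, and a Run key pointing into a user-writable path) can be turned into simple detection logic. The following is an added example, not code from the report or the campaign; the DLL names, paths and Sysmon-style event records are constructed for illustration.

```python
from __future__ import annotations
import ntpath

# Constructed watch-list of DLL names an application normally resolves from
# System32; these are examples for illustration, not the campaign's actual DLLs.
SYSTEM_DLLS = {"version.dll", "wininet.dll", "dbghelp.dll", "cryptbase.dll"}
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\downloads\\", "\\programdata\\")
INTERPRETERS = {"python.exe", "pythonw.exe"}

def in_user_writable(path: str) -> bool:
    """True if the path sits in a directory an unprivileged user can write to."""
    return any(marker in path.lower() for marker in USER_WRITABLE)

def check_event(ev: dict) -> list[str]:
    """Return findings for one Sysmon-style event (7 ImageLoad, 1 ProcessCreate, 13 Registry)."""
    findings = []
    if ev["EventID"] == 7:
        dll = ntpath.basename(ev["ImageLoaded"]).lower()
        # A System32-named DLL loaded from the app's own temp folder is the sideload tell.
        if dll in SYSTEM_DLLS and in_user_writable(ev["ImageLoaded"]):
            findings.append(f"sideload: {ev['Image']} loaded {ev['ImageLoaded']}")
    elif ev["EventID"] == 1:
        # The DLL running inside the reader launches the bundled Python interpreter.
        if ntpath.basename(ev["Image"]).lower() in INTERPRETERS and in_user_writable(ev["ParentImage"]):
            findings.append(f"interpreter spawn: {ev['ParentImage']} -> {ev['Image']}")
    elif ev["EventID"] == 13:
        # Persistence: a Run key whose command lives outside Program Files/System32.
        if "\\currentversion\\run\\" in ev["TargetObject"].lower() and in_user_writable(ev["Details"]):
            findings.append(f"persistence: {ev['TargetObject']} = {ev['Details']}")
    return findings

def scan(events: list[dict]) -> list[str]:
    return [f for ev in events for f in check_event(ev)]

# Constructed sample telemetry mimicking the chain; the second event is a benign
# control (same DLL name, loaded from System32) that must not be flagged.
BASE = r"C:\Users\alice\AppData\Local\Temp\Proposal"
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": BASE + r"\reader.exe", "ImageLoaded": BASE + r"\version.dll"},
    {"EventID": 7, "Image": r"C:\Program Files\Reader\reader.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll"},
    {"EventID": 1, "ParentImage": BASE + r"\reader.exe", "Image": BASE + r"\python\python.exe"},
    {"EventID": 13, "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\alice\AppData\Roaming\Updater\python.exe"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Real deployments would feed these checks from an EDR or Sysmon pipeline and tune the watch-list to the DLLs their own signed applications import.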
Conclusion
The malware distribution campaign through LinkedIn messages highlights a worrying reality: the line between professional communication and cyber attack surfaces is increasingly blurred. As platforms like LinkedIn become everyday work tools, the default trust of users is exploited by hackers as a strategic weakness.
The combination of sophisticated techniques like DLL sideloading, using legitimate software, and "non-traditional" distribution channels allows malware to easily bypass many existing defenses. This not only increases the risk of infection but also paves the way for deeper intrusions, seriously affecting data, systems, and the reputation of businesses.
In the context of increasingly sophisticated and flexible attacks, the human factor remains the first and most important line of defense. Only when users are vigilant, combined with appropriate technical measures, can organizations minimize risks from these stealthy and widespread attack campaigns.
Recommendations
Always be cautious with unexpected LinkedIn messages
Do not fully trust messages from strangers, even if their profiles look "professional."
Be especially careful with recruitment offers, collaborations, document sharing, or file download requests.
Do not download and open attachments without verification
Avoid opening compressed files (.zip, .rar), executable files, or documents marked as "urgent."
If verification is needed, contact through another channel (company email, official website).
Be wary of shortened links or links to unfamiliar platforms
Do not click on links if the destination is unclear or if there are signs of unusual redirection.
Carefully check the domain name before logging in or downloading documents.
Enable multi-factor authentication (MFA) for your LinkedIn account
MFA significantly reduces the risk of account takeover, even if the password is exposed.
Use strong passwords that are not reused across different services.
Regularly update your operating system and software
Always install the latest security patches for your operating system, browser, and applications.
Avoid using software from unknown sources or outdated versions.
Enhance personal security awareness
Equip yourself with basic knowledge about phishing and new scam techniques.
Remember: the more "professional" the platform, the easier it is for hackers to exploit trust.
MITRE ATT&CK Mapping
T1566.002 – Phishing via Social Media
T1204.002 – User Execution: Malicious File
T1574.002 – DLL Side-Loading
T1059.006 – Command and Scripting Interpreter: Python
T1071.001 – Application Layer Protocol: Web