Hackers Use LinkedIn Messages to Spread RAT Malware Through DLL Sideloading

These articles are AI-generated summaries. Please check the original sources for full details.

Cybersecurity researchers recently discovered a phishing campaign leveraging LinkedIn messages to deliver a remote access trojan (RAT). The attack chain utilizes DLL sideloading and WinRAR SFX files, combining legitimate open-source tools to evade detection.

Why This Matters

Conventional security models rely on perimeter defense and signature-based detection. Attackers, however, increasingly abuse trusted software, such as PDF readers, through DLL sideloading to bypass these defenses. The potential damage from a successful RAT infection, including data breaches and system compromise, can easily reach millions of dollars in remediation costs.

Key Insights

  • DLL Sideloading Prevalence: Multiple campaigns using DLL sideloading were observed in the past week, delivering malware families such as LOTUSLITE and PDFSIDER (January 2026).
  • Social Engineering Expansion: Phishing attacks are no longer confined to email; attackers are actively exploiting direct messaging on platforms like LinkedIn to increase success rates.
  • Open-Source Tool Abuse: Attackers are weaponizing legitimate, open-source Python pen-testing scripts to further camouflage malicious activity.
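The sideloading pattern described above, as an added detection example that is not from the original article: it rates constructed, Sysmon-style image-load records (Event ID 7 fields Image, ImageLoaded, Signed) and treats an unsigned DLL loaded from the host executable's own directory outside the standard install locations as the high-confidence shape (a decoy application and rogue DLL dropped together by an SFX archive). All paths, including the RarSFX0 extraction folder, are constructed sample values.

```python
# Added example: DLL-sideloading triage over constructed Sysmon-style
# image-load records. Paths and signing states below are made up for the demo.
from pathlib import PureWindowsPath

# Install locations from which an application is expected to load its DLLs.
TRUSTED_DIRS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\program files",
    r"c:\program files (x86)",
)


def in_trusted_dir(path):
    p = path.lower()
    return any(p.startswith(d + "\\") for d in TRUSTED_DIRS)


def classify_load(event):
    """Rate one image-load record.

    "high":   unsigned DLL loaded from the host executable's own directory,
              and that directory is not a trusted install location.
    "medium": unsigned DLL from an untrusted directory, but not beside the host.
    None:     signed DLL, non-DLL image, or DLL from a trusted install location.
    """
    dll = PureWindowsPath(event["ImageLoaded"])
    host = PureWindowsPath(event["Image"])
    if dll.suffix.lower() != ".dll" or event.get("Signed", "").lower() == "true":
        return None
    if in_trusted_dir(str(dll)):
        return None
    same_dir = str(dll.parent).lower() == str(host.parent).lower()
    return "high" if same_dir else "medium"


def triage(events):
    """Return (severity, ImageLoaded) for every record that is not benign."""
    hits = []
    for e in events:
        sev = classify_load(e)
        if sev is not None:
            hits.append((sev, e["ImageLoaded"]))
    return hits


# Constructed sample telemetry (not real events).
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\alice\AppData\Local\Temp\RarSFX0\PdfViewer.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\RarSFX0\pdfrender.dll",
     "Signed": "false"},
    {"Image": r"C:\Program Files\Acme PDF\PdfViewer.exe",
     "ImageLoaded": r"C:\Program Files\Acme PDF\pdfrender.dll",
     "Signed": "true"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\RarSFX0\PdfViewer.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true"},
    {"Image": r"C:\Program Files\Acme PDF\PdfViewer.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\plugin.dll",
     "Signed": "false"},
]

if __name__ == "__main__":
    for severity, path in triage(SAMPLE_EVENTS):
        print(f"[{severity}] possible DLL sideloading: {path}")
```

The heuristic is a starting point for a hunting query: in production, enrich with the host's own signature state and the directory's ACL so that a signed decoy application in a user-writable folder ranks highest.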

Working Example

# Example of Base64 decoding used in the attack chain
import base64

encoded_payload = "SGVsbG8gV29ybGQh"  # Replace with actual Base64 encoded payload
decoded_payload = base64.b64decode(encoded_payload).decode('utf-8')
print(decoded_payload)

Practical Applications

  • Use Case: Threat actors target high-value individuals on LinkedIn, establishing trust via initial contact before delivering malicious WinRAR archives.
  • Pitfall: Relying solely on email-based security controls creates a blind spot, as social media platforms are often less monitored and offer a different attack surface.
