A new phishing campaign has been identified, utilizing private messages on social media platforms like LinkedIn to target high-value individuals. Researchers from ReliaQuest reported that the scheme aims to deploy a remote access trojan (RAT) through malicious payloads delivered via DLL sideloading, combined with a legitimate open-source Python pen-testing script.
The attack begins with messages designed to build trust and deceive recipients into downloading a malicious self-extracting archive (SFX) disguised as a legitimate PDF reader application. Upon execution, this archive extracts various components, including a rogue DLL that is sideloaded by the PDF reader, alongside a portable executable of the Python interpreter.
DLL sideloading is increasingly used by cybercriminals because the malicious code runs inside a legitimate process, which helps it evade detection. The rogue DLL installs the Python interpreter, which then creates a Windows Registry Run key so that it is launched at every login. The interpreter decodes and executes Base64-encoded shellcode in memory, minimizing forensic traces on disk. The final payload establishes communication with an external server, allowing the attackers to maintain remote access and exfiltrate sensitive data.
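The persistence step above (a Run key that launches a portable Python interpreter, which then decodes and executes Base64 shellcode) leaves a checkable artifact. The following is an added detection example, not code from ReliaQuest or the campaign; the Run-key entries are constructed samples, the path and command-line patterns are heuristics chosen here, and reading HKCU is an assumption (the report does not say which hive the key lives in):

```python
"""Flag Registry Run-key entries that launch a Python interpreter from a
user-writable path or that decode and exec() Base64 on the command line."""
import re

# Constructed sample Run-key values (name -> command line); not real IoCs.
SAMPLE_RUN_KEYS = {
    "OneDrive": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background',
    "PdfReaderUpdate": r'"C:\Users\alice\AppData\Roaming\PdfReader\python.exe"'
                       r' -c "import base64;exec(base64.b64decode(PAYLOAD))"',
    "SysHelper": r'C:\Users\alice\AppData\Local\Temp\py\pythonw.exe'
                 r' C:\Users\alice\AppData\Local\Temp\py\run.py',
}

# Leading executable (quoted or not) that is python.exe / pythonw.exe.
PYTHON_EXE = re.compile(r'^"?(?P<exe>[^"]*?pythonw?\.exe)"?', re.IGNORECASE)
# Heuristic: directories an unprivileged user can write to (assumption, not a full list).
USER_WRITABLE = re.compile(r'\\(Users\\[^\\]+\\AppData|Temp|ProgramData|Public)\\', re.IGNORECASE)
# Inline "decode Base64 then exec/eval it" pattern.
B64_EXEC = re.compile(r'\b(b64decode|base64)\b.*\b(exec|eval)\b', re.IGNORECASE)


def assess_run_entry(command: str) -> list[str]:
    """Return the reasons a Run-key command line looks suspicious (empty if none)."""
    reasons = []
    m = PYTHON_EXE.match(command.strip())
    if m:
        reasons.append("launches Python interpreter")
        if USER_WRITABLE.search(m.group("exe")):
            reasons.append("interpreter lives in a user-writable directory")
    if B64_EXEC.search(command):
        reasons.append("decodes Base64 and exec()s it inline")
    return reasons


def scan_run_keys(entries: dict[str, str]) -> dict[str, list[str]]:
    """Map each flagged Run-key name to its reasons; clean entries are omitted."""
    return {name: r for name, cmd in entries.items() if (r := assess_run_entry(cmd))}


def read_live_run_keys() -> dict[str, str]:
    """On Windows, read HKCU Run values (hive is an assumption); {} on other platforms."""
    try:
        import winreg
    except ImportError:
        return {}
    entries, i = {}, 0
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER,
                        r"Software\Microsoft\Windows\CurrentVersion\Run") as key:
        while True:
            try:
                name, value, _ = winreg.EnumValue(key, i)
            except OSError:  # no more values
                return entries
            entries[name], i = str(value), i + 1


if __name__ == "__main__":
    for name, reasons in scan_run_keys(read_live_run_keys() or SAMPLE_RUN_KEYS).items():
        print(f"{name}: {'; '.join(reasons)}")
```

Run on a live host the script reads the current user's Run key; elsewhere it falls back to the constructed samples so the heuristics can be exercised offline.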
ReliaQuest noted that this campaign is broad, affecting numerous sectors and regions, and that it shows phishing has evolved beyond email, with attackers using alternative delivery channels to exploit security weaknesses.