Paubox blog: HIPAA compliant email - easy setup, no portals or passcodes

LinkedIn direct messages used to deliver malware to senior executives

Written by Farah Amod | February 7, 2026

Researchers say attackers are shifting phishing activity to social platforms as email defenses improve.


What happened

Researchers disclosed a phishing campaign that used LinkedIn direct messages to target selected corporate executives and IT administrators, prompting them to download malicious files. According to Cybernews, the messages directed recipients to download a WinRAR self-extracting archive, a compressed file packaged as a standalone executable that automatically extracts and runs its contents when opened. The archive unpacked both legitimate software and a hidden malicious component. The campaign relied on trusted-looking filenames and social media context to persuade targets to open the files.


Going deeper

The archive delivered a legitimate PDF reader alongside a malicious dynamic link library, a supporting code file designed to be loaded by another program, and a portable Python interpreter. When the victim opened the reader, the malicious library executed through DLL sideloading, a technique that exploits how Windows searches for required libraries and causes the attacker’s file to be loaded instead of the intended one. The approach allowed the attacker’s code to run under the cover of a trusted application. The malware then created a registry entry to maintain persistence and executed an open-source penetration testing script directly in memory after encoding it, which reduced the chance of detection. Researchers observed repeated outbound connections consistent with remote access tooling, suggesting the goal was long-term access rather than a one-time data grab.


What was said

Researchers said the phishing campaign stood out for combining social media delivery with widely trusted open-source tools, lowering technical barriers while increasing the chance that targets would open the files. Analysts noted that filenames were tailored to a recipient’s role or industry, making the downloads appear routine and contextually relevant.

LinkedIn said it continues to identify and disrupt scams operating on the platform and urged users to report suspicious activity. In a statement cited by Cybernews in January 2026, the company said, “Our teams and technology work behind the scenes to spot and stop most scams before they even reach our members and customers. If they do come across anything suspicious, we encourage them to report it and provide resources in our Help Center about identifying fraudulent messages and guidance on what to do if a malicious link is clicked.”


In the know

LinkedIn has repeatedly been used as an entry point for targeted attacks rather than mass phishing. The Hacker News noted that several North Korean threat groups have relied on LinkedIn outreach as part of long-running campaigns, including CryptoCore and Contagious Interview. In those cases, attackers posed as recruiters, approached victims with fake job opportunities, and persuaded them to run malicious code under the guise of an interview task or technical assessment.

Researchers also documented a separate LinkedIn-themed phishing campaign in March 2025 that abused InMail-style notifications. The messages prompted recipients to click buttons labeled “Read More” or “Reply To,” which led to the download of legitimate remote desktop software from ConnectWise. Once installed, the tool gave attackers full remote access to the victim’s system. Analysts said the approach worked because the activity looked like normal professional communication and relied on trusted platforms and software rather than obvious malware.


The big picture

Threat researchers have documented a steady move away from email toward alternative channels for initial access. The 2024 Verizon Data Breach Investigations Report found that phishing remains a primary access vector, with attackers also using messaging platforms and social networks, where security controls and user awareness are less mature. The report noted that credential theft and malware delivery often begin in trusted-looking conversations rather than mass email campaigns, especially when targeting senior staff.


FAQs

Why are attackers using LinkedIn instead of email?

Email filtering has improved, while social media messages often receive less scrutiny and fewer technical controls in corporate environments.


What is a self-extracting archive?

It is a compressed file that automatically unpacks its contents when opened, allowing attackers to deliver multiple components in a single download.


How does DLL sideloading help attackers?

It allows malicious code to load alongside a legitimate program, making execution appear normal and reducing detection by security tools.


Why are executives and IT staff targeted?

They often have higher access, sensitive information, and broad visibility across systems, which increases the value of a successful compromise.


How can organizations reduce this risk?

They can include social media in security training, restrict software downloads, monitor for unusual process behavior, and encourage reporting of unexpected direct messages.
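As an added, defender-side illustration (not part of the original article or the researchers' tooling), the Python sketch below correlates constructed Sysmon-style events into the chain described under "Going deeper" (an unsigned DLL loaded from a user-writable directory by a trusted reader, a Run-key persistence entry, repeated outbound connections to one destination) and reports only processes showing two or more of those stages, the kind of "unusual process behavior" monitoring the last FAQ answer recommends. The paths, process IDs, IP addresses and user-writable roots are assumptions; the field names follow Sysmon's event schema.

```python
"""Correlate Sysmon-style endpoint events into the stages described above: DLL sideload
by a trusted app, Run-key persistence and repeated outbound connections. All events are
constructed samples; fields follow Sysmon (EventID 7 image load, 13 registry set, 3 connect)."""
import ntpath
from collections import defaultdict

# Assumed user-writable roots where an archive opened from a DM would unpack.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\temp\\")
RUN_KEYS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")

READER = r"C:\Users\ceo\Downloads\Reader\reader.exe"   # constructed sideload host
NOTEPAD = r"C:\Windows\System32\notepad.exe"           # constructed benign control
SAMPLE_EVENTS = [
    {"EventID": 7, "ProcessId": 4242, "Image": READER, "Signed": "false",
     "ImageLoaded": r"C:\Users\ceo\Downloads\Reader\version.dll"},
    {"EventID": 13, "ProcessId": 4242, "Image": READER,
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Reader"},
] + [{"EventID": 3, "ProcessId": 4242, "Image": READER,
      "DestinationIp": "203.0.113.10", "DestinationPort": 443} for _ in range(4)] + [
    {"EventID": 7, "ProcessId": 5150, "Image": NOTEPAD, "Signed": "true",
     "ImageLoaded": r"C:\Windows\System32\user32.dll"},
    {"EventID": 3, "ProcessId": 5150, "Image": NOTEPAD,
     "DestinationIp": "198.51.100.7", "DestinationPort": 443},
]

def looks_like_sideload(e):
    """Unsigned DLL loaded from the EXE's own directory under a user-writable path."""
    # Windows searches the application directory first; sideloading abuses that order.
    dll, exe = e["ImageLoaded"].lower(), e["Image"].lower()
    return (e.get("Signed") == "false" and dll.startswith(USER_WRITABLE)
            and ntpath.dirname(dll) == ntpath.dirname(exe))

def correlate(events, beacon_threshold=3, min_stages=2):
    """Return {(pid, image): [stages]} for processes showing >= min_stages stages."""
    stages = defaultdict(set)
    conns = defaultdict(lambda: defaultdict(int))
    for e in events:
        key = (e["ProcessId"], e["Image"])
        if e["EventID"] == 7 and looks_like_sideload(e):
            stages[key].add("sideload")
        elif e["EventID"] == 13 and any(k in e["TargetObject"].lower() for k in RUN_KEYS):
            stages[key].add("persistence")
        elif e["EventID"] == 3:
            conns[key][(e["DestinationIp"], e["DestinationPort"])] += 1
    for key, dests in conns.items():   # repeated connects to one destination = beacon
        if max(dests.values()) >= beacon_threshold:
            stages[key].add("beacon")
    return {k: sorted(v) for k, v in stages.items() if len(v) >= min_stages}
```

Calling correlate(SAMPLE_EVENTS) flags only the reader process with all three stages; the benign control process, which has one signed load and a single connection, produces no finding. Requiring two stages before reporting keeps a lone unsigned load or a single Run-key write from paging an analyst on its own.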