Overview
- Attackers approach high-value targets on LinkedIn with role-themed lures before sending a link to a self-extracting archive.
- The archive installs a legitimate open-source PDF reader alongside a disguised DLL placed next to it, which the reader loads through DLL sideloading.
- Once the sideloaded DLL runs, the chain drops a portable Python interpreter, creates a Registry Run key for persistence, and decodes Base64-encoded shellcode that it executes in memory.
- The final payload attempts to establish remote access and exfiltrate data, with activity observed across sectors and regions according to ReliaQuest.
- Researchers say measuring scale is difficult due to limited visibility into private messages and recommend social media–specific training, usage audits on corporate devices, and defense-in-depth controls.
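The chain above leaves three host-level traces a defender can look for: a DLL loaded by its host binary from the same user-writable folder, a Run key whose value points into a user-writable path, and a portable interpreter launched with a long Base64 blob on its command line. The following Python is an added example of that triage logic, not code from the report or from ReliaQuest; it runs over constructed Sysmon-style events (field names follow Sysmon event IDs 1, 7 and 13), and the file names `pdfreader.exe` and `libpdf.dll`, the paths, the SID and the Base64 blob are all hypothetical placeholders.

```python
"""Toy detection logic for the three stages of the chain summarized above.
Runs over constructed Sysmon-style events; nothing here is from the report."""
import base64
import binascii
import re
from pathlib import PureWindowsPath

# Locations a standard user cannot write to. A DLL loaded by a host binary from
# the same directory *outside* these prefixes is a sideloading candidate.
PROTECTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
B64_BLOB_RE = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")  # 64+ Base64 chars, optional padding
PYTHON_IMAGES = {"python.exe", "pythonw.exe"}


def _user_writable(path: str) -> bool:
    return not path.lower().startswith(PROTECTED_PREFIXES)


def is_sideload(ev: dict) -> bool:
    """Event 7: a DLL loaded from the host binary's own user-writable folder."""
    if ev.get("EventID") != 7:
        return False
    host = PureWindowsPath(ev.get("Image", ""))
    dll = PureWindowsPath(ev.get("ImageLoaded", ""))
    if dll.suffix.lower() != ".dll":
        return False
    same_dir = str(host.parent).lower() == str(dll.parent).lower()
    return same_dir and _user_writable(str(dll))


def is_run_key_persistence(ev: dict) -> bool:
    """Event 13: a Run/RunOnce value whose command lives in a user-writable path."""
    if ev.get("EventID") != 13 or ev.get("EventType") != "SetValue":
        return False
    if not RUN_KEY_RE.search(ev.get("TargetObject", "")):
        return False
    return _user_writable(ev.get("Details", "").lstrip('"'))


def is_inline_base64_python(ev: dict) -> bool:
    """Event 1: Python outside an install dir with a validly padded Base64 blob inline."""
    if ev.get("EventID") != 1:
        return False
    image = ev.get("Image", "")
    if PureWindowsPath(image).name.lower() not in PYTHON_IMAGES or not _user_writable(image):
        return False
    for m in B64_BLOB_RE.finditer(ev.get("CommandLine", "")):
        try:
            base64.b64decode(m.group(0), validate=True)  # reject look-alike runs
            return True
        except (binascii.Error, ValueError):
            continue
    return False


DETECTORS = (
    ("dll_sideload", is_sideload),
    ("run_key_persistence", is_run_key_persistence),
    ("inline_base64_interpreter", is_inline_base64_python),
)


def triage(events: list) -> list:
    """Return (detector name, key artifact) for every event a detector flags."""
    hits = []
    for ev in events:
        for name, fn in DETECTORS:
            if fn(ev):
                hits.append((name, ev.get("ImageLoaded") or ev.get("TargetObject") or ev.get("Image")))
    return hits


# Constructed sample events. Reader name, DLL name, paths and SID are hypothetical
# placeholders; BLOB is harmless text, not shellcode.
BLOB = base64.b64encode(b"constructed placeholder payload bytes, not shellcode " * 2).decode()
DL = "C:\\Users\\alice\\Downloads\\JobOffer\\"
APP = "C:\\Users\\alice\\AppData\\Roaming\\py\\"
SAMPLE_EVENTS = [
    # Stage 1: the reader loads a DLL from its own folder in Downloads.
    {"EventID": 7, "Image": DL + "pdfreader.exe", "ImageLoaded": DL + "libpdf.dll"},
    # Benign: the same reader loads a system DLL from System32.
    {"EventID": 7, "Image": DL + "pdfreader.exe", "ImageLoaded": "C:\\Windows\\System32\\version.dll"},
    # Benign: an installed application loads its own DLL from Program Files.
    {"EventID": 7, "Image": "C:\\Program Files\\Editor\\editor.exe",
     "ImageLoaded": "C:\\Program Files\\Editor\\libpdf.dll"},
    # Stage 2: Run key pointing at the dropped portable interpreter.
    {"EventID": 13, "EventType": "SetValue",
     "TargetObject": "HKU\\S-1-5-21-111-222-333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
     "Details": APP + "pythonw.exe " + APP + "run.py"},
    # Stage 3: that interpreter launched with an inline Base64 blob.
    {"EventID": 1, "Image": APP + "pythonw.exe",
     "CommandLine": "pythonw.exe -c \"import base64;buf=base64.b64decode('" + BLOB + "')\""},
    # Benign: the system-installed Python running a script file.
    {"EventID": 1, "Image": "C:\\Program Files\\Python312\\python.exe", "CommandLine": "python.exe build.py"},
]

if __name__ == "__main__":
    for name, artifact in triage(SAMPLE_EVENTS):
        print(f"{name}: {artifact}")
```

The three checks are deliberately heuristic: the writable-directory test is what separates a reader legitimately loading its own DLL from Program Files from the same load out of Downloads, and the Run key check matches both HKU and HKLM hives because the value data, not the hive, is what points at the dropped interpreter. In production these would be tuned per environment (allow-listed portable tools, the 64-character blob threshold) and correlated by process GUID so that the three stages are raised as one incident rather than three alerts.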