Editor’s note: This report was authored by Emily Jia.

Key Points

We investigated a phishing campaign that exploited social media private messages to deliver weaponized files via Dynamic Link Library (DLL) sideloading, combined with a legitimate, open-source Python pen-testing script—likely to deploy a remote access trojan (RAT).

This approach allows attackers to bypass detection and scale their operations with minimal effort while maintaining persistent control over compromised systems. Once inside, they can escalate privileges, move laterally across networks, and exfiltrate data.

To mitigate these threats, organizations should implement social media-specific security awareness training to help employees identify phishing attempts and avoid risky downloads.


The ReliaQuest Threat Research team recently investigated a phishing campaign that exploits social media private messages to deliver malicious payloads. Central to this campaign is an unusual tactic: the execution of an open-source, Python pen-testing script that our team had not observed in similar attacks before.

What makes this campaign particularly concerning is its strategic use of social media’s credibility, combined with the weaponization of legitimate open-source tools. This combination not only lowers the technical barrier for attackers but also boosts their odds of success.

This campaign serves as a reminder that phishing isn’t confined to email inboxes. Phishing attacks take place over alternative channels like social media, search engines, and messaging apps—platforms that many organizations still overlook in their security strategies. Social media platforms, especially those frequently accessed on corporate devices, provide attackers with direct access to high-value targets like executives and IT administrators, making them invaluable to cybercriminals.

In this report, we’ll explore:

  • How an attack plays out, from the initial phishing message to the execution of an open-source pen-testing script.

  • Why social media platforms are an attractive, yet often overlooked, attack surface for cybercriminals.

  • Key examples of recent campaigns that delivered remote access trojans (RATs) through social media phishing—and what they mean for your organization.

  • Actionable strategies to protect your organization from similar threats and what to anticipate in the future.

The Anatomy of an Attack: Breaking Down the Methodology

In this section, we dive into the mechanics of a phishing campaign conducted through the social media platform LinkedIn. Attackers targeted high-value individuals with precision, then used trusted open-source tools to bypass detection and achieve persistent access.

In this particular campaign, attackers abused LinkedIn’s professional context to establish trust and familiarity, increasing their chances of success by targeting high-value individuals in corporate environments. This tactic, however, could be applied to any social media platform commonly accessed on business devices.

Initial Access

The attack began with a phishing message sent via LinkedIn, containing a link to download a malicious WinRAR self-extracting archive (SFX). Once executed, the archive extracts:

  • A legitimate open-source PDF reader application.

  • A malicious DLL file, disguised to share the same name as a benign file used by the PDF reader.

  • A portable executable (PE) of the Python interpreter.

  • A RAR file (likely acting as a decoy—a common tactic in DLL sideloading to make the folder appear legitimate).

The file names are carefully crafted to align with the recipient’s role or industry, such as “Upcoming_Products.pdf” or “Project_Execution_Plan.exe.” This builds credibility and increases the likelihood that the targeted individual will interact with the file.

Execution via DLL Sideloading

Once the victim launches the extracted PDF reader, the malicious DLL exploits DLL sideloading, a technique in which attackers place their malicious DLL in the same directory as a legitimate application to complicate detection.

The PDF reader prioritizes loading DLL files from its local directory before checking the system directory, allowing the attacker’s DLL to execute under the PDF reader’s trusted process. This approach:

  • Evades detection by endpoint security tools.

  • Masks malicious intent by leveraging legitimate processes.

Exploiting a trusted application blurs the line between legitimate and malicious activity, complicating detection and response for security teams and increasing the possibility of prolonged compromise.
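The search-order behaviour described above gives defenders a concrete thing to enumerate: any DLL sitting beside an application executable that carries the same name as a DLL in the system directory will be loaded in preference to the system copy. The following script is an added example, not ReliaQuest tooling and not anything recovered from the campaign; it walks an application folder, looks for such name collisions, and compares content hashes against the system copy. On a real host the two arguments would be the application folder and `C:\Windows\System32`; here both folders, the file names and their contents are constructed inside a temporary directory so the script runs anywhere.

```python
"""Enumerate DLLs in an application folder that shadow a same-named system DLL.

Added example, not ReliaQuest tooling or anything from the campaign. It applies
the search-order point above: a DLL beside the EXE is loaded before the copy in
the system directory, so any such name collision deserves a look, and one whose
content differs from the system copy deserves a close look. On a real host you
would pass the application folder and C:\\Windows\\System32; here both folders
are constructed inside a temp directory so the script runs anywhere.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large DLLs do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_sideload_candidates(app_dir: Path, system_dir: Path) -> dict[str, str]:
    """Map each app-folder DLL that shares a name with a system DLL to a verdict.

    "differs"   : same name, different content; loaded in place of the system copy
    "identical" : a byte-for-byte redistributed copy; low risk but worth recording
    DLLs whose name exists only in the app folder are not collisions and are skipped.
    """
    system_dlls = {
        p.name.lower(): p for p in Path(system_dir).iterdir() if p.suffix.lower() == ".dll"
    }
    verdicts = {}
    for dll in Path(app_dir).rglob("*.dll"):
        system_copy = system_dlls.get(dll.name.lower())
        if system_copy is None:
            continue
        same = sha256_of(dll) == sha256_of(system_copy)
        verdicts[dll.name] = "identical" if same else "differs"
    return verdicts


def build_constructed_lab() -> tuple[Path, Path]:
    """Create a constructed stand-in for a PDF reader folder and a system folder.

    Names and contents are invented for the example; nothing here is a real binary.
    """
    root = Path(tempfile.mkdtemp(prefix="sideload_lab_"))
    system_dir = root / "System32"
    app_dir = root / "PdfReader"
    system_dir.mkdir()
    app_dir.mkdir()
    (system_dir / "sysutil.dll").write_bytes(b"constructed OS copy of sysutil.dll")
    (system_dir / "msgbox.dll").write_bytes(b"constructed OS copy of msgbox.dll")
    (app_dir / "reader.exe").write_bytes(b"constructed PDF reader executable")
    (app_dir / "sysutil.dll").write_bytes(b"constructed planted DLL, same name, different bytes")
    (app_dir / "msgbox.dll").write_bytes(b"constructed OS copy of msgbox.dll")  # redistributed copy
    (app_dir / "readercore.dll").write_bytes(b"constructed app-private DLL, no collision")
    return app_dir, system_dir


if __name__ == "__main__":
    app, system = build_constructed_lab()
    for name, verdict in sorted(find_sideload_candidates(app, system).items()):
        print(f"{name}: {verdict}")
```

A hash mismatch on its own only says the two files differ; a vendor may legitimately ship its own build of a DLL. The next step on a live host is to check the Authenticode signature of the "differs" entries and whether the executable actually imports that DLL, which narrows the list to the cases that matter.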

Persistence and C2

After execution, the malicious DLL performs two key actions:

  • Drops the Python interpreter onto the system.

  • Creates a persistent registry Run key with embedded Python code, ensuring the interpreter runs automatically on every login.

The Python interpreter executes an open-source shellcode runner script that is stored Base64-encoded. The script is decoded in memory and executed with Python’s exec() function, allowing attackers to:

  • Avoid creating disk-based artifacts, bypassing traditional antivirus tools.

  • Allocate memory, inject the final payload, and execute it.

Observed command-and-control (C2) activity during our analysis showed frequent attempts to contact a C2 server—behavior commonly associated with RATs—indicating their likely deployment. This would grant attackers:

  • Persistent access to the compromised system.

  • The ability to exfiltrate data, escalate privileges, and move laterally within the network.

These tactics amplify the risk of long-term compromise, enabling attackers to silently prepare for further malicious actions. A successful RAT deployment could result in severe consequences, including intellectual property theft, data breaches, operational disruption, and reputational damage.

Lowering the Barrier to Cybercrime with Open-Source Tools and Trusted Platforms

This campaign is another example of how cybercriminals can execute effective campaigns with minimal resources by exploiting legitimate tools. In this campaign, attackers used WinRAR and Python, but similar tactics could extend to other widely used tools, such as PowerShell. These tools are integral to daily operations, making it impractical for organizations to block them entirely. This highlights the ongoing challenge of distinguishing between legitimate activity and malicious behavior, leaving organizations vulnerable to similar attacks.

What’s more, as organizations increasingly rely on social media platforms for business and marketing purposes, these channels create new attack surfaces. Employees managing corporate social media accounts or engaging on these platforms are exposed to phishing attempts in environments with minimal security controls.

The broader lesson is that organizations must adopt holistic strategies that address both technical vulnerabilities and human factors.

How Open-Source Tools Are Reinvented as Threat Vectors

A critical element of this attack was the use of a legitimate, open-source Python script designed for pen-testing. Relying on publicly available tools means less effort for attackers and allows them to reduce costs and detection risks—all while lowering the technical barrier to entry. Here’s why this approach is so effective:

Evasion Through Trust: Open-source tools, widely used and trusted by security teams, often fly under the radar during automated scans or signature-based detection. This trust makes them ideal candidates for abuse.

Operational Efficiency: Using prebuilt pen-testing scripts eliminates the need for custom malware development. Attackers save time while benefiting from the reliability of proven code.

Attribution Challenges: Open-source scripts are accessible to anyone, making it difficult to trace attacks back to specific actors. In this case, the attacker used the script directly from its public repository, without modifications, further complicating attribution.

Why Are Social Media Platforms an Easy Win?

While open-source tools offer attackers a low-effort, high-impact approach, social media platforms add another layer of opportunity. In this section, we examine four key reasons why social media is an attractive attack vector for threat actors—and why these platforms present a growing security challenge that organizations can’t afford to overlook.

Exploiting user trust: With billions of social media users worldwide spending hours on these platforms daily, they have become integral to personal and professional lives. For businesses, certain social media platforms foster a sense of legitimacy and trust, as users often engage with individuals who appear relevant to their industry or role. This built-in trust makes social media platforms ideal for spearphishing campaigns, where attackers exploit employees’ familiarity with these platforms. When users let their guard down, they’re more likely to engage with malicious messages or download harmful files, especially in professional contexts where such interactions appear routine.

Bypassing traditional email security: Email security tools, including spam filters and phishing-detection systems, are limited to email inboxes. That means private messages on social media platforms completely sidestep these tools. Security teams have no visibility into these communications, creating blind spots that leave organizations reliant on employees’ judgment to identify and report phishing attempts.

Targeting high-value individuals with precision: Social media is a goldmine for reconnaissance. On business-oriented platforms, threat actors can easily identify individuals with privileged access—ranging from technical staff to executives—simply by searching for and reviewing job titles and descriptions. LinkedIn alone boasts 65 million decision-makers and 10 million C-Level executives, providing attackers with ample opportunities to pinpoint high-value targets. These platforms also offer insights into a target’s role, employer, and industry, enabling attackers to craft convincing phishing messages and name malicious files in ways that appear legitimate and relevant to the recipient’s work—greatly increasing the chances of success.

Lessons from the Past: Previous Social Media–Based RAT Campaigns

Past campaigns demonstrate the diverse threats posed by phishing messages on social media platforms and their effectiveness as vectors for deploying RATs. Unlike typical phishing attacks, RATs give attackers persistent, interactive control over compromised systems, allowing them to exfiltrate sensitive data, escalate privileges, and conduct long-term malicious operations while remaining undetected.

For example, attackers have made fake accounts to send spoofed direct messages (DMs), delivering legitimate remote-access tools to gain full remote control of victims’ devices. Financially motivated threat actors “FIN6” and “Cobalt Group” have used social media spearphishing campaigns to distribute the “More_eggs” backdoor by embedding malicious resumes and ZIP files into their attacks. In another case, North Korean advanced persistent threat (APT) group “Lazarus” claimed responsibility for “Operation Dangerous Password” (aka “CryptoCore”), where threat actors targeted crypto-exchange companies in Israel, the US, Europe, and Japan through malicious private messages, ultimately stealing hundreds of millions of dollars in cryptocurrency wallets.

These cases show how threat actors refine and reapply their tactics across campaigns, leveraging the trust inherent in social media platforms to target high-value individuals with precision. The ease of creating fake accounts, combined with the wealth of personal and professional information available on social media, makes these platforms a dangerous and increasingly attractive vector for initial access. For security teams, understanding the tactics in these campaigns is critical to preventing future attacks, as the same methods can be easily adapted to target a wide range of industries and organizations.

Step Up Your Defenses Against Social Media Phishing Attacks

ReliaQuest’s Approach

ReliaQuest GreyMatter equips security teams with a comprehensive suite of tools to quickly detect, contain, investigate, and respond to threats like those outlined in this report, including:

GreyMatter Transit: Private messages may fall outside traditional email security tools, but GreyMatter Transit provides visibility into threats once a phishing link is clicked. By analyzing data in motion, it speeds up detection, reduces storage costs, and streamlines response to mitigate threats like RAT deployments.

Agentic AI: ReliaQuest detection rules cover the techniques typically associated with attacks like the one in this report and, when combined with GreyMatter’s agentic AI, enable organizations to rapidly detect, contain, and respond to such attacks within minutes. This automation eliminates the delays associated with manual analysis, significantly improving response times and minimizing impact.

Detection Rules: Tailored to alert your organization to malicious activities like privilege escalation or persistence. These rules help spot unauthorized or anomalous behavior, including attempts to exploit legitimate applications and processes. Detection rules work together with GreyMatter Automated Response Playbooks, which allow security teams to rapidly contain threats. When entire attack chains like these can execute in under an hour, cutting down mean time to contain (MTTC) to minutes is key in helping organizations substantially minimize the impact of an attack. For example:

  • Isolate Host: Swiftly isolates the host from the network when hosts are detected establishing persistence mechanisms or executing suspicious processes. This action prevents C2 communication and lateral movement.

  • Terminate Sessions: Immediately revokes attackers’ access by invalidating stolen credentials and ending all active user sessions.

  • Disable User: Automatically disables compromised user accounts to halt unauthorized activity and prevent further damage.

Your Action Plan

The lack of visibility for security teams into social media private messages means a defense-in-depth security strategy is foundational for preventing serious damage occurring from RAT delivery via phishing. To best protect your organization from the threats we detailed in this report, implement the following actionable strategies:

  • Conduct social media-specific security awareness training that instructs users to treat downloads from social platforms with the same skepticism as email. Train employees to recognize dangerous file types (especially .exe files and executable archives) and establish clear guidelines requiring IT verification before executing any suspicious files. Implement incident reporting pathways for suspicious private messages and conduct phishing simulations to test employee awareness.

  • Conduct an audit of personal account access from corporate devices. This campaign demonstrates that the inherent trust in social media platforms creates a significant attack surface when accessed from work devices. Implementing controls that restrict file downloads from social platforms to sensitive locations like shared file storage solutions, or preventing execution of downloaded files, can prevent initial payload delivery. Additionally, monitor cross-platform file transfers and flag when files downloaded from social media messages are moved to execution-vulnerable directories.

  • Limit Python usage to only those who need it, such as developers. Given the attackers’ use of a portable Python interpreter to execute malicious scripts, block unauthorized Python executables and portable interpreters using application control policies and monitor endpoints for unusual Python activity—especially processes executing Base64-encoded scripts or running from unexpected directories.
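The persistence mechanism described under "Persistence and C2" (a Run key that starts a portable Python interpreter and feeds it Base64-encoded code into exec()) and the monitoring advice in the last bullet above both come down to the same triage logic: look at where the interpreter runs from, how it was launched, and what any long Base64 argument on its command line decodes to. The script below is an added example, not ReliaQuest's detection rule and not the campaign's script. It works on constructed records shaped like an autorun export or an EDR process-start event; the "expected" interpreter directories, the indicator list and the sample decoded text are all assumptions for the example, and the decoded text is only pattern-matched, never executed.

```python
"""Triage Python launches for the Run-key / Base64 pattern described in this report.

Added example (not ReliaQuest's detection rule or the campaign's script). Records
are constructed to look like an autorun export or EDR process-start event:
a source, the interpreter image path and the full command line.
"""
import base64
import binascii
import re
from pathlib import PureWindowsPath

# Directories where a sanctioned interpreter is expected on a managed host.
# These paths are assumptions for the example; tune them per environment.
EXPECTED_PYTHON_DIRS = {
    r"c:\program files\python312",
    r"c:\program files\python311",
}

# Indicators for decoded content, taken from the behaviour the report describes:
# in-memory exec() of decoded code and memory allocation through ctypes.
DECODED_INDICATORS = ("exec(", "ctypes", "VirtualAlloc", "b64decode")

# A long run of Base64 alphabet characters on a command line.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def decode_b64_blobs(cmdline: str) -> list[str]:
    """Return the mostly-printable decodings of long Base64 runs in a command line."""
    decoded = []
    for match in B64_RUN.finditer(cmdline):
        try:
            raw = base64.b64decode(match.group(0), validate=True)
        except (binascii.Error, ValueError):
            continue
        text = raw.decode("utf-8", errors="replace")
        printable = sum(ch.isprintable() or ch in "\r\n\t" for ch in text)
        if printable >= 0.9 * len(text):
            decoded.append(text)
    return decoded


def assess(record: dict) -> list[str]:
    """Return the reasons a record is suspicious (an empty list means nothing flagged)."""
    image = PureWindowsPath(record["image"].lower())
    cmdline = record["cmdline"]
    reasons = []
    if not image.name.startswith("python"):
        return reasons  # only interpreter launches are in scope here
    if str(image.parent) not in EXPECTED_PYTHON_DIRS:
        reasons.append(f"interpreter runs from unexpected directory {image.parent}")
    if record["source"] == "run_key":
        reasons.append("interpreter registered under a Run key (persistence)")
    if re.search(r"\s-c\s", cmdline) and "exec(" in cmdline:
        reasons.append("inline -c code that calls exec()")
    for blob in decode_b64_blobs(cmdline):
        hits = [ind for ind in DECODED_INDICATORS if ind in blob]
        if hits:
            reasons.append("Base64 argument decodes to code containing " + ", ".join(hits))
    return reasons


def triage(records: list[dict]) -> list[tuple[dict, list[str]]]:
    """Run assess() over every record and keep only the flagged ones."""
    flagged = []
    for record in records:
        reasons = assess(record)
        if reasons:
            flagged.append((record, reasons))
    return flagged


# Constructed stage text standing in for what a decoded Run-key argument might
# contain. It is never executed here, only pattern-matched.
SAMPLE_DECODED = "import ctypes\nexec(compile(STAGE, '<mem>', 'exec'))\n"
SAMPLE_BLOB = base64.b64encode(SAMPLE_DECODED.encode()).decode()

SAMPLE_RECORDS = [
    {   # a developer running a build script from the sanctioned install
        "source": "process_start",
        "image": r"C:\Program Files\Python312\python.exe",
        "cmdline": r'"C:\Program Files\Python312\python.exe" build.py --release',
    },
    {   # the report's pattern: portable interpreter in a user-writable folder,
        # started from a Run key, decoding a Base64 argument into exec()
        "source": "run_key",
        "image": r"C:\Users\jdoe\AppData\Roaming\Updater\python.exe",
        "cmdline": f'python.exe -c "import base64;exec(base64.b64decode(\'{SAMPLE_BLOB}\'))"',
    },
]

if __name__ == "__main__":
    for record, reasons in triage(SAMPLE_RECORDS):
        print(record["source"], record["image"])
        for reason in reasons:
            print("  -", reason)
```

Each reason is weak on its own (developers do run `python -c`, and portable interpreters exist in approved toolchains), which is why the script accumulates reasons per record rather than alerting on any single one; a Run-key launch from a user-profile directory whose argument decodes to exec() and ctypes is the combination the report describes, and that is the combination worth escalating.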

Key Takeaways and What’s Next

Social media platforms commonly used by businesses represent a gap in most organizations' security posture. Unlike email, where organizations tend to have security monitoring tools, social media private messages lack visibility and security controls, making them an attractive delivery channel for phishing campaigns. RAT deployment through social media—as evidenced in this campaign—is particularly dangerous because it grants attackers long-term access for privilege escalation, lateral movement, and data theft. Organizations must recognize social media as a critical attack surface for initial access and extend their defenses beyond email-centric controls.

Looking Ahead

Social media platforms will likely see increased targeting. As security solutions continue to advance, the cost and complexity of successful email-based attacks will also increase. However, social media offers a lower-friction alternative: It's accessed from corporate devices, trusted by users, and lacks equivalent security infrastructure. This disparity in security maturity makes social media an ideal attack vector for threat actors, and it’s likely that they will shift more campaigns to social media platforms in the next 12–24 months, as attackers weigh the relative risk-reward of targeting these channels.

Furthermore, attack sophistication will highly likely remain modest, continuing to rely on legitimate tools and social engineering. This campaign demonstrates that effective attacks don't require custom malware or advanced capabilities to achieve their objectives—just open-source tools and trusted delivery mechanisms. As more attackers recognize this model works, we'll likely see increased adoption of these simpler, more scalable techniques in the coming 12–24 months rather than escalation to more complex methods.

To address these evolving threats, organizations must treat social media platforms as an integral part of their attack surface and adopt a proactive, defense-in-depth approach. By combining employee training, advanced detection tools, and strict platform usage policies, they can mitigate the risks and stay ahead of emerging tactics.