When Trust Becomes the Weapon: How Open-Source Python Tools Are Powering Social Media Phishing Attacks

Cybersecurity researchers have uncovered an increasingly sophisticated phishing campaign that leverages two seemingly innocuous technologies — open-source Python scripts and social media platforms — to bypass traditional defenses and deploy powerful remote access tools. This threat, documented in a Threat Spotlight report, underscores how adversaries are adapting their tactics to exploit trust, convenience, and ubiquitous software to infiltrate corporate environments with alarming stealth.

Beyond Email: Phishing Moves to Social Platforms

Traditionally, phishing attacks originate via email, where spam filters and security gateways provide a first line of defense. However, the ReliaQuest investigation reveals that attackers are now targeting social media private messages, particularly LinkedIn, to reach high-value individuals such as executives, IT administrators, and decision-makers.

Social media platforms offer several attractive advantages for attackers. Users generally trust communications received within a platform’s messaging system, and security teams often lack visibility into these messages — leaving a blind spot for malicious activity. Unlike email, these private messages are rarely scanned by enterprise security tools, meaning phishing links and file downloads can reach targets without triggering alarms.

The Attack Chain: How It Works

This campaign begins with a phishing message sent through a social media platform that contains a link to download a weaponized WinRAR self-extracting archive. To increase credibility, the attackers name these files based on the recipient’s role or industry — for example, Upcoming_Products.pdf or Project_Execution_Plan.exe.

Once the archive is executed, it unpacks several components:

  • A legitimate open-source PDF reader application
  • A malicious DLL file deliberately named to resemble a trusted library
  • A portable Python interpreter executable
  • Additional files designed as decoys

The malicious DLL is loaded through DLL sideloading, a technique where a trusted application inadvertently runs attacker-controlled code because it loads libraries from its own directory before the system’s trusted paths. This makes detection much harder for security tools that focus on suspicious processes or unknown executables.

Once the malicious DLL executes, it writes the Python interpreter to the host, creates a persistent registry entry to ensure Python runs at each login, and uses it to decode and execute a Base64-encoded open-source shellcode runner script entirely in memory. This in-memory execution helps evade traditional antivirus solutions, which typically check for malicious files on disk.
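The chain above leaves three observable traces on the endpoint: an unsigned DLL loaded from the same directory as a non-system application, a Run-key entry that launches a Python interpreter, and a Python process decoding and executing a Base64 blob from its command line. The following detection logic is an added example written for this article, not code from the ReliaQuest report; the event schema, field names, approved-interpreter paths and sample events are all constructed to resemble Sysmon-style telemetry and must be mapped onto your own EDR or SIEM fields.

```python
"""Detection rules for DLL sideloading, Run-key Python persistence and inline
Base64 decode-and-exec, run over constructed endpoint telemetry."""
import ntpath
import re

# Assumption: interpreters under these prefixes are approved by the software
# inventory. Anything else that looks like python.exe is treated as unauthorized.
APPROVED_PYTHON_PATTERNS = [
    re.compile(r"^c:\\program files( \(x86\))?\\python\d*\\pythonw?\.exe$"),
    re.compile(r"^c:\\users\\[^\\]+\\appdata\\local\\programs\\python\\python\d+\\pythonw?\.exe$"),
]
PYTHON_IMAGE = re.compile(r"(^|\\)pythonw?(\d+(\.\d+)?)?\.exe$")
# Install roots protected by ACLs; an app outside them loading an unsigned DLL
# from its own directory is a sideloading candidate.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
RUN_KEYS = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(once)?$")
DECODE_FUNCS = re.compile(r"(b64decode|base64)", re.I)
EXEC_FUNCS = re.compile(r"\b(exec|eval|compile)\s*\(", re.I)


def norm(path: str) -> str:
    """Lower-case, backslash-normalised Windows path (works off-Windows via ntpath)."""
    return ntpath.normcase(ntpath.normpath(path))


def is_approved_python(image: str) -> bool:
    p = norm(image)
    return any(pat.match(p) for pat in APPROVED_PYTHON_PATTERNS)


def check_image_load(ev: dict) -> list:
    proc, dll = norm(ev["image"]), norm(ev["loaded_dll"])
    proc_dir = ntpath.dirname(proc)
    if ntpath.dirname(dll) != proc_dir:
        return []  # DLL did not come from the application's own directory
    if proc_dir.startswith(TRUSTED_ROOTS):
        return []  # application lives in a protected install root
    if ev.get("signature_status") == "Valid":
        return []  # signed library; treat a missing status as unsigned
    return ["dll_sideload_candidate"]


def check_registry_set(ev: dict) -> list:
    if not RUN_KEYS.search(norm(ev["key"])):
        return []
    # First executable path in the value data (quoted or not)
    m = re.search(r'([a-z]:\\[^"]+?\.exe)', ev["data"].lower())
    if m and PYTHON_IMAGE.search(m.group(1)) and not is_approved_python(m.group(1)):
        return ["run_key_unapproved_python"]
    return []


def check_process_create(ev: dict) -> list:
    image, cmd = norm(ev["image"]), ev["command_line"]
    if not PYTHON_IMAGE.search(image):
        return []
    hits = []
    if not is_approved_python(image):
        hits.append("unapproved_python_interpreter")
    if DECODE_FUNCS.search(cmd) and EXEC_FUNCS.search(cmd):
        hits.append("inline_base64_exec")
    return hits


HANDLERS = {
    "image_load": check_image_load,
    "registry_set": check_registry_set,
    "process_create": check_process_create,
}


def analyze(events: list) -> list:
    """Return one finding per rule hit, tagged with host and acting process."""
    findings = []
    for ev in events:
        for rule in HANDLERS.get(ev["type"], lambda e: [])(ev):
            findings.append({"rule": rule, "host": ev["host"], "image": ev["image"]})
    return findings


# Constructed sample telemetry (hostnames, users and paths are invented).
USER_DIR = r"C:\Users\jdoe"
SAMPLE_EVENTS = [
    {"type": "image_load", "host": "ws-101",
     "image": USER_DIR + r"\Downloads\Upcoming_Products\reader.exe",
     "loaded_dll": USER_DIR + r"\Downloads\Upcoming_Products\support.dll",
     "signature_status": "Unsigned"},
    {"type": "image_load", "host": "ws-101",
     "image": r"C:\Program Files\Vendor\app.exe",
     "loaded_dll": r"C:\Program Files\Vendor\app_core.dll",
     "signature_status": "Valid"},
    {"type": "registry_set", "host": "ws-101", "image": USER_DIR + r"\Downloads\Upcoming_Products\reader.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "value": "PDFReaderUpdate",
     "data": '"' + USER_DIR + r'\AppData\Roaming\PDFReader\python.exe" "' + USER_DIR + r'\AppData\Roaming\PDFReader\run.py"'},
    {"type": "registry_set", "host": "ws-102", "image": r"C:\Windows\explorer.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "value": "DevTool",
     "data": r'"C:\Program Files\Python311\python.exe" "C:\Tools\devtool.py"'},
    {"type": "process_create", "host": "ws-101",
     "image": USER_DIR + r"\AppData\Roaming\PDFReader\python.exe",
     "command_line": "python.exe -c \"import base64;exec(base64.b64decode('cHJpbnQoJ2hpJyk='))\""},
    {"type": "process_create", "host": "ws-102",
     "image": r"C:\Program Files\Python311\python.exe", "command_line": "python.exe build.py"},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f['host']}: {f['rule']} ({f['image']})")
```

Running the block against the constructed events produces four findings, all from ws-101, and none from the two benign ws-102 events; the approved-path allowlist is the same control the mitigation section below describes as an application policy, so keep it in step with what your inventory actually sanctions. The sideloading rule depends on telemetry that records Authenticode status for image loads; without that field it degrades to "unsigned or unknown", which is noisier but still useful for hunting.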

Open-Source Tools as a Weapon

One of the most alarming aspects of this campaign is the use of legitimate, open-source Python scripts originally designed for pen-testing (i.e., tools intended for ethical security testing) to facilitate malicious goals. Because these scripts are publicly accessible and widely used, attackers can deploy them without writing custom malware — lowering their development effort and reducing detection risk.

Open-source tools also complicate attribution. Since the same codebase can be used by both defenders and attackers, traditional signatures and code-based forensics are less reliable. In this case, attackers did not significantly modify the script from the public repository, making it difficult for researchers to link the campaign to a specific threat actor.

Persistent Remote Access and the RAT Threat

After the Python script runs, it connects to a remote command-and-control (C2) server — behavior associated with Remote Access Trojans (RATs). A RAT can grant attackers interactive, persistent control over a compromised machine, enabling them to escalate privileges, move laterally across a network, exfiltrate data, or deploy additional malware.

This silent persistence is particularly dangerous because it allows attackers to entrench themselves in a victim’s environment long after the initial compromise. Many organizations focus on stopping the initial intrusion, but persistent RAT access often leads to far greater impacts — including intellectual property theft, data breaches, or ransomware deployment.

Why Social Media Phishing Is a Growing Concern

ReliaQuest’s analysis highlights four main reasons social media is becoming a favored attack vector:

  1. User Trust: Messages on platforms like LinkedIn are often perceived as credible and relevant — especially if they appear to come from someone with industry or professional context.
  2. Lack of Security Controls: Unlike email, most social platforms lack enterprise-grade phishing filters or threat-intelligence integration.
  3. Precise Targeting: Attackers can easily identify and contact high-value targets based on publicly visible job titles and company affiliations.
  4. Blind Spots for Defenders: Security teams often do not monitor or have visibility into social media private messages, leaving a gap for malicious messages to reach users unobstructed.

Mitigating the Threat

To defend against these evolving phishing tactics, the report emphasizes that organizations must broaden their security strategies beyond email. Awareness training should now include phishing attempts via social platforms, training users to treat downloads and external links — regardless of the source — with skepticism.

Technical controls are also crucial: application control policies that block unauthorized Python interpreters, content filtering for downloads originating from social platforms, and extended monitoring that captures suspicious activity beyond traditional email infrastructure.

Conclusion

The ReliaQuest investigation demonstrates that attackers are evolving rapidly, combining social engineering with creative abuse of open-source tools and trusted platforms. As phishing moves beyond the inbox and into social media, organizations must adapt their defenses to secure all digital touchpoints where trust can be exploited.