A Single Click on LinkedIn: Inside a Silent RAT Infection

Overview of the Incident

In January 2026, a targeted malware campaign was identified leveraging LinkedIn private messaging as the initial access vector. The attackers specifically targeted individuals whose roles typically grant access to sensitive information or internal systems. The campaign did not rely on software vulnerabilities or exploits. Instead, it abused user trust and standard Windows functionality to gain a foothold.

The end goal of the attack was persistent remote access through the deployment of Remote Access Trojans (RATs), enabling long-term surveillance and follow-on attacks.


Detailed Attack Flow

1. Reconnaissance and Target Selection

Attackers conducted reconnaissance directly on LinkedIn by:

  • Identifying users with titles such as CEO, CTO, recruiter, engineer, consultant, or advisor
  • Reviewing employment history, recent posts, and shared content
  • Crafting messages that aligned with the target’s professional background

The LinkedIn profiles used by attackers were often:

  • Aged accounts with activity history
  • Populated with real connections
  • Using stolen or AI-generated profile photos
  • Engaging in light conversation before sending files

This preparation significantly reduced suspicion.


2. Initial Access: Social Engineering via LinkedIn Messages

Victims received a direct message claiming to share:

  • Confidential job offers
  • Draft contracts
  • Investment or pitch documents
  • Technical specifications or shared project material

The message tone was professional and context-aware. In many cases, the attacker referenced the victim’s employer or role, making the request feel legitimate.


3. Malware Delivery: WinRAR Archive

The malicious payload was delivered as a RAR archive created using WinRAR. The archive contents were intentionally structured to look like a real document package.

Typical archive contents:

  • One executable file with a benign-looking name (e.g., related to documents or viewers)
  • One malicious DLL
  • Optional decoy documents (PDF, DOCX) to distract the user

The archive itself was not inherently malicious and passed through most security controls.


4. Execution Method: DLL Sideloading Abuse

When the user executed the included executable:

  • Windows searched the executable's own directory for the DLLs it imported before checking the system directories
  • The attacker's DLL, placed beside the executable with the expected file name, was loaded instead of the legitimate system DLL
  • The executable continued to run normally, so the user saw nothing unusual

This technique did not exploit a vulnerability. It abused Windows’ default DLL search order behavior, which is well-documented and widely used by attackers.


5. Payload Activation and Installation

Once loaded, the malicious DLL:

  • Decrypted an embedded RAT payload in memory
  • Injected code into the parent process or a trusted child process
  • Established persistence using one or more of the following:
    • Registry Run keys
    • Scheduled tasks
    • Startup folder shortcuts
    • User-level services (where permitted)

Some samples delayed execution to avoid sandbox detection.


6. Command-and-Control (C2) Communication

After installation:

  • The RAT initiated outbound connections to attacker-controlled infrastructure
  • Communication was typically encrypted or obfuscated
  • Beacon intervals ranged from minutes to hours

The malware blended into normal user traffic by:

  • Using standard HTTP or HTTPS
  • Mimicking browser user-agent strings
  • Avoiding high-frequency traffic spikes

Payload Capabilities

The RATs observed were modular and adaptable. Core functionality included:

  • Full remote shell access
  • File system enumeration and exfiltration
  • Screenshot capture and screen streaming
  • Keylogging and clipboard scraping
  • Credential harvesting from:
    • Browsers
    • Email clients
    • VPN software
  • Process listing and memory inspection
  • Deployment of secondary payloads
  • Network reconnaissance for lateral movement

In higher-value environments, attackers deployed additional tooling after initial access.


Impact Assessment

Systems Impacted

  • Windows workstations (user-level compromise)
  • Corporate laptops used remotely
  • Personal devices used for business access

Organizational Impact

  • Exposure of confidential business documents
  • Credential compromise enabling further intrusion
  • Increased risk of internal phishing and lateral movement
  • Potential access to cloud services and internal portals

The compromise often remained undetected for extended periods due to the stealthy nature of the attack.


Indicators of Compromise (IOCs)

File-Based IOCs

Suspicious File Characteristics

  • RAR archives containing:
    • .exe + .dll pairs
  • DLL names commonly observed:
    • version.dll
    • winmm.dll
    • dbghelp.dll
    • cryptbase.dll
    • msvcp140.dll
  • Executables launched from:
    • C:\Users\<user>\Downloads\
    • C:\Users\<user>\AppData\Local\Temp\
    • Archive extraction directories

File Behavior

  • Legitimate executables loading DLLs from the same directory
  • DLLs without valid digital signatures
  • Executables running without installer context

Registry-Based IOCs

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  • HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
  • Random or document-themed value names pointing to user directories

Process and Execution IOCs

  • Executables unrelated to Office applications spawning:
    • cmd.exe
    • powershell.exe
    • rundll32.exe
  • Unusual parent-child relationships
  • Execution of signed binaries from non-standard locations

Network IOCs

Traffic Patterns

  • Outbound connections shortly after archive extraction
  • Encrypted HTTP/S traffic without visible browser activity
  • Periodic beaconing behavior

Infrastructure Characteristics

  • Recently registered domains
  • Domains mimicking business or cloud services
  • IP addresses hosted on VPS providers
  • Use of uncommon ports (e.g., 8080, 8443, 9001)

Detection Guidance

Endpoint Detection

Monitor for:

  • DLL loads from user-writable directories
  • Executables running outside Program Files or Windows
  • Suspicious persistence mechanisms created shortly after execution

Enable alerts for:

  • DLL sideloading patterns
  • Registry autoruns pointing to non-standard paths
  • Legitimate executables behaving unusually
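The sideloading pattern from section 4 and the file- and registry-based IOCs above can be expressed as endpoint detection logic. The following is an added example, not code from the original post: it runs two rules over constructed Sysmon-style image-load (Event ID 7) and registry-set (Event ID 13) records, with all paths, usernames and value names made up for the illustration.

```python
import re

# Constructed Sysmon-style records (Event ID 7 = ImageLoaded, Event ID 13 = RegistryEvent
# SetValue). Field names follow Sysmon's schema; every value is sample data made up here.
EVENTS = [
    {"EventID": 7, "Image": r"C:\Users\jdoe\Downloads\Contract_2026\DocViewer.exe",
     "ImageLoaded": r"C:\Users\jdoe\Downloads\Contract_2026\version.dll", "Signed": "false"},
    {"EventID": 7, "Image": r"C:\Program Files\Notepad++\notepad++.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll", "Signed": "true"},
    {"EventID": 13, "Image": r"C:\Users\jdoe\Downloads\Contract_2026\DocViewer.exe",
     "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Contract_2026",
     "Details": r"C:\Users\jdoe\AppData\Local\Temp\DocViewer.exe"},
    {"EventID": 13, "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe"},
]

# DLL names listed in the File-Based IOCs section.
SIDELOAD_NAMES = {"version.dll", "winmm.dll", "dbghelp.dll", "cryptbase.dll", "msvcp140.dll"}
USER_WRITABLE = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\(Downloads|AppData\\Local\\Temp)\\", re.I)
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
TRUSTED_DIRS = re.compile(r"^[A-Za-z]:\\(Windows|Program Files( \(x86\))?)\\", re.I)

def _dir_and_name(path):
    folder, _, name = path.rpartition("\\")
    return folder.lower(), name.lower()

def triage(events):
    """Return (rule, event) pairs for records matching the sideloading and autorun IOCs."""
    hits = []
    for ev in events:
        if ev["EventID"] == 7:
            exe_dir, _ = _dir_and_name(ev["Image"])
            dll_dir, dll_name = _dir_and_name(ev["ImageLoaded"])
            # Sideloading signature: a commonly abused DLL name resolved from the EXE's own
            # user-writable directory instead of System32, and carrying no valid signature.
            if (dll_name in SIDELOAD_NAMES and dll_dir == exe_dir
                    and USER_WRITABLE.match(ev["ImageLoaded"]) and ev["Signed"] != "true"):
                hits.append(("dll_sideload", ev))
        elif ev["EventID"] == 13:
            # Run/RunOnce persistence whose command lives outside Windows or Program Files.
            if RUN_KEY.search(ev["TargetObject"]) and not TRUSTED_DIRS.match(ev["Details"]):
                hits.append(("autorun_nonstandard_path", ev))
    return hits

if __name__ == "__main__":
    for rule, ev in triage(EVENTS):
        print(rule, ev["Image"])
```

The benign records (a signed System32 DLL loaded by an installed application, and an installer registering a Program Files binary) produce no hits, which is the false-positive check a rule like this needs before deployment.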

Network Detection

Flag:

  • New outbound connections from endpoints following file execution
  • Repetitive low-volume encrypted traffic
  • User systems communicating with newly registered domains
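The periodic, low-volume beaconing described under Network IOCs and flagged here can be surfaced from connection logs by measuring how regular a host's outbound connections to a given destination are. This is an added example, not the post's own tooling: the log, hosts, addresses and thresholds are constructed for the illustration, and the jitter threshold (max_cv) is an assumption that would need tuning per environment.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed connection log: timestamp (s), source host, destination, port, bytes sent.
# Flow 1 is a RAT-style beacon every ~5 minutes with light jitter on an uncommon port;
# flow 2 is bursty, larger human-driven HTTPS traffic. Both are sample data made up here.
CONN_LOG = """\
ts,src,dst,dport,bytes
1000,10.0.0.15,203.0.113.10,8443,412
1300,10.0.0.15,203.0.113.10,8443,398
1605,10.0.0.15,203.0.113.10,8443,420
1895,10.0.0.15,203.0.113.10,8443,405
2200,10.0.0.15,203.0.113.10,8443,410
2510,10.0.0.15,203.0.113.10,8443,401
1020,10.0.0.15,198.51.100.5,443,15000
1031,10.0.0.15,198.51.100.5,443,2200
1790,10.0.0.15,198.51.100.5,443,53000
2400,10.0.0.15,198.51.100.5,443,880
"""

def parse(log):
    rows = []
    for line in log.splitlines()[1:]:          # skip the header row
        ts, src, dst, dport, nbytes = line.split(",")
        rows.append((int(ts), src, dst, int(dport), int(nbytes)))
    return rows

def find_beacons(rows, min_conns=5, max_cv=0.15, max_bytes=2048):
    """Flag (src, dst, dport) flows whose inter-connection gaps are near-constant and whose
    payloads are small. cv = stdev / mean of the gaps: a beacon with light jitter stays low,
    while browsing produces irregular gaps and larger transfers."""
    flows = defaultdict(list)
    for ts, src, dst, dport, nbytes in rows:
        flows[(src, dst, dport)].append((ts, nbytes))
    alerts = []
    for key, conns in flows.items():
        if len(conns) < min_conns:              # too few samples to judge periodicity
            continue
        conns.sort()
        gaps = [b[0] - a[0] for a, b in zip(conns, conns[1:])]
        cv = pstdev(gaps) / mean(gaps)
        avg_bytes = mean([n for _, n in conns])
        if cv <= max_cv and avg_bytes <= max_bytes:
            alerts.append({"flow": key, "period_s": round(mean(gaps)), "cv": round(cv, 3)})
    return alerts

if __name__ == "__main__":
    for alert in find_beacons(parse(CONN_LOG)):
        print(alert)
```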

User Behavior Signals

  • Users receiving unsolicited LinkedIn attachments
  • Archive files opened directly from messaging platforms
  • Complaints of system slowness or unusual activity after opening documents

What Defenders Missed and Why

  • No exploit signatures triggered
  • No macros or script-based delivery
  • Legitimate binaries reduced antivirus suspicion
  • Execution occurred in the user's context, not at system level

This allowed the attack to bypass many traditional defenses.


Final Takeaway

This incident demonstrates how attackers no longer need advanced exploits to compromise modern systems. By combining professional social engineering with standard Windows behavior, they achieved silent, persistent access to high-value targets. The attack chain relied on trust, not technical weaknesses, making detection difficult without behavioral monitoring.


Aegiron

Backed by 11+ years in cybersecurity and incident response, we decode the latest threats shaping today’s digital battlefield. This blog cuts through the noise with clear insights on vulnerabilities, emerging exploits, and the cyber news defenders can’t afford to miss.