LinkedIn Phishing Campaign Uses Open-Source Pen Testing Tool to Target Business Executives

The North Korea-linked threat actor Kimsuky has been linked to a new campaign distributing a new variant of Android malware called DocSwap via QR codes hosted on phishing sites mimicking Seoul-based logistics firm CJ Logistics. The attack involved a ZIP file containing a Microsoft Windows screensaver (.scr) file, which displayed a PDF invoice written in Korean and loaded the attack chain until the backdoor program was running. The article also highlights the advanced obfuscation techniques used by HttpTroy to evade detection and the broader campaign by North Korean state-sponsored groups targeting various sectors. The attack is part of a broader campaign by North Korean state-sponsored groups targeting governments in the Asia-Pacific region, especially South Korea, as well as targets in the United States and Europe. Kimsuky has previously used password-protected ZIP files and AI-generated deepfake photos in their attacks. The groups use legitimate services and Windows processes to dodge security tools and different encryption methods for each step in a multistage infection chain. They also use techniques such as memory-resident execution and dynamic API resolution to help the malicious code avoid detection. Additionally, Kimsuky is targeting organizations involved in North Korea-related policy, research, and analysis, including non-governmental organizations, think tanks, academic institutions, strategic advisory firms, and government entities in the U.S. The group is using QR codes in phishing campaigns, a technique known as 'quishing,' to redirect victims to malicious locations disguised as questionnaires, secure drives, or fake login pages. The FBI has warned about Kimsuky's use of malicious QR codes in spear-phishing campaigns targeting entities in the U.S., highlighting the group's history of subverting email authentication protocols and exploiting improperly configured DMARC record policies. Cybersecurity researchers have uncovered a new phishing campaign that exploits social media private messages to propagate malicious payloads, likely with the intent to deploy a remote access trojan (RAT). The activity delivers "weaponized files via Dynamic Link Library (DLL) sideloading, combined with a legitimate, open-source Python pen-testing script." The attack involves approaching high-value individuals through messages sent on LinkedIn, establishing trust, and deceiving them into downloading a malicious WinRAR self-extracting archive (SFX). Once launched, the archive extracts four different components: a legitimate open-source PDF reader application, a malicious DLL that's sideloaded by the PDF reader, a portable executable (PE) of the Python interpreter, and a RAR file that likely serves as a decoy. The infection chain gets activated when the PDF reader application is run, causing the rogue DLL to be sideloaded. The use of DLL side-loading has become an increasingly common technique adopted by threat actors to evade detection and conceal signs of malicious activity by taking advantage of legitimate processes. Over the past week, at least three documented campaigns have leveraged DLL side-loading to deliver malware families tracked as LOTUSLITE and PDFSIDER, along with other commodity trojans and information stealers. In the campaign observed by ReliaQuest, the sideloaded DLL is used to drop the Python interpreter onto the system and create a Windows Registry Run key that makes sure that the Python interpreter is automatically executed upon every login. The interpreter's primary responsibility is to execute a Base64-encoded open-source shellcode that's directly executed in memory to avoid leaving forensic artifacts on disk. The final payload attempts to communicate with an external server, granting the attackers persistent remote access to the compromised host and exfiltrating data of interest. The abuse of legitimate open-source tools, coupled with the use of phishing messages sent on social media platforms, shows that phishing attacks are not confined to emails alone and that alternative delivery methods can exploit security gaps to increase the odds of success and break into corporate environments. ReliaQuest told The Hacker News that the campaign appears to be broad and opportunistic, with activity spanning various sectors and regions. "That said, because this activity plays out in direct messages, and social media platforms are typically less monitored than email, it's difficult to quantify the full scale," it added. "This approach allows attackers to bypass detection and scale their operations with minimal effort while maintaining persistent control over compromised systems," the cybersecurity company said. "Once inside, they can escalate privileges, move laterally across networks, and exfiltrate data." This is not the first time LinkedIn has been misused for targeted attacks. In recent years, multiple North Korean threat actors, including those linked to the CryptoCore and Contagious Interview campaigns, have singled out victims by contacting them on LinkedIn under the pretext of a job opportunity and convincing them to run a malicious project as part of a supposed assessment or code review. In March 2025, Cofense also detailed a LinkedIn-themed phishing campaign that employs lures related to LinkedIn InMail notifications to get recipients to click on a "Read More" or "Reply To" button and download the remote desktop software developed by ConnectWise for gaining complete control over victim hosts. "Social media platforms commonly used by businesses represent a gap in most organizations' security posture," ReliaQuest said. "Unlike email, where organizations tend to have security monitoring tools, social media private messages lack visibility and security controls, making them an attractive delivery channel for phishing campaigns." "Organizations must recognize social media as a critical attack surface for initial access and extend their defenses beyond email-centric controls."