May 21, 2026 - 12:32 PM

Phishing Campaign: Don’t Click Suspicious Links on LinkedIn

Cybersecurity researchers have warned of a growing phishing campaign on LinkedIn that targets senior business executives and IT administrators, using the platform’s professional setting to deliver malware and steal login details.

Threat analysts at ReliaQuest, a US-based cybersecurity firm, disclosed that attackers are using private LinkedIn messages to send phishing links designed to infect victims’ computers with a Remote Access Trojan (RAT).

The campaign, which ReliaQuest described as “particularly concerning,” focuses on high-value individuals, including company executives and system administrators.

According to ReliaQuest, the attackers begin by sending industry-related messages that appear relevant to the recipient’s role. Once trust is established, the victim is sent a link that downloads a malicious WinRAR self-extracting archive. When opened, the archive installs a legitimate open-source PDF reader alongside a malicious dynamic link library (DLL) file that is deliberately named to resemble a normal system file.

The malicious DLL exploits a technique known as DLL sideloading, allowing it to run unnoticed within the same folder as the legitimate application. Researchers said this approach makes detection more difficult for security software.
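A defender-side check for the pattern described above, as an added example that is not from ReliaQuest or the original article: it flags image-load events where a DLL carrying a Windows system DLL name is loaded from the application's own folder instead of a system directory. The event field names (modelled on Sysmon image-load events), the DLL name list, the path markers and the sample events are constructed assumptions.

```python
import ntpath  # parses Windows paths on any OS

# Assumption: short constructed list; build the real one from a clean reference image.
SYSTEM_DLL_NAMES = {"version.dll", "cryptbase.dll", "dwmapi.dll", "winmm.dll"}
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64", "c:\\windows\\winsxs")
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\downloads\\", "\\temp\\")


def _norm(path):
    return ntpath.normpath(path).lower()


def in_system_dir(path):
    return any(_norm(path).startswith(d + "\\") for d in SYSTEM_DIRS)


def find_sideload_candidates(events):
    """Return events where a system-named DLL loads from beside the executable."""
    hits = []
    for ev in events:
        exe, dll = _norm(ev["image"]), _norm(ev["image_loaded"])
        if ntpath.basename(dll) not in SYSTEM_DLL_NAMES or in_system_dir(dll):
            continue  # ordinary app DLL, or a system DLL loaded from where it belongs
        if ntpath.dirname(exe) != ntpath.dirname(dll):
            continue  # not loaded from the application's own folder
        checks = (("user_writable_path", any(m in dll for m in USER_WRITABLE_MARKERS)),
                  ("unsigned", not ev["signed"]))
        reasons = [name for name, hit in checks if hit]
        if reasons:  # a signed copy in an admin-only install folder is not reported
            hits.append({"image": ev["image"], "dll": ev["image_loaded"],
                         "reasons": ["same_dir_as_exe"] + reasons})
    return hits


# Constructed sample events; paths and names are illustrative only.
SAMPLE_EVENTS = [
    {"image": r"C:\Program Files\ExampleReader\reader.exe",
     "image_loaded": r"C:\WINDOWS\System32\VERSION.dll", "signed": True},
    {"image": r"C:\Program Files\ExampleReader\reader.exe",
     "image_loaded": r"C:\Program Files\ExampleReader\render.dll", "signed": True},
    {"image": r"C:\Program Files\ExampleReader\reader.exe",
     "image_loaded": r"C:\Program Files\ExampleReader\winmm.dll", "signed": True},
    {"image": r"C:\Users\alice\AppData\Local\Temp\extract\reader.exe",
     "image_loaded": r"C:\Users\alice\AppData\Local\Temp\extract\version.dll", "signed": False},
]

if __name__ == "__main__":
    for hit in find_sideload_candidates(SAMPLE_EVENTS):
        print(hit)
```

Only the last sample event is reported; the signed `winmm.dll` copy under `Program Files` is skipped to keep false positives down, which is a tuning choice rather than a guarantee that such a file is benign.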

After initial compromise, the attackers use an open-source penetration testing tool to maintain access to the victim’s system. This gives them the ability to extract data, escalate privileges, and move across internal company networks.

“Social media platforms, especially those frequently accessed on corporate devices, provide attackers with direct access to high-value targets,” ReliaQuest said in a blog post. “Many organisations still overlook these platforms in their security strategies.”

In a related development, BleepingComputer reported on January 13, 2026, that LinkedIn users have also been targeted through public comment scams. In these cases, fake accounts post replies under users’ LinkedIn posts, claiming the user has violated platform rules and that their account has been temporarily restricted.

The comments, which include LinkedIn logos and official-sounding language, direct users to click a link to resolve the issue. Victims who follow the link are taken to a convincing imitation of a LinkedIn login page, hosted on a non-LinkedIn web address, where their credentials are harvested.

Security analysts say the campaigns are effective because they exploit LinkedIn’s reputation as a professional and trustworthy platform. Unlike email phishing, social-media-based attacks often fall outside traditional corporate security monitoring.

ReliaQuest advised organisations to expand cybersecurity training to cover social media phishing, and to treat unexpected links or files on LinkedIn with the same caution applied to email. The firm also recommended auditing the use of personal social media accounts on corporate devices and restricting access where it is not required for work.

“This campaign serves as a reminder that phishing is not limited to email,” ReliaQuest said. “Organisations must treat social media platforms as part of their attack surface.”
