Malware campaign distributed via LinkedIn detected

Posted date 12/02/2026

In January 2026, a new phishing and malware campaign spread through direct messages on LinkedIn was detected. Instead of using traditional email, attackers took advantage of this platform to contact professionals and executives directly, simulating legitimate communications such as job offers or document exchanges. This campaign was initially documented by security analysts and reported in specialized media outlets such as The Hacker News, Cybernews, and other cybersecurity portals between January 20 and 22.

The attack involves sending links to download self-extracting compressed files (WinRAR SFX) which, when opened, extract components that appear legitimate. Using a technique known as DLL sideloading, the legitimate program first loads a malicious DLL, allowing malicious code to be executed without raising suspicion from security systems. This step enables the installation of a remote access Trojan (RAT) that establishes persistence on the system and communicates with external control servers. The campaign was mainly aimed at high-value targets, leveraging LinkedIn's credibility to bypass standard detection filters.
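For defenders, the sideloading step described above leaves a recognizable trace in image-load telemetry: a program started from a user-writable folder loads an unsigned DLL from its own folder. The following detection sketch is an added example, not taken from the cited reports; the field names follow Sysmon image-load (Event ID 7) records, and the directory markers, paths and file names are constructed assumptions.

```python
import ntpath

# Assumption: folders a user can write to, where a downloaded archive usually unpacks.
USER_WRITABLE = ("\\downloads\\", "\\desktop\\", "\\appdata\\local\\temp\\", "\\users\\public\\")

def is_sideload_candidate(event):
    """True when a process running from a user-writable folder loads a DLL
    from its own folder and that DLL lacks a valid signature."""
    image = event["Image"].lower()
    loaded = event["ImageLoaded"].lower()
    if not loaded.endswith(".dll"):
        return False
    same_dir = ntpath.dirname(image) == ntpath.dirname(loaded)
    in_user_path = any(marker in image for marker in USER_WRITABLE)
    untrusted = (event.get("Signed", "false").lower() != "true"
                 or event.get("SignatureStatus") != "Valid")
    return same_dir and in_user_path and untrusted

def find_candidates(events):
    """Return (process image, loaded DLL) pairs worth an analyst's review."""
    return [(e["Image"], e["ImageLoaded"]) for e in events if is_sideload_candidate(e)]

# Constructed sample events (not real telemetry from this campaign).
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\alice\Downloads\offer\reader.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\offer\version.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Users\alice\Downloads\offer\reader.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\Program Files\App\app.exe",
     "ImageLoaded": r"C:\Program Files\App\helper.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Users\bob\AppData\Local\Temp\sfx_extract\viewer.exe",
     "ImageLoaded": r"C:\Users\bob\AppData\Local\Temp\sfx_extract\libhelper.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
]

if __name__ == "__main__":
    for image, dll in find_candidates(SAMPLE_EVENTS):
        print(f"review: {image} loaded {dll}")
```

A hit is a lead for triage rather than a verdict, since some legitimate portable applications also ship unsigned libraries next to their executable.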

In response, cybersecurity firms have recommended caution with links and downloads received through this channel. The incident remains under alert and monitoring, with no confirmation of widespread impact. Reports agree that this campaign shows an evolution in phishing vectors, extending beyond email to social media platforms.