
Threat Research: Open-Source Python Script Drives Social Media Phishing Campaign

ID: ecfbbbde-7901-5ce8-aadf-a8609b20ca26

STIX ID: report--ecfbbbde-7901-5ce8-aadf-a8609b20ca26

Feed Name: ReliaQuest Blog

Threat Score: 70/100

Date Published: 2026-01-20

Date Updated: 2026-04-29

...
...

ReliaQuest investigated a LinkedIn-based phishing campaign in which attackers used the platform's private messages to deliver a WinRAR self-extracting (SFX) archive. The archive bundled a legitimate PDF reader, a malicious DLL loaded through DLL sideloading, and a portable Python interpreter that executed a Base64-encoded, open-source penetration-testing script in memory, most likely to deploy a remote access trojan (RAT). The report walks through the attack chain (delivery, execution, persistence, and command and control), gives historical examples, explains the detection challenges created by social platforms and legitimate tooling, and prescribes mitigations including social-media-aware security training, application control for Python, and rapid detection and response playbooks.
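The chain summarized above (SFX drops a portable interpreter, interpreter decodes a Base64 payload and exec()s it in memory) leaves a recognisable process-creation footprint that does not depend on the payload's contents. The following is an added detection example, not code from the ReliaQuest report: it scores Sysmon-style process-creation events (Event ID 1 field names) for a Python interpreter running from a user-writable path, an inline `-c` script that decodes and exec()s Base64, and a parent executable that also lives in a user-writable path. The sample events and the exact command-line patterns are constructed for this example; the page does not quote the campaign's real command lines, so treat the regexes as a starting point to tune against your own telemetry.

```python
"""Flag process-creation events matching an in-memory Python execution chain.

Field names follow Sysmon Event ID 1 (Image, CommandLine, ParentImage);
the events below are constructed for this example, not real telemetry.
"""
import json
import re
from dataclasses import dataclass

# Paths a non-admin user can write to; a managed interpreter should not run from here.
USER_WRITABLE = re.compile(
    r"^[a-z]:\\(users\\[^\\]+\\(appdata|downloads|desktop|documents)|programdata|windows\\temp)\\",
    re.IGNORECASE,
)
INTERPRETERS = {"python.exe", "pythonw.exe", "python3.exe"}
INLINE_FLAG = re.compile(r"(^|\s)-c(\s|$)")            # inline script switch
DECODE_EXEC = re.compile(r"(b64decode|base64\.decode|exec\(|compile\()", re.IGNORECASE)


@dataclass
class Finding:
    record_id: int
    reasons: list


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def analyse_event(ev):
    """Return a Finding if the event looks like the sideload-then-Python chain, else None."""
    image = ev.get("Image", "")
    cmdline = ev.get("CommandLine", "")
    parent = ev.get("ParentImage", "")
    reasons = []
    if _basename(image) in INTERPRETERS:
        if USER_WRITABLE.match(image):
            reasons.append("python interpreter running from a user-writable path")
        if INLINE_FLAG.search(cmdline) and DECODE_EXEC.search(cmdline):
            reasons.append("inline (-c) script that Base64-decodes and exec()s its payload")
        if parent and USER_WRITABLE.match(parent) and _basename(parent) not in INTERPRETERS:
            reasons.append("parent executable also lives in a user-writable path (SFX drop?)")
    return Finding(ev.get("RecordId", -1), reasons) if reasons else None


def scan(lines):
    """Parse JSON-lines events and return a Finding for each suspicious one."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        finding = analyse_event(json.loads(line))
        if finding:
            findings.append(finding)
    return findings


# Constructed sample events: one managed interpreter, one full attack chain,
# one benign inline script, and one developer running a portable build.
SAMPLE_EVENTS = [
    {"RecordId": 1, "Image": r"C:\Program Files\Python312\python.exe",
     "CommandLine": r'"C:\Program Files\Python312\python.exe" build.py',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"RecordId": 2, "Image": r"C:\Users\alice\AppData\Local\Temp\pyportable\python.exe",
     "CommandLine": "python.exe -c \"import base64;exec(base64.b64decode('aW1wb3J0IG9z'))\"",
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\Report.exe"},
    {"RecordId": 3, "Image": r"C:\Program Files\Python312\python.exe",
     "CommandLine": 'python.exe -c "print(1)"',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"RecordId": 4, "Image": r"C:\Users\bob\Downloads\python-3.12\python.exe",
     "CommandLine": "python.exe -m pip install requests",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]
SAMPLE_LOG = "\n".join(json.dumps(ev) for ev in SAMPLE_EVENTS)


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f"record {f.record_id}: " + "; ".join(f.reasons))
```

Record 2 hits all three indicators and is the one to page on; record 4 hits only the path check, which on its own is common for developers with a portable Python and is better handled by the application-control policy the report recommends than by an alert. The decode-and-exec check is deliberately independent of the interpreter's location, so it still fires when the attacker abuses a managed Python install.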
