
Appearing harmless on the outside, but extremely dangerous at its core: cybercriminals are currently using LinkedIn messages to target executives and key personnel with professional phishing campaigns. Their goal: undetected infection with remote access Trojans (RATs) — highly sophisticated espionage tools that grant complete control over compromised systems. According to a recent analysis by ReliaQuest, published by The Hacker News, attackers use the so-called DLL sideloading technique in combination with legitimate open-source tools to achieve this.
For CEOs, CIOs, CISOs, and CSOs, this means that the threat has long since moved beyond traditional email and is now infiltrating corporate IT systems via unmonitored social media channels. Particularly insidious is the fact that attackers disguise themselves with seemingly confidential PDF files or assessment materials from supposed job interviews.
In this editorial, we analyze the specific cyber risks behind this approach, explain the economic crime objectives, and clarify why technical sophistication is only part of the problem. Crucially, companies must respond strategically and functionally – and ProSec can support them as a partner with genuine depth.
The current campaign uses personalized LinkedIn messages to lure potential targets with a sophisticated social engineering approach. The message typically suggests a professional exchange – such as a collaboration, an interview, or simply a potential job offer. The target audience consists of individuals with high influence or interesting network positions.
When the victim opens the enclosed "assessment folder," a sophisticated infection process begins:
This attack method has already been used in several documented campaigns, for example in the distribution of the "LOTUSLITE" Backdoor or the PDFSIDER Malware.
What looks like a display of technical expertise has a clear objective: targeted, economically motivated espionage. It's not about quantity – but quality. The victims are not random. They are carefully selected based on their position within their organization. Remote Access Trojans (RATs) can be used to:
With this form of full access in the background, espionage remains undetected for weeks or months. Most importantly, after initial access, the attacker moves on to other systems, endpoints, or cloud applications. This covert lateral movement becomes the real threat.
Current campaigns show that various sectors are affected – from financial service providers and manufacturing companies to technology corporations. Particularly insidious is the fact that entry via LinkedIn messages carries minimal risk for the attackers. Company monitoring on these platforms? Generally non-existent.
Many companies invest in email gateways, firewalls, and VPNs – but their executives' social media accounts remain largely unprotected. Security strategies are traditional: email and endpoints, yes; LinkedIn and X (formerly Twitter), no.
It's long been clear that platforms like LinkedIn are a valuable research resource for threat actor groups. Methodically building a seemingly reputable account with professional references and industry jargon requires no special expertise – just patience. The costs for attackers are minimal, the potential return enormous.
Particularly alarming: North Korean APT groups have already successfully used LinkedIn in past campaigns to orchestrate targeted malware campaigns. Prominent cases like CryptoCore and Contagious Interview illustrate that RAT-based espionage is not just a theory – but a daily practice in the field of industrial espionage.
“But we have endpoint protection, we implement DLP, we train our employees…” – Uncertainty often arises when security is mistakenly confused with rigid technology stacks. However:
The malicious code is therefore difficult to detect, and traditional signature recognition is largely useless. Instead, a holistic view is needed: people, processes, technology – and a strategic understanding that new communication channels also create new risks.
The Python code used in this campaign is a publicly available penetration testing wrapper – actually intended for conducting authorized tests. The fact that such tools are "dual-use capable" is nothing new. However, many executives underestimate the speed at which legitimate tools can be adapted for criminal purposes.
A practical example: the payload used in the campaign utilizes standardized methods for registering run keys in the Windows operating system. These very techniques have been documented in the MITRE ATT&CK matrix for years.
However, simply knowing these techniques is not enough – concrete detection rules, penetration tests (red teaming) and a deep understanding of complex attacker chains are needed.
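One concrete detection rule of the kind meant here, as an added example that is not part of the original editorial or of any ProSec or campaign code: it parses a registry export of the per-user Run key and flags autostart entries that run from user-writable directories or are launched through a signed Windows binary such as rundll32.exe. The embedded .reg text, the user name and the program names are constructed for illustration.

```python
import re

# Constructed sample of a "reg export" of the per-user Run key (hypothetical paths
# and program names; not data from the campaign described above).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"Updater"="\"C:\\Users\\jdoe\\AppData\\Roaming\\assessment\\viewer.exe\""
"Helper"="rundll32.exe C:\\Users\\jdoe\\AppData\\Local\\Temp\\helper.dll,Start"
'''

# Locations a normal installer rarely uses for autostart binaries but malware often does.
USER_WRITABLE = re.compile(r'\\(AppData|Temp|Downloads|Users\\Public|ProgramData)\\', re.I)
# Signed Windows binaries commonly abused to load a DLL or script indirectly.
LOLBINS = {"rundll32", "regsvr32", "mshta", "wscript", "cscript", "powershell"}

def parse_run_keys(reg_text):
    """Return (name, command) pairs found under Run/RunOnce keys in a .reg export."""
    entries, in_run_key = [], False
    for line in reg_text.splitlines():
        if line.startswith("["):
            in_run_key = bool(re.search(r'\\CurrentVersion\\Run(Once)?\]$', line, re.I))
            continue
        m = re.match(r'"([^"]+)"="(.*)"$', line)
        if in_run_key and m:
            # .reg files escape backslashes and double quotes; undo that escaping.
            entries.append((m.group(1), m.group(2).replace('\\\\', '\\').replace('\\"', '"')))
    return entries

def assess_entry(command):
    """Return the reasons an autostart command deserves analyst attention (empty if none)."""
    reasons = []
    if USER_WRITABLE.search(command):
        reasons.append("runs from a user-writable directory")
    cmd = command.strip()
    # The executable is either the quoted first token or the first whitespace-separated token.
    exe = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else (cmd.split() or [""])[0]
    base = exe.lower().rsplit("\\", 1)[-1]
    if base.endswith(".exe"):
        base = base[:-4]
    if base in LOLBINS:
        reasons.append("launches via a living-off-the-land binary")
    return reasons

def suspicious_entries(reg_text):
    """Map each flagged Run-key value name to its list of reasons."""
    flagged = {}
    for name, command in parse_run_keys(reg_text):
        reasons = assess_entry(command)
        if reasons:
            flagged[name] = reasons
    return flagged
```

On a live system the same logic can be fed the output of `reg export` for the HKCU and HKLM Run and RunOnce keys; the flagged entries are leads for an analyst, not verdicts.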
At ProSec, we have been supporting companies in combating economic crime and cyber threats for years. Our expertise lies particularly in detecting and defending against targeted espionage activities that occur via underestimated entry points such as social media.
What sets us apart:
The good news: For those who take action, the risk is manageable. For those who wait, a single social media contact can cause lasting damage.
A RAT is malware that allows attackers to remotely access and control a compromised system – including keyboard input, file movements, and camera activations.
In this scenario, an application loads an external DLL – but an attacker has substituted a manipulated DLL, which the application then loads, usually unnoticed. This allows attackers to execute malicious code through seemingly legitimate programs.
In this process, malicious code is loaded and executed directly in the computer's RAM – without being stored on the hard drive beforehand. This makes the activity difficult to trace and almost invisible to traditional antivirus solutions.
This is a publicly available knowledge base of real-world attack techniques, published by MITRE Corporation. It helps companies classify and assess complex threats.
A Run Key is an entry in the Windows Registry that causes programs to load automatically every time the operating system starts. Attackers exploit this function to allow malware to run persistently.