LinkedIn Phishing Scam Spreads ConnectWise RAT to Victims

Posted on March 6, 2025
Cybersecurity experts are facing a new wave of phishing attacks that exploit the trusted LinkedIn brand to distribute malware. A recent analysis by Cofense reveals that attackers are using spoofed LinkedIn InMail notifications to deliver the ConnectWise Remote Access Trojan (RAT), deceiving recipients into unknowingly installing malicious software.

The phishing emails are carefully crafted to resemble LinkedIn notifications. They feature an outdated LinkedIn template from before 2020, a tactic likely meant to resonate with users familiar with older designs. The emails also impersonate a sales director requesting a quote, including a real profile picture to enhance credibility. The supposed company, “DONGJIN Weidmüller Korea Ind.,” blends names from legitimate firms, but does not actually exist.

Despite its fraudulent nature, the email evades security protocols. The Sender Policy Framework (SPF) check results in a softfail, indicating an unauthorized IP address, while the lack of a proper DomainKeys Identified Mail (DKIM) signature—normally present in genuine LinkedIn communications—further exposes its deception. Additionally, the misconfigured DMARC policy allows the email to bypass Microsoft Defender for Endpoint, reaching users’ inboxes instead of being blocked outright.

The attack unfolds when recipients click the “Read More” or “Reply To” buttons, which silently trigger the download of the ConnectWise RAT installer. Instead of using a direct “download” command, the campaign mimics a legitimate business inquiry, lowering the defenses of cautious users who are used to LinkedIn’s messaging interface.

This attack highlights the growing sophistication of phishing campaigns and how cybercriminals manipulate trust in well-known brands to bypass security measures. If successful, such attacks can grant adversaries remote access to sensitive systems, leading to data breaches, operational disruptions, and financial losses. Organizations must reinforce email authentication protocols, train employees to recognize phishing attempts, and adopt advanced security measures to mitigate these evolving threats.

Source: eSecurity Planet

The European Cyber Intelligence Foundation is a nonprofit think tank specializing in intelligence and cybersecurity, offering consultancy services to government entities. To mitigate potential threats, it is important to implement additional cybersecurity measures with the help of a trusted partner like INFRA www.infrascan.net, or you can try yourself using check.website.