Cybersecurity researchers are calling attention to a sophisticated social engineering campaign that’s targeting supply chain-critical manufacturing companies with an in-memory malware dubbed MixShell.
The activity has been codenamed ZipLine by Check Point Research.
“Instead of sending unsolicited phishing emails, attackers initiate contact through a company’s public ‘Contact Us’ form, tricking employees into starting the conversation,” the company said in a statement shared with The Hacker News. “What follows are weeks of professional, credible exchanges, often sealed with fake NDAs, before delivering a weaponized ZIP file carrying MixShell, a stealthy in-memory malware.”
The attacks have cast a wide net, spanning multiple organizations across sectors and geographic locations, but with an emphasis on U.S.-based entities. Primary targets include companies in industrial manufacturing, such as machinery, metalwork, component production, and engineered systems, as well as those related to hardware and semiconductors, consumer goods, biotechnology, and pharmaceuticals.
This diverse, yet focused, targeting has raised the possibility that the threat actors behind the campaign are honing in on industry verticals critical to the supply chain. Other countries targeted by ZipLine include Singapore, Japan, and Switzerland.
The campaign’s provenance and motives are presently unclear, but Check Point said it identified overlapping digital certificates between an IP address used in the attacks and infrastructure previously identified by Zscaler and Proofpoint as employed in TransferLoader attacks undertaken by a threat cluster referred to as UNK_GreenSec.
ZipLine is another instance of how threat actors are increasingly banking on legitimate business workflows, such as approaching targets via a company’s Contact Us form on their website, thereby weaponizing trust in the process to sidestep any potential concerns.
While the approach of using website contact forms as a malware distribution vector is not wholly new, where ZipLine stands apart is in its avoidance of scare tactics and urgent language to trick recipients into taking unintended actions.
This patient, social engineering technique involves drawing victims into multi-week conversations, in some cases even instructing them to sign non-disclosure agreements (NDAs), before sending booby-trapped ZIP files. Recent social engineering waves have also capitalized on the artificial intelligence (AI) transformation trend, with the attackers “offering” to help the target entities implement new AI-centric initiatives to reduce costs and improve efficiency.
The attack chain is characterized by multi-stage payloads, in-memory execution, and DNS-based command-and-control (C2) channels, allowing the threat actor to stay under the radar.
Specifically, the ZIP archives come fitted with a Windows shortcut (LNK) that triggers a PowerShell loader, which then paves the way for the custom in-memory MixShell implant that uses DNS tunneling and HTTP as a fallback C2 mechanism to support remote command execution, file operations, reverse proxying, stealth persistence, and deeper network infiltration.
MixShell also comes in a PowerShell variant that incorporates advanced anti-debugging and sandbox evasion techniques, uses scheduled tasks for persistence, and drops the reverse proxy shell and file download capabilities.
The malicious ZIP files are hosted on a sub-domain of herokuapp[.]com, a legitimate Platform-as-a-Service (PaaS) providing compute and storage infrastructure for hosting web applications — once again illustrating the threat actor’s abuse of legitimate services to blend in with normal enterprise network activity.
The LNK file responsible for initiating the execution chain also displays a lure document present in the ZIP file so as not to arouse the victim’s suspicion. That said, Check Point noted that not all ZIP files served from the Heroku domain are malicious, suggesting customized delivery of malware in real-time based on certain criteria.
“In many cases, the attacker uses domains that match the names of LLCs registered U.S.-based companies, and in some cases, may have previously belonged to legitimate businesses,” Check Point said. “The attacker maintains similar template websites to all those companies, which hint at a well-planned and streamlined campaign on a large scale.”
The campaign poses severe risks to companies, as it can lead to theft of intellectual property and ransomware attacks, business email compromise, and account takeovers resulting in financial fraud, and potential supply chain disruptions with cascading impacts.
“The ZipLine campaign is a wake-up call for every business that believes phishing is just about suspicious links in emails,” Sergey Shykevich, threat intelligence group manager at Check Point Research, said.
“Attackers are innovating faster than ever – blending human psychology, trusted communication channels, and timely AI-themed lures. To stay safe, organizations must adopt prevention-first, AI-driven defenses and build a culture of vigilance that treats every inbound interaction as a potential threat.”
