MixShell Malware Delivered Through Contact Forms Targets U.S. Supply Chain Manufacturers

Cybersecurity experts have uncovered a sophisticated social engineering campaign aimed at U.S. manufacturing companies critical to the supply chain. The operation, codenamed ZipLine by Check Point Research, leverages an in-memory malware strain called MixShell.

Unlike traditional phishing campaigns that rely on unsolicited emails, the attackers use a company’s “Contact Us” form as their entry point. From there, they establish weeks of professional, credible communication, often backed by fake non-disclosure agreements (NDAs), before ultimately sending a malicious ZIP archive carrying MixShell.

Targeting Key Industries

The campaign has impacted organizations across multiple sectors, but U.S.-based companies remain the primary focus. Targets include:

  • Industrial machinery and engineered systems
  • Metalworking and component manufacturing
  • Hardware and semiconductor firms
  • Consumer goods producers
  • Biotechnology and pharmaceutical companies

Organizations in other countries, including Singapore, Japan, and Switzerland, have also been identified as victims. Analysts suggest the campaign is deliberately focusing on industries vital to global supply chains.

Tactics, Techniques, and Infrastructure

The origins of the campaign remain uncertain. However, Check Point highlighted connections between the attackers’ infrastructure and previous TransferLoader operations tied to a group labeled UNK_GreenSec.

What sets ZipLine apart is the attackers’ ability to exploit legitimate business workflows. Instead of alarming or pressuring victims with urgent messages, they patiently build trust through extended conversations. Some exchanges even introduce AI-themed proposals, claiming to help organizations cut costs and boost efficiency before deploying malware.

The attack chain involves:

  • Multi-stage payloads with in-memory execution
  • DNS tunneling for command-and-control (C2), with HTTP as backup
  • Use of ZIP archives containing a Windows LNK shortcut that launches a PowerShell loader
  • Deployment of the custom MixShell implant, capable of remote command execution, file operations, reverse proxying, persistence, and deeper infiltration

A variant of MixShell is entirely PowerShell-based, featuring anti-debugging, sandbox evasion, scheduled tasks for persistence, and reverse proxy capabilities.
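The attack chain above exposes two artefacts a defender can check for before any in-memory stage runs: a ZIP archive that carries a Windows .lnk shortcut, and DNS queries whose subdomain labels are long and high-entropy, as DNS-tunnelled C2 tends to produce. The following Python is an added example written for this article; it is not Check Point's code and not anything recovered from the campaign. The archive contents, the DNS log format (timestamp, client, query name, type), the domain names and the thresholds are all constructed assumptions.

```python
"""Triage helpers for two ZipLine-style indicators: a .lnk inside a ZIP and
DNS-tunnelling traffic.  Added example; every sample value is constructed."""
import io
import math
import zipfile
from collections import Counter, defaultdict


def build_sample_zip() -> bytes:
    """Constructed stand-in for a lure archive: an innocent PDF next to a .lnk
    named to look like a document.  The bytes are placeholders, not a real
    shortcut file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("NDA_draft.pdf", b"%PDF-1.4 constructed placeholder")
        zf.writestr("Proposal_Q3.pdf.lnk", b"L\x00\x00\x00 constructed placeholder")
    return buf.getvalue()


def zip_has_lnk(data: bytes) -> list[str]:
    """Return the names of every .lnk entry in a ZIP given as raw bytes.
    Mail and upload gateways rarely have a reason to pass a shortcut through."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [i.filename for i in zf.infolist()
                if i.filename.lower().endswith(".lnk")]


def shannon_entropy(s: str) -> float:
    """Bits per character; encoded payload labels score far higher than words."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


# Constructed DNS log: "<timestamp> <client> <qname> <qtype>" (assumed format).
# The tunnel labels are 32 distinct characters each, i.e. 5.0 bits of entropy.
SAMPLE_DNS_LOG = """\
2025-08-20T10:01:02Z 10.0.0.15 www.example.com A
2025-08-20T10:01:03Z 10.0.0.15 mail.example.com A
2025-08-20T10:01:04Z 10.0.0.15 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.example.com A
2025-08-20T10:01:05Z 10.0.0.15 abcdefghijklmnopqrstuvwxyz234567.c2-placeholder.test TXT
2025-08-20T10:01:06Z 10.0.0.15 bcdefghijklmnopqrstuvwxyz234567a.c2-placeholder.test TXT
2025-08-20T10:01:07Z 10.0.0.15 cdefghijklmnopqrstuvwxyz234567ab.c2-placeholder.test TXT
2025-08-20T10:01:08Z 10.0.0.15 defghijklmnopqrstuvwxyz234567abc.c2-placeholder.test TXT
2025-08-20T10:01:09Z 10.0.0.15 efghijklmnopqrstuvwxyz234567abcd.c2-placeholder.test TXT
"""


def dns_tunnel_suspects(log_lines, min_unique=4, min_label_len=30, min_entropy=3.5):
    """Map each parent domain to the number of distinct long, high-entropy
    subdomains queried under it, keeping only domains over `min_unique`.
    The parent domain is taken as the last two labels (a simplification that
    mis-groups suffixes such as co.uk)."""
    per_domain = defaultdict(set)
    for line in log_lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed or blank line
        labels = parts[2].rstrip(".").lower().split(".")
        if len(labels) < 3:
            continue  # no subdomain, so nothing to carry data in
        parent, sub_labels = ".".join(labels[-2:]), labels[:-2]
        longest = max(sub_labels, key=len)
        if len(longest) >= min_label_len and shannon_entropy(longest) >= min_entropy:
            per_domain[parent].add(".".join(sub_labels))
    return {d: len(s) for d, s in per_domain.items() if len(s) >= min_unique}


if __name__ == "__main__":
    print("lnk entries:", zip_has_lnk(build_sample_zip()))
    print("tunnel suspects:", dns_tunnel_suspects(SAMPLE_DNS_LOG.splitlines()))
```

The long all-`a` label in the sample is there to show why length alone is a poor test: it is long but carries no information, so the entropy check drops it, while the five distinct 32-character labels under one parent domain are reported. In practice the thresholds should be tuned against a baseline of the organisation's own resolver logs, since CDNs and some telemetry services also emit long machine-generated labels.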

The malicious ZIP files are hosted on herokuapp[.]com, a legitimate PaaS provider, showing how attackers abuse trusted cloud services to blend in with normal traffic. Notably, not every ZIP file served from the domain is weaponized, which points to real-time customization of the payload for each target.

Large-Scale and Well-Planned

Check Point also observed attackers using domains mimicking registered LLC names in the U.S., sometimes repurposing domains that once belonged to legitimate companies. They often maintain cloned websites, further supporting the theory of a carefully orchestrated, scalable campaign.

Potential Business Impacts

The risks posed by ZipLine extend beyond malware infection. Organizations could face:

  • Intellectual property theft
  • Ransomware incidents
  • Business email compromise and account takeovers
  • Financial fraud
  • Disruptions across critical supply chains

According to Sergey Shykevich, Threat Intelligence Group Manager at Check Point Research:

“The ZipLine campaign is a reminder that phishing is no longer limited to suspicious links in emails. Attackers are innovating faster than ever—blending psychology, trusted communication channels, and timely AI-themed lures. Companies must prioritize AI-driven, prevention-first defenses and promote a culture where every inbound interaction is treated with caution.”

Source: https://thehackernews.com/2025/08/mixshell-malware-delivered-via-contact.html