ZipLine: New Campaign Triggers Victims to Call Hackers
Researchers at Check Point Research have uncovered a new targeted campaign, dubbed ZipLine, which leverages the malicious tool MixShell against industrial and high-tech companies. The hallmark of this operation lies in its unorthodox delivery method: instead of relying on traditional phishing emails, attackers initiate contact through the “Contact Us” forms on victim websites. They then maintain weeks-long correspondence, carefully cultivating the illusion of a legitimate business partnership. In some cases, fabricated non-disclosure agreements are exchanged before the final stage—when employees are eventually sent a ZIP archive containing the payload.
Inside the archive resides a Windows shortcut that executes a PowerShell script. This script loads MixShell directly into memory, leaving no trace on disk, and communicates with its command-and-control server via DNS tunneling and HTTP traffic. Once deployed, MixShell enables remote operators to execute arbitrary commands, transfer files, establish reverse proxies, and secure persistence within the victim’s environment. Certain variants incorporate anti-debugging techniques, sandbox evasion mechanisms, Windows Task Scheduler persistence, and the ability to covertly download additional modules.
The malware is propagated through subdomains hosted on herokuapp[.]com, blending seamlessly with legitimate network traffic. Each archive also contains a decoy document to avoid arousing suspicion. Check Point researchers observed that not all files delivered from these domains are malicious, suggesting dynamic file distribution tailored to individual victims. Further investigation revealed that attackers often register domains under the guise of American LLCs or repurpose dormant businesses, while the associated websites share a uniform template—indicating a well-resourced and methodically organized operation.
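The delivery pattern described above (a ZIP archive bundling a Windows shortcut that launches PowerShell alongside a decoy document) lends itself to a simple mail-gateway triage check. The script below is an added illustration written for this article, not Check Point's tooling or a real ZipLine artifact; the sample archive it builds, the file names, and the verdict tiers are constructed assumptions.

```python
import io
import zipfile

# Shell Link header: HeaderSize 0x4C followed by the ShellLink class identifier.
LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")
DECOY_EXTS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt")
# LNK stores its command-line string as UTF-16LE; plain ASCII is checked as well.
PS_MARKERS = (b"powershell", "powershell".encode("utf-16-le"))


def is_shell_link(data: bytes) -> bool:
    """True if the bytes start with a Shell Link (.lnk) header, whatever the file name."""
    return data[: len(LNK_MAGIC)] == LNK_MAGIC


def triage_zip(zip_bytes: bytes) -> dict:
    """Flag archives that match the lure pattern: shortcut plus decoy document."""
    report = {"shortcuts": [], "powershell_shortcuts": [], "decoys": [], "verdict": "clean"}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name, data = info.filename, zf.read(info)
            lower = name.lower()
            if lower.endswith(".lnk") or is_shell_link(data):
                report["shortcuts"].append(name)
                if any(marker in data.lower() for marker in PS_MARKERS):
                    report["powershell_shortcuts"].append(name)
            elif lower.endswith(DECOY_EXTS):
                report["decoys"].append(name)
    if report["powershell_shortcuts"]:
        report["verdict"] = "high"    # shortcut invoking PowerShell: quarantine and investigate
    elif report["shortcuts"] and report["decoys"]:
        report["verdict"] = "medium"  # shortcut packaged with a decoy document
    elif report["shortcuts"]:
        report["verdict"] = "low"     # shortcut present; unusual in business attachments
    return report


def build_sample_archive(with_shortcut: bool = True) -> bytes:
    """Constructed sample for the demo (hypothetical names), not a real ZipLine archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Partnership_Proposal.pdf", b"%PDF-1.4\n% constructed decoy\n")
        if with_shortcut:
            # Header plus padding, then a UTF-16LE command line naming PowerShell.
            lnk = LNK_MAGIC + b"\x00" * 56 + "PowerShell.exe".encode("utf-16-le")
            zf.writestr("NDA_Draft.pdf.lnk", lnk)
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_zip(build_sample_archive()))
```

A production check would additionally parse the shortcut's argument block rather than substring-matching, and would log the archive hash and sender for correlation with the contact-form conversation that preceded it.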
The campaign has already affected organizations across the United States, Singapore, Japan, and Switzerland. It focuses primarily on industries central to the global supply chain, including manufacturing, mechanical engineering, metalworking, component production, and industrial systems. Additional targets span the semiconductor, consumer goods, biotechnology, and pharmaceutical sectors. According to Check Point, the infrastructure overlaps with activity previously tracked by Zscaler and Proofpoint in TransferLoader operations, tied to the UNK_GreenSec cluster.
The threat posed by ZipLine extends far beyond intellectual property theft. It carries the potential for ransomware deployment, corporate email compromise, fraudulent transactions, and disruption of supply chains. Notably, attackers craft their lures around topical themes—such as AI adoption and cost optimization—making the correspondence especially convincing for corporate employees.
Check Point emphasizes that ZipLine exemplifies a new wave of social engineering—eschewing urgency and fearmongering in favor of trust, patience, and professional decorum. By embedding themselves within legitimate business processes, adversaries are able to bypass conventional filters and exploit human trust at its most vulnerable points.