A new and stealthy social engineering campaign, codenamed ZipLine, is targeting supply chain-critical manufacturing companies with a patient, long-term approach that subverts traditional cybersecurity defenses. Instead of relying on mass-scale, urgent phishing emails, the attackers initiate contact through a company’s public ‘Contact Us’ form, making the initial interaction appear legitimate. This clever tactic, identified by Check Point Research, involves weeks of professional and credible communication, sometimes even including fake non-disclosure agreements (NDAs), before a weaponized ZIP file is sent. This unique and drawn-out method of attack makes it particularly difficult to detect, as it bypasses automated spam filters and preys on human trust.
The ZipLine campaign has a wide reach but a specific focus on U.S.-based companies, with a heavy emphasis on industrial manufacturing, hardware, semiconductors, and even pharmaceuticals. The diverse yet concentrated targeting of these sectors suggests that the attackers are specifically zeroing in on industries that are vital to the global supply chain. By compromising these organizations, threat actors could potentially gain access to valuable intellectual property, disrupt manufacturing processes, or launch further attacks down the supply chain. This deliberate targeting of critical infrastructure highlights the campaign’s potential for widespread, cascading damage far beyond the initial victim.
At the heart of the campaign is MixShell, a custom, in-memory malware that is designed to stay hidden and avoid detection. Delivered within a weaponized ZIP file, the malware is executed through a Windows shortcut (LNK) file that triggers a PowerShell loader. This multi-stage process leads to the in-memory execution of MixShell, which uses DNS tunneling and HTTP for communication. The malware is capable of a range of malicious activities, including remote command execution, file operations, and deeper network infiltration, all while blending in with normal network traffic. This sophisticated technical approach, combined with the social engineering tactics, makes MixShell a formidable threat.
What makes the ZipLine campaign particularly effective is its abuse of legitimate services and workflows to appear credible. The attackers host the malicious ZIP files on subdomains of Heroku, a legitimate web hosting service. This allows the attackers to blend in with normal enterprise network activity and avoid suspicion. Furthermore, the LNK file within the ZIP archive displays a harmless lure document, further deceiving the victim into thinking the file is safe. The campaign’s patient, professional approach and use of legitimate infrastructure illustrate a significant evolution in threat actor tactics, moving away from easily identifiable scare tactics and urgent language toward a much more subtle and insidious form of deception.
The ZipLine campaign serves as a crucial reminder that modern cybersecurity threats are evolving rapidly. Organizations can no longer assume that all phishing attempts will come from suspicious email links. This campaign, with its patient social engineering, highlights the urgent need for a shift in defensive strategies. Security expert Sergey Shykevich notes that organizations must adopt a “prevention-first, AI-driven” approach and foster a culture of vigilance where every inbound interaction is treated as a potential threat. By understanding and addressing the human element of security, companies can better protect themselves from sophisticated and weaponized trust attacks like ZipLine.
Reference:
