A financially motivated phishing campaign has been targeting supply-chain-critical manufacturing companies across the globe. Dubbed “ZipLine” by Check Point Research, the campaign uses a custom in-memory malware known as MixShell.
Unlike typical phishing attacks, the threat actors behind ZipLine initiate contact through companies’ public “Contact Us” forms, engaging victims in weeks of professional-sounding communication. The attackers often use fake non-disclosure agreements (NDAs) before sending a malicious ZIP file that delivers MixShell.
The campaign primarily targets US-based industrial manufacturing firms, including those in machinery, semiconductors, biotechnology, and pharmaceuticals. Other affected countries include Singapore, Japan, and Switzerland.
Once the archive is opened, a Windows shortcut (LNK) inside it runs a PowerShell script that installs the MixShell implant. The malware operates entirely in memory, evades detection, and communicates with its controllers over DNS and HTTP.
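As an added example (not code from Check Point's report), the following defender-side check scans a ZIP attachment for shortcut entries whose target path or arguments invoke a script host such as PowerShell, mirroring the ZIP-to-LNK-to-PowerShell delivery chain described above. It parses the shell-link header and StringData fields laid out in MS-SHLLINK; the archive, file names, paths and arguments in `build_sample_zip` are a constructed fixture, not a ZipLine artifact.

```python
import io
import struct
import zipfile

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # 00021401-0000-0000-C000-000000000046 (MS-SHLLINK)
HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80       # LinkFlags bits we need to walk the structure
STRING_FIELDS = ((0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"), (0x20, "arguments"), (0x40, "icon_location"))
SCRIPT_HOSTS = ("powershell", "pwsh", "cmd.exe", "mshta", "wscript", "cscript")

def parse_lnk(data: bytes):
    """Return the StringData fields of a .lnk, or None if the bytes do not start with a shell link header."""
    if len(data) < 0x4C or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        return None
    flags, pos = struct.unpack_from("<I", data, 20)[0], 0x4C
    if flags & HAS_ID_LIST:    # skip LinkTargetIDList (2-byte size, then the ID list)
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:  # skip LinkInfo (self-describing 4-byte size)
        pos += struct.unpack_from("<I", data, pos)[0]
    fields, width = {}, (2 if flags & IS_UNICODE else 1)
    for bit, name in STRING_FIELDS:  # StringData entries appear in this fixed order, each as char count + text
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            fields[name] = data[pos + 2:pos + 2 + count * width].decode("utf-16-le" if width == 2 else "cp1252")
            pos += 2 + count * width
    return fields

def lnk_launches_script_host(fields: dict) -> bool:
    """True when the shortcut's target path or arguments name a script interpreter."""
    text = (fields.get("relative_path", "") + " " + fields.get("arguments", "")).lower()
    return any(host in text for host in SCRIPT_HOSTS)

def scan_zip(blob: bytes) -> list:
    """Return (entry, relative_path, arguments) for each .lnk in the archive that launches a script host."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            fields = parse_lnk(zf.read(info)) if info.filename.lower().endswith(".lnk") else None
            if fields and lnk_launches_script_host(fields):
                hits.append((info.filename, fields.get("relative_path", ""), fields.get("arguments", "")))
    return hits

def build_sample_zip() -> bytes:
    """Constructed fixture, not a real ZipLine sample: a ZIP holding a minimal .lnk aimed at powershell.exe."""
    sd = lambda s: struct.pack("<H", len(s)) + s.encode("utf-16-le")   # one StringData entry (IsUnicode set)
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, 0x08 | 0x20 | IS_UNICODE, 0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    lnk = header + sd(r"..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe") + sd("-NoProfile -WindowStyle Hidden -File NDA.ps1")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("NDA_Draft.pdf.lnk", lnk)
    return buf.getvalue()
```

Real lures often store the target in the LinkTargetIDList or LinkInfo structures rather than RelativePath, which this example only skips over; a production scanner would resolve those as well.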
Researchers found that attackers use legitimate platforms like Heroku PaaS to host malicious files and even mimic real US-based companies through fake websites. The campaign avoids fear tactics and instead relies on patient, convincing dialogue to lure victims.
While the origins of the campaign and the actors behind it remain unknown, infrastructure analysis revealed an IP address (172.210.58[.]69) whose SSL/TLS certificates are shared with other hosts linked to domains previously tied to the TransferLoader campaign. That infrastructure has been associated with the cybercriminal group “UNK_GreenSec,” suggesting a possible connection to financially driven threat actors reusing or sharing resources within the same cybercrime ecosystem.