Zipline Campaign: A Sophisticated Phishing Attack Targeting US Companies
Summary:
Check Point Research identified a sophisticated social-engineering campaign, dubbed ZipLine, targeting U.S.-based manufacturing and supply chain–critical companies. Instead of sending phishing emails directly, the attackers initiate contact through corporate “Contact Us” forms, prompting the victim to respond first, an inversion of the normal phishing flow that enhances legitimacy. The adversaries maintain weeks of credible email exchanges, often under pretexts such as Non-Disclosure Agreements or “AI transformation” initiatives, before delivering weaponized ZIP archives hosted on trusted services like Heroku.
These ZIPs may contain a malicious LNK file that executes embedded PowerShell, establishing persistence through COM hijacking and ultimately deploying MixShell, a custom in-memory implant that uses DNS tunneling with HTTP fallback for command-and-control. MixShell supports file operations, reverse proxying, and interactive command execution, with advanced evasion and persistence techniques. Infrastructure analysis revealed attacker-registered or repurposed aged U.S. LLC domains with cloned websites, further lending legitimacy.
While attribution is not definitive, overlaps suggest possible links to the financially motivated actor cluster UNK_GreenSec. Victimology indicates focus on U.S. manufacturing, aerospace, energy, consumer electronics, biotech, and semiconductor companies, underscoring the campaign’s interest in supply chain–critical and IP-rich organizations.
Security Officer Comments:
This campaign demonstrates how adversaries are evolving phishing tradecraft by exploiting business workflows instead of relying on mass email delivery. The reversal of the communication flow significantly reduces detection opportunities for security teams and increases trust from victims. The use of aged and legitimate-sounding domains combined with cloned websites suggests a deliberate, large-scale effort to bypass reputation-based defenses. MixShell’s DNS-based C2 and in-memory execution highlight continued adversary investment in stealth and adaptability, posing challenges for traditional endpoint and network defenses. The AI-themed phishing variation indicates an agile and opportunistic adversary, tailoring lures to align with current organizational trends.
Suggested Corrections:
- Harden Web Form Ingress: Add CAPTCHA and validation checks on “Contact Us” forms and vet unsolicited business requests before engagement.
- Block Risky File Types: Restrict or closely monitor ZIP/LNK attachments and enforce script execution policies for PowerShell.
- Enhance EDR Coverage: Detect in-memory execution, COM hijacking, and persistence attempts through endpoint monitoring.
- Monitor DNS & Network Traffic: Flag suspicious DNS TXT queries and abnormal outbound connections that may indicate tunneling.
- Raise User Awareness: Train staff to recognize prolonged social-engineering approaches that precede malicious payloads.
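The DNS-monitoring recommendation above (and the MixShell DNS-tunneling C2 described in the summary) can be turned into a first-pass detection over resolver logs. The following is an added example, not code from the Check Point report or from the campaign's tooling. It assumes a constructed log format of timestamp, client IP, query type and query name; the sample lines, domain names (`c2-placeholder.test`, `example.com`) and thresholds are constructed for illustration, and "registered domain" is simplified to the last two labels, which a real deployment would replace with a public-suffix list.

```python
"""Heuristic detector for DNS-tunnelling-style TXT query bursts.

Added illustrative example (not code from the Check Point report). The log
format, thresholds and domain names below are constructed assumptions.
"""
import math
import re
from collections import Counter, defaultdict

# Assumed log format (constructed): "<timestamp> <client_ip> <qtype> <qname>"
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

# Constructed sample: host 10.0.0.7 issues many TXT queries whose leftmost
# label looks like encoded data; the other lines are ordinary lookups
# (web, DMARC, DKIM) that a mail server or browser would produce.
SAMPLE_LOG = """\
2025-08-20T09:00:01Z 10.0.0.5 A www.example.com
2025-08-20T09:00:02Z 10.0.0.5 TXT _dmarc.example.com
2025-08-20T09:00:03Z 10.0.0.9 TXT selector1._domainkey.example.com
2025-08-20T09:00:04Z 10.0.0.9 TXT selector1._domainkey.example.com
2025-08-20T09:00:05Z 10.0.0.9 TXT selector1._domainkey.example.com
2025-08-20T09:00:06Z 10.0.0.7 TXT 3f9a1c7e2b4d8e6f0a1b.c2-placeholder.test
2025-08-20T09:00:07Z 10.0.0.7 TXT 9d2e4b6f8a0c1e3f5a7b.c2-placeholder.test
2025-08-20T09:00:08Z 10.0.0.7 TXT c4e8a2f6b0d3e7a1c5f9.c2-placeholder.test
2025-08-20T09:00:09Z 10.0.0.7 TXT 7b1d5f9a3c6e0b2d4f8a.c2-placeholder.test
2025-08-20T09:00:10Z 10.0.0.7 TXT e2a6c0f4b8d1e5a9c3f7.c2-placeholder.test
2025-08-20T09:00:11Z 10.0.0.7 TXT 1f5b9d3a7c2e6f0b4d8a.c2-placeholder.test
2025-08-20T09:00:12Z 10.0.0.7 TXT a8c2e6f0b4d7a1c5e9f3.c2-placeholder.test
2025-08-20T09:00:13Z 10.0.0.7 TXT 5d9f3b7a1c4e8f2b6d0a.c2-placeholder.test
2025-08-20T09:00:14Z 10.0.0.7 TXT f0b4d8a2c6e1f5b9d3a7.c2-placeholder.test
2025-08-20T09:00:15Z 10.0.0.7 TXT 2e6a0c4f8b3d7e1a5c9f.c2-placeholder.test
this line is malformed and must be skipped
"""


def shannon_entropy(text: str) -> float:
    """Bits per character of the string; 0.0 for empty or single-symbol input."""
    if not text:
        return 0.0
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in Counter(text).values())


def split_qname(qname: str):
    """Return (leftmost_label, registered_domain).

    Assumption for the example: the registered domain is the last two labels.
    A real deployment should use a public-suffix list instead.
    """
    labels = qname.rstrip(".").lower().split(".")
    domain = ".".join(labels[-2:])
    leftmost = labels[0] if len(labels) > 2 else ""
    return leftmost, domain


def find_tunnel_suspects(log_text, min_queries=8, min_label_len=16, min_entropy=3.0):
    """Group TXT queries by (client, registered domain) and flag groups whose
    leftmost labels are consistently long and high-entropy, the shape that
    encoded tunnel payloads tend to have. Returns a list of dicts, worst first.
    Thresholds are illustrative starting points, not values from the report."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore malformed lines rather than abort the whole run
        _ts, client, qtype, qname = m.groups()
        if qtype.upper() != "TXT":
            continue
        leftmost, domain = split_qname(qname)
        groups[(client, domain)].append(leftmost)

    suspects = []
    for (client, domain), labels in groups.items():
        count = len(labels)
        mean_len = sum(len(lbl) for lbl in labels) / count
        mean_ent = sum(shannon_entropy(lbl) for lbl in labels) / count
        if count >= min_queries and mean_len >= min_label_len and mean_ent >= min_entropy:
            suspects.append({"client": client, "domain": domain, "queries": count,
                             "mean_label_len": round(mean_len, 1),
                             "mean_entropy": round(mean_ent, 2)})
    suspects.sort(key=lambda s: (s["queries"], s["mean_entropy"]), reverse=True)
    return suspects


if __name__ == "__main__":
    for s in find_tunnel_suspects(SAMPLE_LOG):
        print(f"{s['client']} -> {s['domain']}: {s['queries']} TXT queries, "
              f"mean label length {s['mean_label_len']}, mean entropy {s['mean_entropy']}")
```

Run stand-alone, the script reports only the 10.0.0.7 group. Query volume alone is a poor signal, because mail infrastructure legitimately issues many TXT lookups for DMARC and DKIM records; combining volume with label length and per-label entropy is what separates the encoded-payload pattern from that noise. Thresholds should be tuned against a baseline of the organisation's own resolver logs, and a hit is a triage lead to correlate with endpoint telemetry, not a verdict.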
https://research.checkpoint.com/2025/zipline-phishing-campaign/