- Attackers are targeting manufacturing companies in the supply chain using an in-memory malware called MixShell.
- The campaign, identified as ZipLine, uses professional conversations through company contact forms instead of typical phishing emails.
- Targets include industrial manufacturing, hardware, biotechnology, and other critical sectors in the U.S., Singapore, Japan, and Switzerland.
- The attack uses multi-stage payloads and blends in with usual business operations by leveraging trusted communication channels and Artificial Intelligence (AI) themes.
- Experts warn that the campaign can lead to theft, ransomware, financial fraud, and major supply chain disruptions.
Cybersecurity researchers have reported a new campaign called ZipLine targeting key supply chain manufacturing companies with the MixShell malware. The campaign, mainly affecting U.S. entities as well as organizations in Singapore, Japan, and Switzerland, relies on social engineering and avoids common phishing methods by initiating contact through public “Contact Us” forms on company websites.
According to Check Point Research, attackers establish multi-week conversations that appear credible and may include fake non-disclosure agreements (NDAs). After building trust, they deliver a ZIP file containing MixShell, a stealthy malware that operates in the memory of infected computers and is not stored on disk, which helps avoid detection.
The targeted companies operate in sectors such as machinery, metalwork, hardware, semiconductors, consumer goods, biotechnology, and pharmaceuticals. Check Point has found connections between digital certificates used in this campaign and infrastructure previously linked to TransferLoader attacks by the group UNK_GreenSec. The attackers use trusted business workflows to make their approach seem legitimate, and the campaign differs from standard phishing by avoiding scare tactics and urgency.
Check Point stated, “ZipLine is another instance of how threat actors are increasingly banking on legitimate business workflows, such as approaching targets via a company’s Contact Us form on their website, thereby weaponizing trust in the process to sidestep any potential concerns.”
The campaign uses advanced tactics such as multi-stage delivery of malware, in-memory execution, and covert internet communication methods like DNS tunneling. The malicious files are often hosted on sub-domains of legitimate services such as Heroku, which provides computing infrastructure for web applications. These ZIP archives contain a Windows shortcut (LNK) that starts a PowerShell loader. This loader deploys the MixShell malware, enabling remote control, file operations, persistence on the system, and deeper network infiltration.
MixShell also comes in a variant with features to evade digital forensics, and it maintains its presence on infected systems through scheduled tasks. Not all files served from the Heroku domains are harmful; malware delivery appears to be customized.
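The chain described in the two paragraphs above (LNK launching a PowerShell loader, DNS tunneling for command and control, scheduled-task persistence) gives a defender three distinct telemetry points. The following is an added detection sketch, not code from Check Point or from the report; it runs over constructed Sysmon-style process and DNS events whose field names, hostnames and domain are assumptions, and the hex-label DNS queries are generated locally to stand in for tunnel traffic.

```python
import hashlib
import math
from collections import Counter, defaultdict

# Constructed sample telemetry, loosely modelled on Sysmon process-creation and DNS-query
# records; not real ZipLine/MixShell data, and the field names are assumptions.
PROCESS_EVENTS = [
    {"host": "ws01", "parent": "explorer.exe", "image": "powershell.exe",
     "cmd": "powershell.exe -nop -w hidden -enc PLACEHOLDER_BASE64"},
    {"host": "ws01", "parent": "powershell.exe", "image": "schtasks.exe",
     "cmd": "schtasks.exe /create /sc minute /mo 15 /tn Updater /tr powershell.exe"},
    {"host": "ws02", "parent": "explorer.exe", "image": "powershell.exe",
     "cmd": "powershell.exe -File C:\\Scripts\\backup.ps1"},
]
# ws01 resolves 40 distinct 48-char hex labels under one domain (tunnel-like); ws02 is benign.
DNS_EVENTS = [{"host": "ws01", "query": hashlib.sha256(str(i).encode()).hexdigest()[:48]
               + ".cdn-sync.example"} for i in range(40)]
DNS_EVENTS += [{"host": "ws02", "query": "www.example.com"} for _ in range(40)]

def shannon_entropy(s):
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def detect_lnk_powershell(events):
    """Stage 1: PowerShell spawned by explorer.exe (how a double-clicked LNK launches its
    target) carrying two or more hidden-window / encoded-command switches."""
    flags = ("-nop", "-enc", "hidden", "bypass")
    return [e for e in events if e["image"].lower() == "powershell.exe"
            and e["parent"].lower() == "explorer.exe"
            and sum(f in e["cmd"].lower() for f in flags) >= 2]

def detect_dns_tunneling(events, min_unique=20, min_len=30, min_entropy=3.0):
    """Stage 2: many unique, long, high-entropy leftmost labels under one parent domain."""
    per_domain = defaultdict(set)
    for e in events:
        label, _, parent = e["query"].partition(".")
        per_domain[(e["host"], parent)].add(label)
    hits = []
    for (host, parent), labels in per_domain.items():
        avg_len = sum(map(len, labels)) / len(labels)
        avg_entropy = sum(map(shannon_entropy, labels)) / len(labels)
        if len(labels) >= min_unique and avg_len >= min_len and avg_entropy >= min_entropy:
            hits.append({"host": host, "domain": parent, "unique_labels": len(labels)})
    return hits

def detect_task_persistence(events):
    """Stage 3: schtasks /create launched by a PowerShell parent (scheduled-task persistence)."""
    return [e for e in events if e["image"].lower() == "schtasks.exe"
            and e["parent"].lower() == "powershell.exe" and "/create" in e["cmd"].lower()]
```

Each detector alone is noisy in a real estate; the useful signal is the same host tripping two or more stages within a short window.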
In many cases, the attackers use domains similar to those of legitimate, registered U.S. companies, building template websites to improve the campaign’s realism. According to Check Point, risks from the campaign include theft of intellectual property, ransomware, business email compromise, financial fraud, and broader supply chain disruptions.
Sergey Shykevich of Check Point Research emphasized, “Attackers are innovating faster than ever – blending human psychology, trusted communication channels, and timely AI-themed lures. To stay safe, organizations must adopt prevention-first, AI-driven defenses and build a culture of vigilance that treats every inbound interaction as a potential threat.”
For more details, see the full Check Point Research report.