Bad actors are patient. They know trust takes time. With ZipLine, they have turned patience into a weapon.
Check Point Research has uncovered a campaign aimed at U.S. manufacturers and supply-chain critical industries.
The trick is simple, yet unusual. The attacker does not send the first email. Instead, they use the target’s own “Contact Us” form. The company responds, thinking it’s business as usual. That single reply begins a conversation that may last for weeks.
The dialogue is businesslike. Meetings are discussed. Non-disclosure agreements are drafted. The threat actor sounds like a partner, not a criminal. Then comes the ZIP file. Inside: a malicious chain that leads to a custom backdoor called MixShell.
The Long Con
Most phishing campaigns begin with a blast. One message, one link, one click. ZipLine is different. It is slower. Quieter. Each exchange builds credibility. By the time the malicious file arrives, suspicion is gone.
The attackers use domains that look real. Some match the names of registered U.S. companies, while others belonged to once-legitimate businesses, now abandoned and repurposed. Their websites share a single template, down to the stock photograph on the “About Us” page. The illusion is just good enough.
The Payload
The delivered archive carries a PowerShell implant. Buried in the binary and extracted in memory, it avoids leaving clear traces on disk. Once activated, MixShell comes alive. It speaks through DNS queries, hiding commands in TXT records. If that channel is blocked, it falls back to HTTP.
The implant is versatile. It can move files, proxy traffic, run commands, and maintain a quiet channel back to its controller. Persistence is ensured through registry hijacking and clever abuse of Windows components.
Once inside, it is hard to dislodge.
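The DNS TXT channel described above is one of the few behaviours a defender can see from the network side. The following is an added example written for this page, not code from Check Point Research or from the campaign: a small heuristic that scans resolver logs for one client sending a burst of TXT queries to a single domain whose leftmost labels look like encoded data (high character entropy). The log format, the client addresses and the domain c2-placeholder.test are all constructed for the example; real deployments would use the Public Suffix List instead of the naive "last two labels" domain guess.

```python
import math
from collections import defaultdict

# Constructed sample resolver log (hypothetical, not data from the campaign).
# Format per line: "<timestamp> <client_ip> <qtype> <qname>"
SAMPLE_LOG = """\
2025-08-01T09:00:01Z 10.1.2.30 A www.example.com
2025-08-01T09:00:02Z 10.1.2.31 TXT _dmarc.example.com
2025-08-01T09:00:03Z 10.1.2.30 TXT 0123456789abcdef.c2-placeholder.test
2025-08-01T09:00:08Z 10.1.2.30 TXT fedcba9876543210.c2-placeholder.test
2025-08-01T09:00:13Z 10.1.2.30 TXT 13579bdf02468ace.c2-placeholder.test
2025-08-01T09:00:18Z 10.1.2.30 TXT ace02468bdf13579.c2-placeholder.test
2025-08-01T09:00:23Z 10.1.2.30 TXT 02468ace13579bdf.c2-placeholder.test
2025-08-01T09:00:30Z 10.1.2.31 A mail.example.com
"""


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    """Naive registrable-domain guess: the last two labels.
    Assumption: a production detector would consult the Public Suffix List."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_log(text):
    """Parse the constructed log format into (ts, client, qtype, qname) tuples."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash the scan
        ts, client, qtype, qname = parts
        records.append((ts, client, qtype.upper(), qname.lower()))
    return records


def find_txt_tunnel_candidates(log_text, min_queries=5, min_entropy=3.0):
    """Return sorted (client, domain) pairs where one client sent at least
    min_queries TXT queries to one registrable domain and the leftmost label
    of those queries averages at least min_entropy bits per character."""
    per_pair = defaultdict(list)
    for _, client, qtype, qname in parse_log(log_text):
        if qtype != "TXT":
            continue
        per_pair[(client, registered_domain(qname))].append(qname.split(".")[0])

    flagged = []
    for (client, domain), labels in per_pair.items():
        if len(labels) < min_queries:
            continue
        avg_entropy = sum(shannon_entropy(lbl) for lbl in labels) / len(labels)
        if avg_entropy >= min_entropy:
            flagged.append((client, domain))
    return sorted(flagged)


if __name__ == "__main__":
    for client, domain in find_txt_tunnel_candidates(SAMPLE_LOG):
        print(f"review: {client} sent a TXT burst with high-entropy labels to {domain}")
```

Legitimate TXT lookups (SPF, DMARC, domain verification) are low-volume and use readable labels, so they fall below both thresholds; a beaconing implant that encodes tasking in subdomains produces many lookups with random-looking labels to one domain. Tune min_queries to the time window your resolver logs cover, and treat a hit as a lead for triage rather than proof of compromise.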
Shifting Themes
Recently, the criminals added a new disguise: artificial intelligence. Emails framed as an “AI Impact Assessment” invite staff to give input on how AI might affect workflows. The message claims to come from leadership. It feels internal, urgent, and important.
The payload for this AI-themed lure has not yet been seen, but analysts expect the same staged approach: ZIP archive, PowerShell, MixShell.
Targets
The campaign is broad, but not random. Victims include large manufacturers, semiconductor firms, aerospace suppliers, and biotech companies. Smaller businesses are also drawn in, offering softer points of entry.
More than 80% of known victims are U.S.-based. The attackers’ patience extends across borders, with cases also found in Singapore, Japan, and Switzerland.
Why It Matters
ZipLine flips the phishing playbook. By forcing the victim to send the first email, the attackers dodge reputation filters and gain instant legitimacy. The campaign shows how trust, once thought a shield, can itself be exploited.
For defenders, the lesson is that inbound vectors do not always begin with inbound messages. Even a “Contact Us” form can open the door. Protection now requires more than scanning for malicious links. It demands watching the conversation itself, across time, for signs of manipulation.
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.