ZipLine phishing campaign uses social engineering to target manufacturing, critical supply chains - Industrial Cyber
ZipLine phishing campaign uses social engineering to target manufacturing, critical supply chains
August 28, 2025
Check Point Research detailed ZipLine, an advanced social engineering phishing campaign that primarily targets U.S. manufacturing and supply chain–critical companies. The attackers exploit legitimate-looking business interactions to deliver a custom malware implant stealthily. Successful attacks can result in stolen intellectual property, ransomware extortion, financial fraud through account takeovers or business email compromise, and significant disruptions to critical supply chains.
ZipLine demonstrates how patient social engineering can bypass defenses. Attackers invest days or weeks in credible, professional conversations, often requesting that the victim sign a non-disclosure agreement (NDA). They also create fake company websites that, in some cases, mimic legitimate U.S.-registered LLCs. Only after establishing this appearance of legitimacy do they deliver a weaponized ZIP file with an embedded PowerShell execution chain.
Unlike typical phishing attacks, attackers reverse the usual flow by first contacting victims through a company’s public ‘Contact Us’ form, tricking them into initiating email correspondence. The attackers then engage in professional, multi-week email exchanges and often request NDAs before sending a malicious ZIP file. The payload, known as MixShell, is in-memory malware that uses DNS tunneling and HTTP fallback to maintain connectivity and execute attacker commands. A second wave of attacks exploits an AI transformation pretext, disguised as internal AI Impact Assessments.
“In many cases, the attacker uses domains that match the names of LLCs registered as U.S.-based companies, and in some cases, may have previously belonged to legitimate businesses. The attacker maintains similar template websites to all those companies, which hint at a well-planned and streamlined campaign on a large scale,” the researchers said in a blog post. “The payload is delivered as a ZIP archive that includes a PowerShell script embedded within the archive’s binary data, positioned after a specific marker string. A loader PowerShell later extracts the script and executes it in memory.”
They added that a custom in-memory implant called ‘MixShell’ is a stealthy shellcode payload using DNS TXT tunneling with HTTP fallback for the C2. MixShell supports file operations, reverse proxying, command execution, and pipe-based interactive sessions.
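The DNS TXT tunneling the researchers describe leaves a recognisable footprint in resolver logs: a burst of TXT queries to one registered domain whose leftmost labels are long and pseudo-random, because each one carries encoded data. The following detector is an added example written for this article, not code from Check Point or from the report; the log format, the placeholder domains (`partner-corp.example`, `c2-placeholder.example`), the two-label `registered_domain()` heuristic and the thresholds are all assumptions, and the log lines are constructed rather than captured.

```python
import hashlib
import math
from collections import defaultdict
from typing import Dict, List


def constructed_dns_log() -> str:
    """Builds a small DNS query log for the demo. Every line is constructed;
    the domains are placeholders, not indicators from the Check Point report.
    Format (assumed): "<timestamp> <client> <qtype> <qname>"."""
    lines = [
        "2025-08-20T09:00:01 10.1.4.22 A www.partner-corp.example",
        "2025-08-20T09:00:02 10.1.4.22 TXT _dmarc.partner-corp.example",   # benign DMARC lookup
        "2025-08-20T09:00:03 10.1.4.22 TXT partner-corp.example",          # benign SPF lookup
        "2025-08-20T09:00:04 10.1.4.22 AAAA mail.partner-corp.example",
    ]
    # Tunnel-style queries: long pseudo-random labels, all to one domain.
    # The labels are derived from sha256 purely to get deterministic high-entropy text.
    for i in range(8):
        label = hashlib.sha256(f"chunk-{i}".encode()).hexdigest()[:40]
        lines.append(f"2025-08-20T09:01:{i:02d} 10.1.4.22 TXT {label}.c2-placeholder.example")
    return "\n".join(lines)


def parse_dns_log(text: str) -> List[dict]:
    """Parse the assumed four-column log format; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qtype, qname = parts
        records.append({"ts": ts, "client": client,
                        "qtype": qtype.upper(), "qname": qname.rstrip(".").lower()})
    return records


def registered_domain(qname: str) -> str:
    """Naive registered-domain heuristic: the last two labels. A real deployment
    would use the Public Suffix List instead of this assumption."""
    return ".".join(qname.split(".")[-2:])


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random hex is close to 4, words are well below 3."""
    if not s:
        return 0.0
    counts: Dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def detect_txt_tunneling(records: List[dict], min_queries: int = 5,
                         min_label_len: int = 20, min_entropy: float = 3.0) -> Dict[str, dict]:
    """Group TXT queries by registered domain and flag domains whose leftmost labels
    are numerous, long and high-entropy. Thresholds are assumptions for the demo."""
    per_domain = defaultdict(list)
    for r in records:
        if r["qtype"] != "TXT":
            continue
        per_domain[registered_domain(r["qname"])].append(r["qname"].split(".")[0])
    flagged = {}
    for domain, labels in per_domain.items():
        stats = {
            "txt_queries": len(labels),
            "unique_labels": len(set(labels)),
            "mean_label_len": sum(map(len, labels)) / len(labels),
            "mean_entropy": sum(map(shannon_entropy, labels)) / len(labels),
        }
        if (stats["txt_queries"] >= min_queries
                and stats["mean_label_len"] >= min_label_len
                and stats["mean_entropy"] >= min_entropy):
            flagged[domain] = stats
    return flagged


if __name__ == "__main__":
    for domain, stats in detect_txt_tunneling(parse_dns_log(constructed_dns_log())).items():
        print(f"possible DNS TXT tunnel to {domain}: {stats}")
```

On the constructed log only `c2-placeholder.example` is flagged; the legitimate DMARC and SPF lookups to `partner-corp.example` fall below the query count and label-length thresholds. The same per-destination counting can be applied to outbound HTTP logs to cover the fallback channel the researchers mention.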
The researchers also highlight that what stands out is that these domains were originally registered between 2015 and 2019, long before the ZipLine campaign began. “By acquiring abandoned or dormant domains with legitimate business histories, the attackers significantly increased their chances of bypassing security filters and gaining the trust of targeted organizations. These aged domains benefit from long-standing DNS records, clean reputations, and business-sounding identities, making them highly effective for social engineering.”
The malicious ZIP archive contains both benign documents and a malicious LNK file. When triggered, it extracts a hidden PowerShell script embedded within the archive’s binary data. This script executes entirely in memory, ultimately deploying MixShell, a custom implant that uses DNS TXT tunneling with HTTP fallback for C2 communications; executes commands and file operations remotely; creates reverse proxy tunnels for deeper network access; and maintains stealthy, persistent control of infected systems.
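The delivery detail in the two paragraphs above, a script stored in the archive's binary data after a marker string rather than as a normal entry, is something an archive inspector can check for directly: a well-formed ZIP ends with its end-of-central-directory record and optional comment, so any bytes after that point are worth examining. The scanner below is an added example written for this article, not Check Point's tooling or the campaign's loader; the marker string, file names and the appended script are constructed placeholders (the real marker is not given in the article), and the PowerShell indicator list is a deliberately coarse assumption.

```python
import io
import re
import struct
import zipfile
from typing import Optional

EOCD_SIG = b"PK\x05\x06"   # End Of Central Directory record signature
CD_SIG = b"PK\x01\x02"     # central directory file header signature

# Hypothetical marker used only by this demo; the campaign's real marker is not in the article.
SAMPLE_MARKER = b"<<EXAMPLE-MARKER>>"

# Coarse PowerShell indicators to look for in bytes appended after the ZIP structure.
PS_INDICATORS = [
    ("encoded command switch", re.compile(rb"-(?:enc|encodedcommand)\b", re.I)),
    ("Invoke-Expression", re.compile(rb"Invoke-Expression|\bIEX\b", re.I)),
    ("Base64 decode", re.compile(rb"FromBase64String", re.I)),
    ("cmdlet name", re.compile(rb"\b(?:Write-Host|Get-Content|Add-Type|Start-Process)\b", re.I)),
]


def logical_end_of_zip(data: bytes) -> Optional[int]:
    """Offset just past the EOCD record and its comment, i.e. where a well-formed
    ZIP should end. Returns None when no consistent EOCD record is found."""
    idx = data.rfind(EOCD_SIG)
    if idx < 0 or idx + 22 > len(data):
        return None
    cd_offset = struct.unpack_from("<I", data, idx + 16)[0]
    comment_len = struct.unpack_from("<H", data, idx + 20)[0]
    # Sanity check: the EOCD must point at a real central directory header.
    if data[cd_offset:cd_offset + 4] != CD_SIG:
        return None
    return idx + 22 + comment_len


def scan_archive(data: bytes) -> dict:
    """Report shortcut entries and any bytes appended after the ZIP's logical end."""
    findings = []
    end = logical_end_of_zip(data)
    if end is None:
        return {"entries": [], "trailing_bytes": 0, "findings": ["no valid EOCD record"]}
    # Parse only the structural part so large trailing data cannot confuse zipfile.
    with zipfile.ZipFile(io.BytesIO(data[:end])) as zf:
        entries = [info.filename for info in zf.infolist()]
    for name in entries:
        if name.lower().endswith(".lnk"):
            findings.append(f"shortcut file inside archive: {name}")
    trailing = data[end:]
    if trailing:
        findings.append(f"{len(trailing)} bytes appended after ZIP end-of-central-directory")
        for label, pattern in PS_INDICATORS:
            if pattern.search(trailing):
                findings.append(f"PowerShell indicator in appended data: {label}")
                break
    return {"entries": entries, "trailing_bytes": len(trailing), "findings": findings}


def build_sample_archive(include_lnk: bool = True, append_script: bool = True) -> bytes:
    """Constructed test archive mirroring the layout the article describes: a benign
    document, a .lnk entry, and a harmless script appended behind a marker string."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("NDA_draft.pdf", b"%PDF-1.4 constructed placeholder document")
        if include_lnk:
            zf.writestr("Project_overview.lnk", b"L\x00\x00\x00" + b"\x00" * 16)
    data = buf.getvalue()
    if append_script:
        data += SAMPLE_MARKER + b"\r\nWrite-Host 'constructed sample script'\r\n"
    return data


if __name__ == "__main__":
    for label, blob in (("suspicious", build_sample_archive()),
                        ("clean", build_sample_archive(False, False))):
        print(label, scan_archive(blob))
```

The trailing-data check is independent of the marker string, which matters because a marker is trivially changed while the structural fact that a ZIP should end at its EOCD record is not. Zip64 archives and self-extracting stubs need extra handling that this example omits.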
The researchers found that the ZipLine phishing campaign has targeted dozens of organizations spanning multiple sectors, company sizes, and geographies, with a clear emphasis on U.S.-based entities. “The majority of the targeted companies are in industrial manufacturing, including machinery, metalwork, component production, and engineered systems. Other affected industries include hardware & semiconductors, consumer goods & services, and biotech & pharmaceuticals. This distribution suggests that the attacker seeks entry points across wealthy operational and supply chain-critical industries instead of focusing on a specific vertical.”
They added that the inclusion of consumer electronics, aerospace, and energy companies, together with more traditional industrial targets, indicates the actors may be pursuing organizations with valuable proprietary data, strong vendor networks, or exploitable infrastructure.
“The campaign does not discriminate based solely on organizational size,” the researchers added. “While Enterprise-level companies make up the majority of identified targets, a significant portion of Small and Medium Businesses (SMBs) were also affected. Larger targets offer potential high-value opportunities, while smaller organizations present softer entry points with fewer security controls.”
They added that the long-term engagement with the victim (multi-week conversations) suggests that the attacker is willing to invest time cultivating the relationship, regardless of company size, possibly tailoring their efforts based on perceived value or ease of compromise. “More than 80% of the identified targets in this campaign are based in the United States, underscoring a clear geographic concentration, while companies in Singapore, Japan, and Switzerland were also targeted. Overall, the engagement patterns observed were U.S.-centric regarding infrastructure, communication style, and initial access points.”
ZipLine’s focus on U.S. manufacturing and supply chain–critical industries raises serious concerns. For these companies, the stakes are high. Stolen intellectual property and ransomware extortion could halt production lines and result in data leaks. Financial fraud through stolen credentials, bank account takeovers, or business email compromise could cause significant monetary losses. Compromise of the supply chain could disrupt the production of critical components, creating ripple effects across multiple industries.
Check Point identified that by weaponizing everyday communication channels and executing multi-stage phishing, the attackers show how social engineering remains one of the most effective ways to breach organizations. The domains used by the threat actors to initiate email communication appear to be carefully selected for credibility and legitimacy. Many of these domains match the names of LLCs registered in U.S.-based companies and, in some cases, may have previously belonged to legitimate businesses.
However, a closer inspection of the websites hosted on these domains reveals that they are entirely fabricated. All the sites share identical content, layout, and structure, strongly suggesting they were cloned from a single template. Remarkably, the ‘About Us’ pages across all domains display the same photograph of the supposed company founders, a stock image that, upon investigation, is a photo of White House butlers.
During the research, Check Point Research observed a second wave of ZipLine emails using an AI transformation pretext. The phishing emails were positioned as internal AI Impact Assessments, supposedly requested by leadership to evaluate efficiency and cost savings. Employees were asked to review a short questionnaire on how AI could affect their workflows. Although no malware was directly recovered from these AI-themed emails in the researchers’ sample set, the infrastructure reuse suggests a likely repeat of the staged ZIP delivery model and MixShell in-memory execution.
While finalizing this publication, the researchers observed a new wave of phishing emails associated with the ZipLine campaign, centered around an AI transformation pretext. “In this variation, the attacker claims to be working with the target’s organization to help implement AI-driven operational changes aimed at reducing costs and improving efficiency.”
They added that the email is positioned as an internal initiative and framed as an ‘AI Impact Assessment,’ asking the recipient to review a short questionnaire about how artificial intelligence might affect their team’s workflows. To increase legitimacy and urgency, the attacker explicitly states that the company’s leadership requested the recipient’s personal input, implying that their opinion will influence upcoming decisions.
At this stage, the payload used in this AI-themed variant has not yet been observed. However, based on the attacker’s continued use of previously established infrastructure, the researchers assess with high confidence that it is likely to follow a similar delivery model to the earlier stages of the ZipLine campaign, potentially involving staged delivery, a weaponized ZIP archive, and in-memory execution of a backdoor such as MixShell.
Organizations should expand monitoring of inbound channels, treating ‘Contact Us’ forms, collaboration tools, and other seemingly benign entry points as potential vectors for attack. User awareness should be increased by educating employees, particularly those in procurement, partnerships, and supply chain management, on multi-channel social engineering, phishing lures, and the types of malicious files used in attacks.
Enhanced due diligence should be applied to new vendors or business contacts, with verification conducted through independent sources such as phone calls, LinkedIn, or known partners. Security tools should be capable of inspecting the contents of archive files to detect hidden threats. Finally, to guard against account takeovers and business email compromise, organizations should enforce multi-factor authentication and monitor for unusual login behavior.
In conclusion, the Check Point report highlights ZipLine as a financially motivated phishing campaign that demonstrates the increasingly sophisticated tactics used by modern threat actors. “In a unique reversal of the typical phishing pipeline, the threat actors force the victims to make the initial contact. A business’s ‘Contact Us’ form submission enables them to seamlessly integrate into legitimate business workflows, thereby weaponizing trust, patience, and legitimate services to evade suspicion. By using multi-stage payloads, in-memory execution, and DNS-based C2 channels, the campaign achieves both stealth and adaptability across its infection chain.”
Last week, Check Point Software released new data showing that ransomware is evolving rather than disappearing. Its Q2 2025 Ransomware Report highlights a fragmenting threat landscape: established groups like Qilin and DragonForce are expanding their operations with AI-powered tools and aggressive affiliate recruitment, while newer actors such as Hunters International are abandoning file encryption in favor of stealthier, data-only extortion. Overall, victim disclosures fell six percent compared to the 12-month average, yet activity from Qilin doubled, reflecting the group’s intensified pressure tactics.
Anna Ribeiro
Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.