Paubox blog

MixShell malware targets US supply chain firms through contact forms

Written by Farah Amod | September 03, 2025

A slow-moving, socially engineered malware campaign is targeting manufacturers with in-memory implants delivered through website contact forms.


What happened

Cybersecurity researchers at Check Point have uncovered a sophisticated malware campaign known as ‘ZipLine,’ which delivers an in-memory malware called MixShell to U.S.-based manufacturers. Instead of relying on traditional phishing emails, the attackers initiate conversations through corporate ‘Contact Us’ forms, posing as potential business partners. These exchanges often span weeks, involve fake NDAs, and culminate in delivering a weaponized ZIP file.

The attackers’ targets are primarily industrial manufacturers involved in machinery, semiconductors, hardware, and biotech sectors critical to the supply chain. Victims have also been identified in Japan, Singapore, and Switzerland.


Going deeper

MixShell is delivered through a ZIP archive containing a Windows shortcut (LNK) file. Once clicked, it triggers a PowerShell loader that installs the malware entirely in-memory, avoiding detection. The implant uses DNS tunneling and HTTP for command-and-control (C2), enabling file operations, remote execution, stealth persistence, and reverse proxy capabilities.

A PowerShell variant of MixShell includes sandbox evasion and persistence mechanisms. ZIP files are hosted on subdomains of Heroku’s platform-as-a-service infrastructure, exploiting legitimate services to blend into typical network behavior. Some ZIPs also display decoy documents to avoid suspicion.

Check Point noted the attackers frequently use domains that mimic the names of US-registered LLCs. These domains are often recycled from previously legitimate businesses, adding credibility and allowing them to bypass security filters more easily. Many of these domains have been active since as early as 2015.


What was said

Sergey Shykevich of Check Point called the campaign a wake-up call, saying it demonstrates how threat actors are adapting their tactics beyond email phishing. “Attackers are innovating faster than ever – blending human psychology, trusted communication channels, and timely AI-themed lures.”

The researchers said that in some cases, attackers even presented offers to help companies implement AI cost-saving initiatives, further exploiting timely themes to gain trust.


FAQs

What makes in-memory malware like MixShell difficult to detect?

In-memory malware runs without writing files to disk, allowing it to bypass many traditional antivirus and endpoint detection systems that scan file systems.


How do attackers use old or dormant domains to improve their chances of success?

By acquiring domains with clean reputations and long-standing DNS records, attackers reduce the risk of being flagged by security filters and increase trust from potential victims.


Why are supply chain manufacturers a high-value target?

They often hold proprietary designs, partner data, and operational intelligence that can be used for espionage, sabotage, or sold to competitors or nation-state actors.


What is DNS tunneling, and why is it used in campaigns like ZipLine?

DNS tunneling hides command-and-control traffic within DNS queries, which often go unnoticed by firewalls and monitoring systems, making it an effective stealth communication method.
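The reason DNS tunneling still leaves a footprint is that a tunnel has to push its data through the query name itself, which produces many unique, high-entropy subdomains under one registered domain. The following detector, added here as an illustration and not taken from Check Point's research or the Paubox post, runs that heuristic over constructed resolver log lines; the log format ("<client-ip> <query-name>"), the thresholds, and the sample domain names are assumptions.

```python
"""Heuristic DNS-tunneling detector run over sample resolver log lines.

Added example written for this post; it is not code from Check Point's
research or from the Paubox blog. The log format ("<client> <qname>") and
the thresholds are assumptions chosen for illustration.
"""
from __future__ import annotations

import math
from collections import defaultdict

# Constructed sample log lines (assumed "<client-ip> <query-name>" format).
# 10.0.0.5 shows ordinary browsing; 10.0.0.7 shows the pattern DNS tunnels
# produce: many unique, high-entropy subdomains under one registered domain.
SAMPLE_LOG = """\
10.0.0.5 www.example.com
10.0.0.5 mail.example.com
10.0.0.5 cdn.example.com
10.0.0.5 api.example.com
10.0.0.5 static.example.com
10.0.0.7 a9f3c1e8b7d2.4e6f1a0c9b3d7e2f.tunnel-example.net
10.0.0.7 0d4e7b2a9c1f.8b3e5d7f2a1c6e9b.tunnel-example.net
10.0.0.7 f7a2c9e1d3b6.1c5e9a3b7d2f4e8a.tunnel-example.net
10.0.0.7 3b8d1f6a2c4e.9e2a7c5f1b3d8e6a.tunnel-example.net
10.0.0.7 c1e5a9d3f7b2.6a4c8e2b0d9f3a1e.tunnel-example.net
"""


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character; encoded payloads score near log2(alphabet size)."""
    if not text:
        return 0.0
    counts: dict[str, int] = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def split_name(qname: str) -> tuple[str, str]:
    """Return (subdomain, registered_domain).

    Assumption: the registered domain is the last two labels. Production code
    should consult the public suffix list (co.uk and similar) instead.
    """
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def parse_log(text: str):
    """Yield (client, qname) pairs, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2:
            yield parts[0], parts[1]


def analyze(log_text: str, min_unique: int = 4,
            entropy_threshold: float = 3.0) -> dict[str, dict]:
    """Group queries by registered domain and flag tunnel-like behaviour.

    A domain is marked suspicious when it receives at least `min_unique`
    distinct subdomains whose mean entropy reaches `entropy_threshold`;
    ordinary hostnames (www, mail, cdn) score far lower.
    """
    subdomains: dict[str, set[str]] = defaultdict(set)
    for _client, qname in parse_log(log_text):
        sub, domain = split_name(qname)
        if sub:
            subdomains[domain].add(sub)

    report: dict[str, dict] = {}
    for domain, subs in subdomains.items():
        mean_entropy = sum(shannon_entropy(s) for s in subs) / len(subs)
        max_label = max(len(label) for s in subs for label in s.split("."))
        report[domain] = {
            "unique_subdomains": len(subs),
            "mean_entropy": round(mean_entropy, 2),
            "max_label_len": max_label,
            "suspicious": len(subs) >= min_unique and mean_entropy >= entropy_threshold,
        }
    return report


if __name__ == "__main__":
    for domain, stats in analyze(SAMPLE_LOG).items():
        flag = "SUSPICIOUS" if stats["suspicious"] else "ok"
        print(f"{domain:25} {flag:10} {stats}")
```

Run against real resolver logs, the two thresholds need tuning per environment: content-delivery networks and some anti-spam services legitimately generate hashed-looking subdomains, so an allow-list of known high-entropy senders is the usual companion to this check. Volume over time (queries per minute to one domain) is the other signal worth adding; the sample keeps to entropy and uniqueness to stay short.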


How can organizations defend against socially engineered malware delivered through contact forms?

Defense strategies include screening inbound form submissions, validating business credentials, isolating and scanning all ZIP files, and training staff to verify unexpected communication even when it appears professional.
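The delivery chain described under "Going deeper" (a ZIP carrying a Windows shortcut next to a decoy document) and the advice above to isolate and scan every ZIP both come down to the same mail-gateway check. The screener below is an added example, not code from Check Point or the Paubox blog; the extension lists and the two constructed archives are assumptions. It flags shortcut and script members by extension, catches the "NDA.pdf.lnk" double-extension trick, reads the LNK header bytes so a renamed shortcut is still caught, and notes when decoy documents sit beside a flagged member.

```python
"""Screen an inbound ZIP archive for shortcut and script members before release.

Added example written for this post; it is not code from Check Point's report
or from the Paubox blog. The extension lists and the constructed sample archives
are assumptions for illustration.
"""
from __future__ import annotations

import io
import zipfile
from dataclasses import dataclass

# Member types a contact-form attachment has no business carrying (assumption).
RISKY_EXTENSIONS = {".lnk", ".exe", ".scr", ".js", ".jse", ".vbs", ".vbe",
                    ".ps1", ".hta", ".bat", ".cmd"}
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx"}

# Windows shortcut files start with HeaderSize 0x4C and the LNK CLSID
# {00021401-0000-0000-C000-000000000046}; checking the bytes catches a
# shortcut renamed to a harmless-looking extension.
LNK_MAGIC = (b"\x4c\x00\x00\x00"
             b"\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46")


@dataclass
class Finding:
    member: str
    reason: str


def _extension(name: str) -> str:
    base = name.rsplit("/", 1)[-1]
    return "." + base.rsplit(".", 1)[-1].lower() if "." in base else ""


def screen_zip(data: bytes) -> list[Finding]:
    """Return findings for an archive; an empty list means nothing was flagged."""
    findings: list[Finding] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        members = [i for i in zf.infolist() if not i.is_dir()]
        for info in members:
            name = info.filename
            ext = _extension(name)
            if ext in RISKY_EXTENSIONS:
                findings.append(Finding(name, f"executable-type member ({ext})"))
                # "NDA.pdf.lnk" hides a shortcut behind a document-looking stem
                stem = name.rsplit("/", 1)[-1][: -len(ext)]
                if _extension(stem) in DOCUMENT_EXTENSIONS:
                    findings.append(Finding(name, "document-style double extension"))
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))
            if head == LNK_MAGIC and ext != ".lnk":
                findings.append(Finding(name, "shortcut header under non-.lnk name"))
        # Decoy documents packaged next to a risky member match the lure pattern
        docs = [i.filename for i in members
                if _extension(i.filename) in DOCUMENT_EXTENSIONS]
        if findings and docs:
            findings.append(Finding(", ".join(docs),
                                    "decoy document(s) alongside flagged member"))
    return findings


def _build(members: dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP from a name -> content mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_lure_archive() -> bytes:
    """Constructed sample: decoy PDF, double-extension shortcut, renamed shortcut."""
    return _build({
        "NDA_draft.pdf": b"%PDF-1.4 constructed decoy document\n",
        "NDA_draft.pdf.lnk": LNK_MAGIC + b"\x00" * 44,
        "terms.txt": LNK_MAGIC + b"\x00" * 44,
    })


def build_benign_archive() -> bytes:
    """Constructed sample: only a document."""
    return _build({"proposal.pdf": b"%PDF-1.4 constructed proposal\n"})


if __name__ == "__main__":
    for f in screen_zip(build_lure_archive()):
        print(f"{f.member}: {f.reason}")
    print("benign findings:", screen_zip(build_benign_archive()))
```

The header check is the part worth keeping even if the extension list changes: a shortcut is recognised by Windows from its content, so a gateway that only trusts file names will release a renamed one. Nested archives and password-protected ZIPs (which this code does not open) should be treated as findings in their own right, since both defeat inline scanning.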