Check Point Research discovered the ZipLine campaign, which uses website contact forms to make first contact while posing as a potential business partner. The attackers then conduct a carefully planned email exchange lasting about two weeks before sending a confidentiality document that carries the MixShell malware. MixShell uses DNS tunneling to remotely control endpoints while evading detection. Primary targets are U.S. manufacturing and sectors in Europe and Asia such as aerospace, energy, and biotech, increasing supply chain risk. The attackers also send follow-up messages framed as internal AI impact assessments. Organizations should treat contact forms and collaboration tools as attack vectors and expand multi-channel phishing training for procurement staff.
Suspicious emails remain effective, but the danger they pose is being combated from all sides. The same cannot be said for contact forms, a loophole that the ZipLine campaign exploits. Check Point Research discovered the campaign. The attackers pose as potential business partners of legitimate organizations and, instead of sending suspicious emails, use the target's own contact form to establish initial contact.
This is followed by a carefully planned email conversation that takes about two weeks. Ultimately, the criminals share a confidentiality document, which is common practice in many industries. However, this file contains the MixShell malware, which uses DNS tunneling to remotely control endpoints without being detected. According to Sergey Shykevich, Threat Intelligence Group Manager at Check Point Research, the campaign shows that patience and social engineering are still effective tools.