Categories: Cyber Security News

MixShell Malware Campaign Targets Industrial Sector with Stealthy In-Memory Attacks

ZipLine, a campaign tracked by Check Point Research, changes the usual shape of social engineering attacks against manufacturing and supply chain organizations in the United States.

Unlike conventional phishing, ZipLine begins with threat actors submitting inquiries via corporate “Contact Us” web forms, creating a workflow where the victim unknowingly initiates subsequent email exchanges.

Because the victim sends the first email, every later message arrives inside a thread the victim started, which draws far less scrutiny than an unsolicited attachment. The attackers use that trust to stay in the conversation for weeks before any malware is delivered.

Sophisticated Delivery and Social Engineering

Once rapport is established, attackers introduce plausible business motives, frequently leveraging contemporary themes such as “AI transformation” initiatives or internal impact assessments.

After extensive back-and-forth, the adversary delivers a ZIP archive hosted on trusted infrastructure like Heroku. This archive typically contains legitimate lures (PDF/DOCX files) alongside a malicious LNK (shortcut) file.

Figure: ZipLine infection chain.

Opening the LNK file starts a multi-stage PowerShell chain: the script locates the delivered ZIP, searches it for a specific marker string, carves out the script embedded after that marker, and runs it directly in memory so that no second-stage file is written for endpoint scanners to inspect.
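The delivery archive described above can be triaged offline. The following Python script is an added example, not code from Check Point or from the campaign: it parses the ZIP's end-of-central-directory record to find where the archive really ends, reports any bytes appended behind it, lists LNK and document-lure entries, and carves out whatever follows a marker string. The marker value, the sample archive and the assumption that the script sits in the trailer after the marker are all constructed for this example.

```python
"""Triage a ZIP for ZipLine-style delivery traits (added example, not the report's code)."""
import io
import os
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"   # End Of Central Directory record signature
EOCD_FIXED = 22            # fixed part of the EOCD; a variable-length comment follows
LURE_EXTS = {".pdf", ".docx", ".doc", ".xlsx"}
MARKER = b"#<stage2>"      # constructed placeholder; the real marker is not given in the text


def archive_end(data: bytes) -> int:
    """Offset one past the last byte the ZIP structure accounts for.

    The EOCD record ends with a 2-byte comment length; anything beyond the
    comment is trailing data that extractors silently ignore.
    """
    idx = data.rfind(EOCD_SIG)
    if idx < 0:
        raise ValueError("no EOCD record; not a ZIP file")
    comment_len = struct.unpack_from("<H", data, idx + 20)[0]
    return idx + EOCD_FIXED + comment_len


def triage(data: bytes) -> dict:
    """Report the traits that make an archive look like a ZipLine delivery."""
    end = archive_end(data)
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
    lnk = [n for n in names if n.lower().endswith(".lnk")]
    lures = [n for n in names if os.path.splitext(n.lower())[1] in LURE_EXTS]
    marker_at = data.find(MARKER)
    # Assumption for this example: the embedded script follows the marker in the trailer.
    script = data[marker_at + len(MARKER):] if marker_at >= end else b""
    return {
        "lnk_entries": lnk,
        "lure_entries": lures,
        "trailing_bytes": len(data) - end,
        "marker_found": marker_at >= 0,
        "embedded_script": script,
        "suspicious": bool(lnk) and (marker_at >= 0 or len(data) > end),
    }


def build_sample(malicious: bool = True) -> bytes:
    """Constructed sample archive: document lures plus, if malicious, an LNK
    entry and a script appended after the EOCD behind MARKER."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AI_Impact_Assessment.pdf", b"%PDF-1.4 lure document")
        zf.writestr("Questionnaire.docx", b"docx lure document")
        if malicious:
            # 0x4C is the HeaderSize field that opens every .lnk file
            zf.writestr("Open_Me_First.lnk", b"L\x00\x00\x00" + b"\x00" * 72)
    data = buf.getvalue()
    if malicious:
        data += MARKER + b"Write-Host 'stage two runs here'"
    return data


if __name__ == "__main__":
    for label, blob in (("malicious", build_sample(True)), ("clean", build_sample(False))):
        report = triage(blob)
        print(label, {k: v for k, v in report.items() if k != "embedded_script"})
```

Run it against real samples with `triage(open(path, "rb").read())`; a non-zero `trailing_bytes` on an archive that also carries an LNK is worth a closer look even when the marker is unknown, because ordinary archivers never leave data behind the EOCD.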

The script disables AMSI (the Antimalware Scan Interface that security products use to inspect PowerShell and script content at run time) and establishes persistence through COM TypeLib registry hijacking.

The hijacked registration is keyed to CLSID {EAB22AC0-30C1-11CF-A7EB-0000C05BAE0B}, an identifier belonging to Internet Explorer's web browser component, which Windows Explorer and other shell components load routinely. Because a per-user entry under HKCU\Software\Classes takes precedence over the machine-wide registration, any process that loads that type library picks up the attacker's entry instead. The payload therefore reactivates after restarts and during ordinary Windows Explorer activity, with no conventional autorun entry and minimal traces on disk.
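A practitioner's first question is how to find such an entry on a fleet. The Python below is an added example, not from Check Point's report, that hunts for suspicious per-user TypeLib registrations. It relies on two facts: a type library is registered under `TypeLib\{LIBID}\<major.minor>\<LCID>\win32` (or `win64`) with the binary's path as the default value, and the per-user copy under HKCU shadows the machine-wide one. The `script:` moniker check, the user-writable path check and the sample entries are constructed for this example; the GUID is the one named in the text.

```python
"""Hunt per-user COM TypeLib hijacks (added example, not the report's code)."""
import re
import sys
from typing import List, Tuple

# Identifier named in the report; Explorer/IE components load this library routinely.
WATCHED_LIBIDS = {"{EAB22AC0-30C1-11CF-A7EB-0000C05BAE0B}"}

# Registration layout: TypeLib\{LIBID}\<major.minor>\<LCID>\win32|win64, default value = path.
TYPELIB_KEY = re.compile(
    r"^HKCU\\Software\\Classes\\TypeLib\\(\{[0-9A-F-]{36}\})\\[\d.]+\\\w+\\(win32|win64)$",
    re.I,
)
LEGIT_EXT = (".dll", ".tlb", ".ocx", ".olb", ".exe")
USER_WRITABLE = re.compile(
    r"(^[A-Za-z]:\\Users\\|\\AppData\\|\\Temp\\|\\ProgramData\\|%APPDATA%|%TEMP%)", re.I
)


def classify(key: str, value: str) -> List[str]:
    """Reasons a per-user TypeLib registration looks hijacked (empty list = looks normal)."""
    m = TYPELIB_KEY.match(key.strip())
    if not m:
        return []
    reasons = []
    if m.group(1).upper() in WATCHED_LIBIDS:
        reasons.append("per-user entry shadows a Microsoft-shipped type library")
    target = value.strip().strip('"')
    if target.lower().startswith("script:"):
        reasons.append("script: moniker instead of a file path")
    else:
        # Microsoft registrations often end in a resource index, e.g. ...\ieframe.dll\1
        path = re.sub(r"\\\d+$", "", target)
        if not path.lower().endswith(LEGIT_EXT):
            reasons.append("target is not a type-library binary")
    if USER_WRITABLE.search(target):
        reasons.append("target lives in a user-writable location")
    return reasons


def hunt(entries) -> List[Tuple[str, str, List[str]]]:
    """Return only the entries that have at least one reason attached."""
    hits = []
    for key, value in entries:
        reasons = classify(key, value)
        if reasons:
            hits.append((key, value, reasons))
    return hits


def collect_hkcu_typelibs() -> List[Tuple[str, str]]:
    """Live collector: walk HKCU\\Software\\Classes\\TypeLib on Windows, [] elsewhere."""
    if sys.platform != "win32":
        return []
    import winreg
    out: List[Tuple[str, str]] = []

    def walk(path: str, depth: int) -> None:
        try:
            with winreg.OpenKey(winreg.HKEY_CURRENT_USER, path) as k:
                if depth == 4:  # ...\{LIBID}\version\lcid\platform
                    try:
                        val, _ = winreg.QueryValueEx(k, "")
                        out.append(("HKCU\\" + path, str(val)))
                    except OSError:
                        pass
                    return
                i = 0
                while True:
                    try:
                        sub = winreg.EnumKey(k, i)
                    except OSError:
                        break
                    walk(path + "\\" + sub, depth + 1)
                    i += 1
        except OSError:
            pass

    walk(r"Software\Classes\TypeLib", 0)
    return out


# Constructed sample: one hijack-style entry and two ordinary per-user registrations.
SAMPLE_ENTRIES = [
    (r"HKCU\Software\Classes\TypeLib\{EAB22AC0-30C1-11CF-A7EB-0000C05BAE0B}\1.1\0\win32",
     r"script:C:\Users\jdoe\AppData\Roaming\Microsoft\Office\stage.sct"),
    (r"HKCU\Software\Classes\TypeLib\{0F1E2D3C-4B5A-6978-8796-A5B4C3D2E1F0}\1.0\0\win32",
     r"C:\Program Files\Vendor\vendor.tlb"),
    (r"HKCU\Software\Classes\TypeLib\{0F1E2D3C-4B5A-6978-8796-A5B4C3D2E1F0}\1.0\0\win64",
     r"C:\Program Files\Vendor\vendor64.dll\1"),
]

if __name__ == "__main__":
    for key, value, reasons in hunt(collect_hkcu_typelibs() or SAMPLE_ENTRIES):
        print(key, "->", value)
        for r in reasons:
            print("   ", r)
```

Any hit on a Microsoft LIBID under HKCU deserves a look regardless of the target, since per-user installs of vendor software rarely re-register Microsoft type libraries; a `script:` target is unambiguous.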

MixShell: Stealthy In-Memory Operations and DNS Tunneling

Central to the campaign is MixShell, a custom in-memory implant loaded directly by the PowerShell script using reflection and .NET dynamic invocation. MixShell conducts its command-and-control operations predominantly via DNS TXT records, with HTTP fallback if DNS queries fail.

Outbound data is XOR-encrypted, hex-encoded, wrapped in predefined marker strings and placed in the subdomain labels of queries sent to attacker-controlled domains; tasking comes back in the TXT records of the replies. The implant reassembles and decrypts the response in memory. Because DNS egress is almost always permitted and rarely inspected at the payload level, this keeps the C2 channel inconspicuous.
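To make the scheme concrete, here is an added Python model of both directions of that channel plus two coarse detections; it is not MixShell's code, and the XOR key, the marker strings and the sample query log are constructed for the example. What it shows beyond the paragraph is the practical ceiling imposed by DNS itself (63 bytes per label, 253 per name), which is why such implants must chunk anything larger than roughly a hundred bytes across several queries.

```python
"""DNS subdomain/TXT C2 encoding and detection (added example, not MixShell's code)."""
import re
from typing import Dict, List

KEY = b"\x5a\x13\xc4\x7e"        # constructed XOR key; the real one is not given
START, END = "zx", "xz"          # constructed markers, chosen outside the hex alphabet
LABEL_MAX, NAME_MAX = 63, 253    # RFC 1035 limits on a label and on a full name
TXT_CHUNK = 254                  # under the 255-byte TXT string limit, even so no byte straddles


def xor(data: bytes) -> bytes:
    return bytes(b ^ KEY[i % len(KEY)] for i, b in enumerate(data))


def encode_query(payload: bytes, c2_domain: str) -> str:
    """Implant side: XOR, hex, wrap in markers, split into labels under the C2 domain."""
    body = START + xor(payload).hex() + END
    labels = [body[i:i + LABEL_MAX] for i in range(0, len(body), LABEL_MAX)]
    name = ".".join(labels + [c2_domain])
    if len(name) > NAME_MAX:
        raise ValueError(f"{len(payload)} bytes do not fit one query name; chunk the data")
    return name


def decode_query(name: str, c2_domain: str) -> bytes:
    """Server side (or an analyst holding the key): strip domain and markers, unhex, XOR."""
    suffix = "." + c2_domain
    if not name.endswith(suffix):
        raise ValueError("query is not under the C2 domain")
    body = name[:-len(suffix)].replace(".", "")
    if not (body.startswith(START) and body.endswith(END)):
        raise ValueError("markers missing")
    return xor(bytes.fromhex(body[len(START):-len(END)]))


def encode_txt(reply: bytes) -> List[str]:
    """Server side: a tasking reply split into TXT character-strings."""
    hexed = xor(reply).hex()
    return [hexed[i:i + TXT_CHUNK] for i in range(0, len(hexed), TXT_CHUNK)]


def decode_txt(strings: List[str]) -> bytes:
    """Implant side: reassemble the TXT strings, then unhex and XOR."""
    return xor(bytes.fromhex("".join(strings)))


HEXISH = re.compile(r"[0-9a-f]")


def looks_tunnelled(name: str, min_label: int = 30, min_hex_ratio: float = 0.8) -> bool:
    """Coarse detector: a long label made almost entirely of hex digits. Short beacons
    slip under min_label, which is why distinct_subdomains() is needed as well."""
    for label in name.lower().split(".")[:-2]:
        if len(label) >= min_label and len(HEXISH.findall(label)) / len(label) >= min_hex_ratio:
            return True
    return False


def distinct_subdomains(names: List[str]) -> Dict[str, int]:
    """Tunnelling also shows as many distinct names under one zone. Base domain is
    taken as the last two labels here; use a public-suffix list in production."""
    seen: Dict[str, set] = {}
    for n in names:
        parts = n.lower().split(".")
        seen.setdefault(".".join(parts[-2:]), set()).add(n.lower())
    return {zone: len(v) for zone, v in seen.items()}


C2 = "aged-llc-example.com"   # constructed, stands in for an aged LLC domain
SAMPLE_QUERIES = [            # constructed resolver log
    "www.example.com",
    "mail.example.org",
    "a1b2c3.cdn.example.net",
    encode_query(b"beacon;host=WS01;user=jdoe;os=win10", C2),
    encode_query(b"result;whoami=corp\\jdoe", C2),
]

if __name__ == "__main__":
    for q in SAMPLE_QUERIES:
        print("TUNNEL?" if looks_tunnelled(q) else "ok     ", q)
    print(distinct_subdomains(SAMPLE_QUERIES))
    print(decode_txt(encode_txt(b"cmd:whoami")))
```

The hex-ratio rule is deliberately simple and will false-positive on some CDN and telemetry hostnames, so pair it with an allowlist and with the per-zone distinct-name count, which catches the many short queries a long-running implant generates.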

MixShell supports a broad spectrum of attacker commands: file operations, reverse proxying, interactive command execution (via pipes), and remote cleanup.

The reverse proxy capability lets attackers pivot further into internal networks while their traffic blends with legitimate operational flows. To slow analysis, newer MixShell variants resolve Windows API functions through a custom ROR4 hash rather than by name, so no import names appear as strings in the implant, and they keep their configuration in XOR-encrypted blocks.
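Hash-based API resolution is a staple of analysis work, so here is an added Python example (not MixShell's code) of the rotate-right family of hashes and of the two things an analyst does with it: precompute a hash-to-name table over candidate exports, and brute-force the exact variant from one known pair. The text gives only the rotation amount (4); the seed, add-versus-xor folding, case handling and NUL terminator are parameters here, and the candidate export list is constructed.

```python
"""ROR-family API hashing plus a resolver and variant brute-forcer (added example)."""
from typing import Dict, List, Optional

MASK = 0xFFFFFFFF


def ror32(value: int, n: int) -> int:
    """32-bit rotate right, the primitive the ROR hashes are built on."""
    n %= 32
    return ((value >> n) | (value << (32 - n))) & MASK


def ror_hash(name: str, rot: int = 4, seed: int = 0, add: bool = True,
             with_nul: bool = False) -> int:
    """Hash an export name the way shellcode-style resolvers do: rotate the running
    value, then fold in the next byte (add, or xor when add=False).
    The defaults (rot=4, add, no NUL, seed 0) are this example's assumption."""
    data = name.encode("ascii") + (b"\x00" if with_nul else b"")
    h = seed
    for c in data:
        h = ror32(h, rot)
        h = (h + c) & MASK if add else h ^ c
    return h


def build_table(names: List[str], **params) -> Dict[int, str]:
    """Precompute hash -> name so constants seen in a sample can be labelled."""
    return {ror_hash(n, **params): n for n in names}


def guess_params(name: str, observed: int) -> Optional[dict]:
    """Brute-force the variant from one known (name, hash) pair: rotation 1..31,
    add/xor folding and NUL handling. Use this when the exact flavour is undocumented."""
    for rot in range(1, 32):
        for add in (True, False):
            for with_nul in (False, True):
                if ror_hash(name, rot=rot, add=add, with_nul=with_nul) == observed:
                    return {"rot": rot, "add": add, "with_nul": with_nul}
    return None


# Constructed candidate list; a real one is dumped from the export tables of
# kernel32/ntdll/ws2_32 and friends on the target OS build.
CANDIDATES = ["LoadLibraryA", "GetProcAddress", "VirtualAlloc", "VirtualProtect",
              "CreateThread", "WriteProcessMemory", "CreateProcessW", "WinExec"]

if __name__ == "__main__":
    for h, n in build_table(CANDIDATES).items():
        print(f"{h:#010x}  {n}")
    unknown = ror_hash("GetProcAddress", rot=13, with_nul=True)   # pretend this came from a sample
    print("variant:", guess_params("GetProcAddress", unknown))
```

In practice the first pair for `guess_params` comes from a function whose identity is obvious from context, such as the call that is immediately followed by a library load; once the variant is fixed, `build_table` over the real export lists labels the rest.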

Infrastructure and Target Profile

Infrastructure analysis reveals that attackers acquire aged domains of former LLCs with clean reputations, hosting convincing websites to establish legitimacy.

These domains often resolve through infrastructure associated with DNS tunneling-based C2 servers. The victim profile spans enterprise and SMBs in manufacturing, biotech, electronics, and energy, emphasizing the campaign’s breadth and adaptability.

ZipLine demonstrates the critical need for defenders to monitor inbound communication channels and adopt multi-layered detection strategies.

Solutions like Check Point Harmony Email & Collaboration use behavioral context analysis, AI-based phishing detection, and threat emulation to block these advanced, multi-stage attacks before they reach supply chain-critical organizations.


The post MixShell Malware Campaign Targets Industrial Sector with Stealthy In-Memory Attacks appeared first on Cyber Security News.
