NEWS Hackers Have Switched to Slow Cooking: They Groom Victims for Weeks to Send a ZIP File

ExcalibuR

Legend
LEGEND
PREMIUM
MEMBER
Joined
Jan 17, 2025
Messages
4,030
Reaction score
7,916
Deposit
11,800$
Even industrial giants become defenseless against patient deception.

Researchers from Check Point Research have reported on a new targeted campaign, ZipLine, which uses the MixShell malware against industrial and high-tech companies. The main feature of the attack is that instead of the usual phishing emails, the threat actors initiate contact through the "Contact Us" form on the victim's website. They then engage in correspondence for weeks, creating the impression of a legitimate business partnership. Sometimes, fake non-disclosure agreements (NDAs) are added to the correspondence. Only after this lengthy grooming process are employees sent a ZIP archive containing the malware.

Inside the archive is a Windows shortcut that launches a PowerShell script. This script loads the MixShell implant directly into memory, so nothing is written to disk, and the implant communicates with the command-and-control (C2) server via DNS tunneling and HTTP. It can execute operator commands, upload and download files, set up a reverse proxy, and establish persistence in the network. In some variants, MixShell is supplemented with anti-debugging techniques and sandbox evasion mechanisms, uses the Windows Task Scheduler to maintain access, and can stealthily download additional modules.

The malware is distributed through subdomains on the herokuapp[.]com service, which makes the activity blend in with legitimate network traffic. The ZIP file also contains a decoy document so that opening it raises no suspicion. The researchers noted that not all archives served from that domain are malicious, indicating that the payload is served dynamically depending on the specific victim. Additionally, the attackers register domains with the names of American LLCs or reuse previously existing companies, and build their websites from a single template, which points to the operation's scale and sophistication.
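As an added illustration (not code from Check Point's report or from the campaign), here are the two parts of this chain that a defender can watch for, in Python: a process-creation rule for explorer.exe spawning a hidden or encoded PowerShell, which is what a double-clicked shortcut inside a ZIP produces, and an entropy check over DNS query logs for the tunnelling traffic. The field names, thresholds and sample events are assumptions constructed for the demo.

```python
import math
import re
from collections import Counter, defaultdict
# Two heuristics keyed to the ZipLine chain: (1) explorer.exe spawning PowerShell with
# hidden-window / policy-bypass / encoded-command flags, which is what a double-clicked
# .lnk inside a ZIP produces; (2) bursts of DNS queries with long, high-entropy subdomain
# labels, a DNS-tunnelling signature. Thresholds and field names are demo assumptions.
SUSPICIOUS_PS = re.compile(
    r"-w(?:indowstyle)?\s+hidden|-ep\s+bypass|-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}",
    re.I)

def shannon_entropy(s: str) -> float:
    """Bits per character; random base32/base64 data scores well above 3.5."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def flag_process(event: dict) -> bool:
    """True when explorer.exe launches PowerShell with LNK-style stealth flags."""
    parent = event["parent"].lower().rsplit("\\", 1)[-1]
    image = event["image"].lower().rsplit("\\", 1)[-1]
    return (parent == "explorer.exe" and image in ("powershell.exe", "pwsh.exe")
            and SUSPICIOUS_PS.search(event["cmdline"]) is not None)

def flag_dns_tunnel(queries, min_queries=5, min_len=30, min_entropy=3.5):
    """Return parent domains that received many long, random-looking subdomain labels."""
    subs_by_parent = defaultdict(list)
    for name in queries:
        labels = name.lower().rstrip(".").split(".")
        if len(labels) >= 3:  # only names that actually carry a subdomain
            subs_by_parent[".".join(labels[-2:])].append(".".join(labels[:-2]))
    return sorted(parent for parent, subs in subs_by_parent.items()
                  if sum(len(s) >= min_len and shannon_entropy(s) >= min_entropy
                         for s in subs) >= min_queries)

# Constructed sample telemetry for the demo (not from the report).
SAMPLE_PROCESS_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -ep bypass -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwAA=="},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\scripts\backup.ps1"},
]
_B32 = "abcdefghijklmnopqrstuvwxyz234567"  # 32 distinct symbols, so entropy = 5.0 bits/char
SAMPLE_DNS_QUERIES = [_B32[i:] + _B32[:i] + ".tunnel.example" for i in range(6)] + [
    "www.example.com", "mail.example.com", "cdn.example.com", "updates.example.com"]

if __name__ == "__main__":
    print([flag_process(e) for e in SAMPLE_PROCESS_EVENTS], flag_dns_tunnel(SAMPLE_DNS_QUERIES))
```

The second sample event is a scheduled backup launched from cmd.exe and is deliberately not flagged; in real telemetry the DNS check should be run per source host and time window, not over a whole log at once.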

The attacks have affected companies in the USA, Singapore, Japan, and Switzerland. The primary targets are industrial manufacturing, machinery, metalworking, component production, and engineering systems. Furthermore, organizations in the semiconductor, consumer goods, biotechnology, and pharmaceutical sectors are also being targeted. This selection shows the attackers' aim to impact key links in the global supply chain. According to Check Point, the campaign's infrastructure overlaps with activity previously documented by Zscaler and Proofpoint in TransferLoader operations, linked to the UNK_GreenSec cluster.

The danger of ZipLine lies not only in the risk of intellectual property theft but also in the threat of ransomware deployment, corporate email compromise, fraudulent transactions, and supply chain disruptions. The report separately emphasizes that the emails use topical themes such as AI adoption and cost optimization, which makes the offers especially plausible for the targeted companies.

Check Point notes that this campaign demonstrates a new generation of social engineering—without intimidation or haste, but relying on trust and business processes. This tactic allows the attackers to bypass traditional filters and lowers employees' guard.