- ZipLine is one of the most advanced social engineering phishing campaigns seen by Check Point Research.
- Attackers reverse the usual phishing flow by starting contact through a company’s public “Contact Us” form, tricking victims into initiating email correspondence.
- They exchange professional, multi-week email conversations and often request NDAs before sending a malicious ZIP file.
- The payload, MixShell, is in‑memory malware that uses DNS tunneling and HTTP fallback to stay connected and execute attacker commands.
- A second wave of attacks uses an AI transformation pretext, disguised as internal AI Impact Assessments.
- Targets are mainly U.S. manufacturing and supply chain–critical companies, where consequences could include stolen intellectual property and ransomware extortion, financial fraud through account takeovers or business email compromise, and disruptions to critical supply chains.
- Check Point Harmony Email & Collaboration blocks such threats with AI-powered phishing prevention, behavioral analysis, threat emulation, and real-time URL inspection.
Flipping the phishing playbook
Check Point Research has identified ZipLine as one of the most advanced phishing campaigns of recent years. Instead of sending unsolicited phishing emails, the attackers initiate contact through a company’s “Contact Us” form. This reversal forces the victim to send the first email, making the exchange appear legitimate and bypassing reputation-based filters.
Gain a deeper understanding of the ZipLine campaign by reading Check Point Research’s full technical analysis.
Social engineering at scale
ZipLine demonstrates how patient social engineering can bypass defenses. Attackers invest days or weeks in credible, professional conversations, often requesting that the victim sign a Non-Disclosure Agreement (NDA). They also create fake company websites that in some cases mimic legitimate U.S.-registered LLCs. Only after establishing this appearance of legitimacy do they deliver a weaponized ZIP file with an embedded PowerShell execution chain.
From ZIP to MixShell
The malicious ZIP archive contains both benign documents and a malicious LNK file. When triggered, it extracts a hidden PowerShell script embedded within the archive’s binary data. This script executes entirely in memory, ultimately deploying MixShell, a custom implant that:
- Uses DNS TXT tunneling with HTTP fallback for C2 communications.
- Executes commands and file operations remotely.
- Creates reverse proxy tunnels for deeper network access.
- Maintains stealthy, persistent control of infected systems.
Riding the AI wave
During this research, Check Point Research observed a second wave of ZipLine emails using an AI transformation pretext. The phishing emails were positioned as internal AI Impact Assessments, supposedly requested by leadership to evaluate efficiency and cost savings. Employees were asked to review a short questionnaire on how AI could affect their workflows. Although no malware was directly recovered in our sample set from these AI-themed emails, the infrastructure reuse suggests a likely repeat of the staged ZIP delivery model and MixShell in-memory execution.
Why it matters
ZipLine’s focus on U.S. manufacturing and supply chain–critical industries raises potential serious concerns. For these companies, the stakes are high:
- Stolen intellectual property and ransomware extortion could halt production lines and lead to data leaks.
- Financial fraud through stolen credentials, bank account takeovers, or business email compromise could cause major monetary losses.
- Supply chain compromise could disrupt production of critical components with ripple effects across industries.
By weaponizing everyday communication channels and executing multi-stage phishing, the attackers show how social engineering remains one of the most effective ways to breach organizations.
Recommendations for defenders
- Expand monitoring of inbound channels: Treat “Contact Us” forms, collaboration tools, and other seemingly benign inbound vectors as potential entry points.
- Increase users’ awareness: Educate employees, especially in procurement, partnerships, and supply chain management on multi-channel social engineering, phishing lures and types of malicious files.
- Introduce enhanced due diligence for new vendors or business contacts: Implement verification through independent sources (phone, LinkedIn, or known partners).
- Harden attachment and link inspection: Ensure security tools can analyze archive files content.
- Guard against account takeover and BEC: Enforce MFA and monitor for unusual login behavior.
How Check Point protects
Check Point Harmony Email & Collaboration delivers AI-driven, multi-layered defense against phishing and social engineering attacks like ZipLine. Key protections include:
- AI and NLP-powered phishing prevention that analyzes context and communication patterns beyond single-message inspection.
- Threat emulation to block malicious attachments, including weaponized ZIP archives.
- Real-time URL protection to stop phishing links at click-time.
- Behavioral analysis to prevent account takeover and business email compromise.
- Data loss prevention (DLP) to safeguard sensitive IP and supply chain data.
With Harmony Email & Collaboration, organizations can protect employees, data, and operations against evolving phishing techniques.
Bottom line: ZipLine is a clear example of phishing innovation, combining web form abuse, long-term email exchanges, and timely AI-themed lures. The risks are severe for U.S. manufacturing and supply chain companies. Traditional detection is not enough, but with Harmony Email & Collaboration, organizations can stay ahead of advanced social engineering attacks.
Gain a deeper understanding of the ZipLine campaign by reading Check Point Research’s full technical analysis.