ZipLine Phishing Campaign Targets U.S. Manufacturing

ZipLine is a sophisticated phishing campaign targeting U.S. manufacturing companies, with a focus on supply-chain-critical sectors. Instead of sending unsolicited mail, the attackers initiate contact through the target company's own website contact form and then sustain a legitimate-looking business conversation over email for weeks before delivering a malicious payload, using AI-related pretexts to build trust. The payload is a custom malware called MixShell, which uses DNS TXT-record tunneling for command and control. The attackers use domains that match the names of registered U.S. companies and reuse similar template websites across multiple domains. Targets are primarily U.S.-based organizations in industrial manufacturing, hardware, semiconductors, and other sectors, ranging from large enterprises to smaller businesses.

Author: AlienVault

Related Tags:
T1071.004 (Application Layer Protocol: DNS)
T1553.005 (Subvert Trust Controls: Mark-of-the-Web Bypass)
T1568 (Dynamic Resolution)
T1572 (Protocol Tunneling)
dns tunneling
ZIPLINE
Switzerland
Singapore
Japan
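MixShell's DNS TXT-record command channel (tagged above as T1071.004 and T1572) is the part of this campaign that is most visible on the network, because a host pushing data out through DNS queries does not look like ordinary name resolution. The following Python script is an added example, not code from the AlienVault pulse or from the ZipLine/MixShell operators: it scores resolver query logs per (client, registered domain) pair on three signals, the share of TXT queries, the average subdomain length and the Shannon entropy of the subdomain labels, and runs over a constructed sample log. The log format, the thresholds, the client addresses and the domain tunnel-example.net are all assumptions made for this example, not indicators from the pulse.

```python
"""Heuristic detector for DNS TXT-record tunnelling (ATT&CK T1071.004 / T1572).
Added example, not code from the AlienVault pulse, ZipLine or MixShell. The log
format, domain names, client addresses and thresholds are assumptions."""
import math
import random
import re
from collections import defaultdict

# Assumed log format (constructed): "<timestamp> <client_ip> <qname> <qtype>"
LOG_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

# Assumed thresholds; tune them against your own resolver logs.
MIN_QUERIES = 5             # ignore (client, domain) pairs with too little data
TXT_RATIO_MIN = 0.7         # ordinary clients rarely issue mostly-TXT queries
AVG_SUBDOMAIN_LEN_MIN = 30  # encoded data rides in long leftmost labels
AVG_ENTROPY_MIN = 3.5       # base32/base64-looking labels score high (bits/char)

def shannon_entropy(s: str) -> float:
    """Bits per character of s; 0.0 for an empty or single-symbol string."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def split_qname(qname: str):
    """Naive (subdomain, registered domain) split on the last two labels.
    Use a public-suffix list in production; co.uk-style suffixes break this."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 2:
        return "", qname.lower()
    return ".".join(labels[:-2]), ".".join(labels[-2:])

def analyze(lines):
    """Return one finding per (client, registered domain) that trips all three signals."""
    stats = defaultdict(lambda: {"total": 0, "txt": 0, "lens": [], "ents": []})
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of crashing the detector
        _ts, client, qname, qtype = m.groups()
        sub, domain = split_qname(qname)
        st = stats[(client, domain)]
        st["total"] += 1
        if qtype.upper() == "TXT":
            st["txt"] += 1
        st["lens"].append(len(sub))
        st["ents"].append(shannon_entropy(sub.replace(".", "")))
    findings = []
    for (client, domain), st in stats.items():
        n = st["total"]
        if n < MIN_QUERIES:
            continue
        txt_ratio = st["txt"] / n
        avg_len = sum(st["lens"]) / n
        avg_ent = sum(st["ents"]) / n
        # All three must fire: a mail relay is all-TXT but short and low-entropy,
        # a CDN client has long names but no TXT; a tunnel shows all three.
        if (txt_ratio >= TXT_RATIO_MIN and avg_len >= AVG_SUBDOMAIN_LEN_MIN
                and avg_ent >= AVG_ENTROPY_MIN):
            findings.append({"client": client, "domain": domain, "queries": n,
                             "txt_ratio": round(txt_ratio, 2),
                             "avg_subdomain_len": round(avg_len, 1),
                             "avg_entropy": round(avg_ent, 2)})
    return findings

def _data_label(seed: int) -> str:
    """Constructed 32-char base32-looking label: a seeded permutation of the alphabet."""
    chars = list("abcdefghijklmnopqrstuvwxyz234567")
    random.Random(seed).shuffle(chars)
    return "".join(chars)

# Constructed sample log. tunnel-example.net is a placeholder, not an indicator
# from the pulse; 10.0.0.23 plays the infected host.
SAMPLE_LOG = [
    *[f"2025-08-26T10:00:{i:02d}Z 10.0.0.23 {_data_label(i)}.{i:04d}.tunnel-example.net TXT"
      for i in range(1, 7)],
    # ordinary workstation: mixed record types, short labels
    "2025-08-26T10:01:00Z 10.0.0.8 www.example.com A",
    "2025-08-26T10:01:01Z 10.0.0.8 mail.example.com A",
    "2025-08-26T10:01:02Z 10.0.0.8 example.com MX",
    "2025-08-26T10:01:03Z 10.0.0.8 _dmarc.example.com TXT",
    "2025-08-26T10:01:04Z 10.0.0.8 api.example.com AAAA",
    # mail relay: all TXT (SPF/DKIM/DMARC lookups) but short, low-entropy labels
    "2025-08-26T10:02:00Z 10.0.0.5 example.org TXT",
    "2025-08-26T10:02:01Z 10.0.0.5 _dmarc.example.org TXT",
    "2025-08-26T10:02:02Z 10.0.0.5 selector1._domainkey.example.org TXT",
    "2025-08-26T10:02:03Z 10.0.0.5 selector2._domainkey.example.org TXT",
    "2025-08-26T10:02:04Z 10.0.0.5 mail._domainkey.example.org TXT",
    "this line is malformed and must be skipped",
]

def analyze_sample():
    """Run the detector over the constructed log; only 10.0.0.23 should be flagged."""
    return analyze(SAMPLE_LOG)

if __name__ == "__main__":
    for finding in analyze_sample():
        print(finding)
```

The three signals are deliberately ANDed: a mail relay is almost all-TXT (SPF, DKIM and DMARC lookups) but uses short, low-entropy names, and a CDN client uses long names but asks for A/AAAA records, so either signal alone generates noise. The registered-domain split is naive (last two labels); feed real data through a public-suffix list, and expect to tune the thresholds per environment before alerting on them.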

Associated Indicators (SHA256 file hashes):
F44107475D3869253F393DBCB862293BF58624C6E8E3F106102CF6043D68B0AF
36B065F19F1AC2642C041002BC3E28326BEC0AA08D288CA8A2D5C0D7A82B56E6
E69D8B96B106816CB732190BC6F8C2693AECB6056B8F245E2C15841FCB48FF94
83B27E52C420B6132F8034E7A0FD9943B1F4AF3BDB06CDBB873C80360E1E5419
F531BEC8AD2D6FDDEF89E652818908509B7075834A083729CC84EEF16C6957D2
D39E177261CE9A354B4712F820ADA3EE8CD84A277F173ECFBD1BF6B100DDB713
71DEC9789FEF835975A209F6BC1A736C4F591E5EEAB20BDFF63809553085B192
2C7BC0EBBBFA282FC3ED3598348D361914FECFEA027712F47C4F6CFCC705690F
4DCFF9A3A71633D89A887539E5D7A3DD6CC239761E9A42F64F42C5C4209D2829