Check Point Research (CPR) has exposed a new phishing campaign dubbed ZipLine, which flips the traditional social engineering playbook by manipulating victims into initiating contact with the attacker. The campaign is primarily targeting supply chain-critical manufacturing companies, using convincing business communications to deploy a custom in-memory implant called MixShell.
In most phishing schemes, the attacker sends the first email. ZipLine reverses this pattern. According to the report, “the attacker initiates the communication via targeted company’s public ‘Contact Us’ form, making the overture appear legitimate. The typical phishing flow is reversed as the victim then initiates the email correspondence.”
This subtle shift adds a veneer of authenticity. Once the victim replies to the form submission, attackers maintain a credible, business-oriented conversation for weeks before sending a malicious ZIP file. One common lure was framed as a Non-Disclosure Agreement (NDA), while a newer wave exploited interest in AI transformation, presented as an “AI Impact Assessment” initiative.

The attackers carefully selected domains that appeared credible, often matching registered U.S. company names. Check Point noted that “many of these domains may have previously belonged to legitimate businesses… all the sites share identical content, layout, and structure, strongly suggesting they were cloned from a single template.”
For payload delivery, they abused Herokuapp.com, a legitimate Platform-as-a-Service, to host malicious archives. By hiding behind trusted platforms and aged domains, the attackers bypassed reputation filters and lowered suspicion.
The malicious ZIP archives contained both legitimate-looking documents and a hidden Windows shortcut (LNK) file. When opened, the shortcut triggered a PowerShell loader that extracted and executed a stealthy implant named MixShell.
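The following is an added example for this article, not code from Check Point Research or from the campaign. It shows a triage check a mail gateway or analyst script can run on a ZIP attachment to catch the pattern described above: a decoy document shipped next to a shortcut that carries the hidden attribute and embeds a PowerShell command line. The archive, the file names and the stub shortcut bytes are constructed here; the stub carries only the real LNK header magic and a UTF-16LE command line (the encoding LNK uses for its string fields) and is not a parseable shortcut.

```python
"""Triage a ZIP attachment for the decoy-document-plus-hidden-LNK pattern.

Added example for this article, not code from Check Point Research; the
archive and the stub shortcut bytes below are constructed for illustration."""
import io
import zipfile

DOS_HIDDEN = 0x02  # FILE_ATTRIBUTE_HIDDEN; Windows zips keep it in external_attr's low byte
# LNK header: HeaderSize 0x4C followed by CLSID {00021401-0000-0000-C000-000000000046}
LNK_MAGIC = b"\x4c\x00\x00\x00" + bytes.fromhex("0114020000000000c000000000000046")
DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx"}


def build_sample_zip() -> bytes:
    """Constructed archive: a decoy 'NDA' document next to a hidden .lnk."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("NDA_Draft_2025.pdf", b"%PDF-1.4\n% decoy document, constructed\n")
        lnk = zipfile.ZipInfo("NDA_Draft_2025.pdf.lnk")
        lnk.external_attr = DOS_HIDDEN  # what a hidden file looks like when zipped on Windows
        # Stub only: the real header magic followed by a UTF-16LE command line,
        # the encoding LNK uses for its string fields. Not a parseable shortcut.
        cmdline = "powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Command <loader>"
        zf.writestr(lnk, LNK_MAGIC + cmdline.encode("utf-16-le"))
    return buf.getvalue()


def member_flags(info: zipfile.ZipInfo, payload: bytes) -> list:
    """Per-file indicators; each is cheap and independent of the others."""
    name = info.filename.lower()
    flags = []
    parts = name.split(".")
    if len(parts) >= 3 and "." + parts[-2] in DOC_EXTS:
        flags.append("double-extension")  # reads as NDA.pdf, is really .lnk
    if info.external_attr & DOS_HIDDEN:
        flags.append("hidden")  # invisible in a default Explorer view
    if name.endswith(".lnk") or payload.startswith(LNK_MAGIC):
        flags.append("lnk")  # check content too, not only the extension
    lowered = payload.lower()
    if b"powershell" in lowered or "powershell".encode("utf-16-le") in lowered:
        flags.append("powershell")  # ASCII or UTF-16LE command line
    return flags


def triage_zip(data: bytes) -> dict:
    """Flags per member plus an archive-level verdict with reasons."""
    members = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            members[info.filename] = member_flags(info, zf.read(info))
    has_lnk = any("lnk" in f for f in members.values())
    has_doc = any(n.lower().endswith(tuple(DOC_EXTS)) for n in members)
    reasons = []
    if has_lnk:
        reasons.append("archive contains a shortcut (.lnk)")
    if has_lnk and has_doc:
        reasons.append("shortcut shipped next to a decoy document")
    if any("hidden" in f and "lnk" in f for f in members.values()):
        reasons.append("shortcut has the hidden attribute set")
    return {"members": members, "suspicious": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    import json
    print(json.dumps(triage_zip(build_sample_zip()), indent=2))
```

The content check on the LNK magic matters more than the extension check: an attacker can rename the shortcut, but Explorer still honours it only if the header is intact. In production, replace the string search with a real LNK parser so the full command line, icon path and target are logged for the analyst.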
Check Point describes MixShell as “a stealthy shellcode payload using DNS TXT tunneling with HTTP fallback for the C2. MixShell supports file operations, reverse proxying, command execution, and pipe-based interactive sessions.”
Notably, MixShell communicates primarily via DNS TXT queries, falling back to HTTP if necessary. This covert channel lets the attacker blend C2 traffic into normal DNS activity, which most networks allow outbound without inspection, making detection challenging. The footprint is still distinctive, though: a single host issuing many unique, long, high-entropy subdomains under one domain, all as TXT lookups, which is what DNS-tunneling analytics key on.
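The following is an added example for this article, not code from Check Point Research or from MixShell, showing how a DNS-tunneling heuristic can be run over resolver query logs to surface the TXT pattern described above. The log format (`<epoch> <client_ip> <qtype> <qname>`), the sample lines, the `c2-relay.invalid` domain and the thresholds are all constructed assumptions; the registered-domain extraction takes the last two labels, which a production version should replace with a Public Suffix List lookup.

```python
"""Heuristic detector for DNS TXT tunnelling of the kind MixShell is described
as using. Added example for this article, not code from Check Point Research
or from the malware; the log format and thresholds are assumptions."""
import math
from collections import defaultdict

# Constructed sample log (not captured traffic). Assumed line format:
#   <epoch> <client_ip> <qtype> <qname>
# 10.0.0.7 shows the tunnelling pattern; 10.0.0.9 shows a noisy but benign
# host that repeats the same TXT lookup (e.g. SPF/DMARC checks).
SAMPLE_LOG = """\
1700000000 10.0.0.5 A www.example.com
1700000001 10.0.0.5 TXT _dmarc.example.com
1700000002 10.0.0.7 TXT 9e0d4b2c71a8.0001.c2-relay.invalid
1700000003 10.0.0.7 TXT 4c1a9f0e3b7d.0002.c2-relay.invalid
1700000004 10.0.0.7 TXT 7b2e8d1f6a0c.0003.c2-relay.invalid
1700000005 10.0.0.7 TXT f8a1c4d9e2b6.0004.c2-relay.invalid
1700000006 10.0.0.7 TXT 1d6b3e9a7f2c.0005.c2-relay.invalid
1700000007 10.0.0.7 TXT 5e2f7c0a9d4b.0006.c2-relay.invalid
1700000008 10.0.0.9 AAAA mail.example.com
1700000009 10.0.0.9 TXT example.com
1700000010 10.0.0.9 TXT example.com
1700000011 10.0.0.9 TXT example.com
1700000012 10.0.0.9 TXT example.com
1700000013 10.0.0.9 TXT example.com
"""


def shannon_entropy(s: str) -> float:
    """Bits per character; encoded C2 data scores higher than hostnames."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname: str) -> str:
    """Assumption: the last two labels are the registered domain. Production
    code should use the Public Suffix List (co.uk, com.au, ...)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def parse_log(text: str) -> list:
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # tolerate malformed lines instead of aborting the run
        ts, client, qtype, qname = parts
        records.append((int(ts), client, qtype.upper(), qname.lower().rstrip(".")))
    return records


def score_txt_tunnelling(records, min_queries=5, min_unique_ratio=0.8,
                         min_mean_entropy=2.5, min_mean_payload=8) -> dict:
    """Per (client, domain) statistics for TXT queries plus a 'flagged' verdict.

    A tunnel produces many *distinct* TXT names whose subdomain part is long
    and high-entropy; repeated lookups of one name (SPF, DMARC) do not."""
    groups = defaultdict(list)
    for _ts, client, qtype, qname in records:
        if qtype == "TXT":
            groups[(client, registered_domain(qname))].append(qname)

    results = {}
    for (client, domain), qnames in groups.items():
        # Subdomain part with dots removed: the encoded payload, if any.
        payloads = [q[: -len(domain)].rstrip(".").replace(".", "") for q in qnames]
        count = len(qnames)
        unique_ratio = len(set(qnames)) / count
        mean_entropy = sum(shannon_entropy(p) for p in payloads) / count
        mean_payload = sum(len(p) for p in payloads) / count
        results[(client, domain)] = {
            "count": count,
            "unique_ratio": unique_ratio,
            "mean_entropy": mean_entropy,
            "mean_payload": mean_payload,
            "flagged": (count >= min_queries
                        and unique_ratio >= min_unique_ratio
                        and mean_entropy >= min_mean_entropy
                        and mean_payload >= min_mean_payload),
        }
    return results


def flagged_pairs(log_text: str) -> list:
    """(client, domain) pairs that meet every threshold, sorted for stable output."""
    stats = score_txt_tunnelling(parse_log(log_text))
    return sorted(k for k, v in stats.items() if v["flagged"])


if __name__ == "__main__":
    for key, stat in score_txt_tunnelling(parse_log(SAMPLE_LOG)).items():
        print(key, {k: round(v, 2) if isinstance(v, float) else v for k, v in stat.items()})
    print("flagged:", flagged_pairs(SAMPLE_LOG))
```

Only the host that emits six distinct, high-entropy TXT names under one domain is flagged; the host repeating the same `example.com` TXT lookup five times is not, because its unique-name ratio is low and its subdomain payload is empty. Tune the thresholds against your own baseline, and remember that the HTTP fallback means a DNS-only detection still needs a companion check on outbound web traffic.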
The malware employs sophisticated techniques to stay hidden and persistent:
- TypeLib hijacking for persistence, ensuring execution on system restart.
- AMSI bypass to evade Microsoft’s Antimalware Scan Interface.
- Reflection-based shellcode execution to avoid leaving forensic traces on disk.
A PowerShell-based variant of MixShell was also observed, incorporating anti-debugging and sandbox evasion, such as scanning for tools like Wireshark, IDA Pro, or VMware indicators.
Check Point found dozens of victims across industries, with a clear emphasis on U.S.-based manufacturing, aerospace, energy, consumer electronics, biotech, and semiconductors. While large enterprises were targeted for high-value opportunities, small and medium-sized businesses (SMBs) were also attacked, seen as softer entry points with fewer defenses.
The report emphasizes: “More than 80% of the identified targets in this campaign are based in the United States, underscoring a clear geographic concentration.”
While attribution remains uncertain, overlapping infrastructure artifacts link ZipLine to a cybercriminal cluster tracked as “UNK_GreenSec.” This suggests financial motivation, but the extensive targeting of supply chain-critical industries hints at broader goals, possibly including espionage.