
ZipLine attack uses 'Contact Us' forms, White House butler pic to invade sensitive industries

(2025/08/26)


Cybercriminals are targeting critical US manufacturers and supply-chain companies, looking to steal sensitive IP and other data while deploying ransomware. Their attack involves a novel twist on phishing — and a photo of White House butlers.

Instead of emailing a malicious link in an unsolicited email, the miscreants initiate contact through the organization's public Contact Us form, tricking the victim into starting the conversation and allowing the attackers to bypass email filters, according to Check Point Research, which uncovered the phishing campaign and dubbed it ZipLine.

The attackers followed up via email with a series of questions stretched over weeks and a meeting request before finally delivering a ZIP archive that ultimately deploys MixShell, a custom, in-memory implant.


"Many dozens" of organizations were targeted in the still-ongoing campaign that dates back to the beginning of May, Sergey Shykevich, threat intelligence group manager at Check Point Research, told The Register .


While the threat-intel team hasn't attributed ZipLine to a particular crew, "this appears to be a highly sophisticated cybercrime operation, capable of acting at scale while simultaneously executing highly targeted, precise attacks within a single campaign — something that is quite unique," Shykevich added.

And here's where the White House butlers fit in. Several of the domains used to initiate email communications match the names of US-based companies and some previously belonged to legitimate businesses. All of these were originally registered between 2015 and 2019, years before the ZipLine campaign began. Using these old domains with long-standing DNS records and clean reputations helped the attackers bypass security filters and gain victims' trust.


Upon closer inspection, Check Point researchers determined that the websites hosted on these domains were completely phony, and all shared the same content and layouts, with the "About Us" pages appearing on all of these displaying the same image that purports to be company founders. In reality, it's [5]this photo of White House butlers.

Industrial manufacturing orgs hit hardest

Check Point detailed the ZipLine phishing campaign in [6]research published on Tuesday, and said 80 percent of the targets are US-based, with additional victims in APAC and Europe.

Industrial manufacturing (46 percent) was the sector hit hardest, followed by hardware and semiconductors (18 percent), and consumer goods and services (14 percent). Biotech and pharmaceuticals (5 percent), energy and utilities (5 percent), media and entertainment (4 percent), construction and engineering (4 percent), and aerospace and defense (4 percent) rounded out the targeted industries.

According to Shykevich, the number of victims remains unknown.

In all of the phishes that Check Point observed, the attackers used Heroku, a legitimate cloud-based service that provides compute and storage infrastructure, to host and deliver the malicious ZIP archive.


The ZIP archive in the attacks Check Point analyzed contains three files: legitimate PDF and DOCX files used as lures, typically disguised as a non-disclosure agreement (NDA) for the employee to sign, plus a malicious LNK file responsible for initiating the execution chain.

The LNK file executes a PowerShell script entirely in memory and ultimately deploys MixShell, which uses DNS TXT tunneling with HTTP fallback for command-and-control (C2) communications.

After establishing C2 with the attacker-controlled server, it remotely executes command and file operations, and creates reverse-proxy tunnels for deeper network access, allowing the attackers to snoop around internal networks while blending in with legitimate network activity.
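As an added illustration of what a defender can look for, not code from The Register's article or Check Point's research: a small heuristic that scans resolver logs for clients sending many TXT queries whose leftmost label is long and high-entropy toward a single registrable domain, the traffic shape that DNS TXT tunneling produces. The log format, thresholds and sample lines are constructed assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed sample resolver log (assumed format: "<epoch> <client_ip> <qtype> <qname>").
# The five TXT queries from 10.0.0.5 mimic a client pushing encoded data through
# subdomain labels; the remaining lines are ordinary lookups.
SAMPLE_LOG = """\
1756237000 10.0.0.5 A www.example-supplier.test
1756237001 10.0.0.5 TXT a3f9c21e7b04d8e6f1a2b3c4d5e6f7a8.tunnel-c2.test
1756237002 10.0.0.5 TXT 9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c4b.tunnel-c2.test
1756237003 10.0.0.5 TXT 0f1e2d3c4b5a69788796a5b4c3d2e1f0.tunnel-c2.test
1756237004 10.0.0.5 TXT 7a6b5c4d3e2f1a0b9c8d7e6f5a4b3c2d.tunnel-c2.test
1756237005 10.0.0.5 TXT 1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e.tunnel-c2.test
1756237006 10.0.0.7 TXT _dmarc.example-supplier.test
1756237007 10.0.0.7 MX example-supplier.test
"""


def shannon_entropy(s: str) -> float:
    """Bits per character of s; encoded payload labels score far higher than words."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registered_domain(qname: str) -> str:
    """Crude 'last two labels' approximation (assumption: no public-suffix list available)."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def find_txt_tunnel_candidates(log_text: str, min_queries: int = 5,
                               min_label_len: int = 20, min_entropy: float = 3.0):
    """Return sorted (client, domain, count) triples for clients that send at least
    min_queries TXT lookups with long, high-entropy leftmost labels to one domain."""
    hits = defaultdict(int)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[2] != "TXT":
            continue
        client, qname = parts[1], parts[3]
        label = qname.split(".")[0]
        if len(label) >= min_label_len and shannon_entropy(label) >= min_entropy:
            hits[(client, registered_domain(qname))] += 1
    return sorted((c, d, n) for (c, d), n in hits.items() if n >= min_queries)


if __name__ == "__main__":
    for client, domain, count in find_txt_tunnel_candidates(SAMPLE_LOG):
        print(f"possible TXT tunnel: {client} -> {domain} ({count} queries)")
```

Because MixShell falls back to HTTP when DNS is blocked, this check only covers the DNS leg; pair it with egress web-proxy logging so the fallback channel is visible too.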

It also maintains stealthy, persistent control of infected systems, allowing the criminals to conduct all types of post-exploitation activities including data theft, ransomware extortion, financial fraud through account takeovers or business email compromise, and supply chain disruption.

As the security shop was finalizing this report, it spotted a new wave of ZipLine phishing emails using AI transformation as the lure, stating that the victim-company's execs wanted the recipient to complete an "AI Impact Assessment."

"At this stage, the payload used in this AI-themed variant has not yet been observed," the report notes. "However, based on the attacker's continued use of previously established infrastructure, we assess with high confidence that it is likely to follow a similar delivery model as seen in earlier stages of the ZipLine campaign — potentially involving staged delivery, a weaponized ZIP archive, and in-memory execution of a backdoor such as MixShell."

[8]'Impersonation as a service' the next big thing in cybercrime

[9]That WhatsApp from an Israeli infosec expert could be a Iranian phish

[10]Fake CAPTCHA tests trick users into running malware

[11]Oh, great. Three notorious cybercrime gangs appear to be collaborating

"The ZipLine campaign is a wake-up call for every business that believes phishing is just about suspicious links in emails," Shykevich said. "Attackers are innovating faster than ever — blending human psychology, trusted communication channels, and timely AI-themed lures."

Plus, for network defenders, it's a good reminder that even seemingly benign channels like Contact Us forms can be exploited by miscreants looking for ways to gain initial access to corporate environments. ®





[5] https://www.washingtonian.com/2014/06/26/meet-the-white-house-butlers-boss/

[6] https://research.checkpoint.com/2025/zipline-phishing-campaign/


[8] https://www.theregister.com/2025/08/21/impersonation_as_a_service/

[9] https://www.theregister.com/2025/06/26/that_whatsapp_from_an_israeli/

[10] https://www.theregister.com/2025/08/22/clickfix_report/

[11] https://www.theregister.com/2025/08/12/scattered_spidershinyhunterslapsus_cybercrime_collab/




Grogan

Once again, the problem is humans. It doesn't matter how many tricky emails get through to me, I'm not going to bite. I don't "trust" things just because they come through my contact forms (whitelisted, local) vs. sneaking through my spam filters.

Sure, you have meeting details in a password protected zip file... that's legit ( /sarcasm )

Fix your employees.

IGotOut

But if someone has been mailing a company for months, going back and forwards, and then says we wish to do business, we're going to send over some confidential files and we'll send the password later. Do you not open it? Or do you only send highly confidential documents unencrypted so the other party doesn't have to unlock them?

My last company had over 500 people that dealt with these sorts of enquiries day in, day out; each sales person may be dealing with multiple potential new clients each week.

Do you refuse to open ANY files?

Or do you right click, scan the file, seems ok then open it?

There's your small world, then the bigger real world.
