
Malicious ZipLine Email Scam Manipulates Individuals in Manufacturing and Essential Supply Chains Through Socially Engineered Tactics

The ZipLine phishing campaign, exposed by Check Point Research, uses social engineering to infiltrate manufacturing companies and critical supply chains.



In a recent report, Check Point Software has shed light on an advanced social engineering phishing campaign known as ZipLine. This campaign, which has not been publicly attributed to a specific threat actor, has been targeting U.S.-based entities in the manufacturing and supply chain sectors.

The ZipLine campaign, which began in early 2025, has been found to affect organizations of all sizes, from Enterprise-level companies to Small and Medium Businesses (SMBs). The phishing emails are positioned as internal AI Impact Assessments, supposedly requested by leadership to evaluate efficiency and cost savings.

The emails are meticulously crafted: the attackers invest days or weeks in credible, professional conversations, often asking the victim to sign a non-disclosure agreement (NDA) first. The ZIP archive eventually delivered through this exchange holds both benign documents and a malicious LNK file.
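The delivery model above (a ZIP that mixes decoy documents with a shell link) lends itself to a simple mail-gateway or sandbox check. The following is an added example, not Check Point's or the campaign's code: it identifies LNK members by their MS-SHLLINK header rather than by extension, so a renamed or double-extension shortcut is still flagged. The archive contents and file names are constructed for the demonstration.

```python
import io
import zipfile

# MS-SHLLINK header: HeaderSize 0x4C followed by the LinkCLSID
# {00021401-0000-0000-C000-000000000046} in little-endian GUID byte order.
LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")


def is_lnk(data: bytes) -> bool:
    """True if the content starts with a Windows shell link (LNK) header."""
    return data[: len(LNK_MAGIC)] == LNK_MAGIC


def scan_zip(zip_bytes: bytes) -> dict:
    """Inspect every member of a ZIP archive and flag shell links.

    Detection is by content, so a member whose name hides the .lnk suffix
    (Explorer never displays it) still triggers. Returns the LNK member
    names, the remaining (decoy) members and an overall verdict.
    """
    lnk_members, other_members = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))
            # Extension check is a fallback for truncated or unreadable members.
            if is_lnk(head) or info.filename.lower().endswith(".lnk"):
                lnk_members.append(info.filename)
            else:
                other_members.append(info.filename)
    return {
        "lnk_members": lnk_members,
        "decoy_members": other_members,
        "suspicious": bool(lnk_members),
    }


def build_sample_archive() -> bytes:
    """Constructed sample: a decoy document plus a double-extension shell link."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AI_Impact_Assessment/NDA.pdf", b"%PDF-1.4 constructed decoy")
        # Shell link header plus filler; the name shows as "Assessment.pdf" in Explorer.
        zf.writestr("AI_Impact_Assessment/Assessment.pdf.lnk", LNK_MAGIC + b"\x00" * 32)
    return buf.getvalue()


if __name__ == "__main__":
    print(scan_zip(build_sample_archive()))
```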

The payload, known as MixShell, is in-memory malware that uses DNS tunneling, with HTTP as a fallback channel, to maintain connectivity and execute attacker commands. Although no malware was directly recovered from the sample set, the reuse of infrastructure suggests that the staged ZIP delivery model and MixShell in-memory execution are likely being repeated.

The domains involved in the ZipLine campaign were first registered between 2015 and 2019, years before the campaign began. This indicates that the group behind the campaign may have been preparing for a long time, waiting for the right opportunity to strike.

The Q2 2025 Ransomware Report by Check Point Software highlights a fragmenting threat landscape, with successful attacks resulting in stolen intellectual property, ransomware extortion, financial fraud, and significant disruptions to critical supply chains. Newer actors such as Hunters International are abandoning file encryption in favor of stealthier, data-only extortion.

Established groups like Qilin and DragonForce are expanding their operations with AI-powered tools and aggressive affiliate recruitment. This evolution of ransomware is causing concern among security experts, with Check Point Software recently releasing new data showing that ransomware is evolving rather than disappearing.

In addition to creating fake company websites that mimic legitimate U.S.-registered LLCs, the attackers exploit legitimate-looking business interactions to stealthily deliver a custom malware implant. A new wave of phishing emails associated with the ZipLine campaign has been observed, built around an AI transformation pretext.

The majority of the targeted companies are in industrial manufacturing, including machinery, metalwork, component production, and engineered systems. The attacker explicitly states that the company's leadership requested the recipient's personal input, implying that their opinion will influence upcoming decisions.

Check Point Research has detailed ZipLine, an advanced social engineering phishing campaign that poses a significant threat to U.S. manufacturing and supply chain companies. It is crucial for organizations to remain vigilant and implement robust security measures to protect against such threats.
