New ZipLine Campaign Attacks Critical Manufacturing Companies to Deploy In-memory Malware MixShell


In recent weeks, a sophisticated phishing operation known as the ZipLine campaign has targeted U.S.-based manufacturing firms, leveraging supply-chain criticality and legitimate-seeming business communications to deploy an advanced in-memory implant dubbed MixShell.

This threat actor reverses traditional phishing workflows by initiating contact through corporate “Contact Us” web forms, prompting victims to reach out first.

Once dialogue is established, attackers pose as potential partners and engage the target in protracted email correspondence, often spanning two weeks, before delivering a weaponized ZIP archive hosted on a trusted Platform-as-a-Service domain.


The ZIP archive conceals a malicious .lnk file and embedded PowerShell script, which obfuscates its true purpose by including harmless PDF and DOCX lure files alongside the payload.

Upon execution, the .lnk file triggers a loader that scans common directories for the archive, extracts a marker-delimited PowerShell script, and injects it directly into memory, bypassing AMSI checks by forcing AmsiUtils.amsiInitFailed = $true.

Picus Security analysts identified this memory-resident approach as a key factor in MixShell’s stealth, enabling rapid, fileless execution without touching disk.

MixShell’s custom shellcode is unwrapped in memory using reflection and the System.Reflection.Emit API, dynamically resolving Windows API functions via a custom ROR4-based hashing algorithm.

[Figure] ZipLine infection chain (Source – CheckPoint)

The implant’s configuration, stored immediately after the code section in an XOR-encrypted, hex-encoded block, provides DNS TXT tunnel parameters for command and control (C2).

These parameters include prepend and append markers, an XOR key, and domain information, all of which facilitate covert data exchange over DNS queries.

If DNS fails after six attempts, the implant shifts to HTTP fallback, maintaining the same encryption and framing format to blend malicious traffic with legitimate web requests.

Beyond initial execution, MixShell establishes persistence by hijacking a COM object’s TypeLib registry entry.

The PowerShell script writes a malicious XML scriptlet named Udate_Srv.sct to the ProgramData directory and points the CLSID {EAB22AC0-30C1-11CF-A7EB-0000C05BAE0B}—associated with Internet Explorer’s Web Browser control—to this file.

On every system restart or when Explorer.exe triggers the hijacked COM object, the scriptlet launches cmd[.]exe /K set X=1&{shortcut}, re-running the payload without further user interaction.

Infection Mechanism Deep Dive

The infection chain of ZipLine is a masterclass in social engineering and technical evasion.

Attackers first submit a form-based inquiry—often with an “AI Impact Assessment” pretext—to the target’s website. Once the victim responds, the attackers request an NDA and provide a link to a ZIP file on a legitimate Herokuapp subdomain.

[Figure] Delivery of the malicious NDA ZIP file (Source – CheckPoint)

Within the archive, the PowerShell script locates the embedded payload marker xFIQCV, extracts the shellcode blob, and uses in-memory methods to allocate executable pages via VirtualAlloc and invoke the payload directly.

MixShell’s ROR4 hash routine (def api_hash and def ror4) iterates over uppercase-converted API names, generating identifiers to resolve function pointers at runtime.
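As an added illustration (not Check Point's or Picus Security's code, and not MixShell's own routine), the following Python builds the kind of ROR4 hash lookup table an analyst uses to label hashed API references in a sample like this. The page only states that the hash rotates right by 4 over upper-cased API names; the seed of 0, the rotate-then-add order and the 32-bit width are assumptions that must be checked against the actual shellcode before use.

```python
# Added example: ROR4 API-hash table builder for import-resolution analysis.
# Assumed variant: 32-bit accumulator, h = ror4(h) + byte over the
# upper-cased ASCII name, seed 0. Adjust these if the sample differs.

MASK32 = 0xFFFFFFFF


def ror4(value: int, bits: int = 4) -> int:
    """Rotate a 32-bit value right by `bits` (default 4)."""
    value &= MASK32
    return ((value >> bits) | (value << (32 - bits))) & MASK32


def api_hash(name: str) -> int:
    """Hash an API name as the page describes: upper-case it, then fold
    each byte into a running 32-bit value with a ROR4 step."""
    h = 0
    for b in name.upper().encode("ascii"):
        h = (ror4(h) + b) & MASK32
    return h


def build_lookup(names) -> dict:
    """Map hash -> API name so a disassembler script can rename hashed
    constants. A collision raises instead of silently overwriting."""
    table = {}
    for n in names:
        h = api_hash(n)
        if h in table and table[h] != n:
            raise ValueError(f"hash collision: {n!r} vs {table[h]!r}")
        table[h] = n
    return table


def resolve(hashes, table) -> list:
    """Translate hashes pulled from a sample into names; unknown values
    are kept visible rather than dropped."""
    return [table.get(h, f"unknown_{h:08x}") for h in hashes]


# Constructed export list for the demo; a real script would enumerate
# the exports of kernel32.dll / ntdll.dll on a clean system.
SAMPLE_EXPORTS = ["VirtualAlloc", "VirtualProtect", "CreateThread",
                  "LoadLibraryA", "GetProcAddress"]

if __name__ == "__main__":
    table = build_lookup(SAMPLE_EXPORTS)
    for h, n in sorted(table.items()):
        print(f"{h:08x}  {n}")
```

Because the hash is taken over the upper-cased name, a lookup table built this way also matches samples that reference the same API with different casing.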

[Figure] MixShell’s configuration (Source – CheckPoint)

This dynamic resolution avoids static imports, rendering common signature-based detections ineffective.

By maintaining all malicious actions in volatile memory, MixShell leaves only minimal forensic artifacts, challenging incident responders to detect and remediate infected hosts before data exfiltration or lateral movement can occur.



About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.