MixShell Malware Targets U.S. Supply Chain via Contact Forms
⚠️ Cybersecurity researchers warn of a targeted social‑engineering campaign delivering an in‑memory implant called MixShell to supply‑chain manufacturers through corporate 'Contact Us' forms. The activity, tracked as ZipLine by Check Point, uses weeks of credible exchanges, fake NDAs and weaponized ZIPs containing LNK files that trigger PowerShell loaders. MixShell runs primarily in memory, uses DNS tunneling for C2 with HTTP fallback, and enables remote commands, file access, reverse proxying, persistence and lateral movement. Malicious archives are staged on abused Heroku subdomains, illustrating use of legitimate PaaS for tailored delivery.
