Fileless MixShell Malware Delivered Through Web Forms and Cloud Services

Threat Group: Unknown actor with possible overlaps to the UNK_GreenSec cybercriminal cluster
Threat Type: Social engineering phishing campaign delivering a fileless, in‑memory backdoor
Exploited Vulnerabilities: No software vulnerabilities exploited. The threat abuses web "Contact Us" forms, trusted cloud storage and user trust to bypass email gateways
Malware Used: MixShell – a custom shellcode/PowerShell backdoor that runs from memory, resolves Windows API functions via a ROR4 hashing algorithm, stores its configuration encrypted and communicates using DNS TXT tunnelling with HTTP fallback
Threat Score: 🔴 High (8.2/10) – Stealthy, persistent and designed for supply chain access operations with covert communications
Last Threat Observation: 27th August 2025

Overview

In late 2023 through 2025, researchers observed a sophisticated phishing campaign codenamed ZipLine that delivers MixShell, an in‑memory backdoor with DNS‑based command and control.
Rather than blasting out spam, the attackers initiate contact through a target company’s “Contact Us” web form, causing the victim to respond and thereby reversing the usual phishing flow (malware.news). They maintain credible business‑oriented email conversations for up to two weeks, often asking victims to sign non‑disclosure agreements or participate in AI‑transformation assessments (malware.news). When trust is built, the threat actor sends a ZIP archive hosted on a legitimate PaaS platform such as Heroku (malware.news). Within the ZIP is a benign PDF or Word document, a .LNK shortcut and a hidden PowerShell script embedded after a marker string (malware.news). The LNK launches a PowerShell loader that disables Microsoft’s Antimalware Scan Interface (AMSI) and extracts the concealed script, which in turn decrypts and executes the MixShell shellcode entirely in memory.

MixShell is a sophisticated backdoor that illustrates the evolution of fileless malware. It dynamically resolves required Windows APIs using a ROR4 hashing algorithm (malware.news), decrypts its configuration block using XOR keys (malware.news) and communicates primarily through DNS TXT record queries, with a fallback to HTTP if DNS fails (malware.news). Its command set supports file operations, reverse‑proxy tunnelling, command execution and interactive pipe sessions (malware.news). A separate PowerShell variant adds anti‑debugging and virtualization checks along with scheduled‑task persistence (malware.news).

This advisory provides a comprehensive breakdown of the ZipLine campaign, an in‑depth technical analysis of the MixShell backdoor, indicators of compromise, and actionable mitigation strategies. It follows the style of Cybersec Sentinel advisories and draws from trusted sources such as Check Point Research, Malware News and Palo Alto Networks.

Key Details

Delivery Method

  1. Initial access via Contact Us forms – Attackers submit legitimate‑looking business enquiries through a company’s public contact form. Victims naturally reply via email, reversing the typical attacker‑initiated interaction (malware.news). The exchange may involve meeting requests, non‑disclosure agreements or AI transformation questionnaires (malware.news).
  2. Multi‑week social engineering – Conversations span one to two weeks, building rapport and bypassing reputation‑based email filtering (malware.news).
  3. Weaponized ZIP archive – After trust is established, the actor sends a ZIP archive from a herokuapp.com subdomain (malware.news). The archive contains legitimate documents and a malicious .LNK file which triggers a PowerShell loader (malware.news).
  4. PowerShell loader – The LNK executes a loader that locates a marker string in the ZIP, extracts a hidden PowerShell script and disables AMSI before reflection‑loading the script and decrypting the embedded shellcode. Earlier variants persisted via TypeLib hijacking; later versions use scheduled tasks.
  5. MixShell deployment – The decrypted shellcode runs in memory. It installs persistence, generates a machine‑specific mutex and beacons to the C2 server through DNS queries (malware.news).

Targeting & Victimology

  • Industry focus – Supply‑chain‑critical sectors are primary targets. More than 80 % of victims are U.S. organisations in manufacturing, semiconductor, biotechnology and energy industries, with additional victims in Singapore, Japan and Switzerland (malware.news). Both large enterprises and small/medium businesses are affected (malware.news).
  • Geographic distribution – The infrastructure and communication style are U.S.‑centric (malware.news), and the campaign uses domain names that mimic legitimate U.S. limited‑liability companies (e.g., lvprocurement[.]com, humcrm[.]com) (malware.news). Attack infrastructure leverages aged domains registered between 2015 and 2019 to avoid suspicion (malware.news).
  • Attribution – Infrastructure overlaps with IP addresses previously associated with the TransferLoader campaign, which Proofpoint attributes to UNK_GreenSec (malware.news). However, attribution remains uncertain.

MixShell Functionality

  • Fileless in‑memory execution – MixShell executes entirely in RAM, leaving no files on disk and disappearing after reboot unless persistence is established. It abuses legitimate Windows utilities and memory operations, exemplifying fileless malware (portnox.com).
  • API hashing & configuration encryption – The backdoor resolves Windows API functions via a custom ROR4 hashing algorithm, obfuscating names and hampering signature‑based detection (malware.news). Its configuration, stored immediately after the shellcode, is hex‑encoded and XOR‑encrypted (malware.news).
  • DNS‑first command‑and‑control – C2 communication uses DNS TXT queries. Subdomains are constructed by combining a prepend value, XOR‑encoded communications key and an append value (malware.news). Responses are decrypted using the same XOR key and chunked due to the 60‑character subdomain limit (malware.news). After six failed DNS queries, MixShell falls back to HTTP with identical encryption (malware.news).
  • Supported commands – MixShell’s command set includes acknowledgements, self‑removal (Abort), sending lure file names, creating pipes, executing shell commands, reading/writing pipes, downloading files, establishing reverse‑proxy tunnels and closing sockets (malware.news). The reverse‑proxy handshake involves two sockets and key exchanges to relay traffic and pivot into internal networks (malware.news).
  • Obfuscation and evasion – The PowerShell variant performs anti‑debugging and sandbox checks by scanning for analysis tools (windbg, IDA, Wireshark), checking named pipes (\cuckoo, \vbox, etc.), verifying physical memory and CPU cores, and terminating if virtualization is detected (malware.news).
  • Persistence – Early shellcode versions achieved persistence via TypeLib hijacking (registering a malicious type library to execute during COM object loading). Later variants schedule tasks using the native Windows Task Scheduler (malware.news).

Why It Matters

  • Supply‑chain risk – Manufacturing and semiconductor sectors supply critical components. Compromise could lead to intellectual‑property theft, production disruption or downstream attacks against customers.
  • Stealth & detection challenges – MixShell runs in memory and uses legitimate tools, making it difficult to detect using file‑based antivirus. DNS tunnelling disguises command traffic within legitimate name resolution streams; long, random subdomains and TXT records may not trigger alerts (paloaltonetworks.com).
  • Lateral movement & data exfiltration – The reverse‑proxy function enables attackers to pivot into internal networks, exfiltrate data and maintain persistence while blending into normal DNS and HTTP traffic (malware.news).
  • Potential for prolonged dwell time – Social engineering campaigns with multi‑week engagement and fallback communication channels allow attackers to remain undetected for extended periods, increasing the risk of follow‑on attacks such as ransomware or business email compromise.

Attack Vectors

  1. Form submission – The attacker submits a message through a target company’s “Contact Us” form. Typical messages discuss potential partnerships, procurement, or AI transformation initiatives (malware.news).
  2. Email conversation – The victim replies, initiating a direct email thread. The attacker continues a professional conversation for one to two weeks, sometimes requesting an NDA or questionnaire (malware.news).
  3. Malicious ZIP delivery – A link to a ZIP archive hosted on Heroku or another legitimate platform is sent. The actor claims it contains the requested documents (malware.news).
  4. ZIP archive contents – The archive includes benign documents and a .LNK file disguised as a PDF or folder. Hidden within the ZIP data is a base64‑encoded, XOR‑encrypted PowerShell script positioned after a marker string (malware.news).
  5. Shortcut execution – When the victim clicks the LNK, Windows executes it, launching PowerShell with arguments that locate the marker in the ZIP, extract the script, disable AMSI and load the embedded shellcode via reflection.
  6. MixShell installation – The shellcode decrypts its configuration, creates a unique mutex and, depending on the variant, establishes persistence via TypeLib hijacking or scheduled tasks (malware.news).
  7. Command and control – The malware beacons to the attacker’s domains using DNS TXT queries. Data is XOR‑encrypted and chunked across multiple queries (malware.news). After six failures, the implant falls back to HTTP on ports specified in the configuration (malware.news).
  8. Post‑exploitation – Using its command set, the attacker can download additional payloads, execute arbitrary commands, establish a reverse proxy for lateral movement and exfiltrate data (malware.news).

Technical Analysis of MixShell

API Resolution & Configuration

When MixShell executes, it first resolves Windows API functions without storing their names in plaintext. Instead, it uses a ROR4 hashing routine: for each character of the uppercased API name, a 32‑bit accumulator is rotated right by 13 bits and the character value is added to it (malware.news). This technique hides imported functions from static analysis and detection. After resolving APIs, the implant parses a configuration block located immediately after its code section. Each parameter is hex‑encoded and XOR‑encrypted with a key stored at the end of the configuration (malware.news). Values include the list of DNS domains, XOR keys for communication, lure file name, HTTP domain, mutex generation parameters, installation date, product ID string and other metadata (malware.news).

Mutex & Fingerprinting

To ensure only one instance runs per machine, MixShell creates a mutex named after a computed hex string. The string is derived from the product ID, install date and serial number (via hex(100 + ProductId + InstallDate + SerialNumber)) (malware.news). This also serves as a unique C2 identifier, allowing the attacker to link commands to a specific host.

DNS‑Based C2

The implant prefers DNS TXT tunnelling for command and control. The subdomain structure is <prepend><hex(comm_key[0] ^ base64_str[0])><append>.<id_hex>.<time_hex>.<domain> (malware.news). Each outbound message is split across queries due to the 60‑character limit on subdomains (malware.news). Responses are processed by stripping the prepend/append markers, converting the remaining data from text to hexadecimal bytes and decrypting it with the XOR key (malware.news). If six consecutive DNS queries fail, MixShell falls back to HTTP using the same encryption scheme (malware.news).

DNS tunnelling is attractive to attackers because DNS is a ubiquitous and often‑trusted protocol. According to Palo Alto Networks, attackers can use DNS queries to map internal networks and find high‑value assets (paloaltonetworks.com). The technique can be leveraged to deliver staged malware, maintain command and control channels and exfiltrate data, all while blending into normal DNS traffic (paloaltonetworks.com). Monitoring solely domain names is insufficient because data may be hidden in TXT records or long subdomains, which often go uninspected (paloaltonetworks.com).

Supported Commands & Reverse Proxy

The implant’s command set allows the attacker to control the infected host:

  Command ID   Description
  0            ack – Adjusts the retry count of DNS queries.
  1            Abort – Terminates the implant and removes its program directory (malware.news).
  2            Send lure name – Encrypts and sends the lure file name to the C2 (malware.news).
  3            Create Pipe – Sets up an inter‑process communication (IPC) channel.
  4            Run Command – Executes arbitrary shell commands through the pipe (malware.news).
  5            Read From Pipe – Sends command output back to the C2 (malware.news).
  6            Cleanup Pipes – Removes IPC pipes (malware.news).
  7            Write Files – Downloads a file from a URL and saves it to the TEMP directory (malware.news).
  8            Reverse Proxy – Opens sockets to establish a bidirectional relay allowing lateral movement (malware.news).
  9            Close Socket – Terminates the proxy session (malware.news).

The reverse‑proxy handshake is especially powerful. MixShell opens one connection to the C2, receives a four‑byte key and sends an initial message. After a confirmation, it opens a second socket, exchanges another key and sends a large block of zero bytes. The C2 then instructs MixShell to connect to a new IP/port or domain. Traffic is relayed until a termination flag is sent (malware.news). This design enables inbound pivoting into internal networks while blending with legitimate traffic.

PowerShell Variant Enhancements

A PowerShell rewrite of MixShell retains the same encryption routine and infection flow but adds several evasion techniques: scanning for debugging tools (e.g., Windbg, IDA, Wireshark), checking for virtualization by reading BIOS strings, verifying physical memory and CPU core counts, and terminating when analysis conditions are detected (malware.news). Persistence is achieved via scheduled tasks rather than TypeLib hijacking, and victim identification uses a CRC32 hash of the Windows Product ID (malware.news). These changes indicate active development and adaptation by the threat actor.

Indicators of Compromise

File Hashes (SHA‑256)

Researchers identified numerous MixShell‑related payloads in the wild. The following hashes are representative; defenders should monitor for these and any future variants:


Domains & IP Addresses

The campaign leverages aged domains and cloud subdomains to host payloads and serve as DNS C2. Block or sinkhole traffic to these domains/IPs and monitor for similar patterns:

  • lvprocurement[.]com, kprocurement[.]com, lamyconsulting[.]com, trilineconsulting[.]com, hancockconsulting[.]com, caultonconsulting[.]com, chipmanconsulting[.]com, kgmstrategy[.]com, crosleyconsulting[.]com, humcrm[.]com, tollcrm[.]com, atriocrm[.]com, vnrsales[.]com, zappiercrm[.]com, crmforretailers[.]com (malware.news).
  • 172.210.58[.]69, 212.83.190[.]143, 5.180.221[.]108, 185.180.221[.]108 (malware.news).
  • Heroku hostnames: signstream-docs-de3fa399b173[.]herokuapp[.]com, collab-sign-8e36fa762841[.]herokuapp[.]com, viewshare-4a47630892e1[.]herokuapp[.]com, legal-sign-8ec8b9f1edb2[.]herokuapp[.]com, docsign-hub-3295a03470c3[.]herokuapp[.]com (malware.news).

Process & Persistence Indicators

  • PowerShell execution with unusual command‑line arguments referencing local ZIP archives and marker strings.
  • Creation of scheduled tasks or modification of TypeLib registry keys associated with suspicious file names.
  • Mutex names derived from the host’s Product ID, install date and serial number.
  • DNS queries containing long subdomains with random characters, repeated prefixes and suffixes (e.g., ul44mg.<id>.<timestamp>.<domain>), often using the TXT record type (malware.news).

Mitigation and Prevention

User Awareness & Social‑Engineering Defenses

  • Validate contact form submissions – Enforce policies that require inbound enquiries to be verified via secondary channels before engaging in business discussions. Be wary of requests to sign NDAs or review “AI transformation” documents from unknown sources (malware.news).
  • Security awareness training – Educate employees on social‑engineering techniques. Stress that attackers may engage in prolonged conversations and use legitimate file‑sharing platforms to deliver payloads.
  • Phishing simulation – Conduct regular phishing exercises to gauge employee responses and reinforce caution with unexpected documents or links.

Email & Web Controls

  • URL & attachment scanning – Deploy email security solutions that analyse attachments in a sandbox and extract scripts from archives. Look for hidden scripts after marker strings and disable macros and shortcuts by default.
  • Block LNK files – Restrict execution of Windows shortcut files received via email or downloaded from the internet, or treat them as high‑risk attachments.
  • Zero‑trust access for web forms – Isolate web‑form submissions from production email flows. Use web application firewalls to inspect requests and identify automated or suspicious patterns.

Endpoint Detection & Response (EDR)

  • Behaviour‑based detection – Fileless malware is difficult to detect with signature‑based antivirus because it operates in memory (portnox.com). Use EDR solutions that monitor process behaviour, memory allocation, PowerShell command lines and API resolution patterns. Look for modules that hunt for anomalies such as API hashing loops or reflection loading.
  • Script block logging & audit – Enable PowerShell logging with ModuleLogging, ScriptBlockLogging and Transcription. Monitor for encoded scripts and Base64 payloads. Correlate logs with user context to detect unauthorized usage.
  • Least privilege & application control – Limit users’ ability to execute PowerShell or WMI commands. Employ application whitelisting to block unapproved executables, including scripting engines (portnox.com).
  • Memory scanning & virtualization – Use tools capable of scanning RAM for known shellcode patterns and hooking detection. Detecting ROR4 hashing loops or anomalies in DNS query generation can indicate MixShell infections.

DNS and Network Monitoring

DNS tunnelling exploits the ubiquity of DNS to hide malicious traffic. Palo Alto Networks recommends a layered approach for prevention, detection and mitigation (paloaltonetworks.com):

Detection

  • Analyze DNS query payloads – Look for long subdomains, high‑entropy strings and numerical patterns indicative of Base32/Base64 encoding (paloaltonetworks.com).
  • Inspect record types – Excessive TXT records or unusual record types can signal tunnelling (paloaltonetworks.com).
  • Monitor DNS traffic volume – DNS tunnelling typically requires large numbers of queries to the same domain; high query rates with varied subdomains should raise suspicion (paloaltonetworks.com).
  • Track activity per client – Abnormally high DNS activity from a single endpoint can suggest beaconing or data exfiltration (paloaltonetworks.com).
  • Correlate domain history – Newly registered domains or domains communicating with internal hosts before appearing in public DNS may be malicious (paloaltonetworks.com).
  • Use statistical analysis tools – Measure label lengths, character entropy and meaningful substring ratios to detect anomalies (paloaltonetworks.com).
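As an added example (not code from the advisory or from any vendor product), the following Python applies several of the detection heuristics above, plus the repeated‑prefix TXT pattern listed under Process & Persistence Indicators, to a few constructed resolver log lines. The log format, the thresholds and the placeholder domain c2domain.test are assumptions made for this example.

```python
import math
import os
from collections import Counter, defaultdict

# Constructed sample resolver log (client_ip qtype qname); not from any real capture. The flagged
# queries mimic the <prepend><payload>.<id_hex>.<time_hex>.<domain> layout; c2domain.test is a placeholder.
SAMPLE_LOG = """\
10.0.0.5 A www.example.test
10.0.0.5 AAAA mail.example.test
10.0.0.9 TXT _dmarc.example.test
10.0.0.7 TXT ul44mg7a1f0c9e3b5d2c4e6f8a0b1c3d.3f8a1c2b.68a0b1c2.c2domain.test
10.0.0.7 TXT ul44mg9c0d2e4f6a8b1d3f5a7c9e1b3d.3f8a1c2b.68a0b1c3.c2domain.test
10.0.0.7 TXT ul44mgb2e4f6a8c0d1e3f5a7b9c1d3e5.3f8a1c2b.68a0b1c4.c2domain.test
10.0.0.7 TXT ul44mgd4f6a8c0e2b1f3a5c7e9b1d3f5.3f8a1c2b.68a0b1c5.c2domain.test
"""

# Thresholds are assumptions chosen for this example, not values taken from the advisory.
LONG_LABEL = 24      # benign labels are rarely this long; tunnelled chunks approach 60 chars
HIGH_ENTROPY = 3.5   # bits per character; hex/base32/base64 payload labels sit above this
MIN_QUERIES = 3      # flagged queries from one client to one domain before it is reported
PREFIX_LEN = 4       # a shared first-label prefix this long counts as a repeated marker

def shannon_entropy(text):
    """Shannon entropy in bits per character (0.0 for empty or single-symbol strings)."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())

def split_labels(qname):
    """Lower-cased labels of a query name, trailing dot removed."""
    return qname.rstrip(".").lower().split(".")

def base_domain(qname):
    """Registrable domain, approximated as the last two labels (assumption: no public-suffix list)."""
    return ".".join(split_labels(qname)[-2:])

def query_reasons(qtype, qname):
    """Return the tunnelling heuristics one query trips; an empty list means it looks benign."""
    reasons = []
    sub_labels = split_labels(qname)[:-2]
    if not sub_labels:
        return reasons
    first = sub_labels[0]
    if len(first) >= LONG_LABEL:
        reasons.append("long-label")
    if shannon_entropy(first) >= HIGH_ENTROPY:
        reasons.append("high-entropy")
    # TXT lookups of deep, ever-changing subdomains match the id/timestamp layout used by the implant
    if qtype.upper() == "TXT" and len(sub_labels) >= 3:
        reasons.append("txt-deep-subdomain")
    return reasons

def analyze(log_text):
    """Aggregate flagged queries per (client, base domain) and report pairs above MIN_QUERIES."""
    per_pair = defaultdict(lambda: {"queries": 0, "txt": 0, "first_labels": [], "reasons": set()})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines instead of crashing on them
        client, qtype, qname = parts
        reasons = query_reasons(qtype, qname)
        if not reasons:
            continue
        stats = per_pair[(client, base_domain(qname))]
        stats["queries"] += 1
        stats["txt"] += int(qtype.upper() == "TXT")
        stats["first_labels"].append(split_labels(qname)[0])
        stats["reasons"].update(reasons)
    findings = {}
    for key, stats in per_pair.items():
        if stats["queries"] < MIN_QUERIES:
            continue
        prefix = os.path.commonprefix(stats["first_labels"])  # repeated <prepend> marker
        if len(prefix) >= PREFIX_LEN:
            stats["reasons"].add("repeated-prefix:" + prefix)
        findings[key] = {"queries": stats["queries"], "txt": stats["txt"], "reasons": sorted(stats["reasons"])}
    return findings
```

Running analyze(SAMPLE_LOG) reports only the 10.0.0.7 to c2domain.test pair; the benign example.test lookups, including the legitimate _dmarc TXT query, trip none of the heuristics.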

Mitigation

  • Redirect queries through internal resolvers – Force endpoints to use enterprise DNS servers to centralise monitoring (paloaltonetworks.com).
  • Sinkhole malicious domains – When a domain is confirmed malicious, reroute it to a sinkhole to disrupt C2 communication (paloaltonetworks.com). Log follow‑up traffic to catch fallback attempts.
  • Enforce query size limits – Set thresholds on DNS label lengths; many tunnelling tools rely on oversized queries (paloaltonetworks.com).
  • Inspect and log DNS responses – Malicious payloads can hide in TXT or CNAME responses; logging responses helps spot encoded data (paloaltonetworks.com).
  • Use network detection and response (NDR) – Behavioural analytics can identify tunnelling based on deviations from baseline traffic (paloaltonetworks.com).
  • Block unknown record types – If your environment doesn’t require certain DNS record types, consider blocking them (paloaltonetworks.com).

Prevention

  • Deploy DNS security solutions – Use services that inspect DNS traffic for signs of tunnelling and integrate threat intelligence (paloaltonetworks.com).
  • Filter domain access by reputation – Block low‑reputation domains or those tied to C2 activities (paloaltonetworks.com).
  • Encrypt internal DNS with DoT/DoH – This secures legitimate DNS traffic and provides control over resolvers (paloaltonetworks.com).
  • Limit internet access – Restrict endpoints’ ability to query external DNS resolvers based on role or device type (paloaltonetworks.com).
  • Update endpoint controls – Many tunnelling tools rely on malware already present; preventing initial infections reduces downstream tunnelling (paloaltonetworks.com).
  • Educate users – Discourage installation of unapproved VPNs or consumer applications that may use DNS tunnelling (paloaltonetworks.com).

Hardening & Incident Response

  • Network segmentation – Separate sensitive networks from general user segments. Use strict firewall rules to limit lateral movement should an infection occur.
  • Regular patching – Keep operating systems and applications up to date. While MixShell uses social engineering rather than software vulnerabilities, unpatched systems may facilitate follow‑on exploitation.
  • Threat hunting – Conduct proactive hunts in DNS logs, PowerShell transcripts and memory dumps to identify signs of MixShell or similar backdoors. Leverage YARA rules to detect the ROR4 hashing routine.
  • Incident response plan – Prepare a plan for isolating infected hosts, rotating credentials and analysing network traffic. Because DNS tunnelling can exfiltrate data slowly, immediate containment is vital.

Risk Assessment

The threat score of 82 reflects a high‑risk campaign. Several factors contribute to this assessment:

  1. Sophisticated social engineering (weight 20 %) – The ZipLine campaign reverses the typical phishing flow by using contact forms and multi‑week conversations (malware.news). This patient approach can bypass email security and trick even vigilant employees.
  2. Stealth and persistence (weight 25 %) – MixShell operates entirely in memory, resolving APIs via hashing and encrypting its configuration (malware.news). The PowerShell variant adds anti‑analysis checks and scheduled tasks for persistence (malware.news).
  3. Covert command and control (weight 20 %) – DNS tunnelling is difficult to detect. According to Palo Alto Networks, DNS queries can be abused for data exfiltration, unauthorized access, C2 channels and network mapping (paloaltonetworks.com). MixShell’s fallback to HTTP increases reliability and complicates blocking.
  4. Targeted industries & potential impact (weight 20 %) – Supply‑chain‑critical sectors are high‑value targets. Compromise can result in intellectual‑property theft, production disruption, financial loss and possible downstream attacks.
  5. Uncertain attribution but possible cybercriminal motives (weight 10 %) – Overlaps with UNK_GreenSec infrastructure suggest experienced actors seeking financial gain (malware.news).
  6. Mitigation options (mitigating factor) – Although detection is challenging, organizations can implement behavioural EDR, DNS security solutions and robust user training to reduce risk.

Considering these factors, we assign a High risk rating. Organisations in the targeted sectors should treat MixShell as a serious threat and enhance their security posture accordingly.

Conclusion

The ZipLine/MixShell campaign illustrates the convergence of social engineering, fileless malware and DNS tunnelling. By hijacking the victim’s own contact form to initiate communication, the attackers bypass traditional phishing defences and build trust over weeks (malware.news). The eventual payload, MixShell, runs exclusively in memory, resolves system APIs via hashing and encrypts its configuration, thwarting signature‑based detection (malware.news). Its ability to communicate via DNS TXT records with HTTP fallback, combined with a wide range of commands and a reverse proxy, enables covert control and lateral movement (malware.news). The campaign targets high‑value industries in the U.S. supply chain and appears linked to a broader cybercriminal ecosystem (malware.news).

Defence against MixShell requires layered security. Organisations should verify inbound form submissions, train staff to recognise prolonged social engineering, and block suspicious file types. Behaviour‑based EDR, robust PowerShell logging and application whitelisting are essential to detect fileless malware (portnox.com). Network defenders must monitor DNS for tunnelling indicators, enforce query limits and sinkhole malicious domains (paloaltonetworks.com). Deploying DNS‑aware security solutions, restricting DoH/DoT and keeping endpoints patched further reduces the attack surface (paloaltonetworks.com). By combining vigilance, technical controls and incident response readiness, organisations can mitigate the risk posed by MixShell and similar in‑memory backdoors.

Sources

The Hacker News - MixShell Malware Delivered via Contact Forms Targets U.S. Supply Chain Manufacturers

IBM X-Force Exchange - ZipLine Campaign: A Sophisticated Phishing Attack Targeting US Companies