Malicious actors exploit "Contact Us" pages and fraudulent Non-Disclosure Agreements to carry out phishing scams targeting industrial manufacturing companies.
In a recent cybersecurity development, a sophisticated phishing campaign has been uncovered, targeting companies across multiple sectors worldwide. The campaign, which has been active since August 6, 2025, has particularly affected numerous organizations in the United States, with over 80% of identified targets based there.
The emails, posing as an 'AI Impact Assessment', are designed to lure recipients into reviewing a short questionnaire about their team's workflows. They are disguised as internal initiatives for AI-driven operational changes, adding a sense of legitimacy to the communications.
The campaign has not spared companies in Singapore, Japan, and Switzerland, with organizations in these countries also receiving the malicious emails. The attackers have shown a long-term engagement strategy, engaging in multi-week conversations with victims regardless of company size.
The malicious ZIP archive delivered in these emails contains a PowerShell script, with the ultimate goal of installing a custom in-memory implant/backdoor called "MixShell". This malware uses DNS TXT tunneling with HTTP fallback for Command and Control (C2) communications.
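MixShell's use of DNS TXT records as a command-and-control channel leaves a characteristic footprint in resolver logs: one client issuing a burst of TXT queries whose leftmost labels are long, high-entropy encoded chunks under a single zone. The following detection sketch is an added example, not code from the article or from the researchers who reported the campaign. It assumes a constructed, tab-separated DNS query log (timestamp, client, query type, query name), approximates the "zone" as the last two labels of the name (a production version would use the public suffix list), and uses illustrative thresholds for query count and label entropy.

```python
import math
from collections import defaultdict

# Constructed sample DNS query log, tab-separated: timestamp, client IP, qtype, query name.
# The records for 10.0.0.7 mimic a TXT tunnel: long, high-entropy leftmost labels under one zone.
# All names use the reserved .test TLD; nothing here refers to a real domain.
SAMPLE_DNS_LOG = """\
1755500000\t10.0.0.5\tA\twww.example.test
1755500001\t10.0.0.5\tTXT\t_dmarc.example.test
1755500002\t10.0.0.7\tTXT\tk3q9zv2m8xw1bp4r.update.c2-placeholder.test
1755500003\t10.0.0.7\tTXT\t7h2fd9qz1lmx0c5v.update.c2-placeholder.test
1755500004\t10.0.0.7\tTXT\tp8wb3nxy6vq2kz9t.update.c2-placeholder.test
1755500005\t10.0.0.7\tTXT\tz1m5vc8rq4xt0b7k.update.c2-placeholder.test
1755500006\t10.0.0.7\tTXT\tn6xq2wz9kp3vb8rm.update.c2-placeholder.test
1755500007\t10.0.0.7\tTXT\tc4rz7mx1qb9vk2pw.update.c2-placeholder.test
1755500008\t10.0.0.9\tA\tmail.example.test
1755500009\t10.0.0.9\tTXT\tselector1._domainkey.example.test
"""


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character; encoded payload chunks score high, words score low."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    length = len(text)
    return -sum((c / length) * math.log2(c / length) for c in counts.values())


def parse_dns_line(line: str):
    """Parse one constructed log line into a record, or return None if malformed."""
    parts = line.strip().split("\t")
    if len(parts) != 4:
        return None
    ts, client, qtype, name = parts
    name = name.lower().rstrip(".")
    labels = name.split(".")
    # Assumption: the "zone" is the last two labels; real tooling should use the public suffix list.
    zone = ".".join(labels[-2:])
    leftmost = labels[0] if len(labels) > 2 else ""
    return {"ts": ts, "client": client, "qtype": qtype.upper(), "name": name,
            "zone": zone, "label": leftmost}


def flag_txt_tunneling(log_text: str, min_queries: int = 5, min_entropy: float = 3.5):
    """Return (client, zone) pairs whose TXT query volume and label entropy look like a tunnel.

    Thresholds are illustrative; tune them against your own baseline of legitimate TXT
    lookups (SPF, DKIM, DMARC and similar verification records are low-volume and low-entropy).
    """
    stats = defaultdict(lambda: {"count": 0, "entropy_sum": 0.0})
    for line in log_text.splitlines():
        rec = parse_dns_line(line)
        if rec is None or rec["qtype"] != "TXT":
            continue
        bucket = stats[(rec["client"], rec["zone"])]
        bucket["count"] += 1
        bucket["entropy_sum"] += shannon_entropy(rec["label"])

    findings = []
    for (client, zone), s in stats.items():
        mean_entropy = s["entropy_sum"] / s["count"]
        if s["count"] >= min_queries and mean_entropy >= min_entropy:
            findings.append({"client": client, "zone": zone,
                             "txt_queries": s["count"],
                             "mean_label_entropy": round(mean_entropy, 2)})
    return sorted(findings, key=lambda f: -f["txt_queries"])


if __name__ == "__main__":
    for finding in flag_txt_tunneling(SAMPLE_DNS_LOG):
        print(f"suspect TXT tunnel: client={finding['client']} zone={finding['zone']} "
              f"queries={finding['txt_queries']} entropy={finding['mean_label_entropy']}")
```

Run as-is, the script flags only the 10.0.0.7 / c2-placeholder.test pair; the DMARC and DKIM lookups from the other clients fall under both thresholds. Because the article notes an HTTP fallback channel, the same client should also be checked for periodic outbound HTTP connections to the flagged zone once a DNS hit is confirmed.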
The attackers have been meticulous in their approach, using the "Contact Us" form on target companies' websites to initiate email correspondence. They have also been known to request Non-Disclosure Agreements (NDAs) and to suggest that the company's leadership has requested the recipient's personal input, implying that their opinion will influence upcoming decisions.
Interestingly, many of the domains used by the attackers match the names of U.S.-registered LLCs, suggesting a level of sophistication in their operations. The domains, originally registered more than five years ago, have clean reputations and legitimate business histories, further adding to their credibility.
The phishing campaign is believed to be financially motivated, with the attackers spending significant time on credible, professional conversations and even requesting NDAs to maintain a veil of legitimacy. The delivered malware, MixShell, is a potent tool that could lead to significant financial losses for affected organizations.
While specific company names in the affected countries have not been detailed in the available sources, it is crucial for all organizations to remain vigilant and ensure their cybersecurity measures are up-to-date to protect against such threats.