MixShell in-memory implant delivered via malicious .lnk files
Malware Activity
Summary
MixShell is being delivered through a malicious .lnk shortcut, giving the payload a stealthy path into targeted organizations and making detection harder. The implant runs in memory, establishes command-and-control and persistence, and survives reboots by reactivating itself. That combination raises the risk of a long-lived compromise once a user opens the weaponized archive.
Related Happenings
SleepyDuck malicious Open VSX extension
Malware Activity
First: 03.11.2025 20:08
Last: 03.11.2025 20:08
Sources 1
About this happening:
A malicious **Open VSX** extension named **juan-bianco.solidity-vlang** was updated to deliver the **SleepyDuck** remote access trojan, putting **Solidity developers** at risk of...
Timeline
- 27.08.2025 23:35 · 1 article
ZipLine disclosure of MixShell delivery via malicious .lnk
Initial Disclosure: Check Point describes a financially motivated phishing campaign tracked as ZipLine in which target organizations are lured through Contact Us forms, drawn into long email exchanges, and finally sent a weaponized zip file containing a malicious .lnk shortcut. Opening the shortcut launches PowerShell, which extracts a hidden script from the archive and deploys MixShell in memory with command-and-control and registry-based persistence. The campaign uses abandoned or dormant domains and has reached dozens of organizations across manufacturing and other industries.
Sources
- 'ZipLine' Phishers Flip Script as Victims Email First — www.darkreading.com — 27.08.2025 23:35