MixShell
MixShell is a custom, stealthy in-memory backdoor/shellcode implant associated with the ZipLine campaign and with later Russia-attributed fake-NDA lure activity that reporting links to UNK_GreenSec. It has been used against supply-chain-critical industries, especially U.S.-based manufacturing organizations, with additional victims reported in Singapore, Japan, Switzerland, and later in Europe, including the UK, Poland, Italy, and the Czech Republic.

Delivery observed in ZipLine relied on social engineering: initial contact through victims' public contact forms, prolonged business-themed conversations, and fake NDA or assessment-themed lures that led victims to download malicious ZIP archives, often hosted on herokuapp.com. The ZIPs contained lure documents and a malicious LNK that launched a PowerShell loader. The loader searched for the original ZIP, extracted an embedded script from the ZIP's binary data after a hardcoded marker, performed an AMSI bypass, copied files into ProgramData, opened a lure document, established persistence via COM TypeLib hijacking, and executed MixShell in memory. A PowerShell-based MixShell variant was also reported; it added anti-debugging and sandbox checks, used scheduled-task persistence, and executed via conhost.exe.

MixShell resolves Windows APIs using a custom ROR4 hashing algorithm, stores its configuration after the shellcode body as hex-encoded/XOR-encrypted values, creates a mutex that also serves as a C2 identifier, and primarily uses DNS TXT tunneling for command and control, falling back to HTTP after repeated DNS failures. Reported capabilities include command execution, file operations, pipe-based interactive sessions, reverse proxying, and persistence. Tactical overlaps reported between MixShell/ZipLine activity and later PowMix activity include ZIP-based payload concealment, Windows scheduled-task persistence, CRC32-based bot ID generation, and abuse of herokuapp.com for C2 infrastructure.
Associated infrastructure in reporting included herokuapp-hosted payload delivery and domains such as tollcrm[.]com, humcrm[.]com, vnrsales[.]com, atriocrm[.]com, and zappiercrm[.]com, with 172.210.58[.]69 identified as an infrastructure node.
Groups observed using it
2 distinct threat actors attributed by public researchers.
UNK_GreenSec NDA lures (Aug 2025) -- Russia-attributed campaign using fake NDA documents to deliver the MixShell backdoor.
"The tooling also appears to have evolved into newer iterations of MixShell..."
Techniques & procedures
4 distinct techniques documented for this family, organized by ATT&CK tactic.
Execution (2 techniques)
This campaign shares tactical overlaps with the older ZipLine campaign... including... Windows-scheduled task persistence... PowMix names the scheduled task by concatenating the Bot ID and Configuration file hash.
In the current campaign, the PowMix botnet payload is delivered via an LNK-triggered PowerShell loader that extracts it from a ZIP archive data blob, bypasses AMSI, and executes the decrypted script directly in memory.
Persistence (1 technique)
Privilege Escalation (1 technique)
Stealth (1 technique)
The script parses the malicious ZIP file to locate a specific hardcoded marker, such as zAswKoK. This marker is treated as a delimiter, enabling the extraction of a hidden, encoded command embedded within the ZIP file data blob.
Collection (1 technique)
This campaign shares tactical overlaps with the older ZipLine campaign... including identical ZIP-based payload concealment.
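The ZIP-based concealment described in the overview and in the Stealth technique above (an encoded script located after a hardcoded marker such as zAswKoK inside the archive bytes) is something a mail gateway or sandbox can check for. The following is an added example and not code from the page or from any vendor: it searches an archive's raw bytes for a known marker, reports what follows it, and also flags any bytes after the end-of-central-directory record, which archivers ignore and which is one place such a blob can sit. The marker list, the hex heuristic, and the constructed sample archive are assumptions for illustration.

```python
import io
import struct
import zipfile

MARKERS = [b"zAswKoK"]  # delimiter reported for the ZipLine loader (from the page)
EOCD_SIG = b"PK\x05\x06"
EOCD_LEN = 22  # fixed part of the end-of-central-directory (EOCD) record
HEX = b"0123456789abcdefABCDEF"

def eocd_offset(data: bytes) -> int:
    """Find the real EOCD record: its central-directory offset plus size must land
    exactly on the record, which a stray signature inside appended data will not."""
    pos = data.rfind(EOCD_SIG)
    while pos >= 0:
        if pos + EOCD_LEN <= len(data):
            cd_size, cd_off = struct.unpack_from("<II", data, pos + 12)
            if cd_off + cd_size == pos:
                return pos
        pos = data.rfind(EOCD_SIG, 0, pos)
    raise ValueError("not a ZIP archive: no consistent EOCD record")

def trailing_start(data: bytes) -> int:
    """First byte after the EOCD record and its comment; archivers ignore what follows."""
    pos = eocd_offset(data)
    comment_len = struct.unpack_from("<H", data, pos + 20)[0]
    return pos + EOCD_LEN + comment_len

def scan_zip(data: bytes, markers=MARKERS) -> dict:
    """Search the raw archive bytes for a known marker and describe what follows it."""
    tail = trailing_start(data)
    report = {"appended_bytes": len(data) - tail, "marker": None,
              "payload_len": 0, "in_trailing": False, "hex_payload": False}
    for m in markers:
        idx = data.find(m)
        if idx < 0:
            continue
        payload = data[idx + len(m):].strip()
        report.update(marker=m.decode(), payload_len=len(payload), in_trailing=idx >= tail)
        # the embedded script is described as encoded; a pure hex run is one cheap signal
        report["hex_payload"] = bool(payload) and all(c in HEX for c in payload)
        break
    return report

def build_sample(appended: bytes = b"") -> bytes:
    """Constructed sample: a benign one-file archive, optionally with bytes appended."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("NDA_draft.docx", b"placeholder lure document (constructed)")
    return buf.getvalue() + appended
```

A clean archive reports no appended bytes and no marker, while an archive with a marker and a hex run appended after its EOCD record is reported with both in_trailing and hex_payload set.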
Recent activity
9 sources tracked across advisories, community write-ups, and news.
Malware previously deployed in the ZipLine campaign and referenced here due to tactical overlaps with PowMix, including ZIP-based concealment, scheduled task persistence, CRC32-based bot ID generation, and Heroku-based C2 abuse.
Referenced as the backdoor payload used in a separate Russia-attributed fake-NDA campaign.
Referenced as a different payload family delivered via fake NDA lures in a separate campaign.
Evolving tooling used in the ZipLine phishing campaign; uses herokuapp domains for C2.