Hackers are using fake NDAs to hit US manufacturers in major new phishing scam

Hackers reach out to companies via a “Contact Us” website form
They then talk with the victims for weeks before deploying the malware
The hackers are attacking with custom-built backdoors

Cybercriminals are trying to deliver backdoor malware to US-based organizations by tricking them to sign fake non-disclosure agreements (NDA), experts have warned.

A new report from security researchers Check Point outlined how in the campaign, the miscreants pose as a US-based company, looking for partners, suppliers, and similar.

Often, they buy abandoned or dormant domains with legitimate business histories to appear authentic. After that, they reach out to potential victims, not via email (as is standard practice) but through their “Contact Us” forms or other communication channels provided on the website.

Dropping MixShell

When the victims get back to their inquiry, it’s usually via email, which opens the doors to deliver the malware.

However, the attackers don’t do it immediately. Instead, they build rapport with the victims, going back and forth for weeks until, at one point, they ask their victims to sign an attached NDA.

The archive contains a couple of documents, including clean PDF and DOCX files to throw the victims off, and a malicious .lnk file that triggers a PowerShell-based loader.

This loader ultimately deploys a backdoor called MixShell, which is a custom in-memory implant featuring a DNS based command and control (C2) and enhanced persistence mechanisms.

Check Point did not discuss the number of potential victims, but it did say that they are in the dozens, varying in size, geography, and industries.

The majority (around 80%) are located in the United States, with Singapore, Japan, and Switzerland, also having a notable number of victims. The companies are mostly in industrial manufacturing, hardware & semiconductors, consumer goods & services, and biotech & pharma.

“This distribution suggests that the attacker seeks entry points across wealthy operational and supply chain-critical industries instead of focusing on a specific vertical,” Check Point argues.

The researchers couldn’t confidently attribute the campaign to any known threat actor, but said that there is evidence pointing to the TransferLoader campaign, and a cybercriminal cluster tracked as UNK_GreenSec.