
Hackers use fake NDAs to deliver malware to US manufacturers

Hackers are targeting American industrial and tech firms by abusing their “Contact Us” forms to deliver malware disguised as non-disclosure agreement files, researchers said.

Unlike traditional phishing campaigns where attackers send malicious emails, the hackers behind these attacks first contacted victims through companies’ website forms, making the exchanges appear more credible, according to cybersecurity firm Check Point.

The hackers maintain the conversation for up to two weeks, posing as potential business partners and asking victims to sign non-disclosure agreements. Eventually, they send a contract as a ZIP archive hosted on Heroku, a legitimate cloud platform; the archive contains custom malware dubbed MixShell.

“The long-term engagement with the victim suggests that the attacker is willing to invest time … possibly tailoring their efforts based on perceived value or ease of compromise,” researchers said in a report on Tuesday.

Most of the victims are U.S. companies, including industrial manufacturers like machinery, metalwork and component producers. The campaign has also gone after firms in hardware, semiconductors, biotech, pharmaceuticals, aerospace, energy, and consumer goods. Some companies in Singapore, Japan, and Switzerland have been targeted as well.

Check Point said not all ZIP archives were malicious, with some containing harmless documents, suggesting the real malware may have been selectively delivered from the Heroku site depending on a victim’s IP address, browser or other details.

To make the campaign more credible, the attackers used domains tied to real U.S.-registered businesses, some dating back to 2015. In reality, the websites were fake and all copied from the same template, with “About Us” pages showing a stock photo of White House butlers presented as company founders. By using long-established domains, researchers said, the attackers were able to slip past security filters.

Check Point has not attributed the campaign to a specific threat actor but found that one of the servers used in the operation overlapped with infrastructure tied to a little-known cluster called UNK_GreenSec, which has previously shown links to Russia-aligned cybercriminals. The firm suggests the operation may be financially motivated.

Daryna Antoniuk

is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.