Attachment: Malicious zip file matching zipline campaign

Detects inbound ZIP attachments containing content that matches observed artifacts from a ZipLine campaign reported on by Telekom Security.

Sublime rule (View on GitHub)

name: "Attachment: Malicious zip file matching zipline campaign"
description: "Detects inbound ZIP attachments containing content that matches observed artifacts from a ZipLine campaign reported on by Telekom Security."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and any(filter(attachments, .file_type == "zip"),
          any(file.explode(.),
              any(.scan.yara.matches, .name in ("zipline_delivery_telekom"))
          )
  )
attack_types:
  - "Malware/Ransomware"
tactics_and_techniques:
  - "LNK"
detection_methods:
  - "Archive analysis"
  - "YARA"
  - "Content analysis"
  - "Threat intelligence"
id: "ca3e4844-2c3a-50de-86f0-f5ddee14524b"
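The rule's logic (inbound message, any ZIP attachment, explode it, any exploded file with a YARA match named zipline_delivery_telekom) restated as standalone Python, added here as an illustration rather than Sublime's own implementation. The nested-ZIP sample, the depth and size caps, and the stub_scan stand-in for the YARA scan are all assumptions; the body of the zipline_delivery_telekom YARA rule is not on this page.

```python
import io
import zipfile
from typing import Callable, Iterator, List, Tuple

MAX_DEPTH = 3                        # stop recursing into nested archives past this depth
MAX_MEMBER_BYTES = 10 * 1024 * 1024  # skip oversized members (zip-bomb guard)

def explode(data: bytes, name: str, depth: int = 0) -> Iterator[Tuple[str, bytes]]:
    """Yield (path, content) for each file in a ZIP, recursing into nested ZIPs (like file.explode)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir() or info.file_size > MAX_MEMBER_BYTES:
                continue
            path, content = f"{name}/{info.filename}", zf.read(info)
            if depth < MAX_DEPTH and zipfile.is_zipfile(io.BytesIO(content)):
                yield from explode(content, path, depth + 1)
            else:
                yield path, content

Scanner = Callable[[bytes], List[str]]  # returns names of matching YARA rules

def message_matches(msg: dict, scan: Scanner, rule_name: str = "zipline_delivery_telekom") -> bool:
    """Mirror the rule: inbound AND any zip attachment AND any exploded file matching rule_name."""
    if msg.get("direction") != "inbound":
        return False
    for att in msg.get("attachments", []):
        if att.get("file_type") != "zip":
            continue
        for _path, content in explode(att["content"], att["file_name"]):
            if rule_name in scan(content):
                return True
    return False

def _zip_bytes(files: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for fname, data in files.items():
            zf.writestr(fname, data)
    return buf.getvalue()

# Constructed sample: a ZIP nested inside a ZIP, carrying a .lnk member.
INNER = _zip_bytes({"invoice.lnk": b"LNK-PLACEHOLDER"})
OUTER = _zip_bytes({"docs.zip": INNER, "readme.txt": b"hello"})

def stub_scan(content: bytes) -> List[str]:
    # Stand-in for YARA: the real zipline_delivery_telekom rule body is not on the page.
    return ["zipline_delivery_telekom"] if b"LNK-PLACEHOLDER" in content else []

SAMPLE = {"direction": "inbound", "attachments": [{"file_type": "zip", "file_name": "docs.zip", "content": OUTER}]}
```

Swap stub_scan for a real yara-python match call to run it against actual attachments; the explode step is what gives the rule visibility into archives nested inside the delivered ZIP.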