Bad actors are increasingly focusing their attacks on trucking and logistics companies, aiming to infect their systems with remote monitoring and management (RMM) software to ultimately facilitate the theft of physical cargo freight.
Cyber-Enabled Cargo Theft
The threat cluster, which Proofpoint believes has been active since at least June 2025, is thought to be collaborating with organized crime groups to break into the surface transportation industry. The primary goal is to steal physical goods, with food and beverage products being the most targeted commodities in these cyber-enabled heists. Researchers Ole Villadsen and Selena Larson reported that the stolen cargo is most likely sold online or shipped overseas. The attackers infiltrate companies to fraudulently bid on real shipments of goods, which they then steal.
These campaigns share similarities with attacks disclosed in September 2024 that targeted North American transportation companies with information stealers and remote access Trojans (RATs) such as Lumma Stealer and NetSupport RAT, though there is no evidence that the same actors are responsible.

Intrusion Methods
In the current wave of intrusions, the unknown attackers use multiple methods. They hijack existing email conversations using compromised accounts, target asset-based carriers and freight brokerage firms with spear-phishing emails, and post fraudulent freight listings using hacked accounts on load boards.
The malicious emails contain URLs that lead to booby-trapped MSI installers or executables. These deploy legitimate RMM tools like ScreenConnect, SimpleHelp, PDQ Connect, and N-able. In some cases, multiple programs are used together, such as using PDQ Connect to drop and install ScreenConnect.
Once remote access is established, the attackers conduct system and network reconnaissance, followed by dropping credential harvesting tools like WebBrowserPassView to burrow deeper into the corporate network. In at least one documented case, the threat actor weaponized this access to delete existing bookings, block dispatcher notifications, book loads under the compromised carrier’s name, and coordinate the transport of the stolen goods.
The use of RMM software gives the attackers several advantages: it removes the need to create custom malware and allows them to operate under the radar, since these legitimate tools are common in enterprise environments and are typically not flagged as malicious by security solutions. Proofpoint noted that RMM installers are often signed and legitimate, which helps them evade antivirus or network detection.
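Because signed RMM installers pass signature-based checks, defenders are left with behavioural context: which RMM product the organisation actually sanctions, and what it spawns. The following is an added example (mine, not Proofpoint's or the article's): a small Python triage script that runs over constructed process-creation events and flags RMM installers outside a hypothetical allow-list, one RMM tool spawning another, and a credential-harvesting tool launched from an RMM session. Tool binary names, paths and the allow-list are assumptions.

```python
# Added example (not from the Proofpoint report): flag RMM-tool activity that does
# not match the organisation's sanctioned tooling, over constructed process events.
from dataclasses import dataclass
from typing import Optional

# RMM tools named in the campaign, keyed by a substring of the binary name.
RMM_TOOLS = {"screenconnect": "ScreenConnect", "simplehelp": "SimpleHelp",
             "pdq-connect": "PDQ Connect", "n-able": "N-able"}
CRED_TOOLS = {"webbrowserpassview"}   # credential harvester seen after access
APPROVED_RMM = {"N-able"}             # hypothetical allow-list for this company

@dataclass
class Event:
    host: str
    parent: str   # parent process image
    image: str    # executed image path
    signed: bool  # Authenticode signature present

def rmm_name(image: str) -> Optional[str]:
    low = image.lower()
    return next((n for k, n in RMM_TOOLS.items() if k in low), None)

def analyse(events) -> list:
    """Return one finding per suspicious event (empty list if clean)."""
    findings = []
    for ev in events:
        tool, parent_tool = rmm_name(ev.image), rmm_name(ev.parent)
        if tool and tool not in APPROVED_RMM:
            # Signed and legitimate, yet not the RMM this organisation uses.
            findings.append(f"{ev.host}: unapproved RMM {tool} ({ev.image}, signed={ev.signed})")
        if tool and parent_tool and parent_tool != tool:
            # One RMM tool installing another, as with PDQ Connect dropping ScreenConnect.
            findings.append(f"{ev.host}: RMM chaining {parent_tool} -> {tool}")
        if parent_tool and any(c in ev.image.lower() for c in CRED_TOOLS):
            findings.append(f"{ev.host}: credential tool {ev.image} spawned by {parent_tool}")
    return findings

# Constructed sample telemetry; binary names and paths are made up for the example.
SAMPLE = [
    Event("disp-01", "outlook.exe", r"C:\Users\j\Downloads\loadconfirm.msi", True),
    Event("disp-01", "msiexec.exe", r"C:\ProgramData\PDQ-Connect\pdq-connect-agent.exe", True),
    Event("disp-01", "pdq-connect-agent.exe", r"C:\Temp\ScreenConnect.ClientSetup.exe", True),
    Event("disp-01", "screenconnect-client.exe", r"C:\Temp\WebBrowserPassView.exe", False),
    Event("srv-02", "services.exe", r"C:\Program Files\N-able\agent.exe", True),
]

if __name__ == "__main__":
    for line in analyse(SAMPLE):
        print(line)
```

The N-able agent on srv-02 produces no finding because it is the sanctioned product; the same logic run against a real EDR export only needs the allow-list and the event field mapping changed.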