Bad actors are increasingly training their sights on trucking and logistics companies with an aim to infect them with remote monitoring and management (RMM) software for financial gain and ultimately steal cargo freight.
The threat cluster, believed to be active since at least June 2025 according to Proofpoint, is said to be collaborating with organized crime groups to break into entities in the surface transportation industry with the end goal of plundering physical goods. The most targeted commodities of the cyber-enabled heists are food and beverage products.
“The stolen cargo most likely is sold online or shipped overseas,” researchers Ole Villadsen and Selena Larson said in a report shared with The Hacker News. “In the observed campaigns, threat actors aim to infiltrate companies and use their fraudulent access to bid on real shipments of goods to ultimately steal them.”
The campaigns share similarities with a previous set of attacks disclosed in September 2024 that involved targeting transportation and logistics companies in North America with information stealers and remote access trojans (RATs) such as Lumma Stealer, StealC, or NetSupport RAT. However, there is no evidence to suggest that they are the work of the same threat actor.
In the current intrusion wave detected by Proofpoint, the unknown attackers have leveraged multiple methods, including compromised email accounts to hijack existing conversations, targeting asset-based carriers, freight brokerage firms, and integrated supply chain providers with spear-phishing emails, and posting fraudulent freight listings using hacked accounts on load boards.
“The actor posts fraudulent freight listings using compromised accounts on load boards and then sends emails containing malicious URLs to carriers who inquire about the loads,” it said. “This tactic exploits the trust and urgency inherent in freight negotiations.”
Needless to say, the malicious URLs embedded within the messages lead to booby-trapped MSI installers or executables that deploy legitimate RMM tools like ScreenConnect, SimpleHelp, PDQ Connect, Fleetdeck, N-able, and LogMeIn Resolve. In select instances, several of these programs are used together, with PDQ Connect being used to drop and install ScreenConnect and SimpleHelp.
Once remote access is obtained, the attackers move to conduct system and network reconnaissance, followed by dropping credential harvesting tools such as WebBrowserPassView to capture additional credentials and burrow deeper into the corporate network.
In at least one case, the threat actor is believed to have weaponized the access to delete existing bookings and block dispatcher notifications, and then added their own device to the dispatcher’s phone extension, booked loads under the compromised carrier’s name, and coordinated the transport.
The use of RMM software offers several advantages. First, it obviates the need for threat actors to devise bespoke malware. Second, it also allows them to fly under the radar, owing to the prevalence of such tools in enterprise environments, and are typically not flagged as malicious by security solutions.
“It’s fairly easy for threat actors to create and distribute attacker-owned remote monitoring tools, and because they are often used as legitimate pieces of software, end users might be less suspicious of installing RMMs than other remote access trojans,” Proofpoint noted back in March 2025. “Additionally, such tooling may evade anti-virus or network detection because the installers are often signed, legitimate payloads distributed maliciously.”
