Full Report
Bad actors are increasingly training their sights on trucking and logistics companies with an aim to infect them with remote monitoring and management (RMM) software for financial gain and ultimately steal cargo freight. The threat cluster, believed to be active since at least June 2025 according to Proofpoint, is said to be collaborating with organized crime groups to break into entities in the
Analysis Summary
# Threat Actor: Unknown Threat Cluster Targeting Logistics/Freight
## Attribution & Identity
Attribution is currently **Unknown**. The cluster is believed to be active since at least **June 2025** according to Proofpoint. The threat actor is noted to be **collaborating with organized crime groups**.
## Activity Summary
The threat cluster specifically targets the **trucking and logistics/surface transportation industry**. Its primary objective is financial gain, realized through the **theft of cargo freight**, particularly **food and beverage products**, which is reportedly sold online or shipped overseas. The actors use the access gained through the RMM implants to bid on real shipments under the victim's identity. In one observed case, the actor deleted existing bookings, blocked dispatcher notifications, added their own device to the dispatcher's phone extension, and coordinated the transport of the stolen loads.
## Tactics, Techniques & Procedures
- **Initial Access:** Compromised email accounts to hijack existing conversations; Spear-phishing emails targeting asset-based carriers, freight brokerage firms, and integrated supply chain providers.
- **Delivery Method:** Posting fraudulent freight listings on load boards and emailing malicious URLs to inquiring carriers.
- **Malicious Payloads:** Malicious URLs lead to MSI installers or executables that deploy legitimate Remote Monitoring and Management (RMM) tools.
- **Post-Exploitation:** System and network reconnaissance.
- **Credential Access:** Dropping credential harvesting tools like WebBrowserPassView to capture additional credentials.
- **Operational Execution:** Weaponizing RMM access to manipulate bookings and coordinate logistics, effectively stealing the freight.
- **Evasion:** Using legitimate, often signed, RMM software to evade traditional security solutions (AV/network detection).
## Targeting
- Sectors: Trucking, Logistics, Surface Transportation, Freight Brokerage, Integrated Supply Chain Providers.
- Geography: Not stated explicitly. The stolen freight being shipped overseas implies international reach, while the reference to past campaigns in the region suggests North American carriers and brokers are among the initial targets.
- Victims: Asset-based carriers, freight brokerage firms.
## Tools & Infrastructure
- **RMM Tools Used:** ScreenConnect, SimpleHelp, PDQ Connect, Fleetdeck, N-able, and LogMeIn Resolve. (Note: In some cases, multiple RMMs were used concurrently, e.g., PDQ Connect dropping ScreenConnect and SimpleHelp).
- **Credential Harvesting Tools:** WebBrowserPassView.
- **Infrastructure:** Malicious URLs embedded in phishing emails leading to RMM installers. The posting of fraudulent listings on load boards implies the actors hold accounts on those platforms, most likely compromised ones.
## Implications
This threat cluster represents a direct link between cyber intrusion and physical asset theft. The reliance on legitimate RMM software provides a significant stealth advantage, bypassing signature-based defenses. Their collaboration with organized crime highlights a mature, financially motivated operation focused on high-value tangible goods (food/beverage).
## Mitigations
- Scrutinize emails containing URLs, especially those tied to urgent freight negotiations or load listings; the link itself looks ordinary, and it is the destination (an RMM installer) that makes the message malicious.
- Implement robust email security to detect spear-phishing attempts leveraging compromised accounts.
- Monitor for and alert on the installation and execution of RMM software (ScreenConnect, SimpleHelp, PDQ Connect, Fleetdeck, N-able, LogMeIn Resolve) that is not approved by IT, including cases where one RMM deploys another, as the signed binaries themselves will not trip signature-based controls.
- Review and secure accounts used on load boards against fraudulent listing creation.
- Enhance network monitoring to detect post-compromise activities like system reconnaissance and the execution of credential harvesting tools (e.g., WebBrowserPassView).
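The last three mitigations amount to a detection problem on process-creation telemetry: an RMM agent that IT did not deploy, an RMM installer launched from a user's Downloads folder, several RMMs appearing on one host, and a credential dumper such as WebBrowserPassView. The following is an added example of that logic, not code from the original page or from Proofpoint. The log format, hostnames, users, paths, the keyword lists for each product and the IT allowlist are all assumptions made for illustration; the sample records are constructed.

```python
"""
Detection sketch for the RMM-abuse pattern described above, run over
constructed process-creation records. Added example; field names,
hosts, users, paths and the allowlist are assumptions.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Product-name keywords for the RMM tools named in the report. Matching on
# product names in the image path or command line is a heuristic: it catches
# default installs, not renamed or repackaged agents. Assumed; tune locally.
RMM_KEYWORDS = {
    "ScreenConnect": ("screenconnect",),
    "SimpleHelp": ("simplehelp", "jwrapper-remote access"),
    "PDQ Connect": ("pdq-connect", "pdq connect"),
    "FleetDeck": ("fleetdeck",),
    "N-able": ("n-able",),
    "LogMeIn Resolve": ("logmein", "goto resolve", "gotoresolve"),
}
# Credential-harvesting tool named in the report.
CRED_TOOL_KEYWORDS = {"WebBrowserPassView": ("webbrowserpassview",)}

# RMM approved by IT in this (assumed) environment; anything else is suspect.
APPROVED_RMM = {"N-able"}

# Binary or installer path under a user-writable location, which is what the
# report's delivery chain (emailed URL -> MSI/EXE) produces on the endpoint.
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(downloads|appdata\\local\\temp)\\", re.I)


@dataclass(frozen=True)
class Finding:
    host: str
    kind: str
    detail: str


def parse_event(line: str) -> dict:
    """Parse one constructed key="value" process-creation record."""
    return dict(re.findall(r'(\w+)="([^"]*)"', line))


def _match(keywords: dict, text: str) -> set:
    return {name for name, kws in keywords.items() if any(k in text for k in kws)}


def analyze(lines, approved_rmm=APPROVED_RMM):
    """Return sorted, de-duplicated findings for a batch of process events."""
    findings = set()
    unapproved_per_host = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        if not ev:
            continue
        host = ev.get("host", "?")
        text = f'{ev.get("image", "")} {ev.get("cmdline", "")}'
        rmm = _match(RMM_KEYWORDS, text.lower())
        unapproved = rmm - set(approved_rmm)
        unapproved_per_host[host] |= unapproved
        for product in unapproved:
            findings.add(Finding(host, "unapproved_rmm", product))
        # An RMM run or installed from Downloads/Temp is the delivery step, not
        # an IT deployment, whatever the allowlist says about the product.
        if rmm and USER_WRITABLE.search(text):
            findings.add(Finding(host, "rmm_install_from_user_path", ", ".join(sorted(rmm))))
        for tool in _match(CRED_TOOL_KEYWORDS, text.lower()):
            findings.add(Finding(host, "credential_tool", tool))
    # Two or more unapproved RMMs on one host: the concurrent-RMM pattern the
    # report notes (e.g. PDQ Connect dropping ScreenConnect and SimpleHelp).
    for host, products in unapproved_per_host.items():
        if len(products) >= 2:
            findings.add(Finding(host, "multiple_rmm", ", ".join(sorted(products))))
    return sorted(findings, key=lambda f: (f.host, f.kind, f.detail))


# Constructed telemetry (not real logs), loosely modelled on the fields of a
# Sysmon Event ID 1 / Windows 4688 process-creation record.
SAMPLE_LOG = [
    'ts="2025-10-02T14:03:11Z" host="DISPATCH-07" user="ACME\\jdoe" image="C:\\Windows\\System32\\msiexec.exe" cmdline="msiexec.exe /i C:\\Users\\jdoe\\Downloads\\LoadDetails_PDQ-Connect.msi /qn"',
    'ts="2025-10-02T14:03:40Z" host="DISPATCH-07" user="NT AUTHORITY\\SYSTEM" image="C:\\Program Files\\PDQ\\PDQConnectAgent\\pdq-connect-agent.exe" cmdline="pdq-connect-agent.exe"',
    'ts="2025-10-02T14:05:02Z" host="DISPATCH-07" user="NT AUTHORITY\\SYSTEM" image="C:\\Program Files (x86)\\ScreenConnect Client (a1b2c3d4)\\ScreenConnect.ClientService.exe" cmdline="ScreenConnect.ClientService.exe"',
    'ts="2025-10-02T14:06:15Z" host="DISPATCH-07" user="ACME\\jdoe" image="C:\\Users\\jdoe\\AppData\\Local\\Temp\\WebBrowserPassView.exe" cmdline="WebBrowserPassView.exe /stext creds.txt"',
    'ts="2025-10-02T14:07:00Z" host="FILESRV-01" user="NT AUTHORITY\\SYSTEM" image="C:\\Program Files (x86)\\N-able Technologies\\Windows Agent\\bin\\agent.exe" cmdline="agent.exe"',
    'ts="2025-10-02T14:08:30Z" host="FILESRV-01" user="ACME\\msmith" image="C:\\Windows\\System32\\notepad.exe" cmdline="notepad.exe rate_confirmation.txt"',
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.host:12} {f.kind:28} {f.detail}")
```

Run against the constructed records, the approved N-able agent on FILESRV-01 produces nothing, while DISPATCH-07 yields five findings: two unapproved RMMs, the PDQ Connect MSI launched from Downloads, WebBrowserPassView, and the cross-event `multiple_rmm` correlation. That last rule is the one worth keeping even after tuning the keywords: a single unfamiliar RMM may be a contractor, but two on the same dispatcher workstation in a few minutes matches the chain the report describes.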