Crooks exploit RMM software to hijack trucking firms and steal cargo
Hackers target trucking firms with RMM tools to steal freight, teaming with organized crime to loot goods, mainly food and beverages.
Cybercriminals are targeting trucking and logistics firms with RMM tools (remote monitoring and management software) to steal freight. Active since June 2025, the group works with organized crime to loot goods, mainly food and beverages.
Crooks infiltrate logistics firms, hijack cargo bids, and steal goods, fueling the rise of cyber-enabled freight theft.
“Proofpoint is tracking a cluster of cybercriminal activity that targets trucking and logistics companies and infects them with RMM tooling for financial gain.” reads the report published by Proofpoint. “Based on our ongoing investigations paired with open-source information, Proofpoint assesses with high confidence that the threat actors are working with organized crime groups to compromise entities in the surface transportation industry — in particular trucking carriers and freight brokers — to hijack cargo freight, leading to the theft of physical goods. The stolen cargo most likely is sold online or shipped overseas.”
The researchers warn that these crimes can disrupt supply chains and cost companies millions.
Cargo theft causes about $34 billion in annual losses, and much of it is driven by organized crime groups. Proofpoint reports cyber-enabled cargo theft schemes that abuse transport systems to steal goods, particularly in hotspots such as Brazil, Mexico, the U.S., Germany, and India. The attackers combine social engineering with gaps in digitized supply-chain workflows: after hijacking broker accounts they post fake freight loads, which lets them divert shipments without ever being near the truck.
Since at least January 2025, a threat cluster targeting trucking and logistics companies has used RMM and remote access tools, including ScreenConnect, SimpleHelp, PDQ Connect, Fleetdeck, N-able, and LogMeIn Resolve, to gain initial access, perform system reconnaissance, harvest credentials, and maintain persistent control. PDQ Connect has been observed being used to push additional RMMs, so several tools end up running in tandem on one host. Related campaigns date back to 2024 with DanaBot, NetSupport, Lumma Stealer, and StealC, suggesting a broader operational timeline.
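The practical consequence of that tooling list is that an RMM agent the IT department did not install, or two RMM agents on the same machine, is itself an indicator. The script below is an added illustration (not code from Proofpoint or from this article) that audits a software inventory for the six products named above and reports hosts with an unsanctioned RMM or with several RMMs stacked. The inventory lines, hostnames and the sanctioned-tool allowlist are constructed for the example; the keyword lists also include the alternate brand names ConnectWise Control (ScreenConnect) and GoTo Resolve (LogMeIn Resolve).

```python
"""Flag unsanctioned or stacked RMM agents in a software inventory.

Added example, not Proofpoint's or the article's code. The inventory
(hostname, installed-program display name) and the allowlist are constructed.
"""
from collections import defaultdict

# Product keywords for the RMM tools named in the report, matched
# case-insensitively against installed-software display names.
RMM_PRODUCTS = {
    "ScreenConnect": ("screenconnect", "connectwise control"),
    "SimpleHelp": ("simplehelp",),
    "PDQ Connect": ("pdq connect",),
    "Fleetdeck": ("fleetdeck",),
    "N-able": ("n-able", "nable"),
    "LogMeIn Resolve": ("logmein resolve", "goto resolve"),
}


def classify_rmm(display_name):
    """Return the RMM product a display name belongs to, or None."""
    lowered = display_name.lower()
    for product, keywords in RMM_PRODUCTS.items():
        if any(k in lowered for k in keywords):
            return product
    return None


def audit_inventory(inventory, sanctioned):
    """inventory: iterable of (host, display_name); sanctioned: set of product names.

    Returns {host: {"rmm": [...], "unsanctioned": [...], "stacked": bool}}
    for every host on which at least one RMM product was found.
    """
    found = defaultdict(set)
    for host, name in inventory:
        product = classify_rmm(name)
        if product:
            found[host].add(product)
    return {
        host: {
            "rmm": sorted(products),
            "unsanctioned": sorted(products - sanctioned),
            "stacked": len(products) > 1,   # several RMMs on one host
        }
        for host, products in found.items()
    }


def suspicious_hosts(report):
    """Hosts with an unsanctioned RMM or more than one RMM agent."""
    return sorted(h for h, r in report.items() if r["unsanctioned"] or r["stacked"])


# Assumed: the organisation's own IT team manages endpoints with N-able only.
SANCTIONED = {"N-able"}

# Constructed inventory; the ScreenConnect instance id is made up.
SAMPLE_INVENTORY = [
    ("DISPATCH-01", "Microsoft Office Professional Plus 2021"),
    ("DISPATCH-01", "ScreenConnect Client (a1b2c3d4e5f6g7h8)"),
    ("DISPATCH-01", "PDQ Connect Agent"),
    ("DISPATCH-02", "N-able Agent"),
    ("BROKER-07", "SimpleHelp Remote Access"),
    ("BROKER-07", "Fleetdeck Agent"),
    ("BROKER-07", "N-able Agent"),
]

if __name__ == "__main__":
    report = audit_inventory(SAMPLE_INVENTORY, SANCTIONED)
    for host in suspicious_hosts(report):
        r = report[host]
        print(f"{host}: rmm={r['rmm']} unsanctioned={r['unsanctioned']} stacked={r['stacked']}")
```

Feed it the output of your endpoint inventory (installed programs, running services, or signed-binary telemetry) and treat every host it lists as a triage lead, not a verdict: a legitimate MSP handover can also leave two agents behind, so confirm against change records before pulling the machine.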
Using compromised load boards, email thread hijacking, and direct email campaigns, the actors deliver malicious URLs that lead to executables or MSI files which install an RMM, giving them full control of the machine.
“The threat cluster has employed three tactics to deliver RMM tools,” continues the report published by Proofpoint.
- Compromising load boards. The actor posts fraudulent freight listings using compromised accounts on load boards and then sends emails containing malicious URLs to carriers who inquire about the loads. This tactic exploits the trust and urgency inherent in freight negotiations (see Figure 3).
- Email thread hijacking. Using compromised email accounts, the threat actors inject malicious content and URLs into existing conversations (see Figure 4).
- Direct targeting via email campaigns. The cluster has launched direct email campaigns against larger entities, including asset-based carriers, freight brokerage firms, and integrated supply chain providers. Gaining access to these entities may allow the actors to identify high-value freight loads or uncover other opportunities to further their objectives—such as posting fraudulent loads on load boards (see Figure 5).

These attacks exploit the trust built into freight negotiations and are opportunistic, hitting everything from small family businesses to large carriers.
Proofpoint observed phishing campaigns in which emails deliver malicious .exe or .msi files that install remote monitoring and management (RMM) tools, giving attackers full system access. The threat actors register fake transport-themed domains to look legitimate and opportunistically target any carrier that responds to a fraudulent load posting. After compromise, they use the victim's internal business data to hijack or steal shipments. One Reddit post described attackers using RMM tools to lock dispatchers out, delete bookings, and move cargo fraudulently under the victim's name.
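The three delivery tactics quoted above and the lures described in this paragraph share one observable: a link that resolves to an .exe or .msi, typically on a freshly registered transport-themed domain, and often arriving from a mailbox the recipient already trusts. The script below is an added illustration (not from the Proofpoint report or this article) of a mail-gateway triage rule built on that observable. It deliberately does not trust the sender, because in the thread-hijacking case the lure comes from a real partner's account. All messages, domains and the partner allowlist are constructed; the transport vocabulary and the two-label domain heuristic are assumptions to adapt.

```python
"""Triage freight-negotiation emails for links that deliver RMM installers.

Added example (not code from Proofpoint or the article). Flags URLs that
point straight at .exe/.msi files and URLs on transport-themed domains that
are not known partners. Sender identity is NOT used as a trust signal.
Every message, domain and the partner list below is constructed.
"""
import re
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"']+")
INSTALLER_EXTENSIONS = (".exe", ".msi")
# Vocabulary lure domains imitate; assumed, extend for your own vertical.
TRANSPORT_WORDS = ("freight", "logistic", "carrier", "dispatch", "load", "trucking", "cargo")


def registrable_domain(host):
    """Crude eTLD+1 (last two labels). Use the Public Suffix List in production."""
    return ".".join(host.lower().split(".")[-2:])


def risky_urls(body, partner_domains):
    """Return [(url, [reasons])] for every link that matches the lure pattern."""
    hits = []
    for url in URL_RE.findall(body):
        url = url.rstrip(".,;:)")           # trailing punctuation from prose
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        path = parsed.path.lower()
        reasons = []
        if path.endswith(INSTALLER_EXTENSIONS):
            reasons.append("direct link to installer: " + path.rsplit("/", 1)[-1])
        if registrable_domain(host) not in partner_domains and any(w in host for w in TRANSPORT_WORDS):
            reasons.append("transport-themed domain not in partner list: " + host)
        if reasons:
            hits.append((url, reasons))
    return hits


def triage_email(msg, partner_domains):
    """msg: dict with 'from', 'subject', 'body'.

    'block' on any installer link, 'review' on an unknown transport-themed
    domain alone, 'allow' otherwise. The sender address is reported, not trusted.
    """
    findings = risky_urls(msg["body"], partner_domains)
    installer = any(r.startswith("direct link to installer") for _, rs in findings for r in rs)
    verdict = "block" if installer else ("review" if findings else "allow")
    return {"from": msg["from"], "subject": msg["subject"], "verdict": verdict, "findings": findings}


def triage_all(emails, partner_domains):
    return [triage_email(m, partner_domains) for m in emails]


# Assumed allowlist of brokers/carriers the company actually does business with.
PARTNER_DOMAINS = {"acmefreight.example"}

# Constructed messages: load-board reply lure, clean partner mail,
# thread-hijacked partner mail, and an unknown domain with a harmless document.
SAMPLE_EMAILS = [
    {"from": "dispatch@freight-loadsdocs.example", "subject": "RE: Load 48213 Dallas-Atlanta",
     "body": "Rate confirmation: http://freight-loadsdocs.example/rc/RateCon_48213.exe Please sign today."},
    {"from": "ops@acmefreight.example", "subject": "BOL for load 1234",
     "body": "Bill of lading: https://portal.acmefreight.example/docs/BOL-1234.pdf"},
    {"from": "ops@acmefreight.example", "subject": "RE: RE: BOL for load 1234",
     "body": "Per our call, updated docs: https://acmefreight-docs.example/setup.msi"},
    {"from": "bids@quickcargo-bids.example", "subject": "Open loads this week",
     "body": "See https://quickcargo-bids.example/loads/48213.pdf for details."},
]

if __name__ == "__main__":
    for r in triage_all(SAMPLE_EMAILS, PARTNER_DOMAINS):
        print(r["verdict"].upper(), r["from"], r["subject"])
        for url, reasons in r["findings"]:
            print("   ", url, "|", "; ".join(reasons))
```

The third message is the one worth noticing: it comes from a genuine partner mailbox inside an existing thread and would pass any sender-reputation check, but the installer link still earns a block. Short links and redirectors hide the final extension, so in production pair this rule with URL detonation or at least a HEAD request on the final destination.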
The campaigns demonstrate a shift toward RMM-first payloads: instead of custom malware, the first stage is a legitimate remote-management tool, which blends into normal IT activity and evades detection while enabling cyber-enabled cargo theft.

“According to NICB, cargo theft losses increased 27 percent in 2024, and losses are expected to increase another 22 percent in 2025. Cargo theft is a profitable criminal enterprise, and based on Proofpoint data, cybercriminals are increasingly targeting surface transportation entities to steal real, physical goods.” concludes the report. “Proofpoint has observed nearly two dozen campaigns since August 2025 targeting such entities to deliver RMMs.”
Pierluigi Paganini
(SecurityAffairs – hacking, trucking firms)