Freight Hacker Wields Code-Signing Service to Evade Defenses


Prolific Threat Actor Focused on Using Malware to Facilitate Cargo Theft

Cybercriminals don’t hold up cargo trucks with a shotgun; they hack transport and logistics firms.

Many attacks that target the sector attempt to trick victims into installing malware that deploys remote management and monitoring tools, which attackers use to remotely control a victim’s system and steal credentials, enabling freight diversion and cargo theft, said cybersecurity firm Proofpoint.

In research published Thursday, firm researchers said the largest logistics-targeting threat actor they tracked recently deployed a stealthy new tactic to sneak RMM software onto a victim’s system. Proofpoint first detailed in November 2025 how hackers use RMM, using illicit access to bid on authentic shipments and intercept cargo, often reselling it online or shipping it overseas with help from organized crime groups.

The discovery is thanks to the researchers taking a recent sample of malware and detonating it inside their deception platform, run using software built by Deception Pro, which creates a real-looking but synthetic Active Directory environment.

The threat actor took the bait, believing the infection to be real, which allowed the researchers to monitor malicious activity, including the attacker repeatedly returning to try out new strategies – likely alongside other environments they’d compromised – for more than a month.

Major new findings included the threat actor, likely a small group of individuals, wielding 13 different PowerShell scripts designed to enumerate local accounts, extract browsing history, exfiltrate useful data to attacker-controlled bots on Telegram, as well as “identify hard-coded URLs associated with banking, payments, logistics, fleet services and accounting platforms,” including tax-prep software.

The attacker also installed a number of different types of RMM software onto the decoy system, including SimpleHelp RMM, Pulseway RMM and four different instances of ConnectWise ScreenConnect, revealing a heavy focus “on remote administration and redundancy,” the report says.

“The breadth of these targets strongly aligns with financially motivated theft, fraud and cargo diversion operations tied to transportation workflows,” not least because of attackers searching for credentials tied to “fuel card services, fleet payment platforms and freight brokerage systems,” the report says.

The threat actor deployed all of the scripts through hands-on-keyboard activity, rather than as automated follow-ups to an endpoint being infected.

The first thing attackers attempted to do in the decoy environment wasn’t to steal credentials for logistics platforms. Instead, they looked for PayPal use in the browser and also searched for bank account details, cryptocurrency wallets and other valuable data.

“They not only have an expertise in the transportation sector and how to compromise carriers, bid on loads and steal freight, but they also are doing the common thing that most cybercriminals will do, which is look for anything they can monetize, on any machine that they compromise,” Ole Villadsen, staff threat researcher at Proofpoint, told Information Security Media Group.

The threat actor’s campaign began on Feb. 27, when they sent firms in the industry a phishing message with a malicious attachment in the form of a Visual Basic Script, Proofpoint said. If executed, the VBS was designed to download and execute a second-stage PowerShell payload as well as to display “a decoy broker-carrier agreement” to make it look like nothing was amiss, researchers said.

The second stage script built a download URL for a Windows installer file for ScreenConnect – in the form of an .msi file – tied to attacker-controlled infrastructure hosted at amtechcomputers[.]net, then submitted the MSI file download to a third-party service hosted at signer[.]bulbcentral[.]com.

This third-party service turned out to be a code-signing service, which is something the researchers – and a variety of other researchers they queried – had never seen before. By using this service, attackers “re-signed ScreenConnect installers and components with a valid – but fraudulent – code-signing certificate,” says Proofpoint’s report.

Who’s providing this signing service isn’t clear. Villadsen said it’s probably distributed by word of mouth.

In theory, an operating system should flag any piece of software signed using an invalid digital certificate. But because the attacker’s installers and components aren’t being downloaded by the user, but handled by a script, this activity doesn’t always seem to get flagged. When it does, “the warnings are less common and less severe,” Villadsen said.
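One defensive check that follows from the above is to verify not only that an RMM installer's signature chain validates, but that the signer is the publisher you expect, since the re-signed installers in this campaign carried a valid certificate that simply was not the vendor's. The script below is an added example, not Proofpoint's or ConnectWise's code; the expected publisher subject is a placeholder that must be replaced with the subject of the certificate your organization (or vendor) actually signs with.

```powershell
# Added example: check the Authenticode signer of an installer against an allow-list.
# The subject string below is a PLACEHOLDER assumption, not a real publisher value.
param(
    [Parameter(Mandatory)] [string]   $Path,
    [string[]] $ExpectedSubjects = @('CN=EXAMPLE-EXPECTED-PUBLISHER, O=Example Org')
)

$sig = Get-AuthenticodeSignature -FilePath $Path

# A validating chain is necessary but not sufficient: a "valid but fraudulent"
# certificate passes this step, so the subject check that follows is the real test.
if ($sig.Status -ne 'Valid') {
    Write-Output "FAIL: signature status '$($sig.Status)' for $Path"
    exit 2
}

$subject = $sig.SignerCertificate.Subject
$thumb   = $sig.SignerCertificate.Thumbprint
if ($ExpectedSubjects -notcontains $subject) {
    Write-Output "ALERT: valid signature from unexpected publisher '$subject' (thumbprint $thumb) on $Path"
    exit 3
}

# Files fetched by a script rather than a browser frequently carry no Zone.Identifier
# (Mark-of-the-Web) stream, which is one reason the usual download warnings never fire.
# Record its absence for triage rather than treating the file as trusted.
$motw = Get-Item -Path $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
if (-not $motw) {
    Write-Output "NOTE: no Zone.Identifier stream on $Path (not browser-downloaded?)"
}

Write-Output "OK: $Path signed by expected publisher '$subject' (thumbprint $thumb)"
exit 0
```

Run it against a quarantined .msi or .exe with the real publisher subject supplied via -ExpectedSubjects; a non-zero exit code means the file should not be installed.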

One thing this campaign reinforces is that “actors love ScreenConnect, that’s their favorite RMM by far.” From late 2024 through early 2025, it was the most-used such tool by attackers in the wild, Villadsen said (see: Attackers Wield Signed ConnectWise Installers as Malware).

This led last June to a certificate authority revoking one of ConnectWise ScreenConnect’s signing certificates for violating its trust standards. In response, ConnectWise redesigned the architecture of its installer and migrated to new certificates. Since then, customers using on-premises versions of its software have been required to sign their own clients.

As a result, if criminals now attempt to directly install an illicit copy of ScreenConnect’s software on a target’s system, they risk operating systems, browsers and endpoint security tools intercepting such activity and warning users that they’ve found a fake certificate.

By using the signing-as-a-service capability, attackers have found a way to help route around ScreenConnect’s crackdown.

Villadsen said this reflects in part how active, as well as innovative, this financially focused threat actor is. “We see them every week, if not every day, doing operations,” he said, compared to other groups that might have a cadence of conducting activities every few days or even weeks.

Multiple threat actors focus on logistics firms in North America and Europe, contributing to what researchers estimate to be $35 billion in annual global losses to cargo theft.

Security researchers at startup Have I Been Squatted and threat intelligence firm Ctrl-Alt-Intel in February detailed a phishing-as-a-service platform designed to target the sector that resulted in the theft of over 1,600 unique login credentials.

The researchers said the phishing platform appeared to have been developed by a Russian-speaking coder and marketed on Russian cybercrime forums (see: Phishing Platform Targeting Trucking and Logistics Disrupted).

Villadsen said the threat actor his group tracked appears to have no crossover with operators of the phishing platform. Proofpoint tracks a dozen different threat groups targeting the sector, typically either by hitting victims with payloads that lead to RMM tools or by spoofing legitimate logistics platforms and using phishing campaigns to steal valid credentials.