A new wave of cyberattacks is targeting the trucking and logistics sector, using remote monitoring and management (RMM) tools to compromise networks and steal physical cargo, according to new research from Proofpoint.
The threat cluster, active since at least June 2025, is believed to be working in tandem with organized crime groups to breach companies in the surface transportation industry. The ultimate goal is to steal high-demand goods, particularly food and beverage products, and resell them online or overseas.
“Such crimes can create massive disruptions to supply chains and cost companies millions, with criminals stealing everything from energy drinks to electronics,” the researchers noted in the report.
The latest attacks are similar to incidents observed in September 2024 that used information stealers and remote access trojans (RATs) like Lumma Stealer, StealC, and NetSupport RAT. However, there is currently no evidence linking the two operations.
In the ongoing campaign, attackers have used a combination of spear-phishing emails, hijacked business conversations, and compromised accounts to post fake freight listings on load boards. When unsuspecting carriers respond, they receive emails containing malicious links leading to infected installers or executables that deploy legitimate RMM tools such as ScreenConnect, SimpleHelp, PDQ Connect, Fleetdeck, N-able, and LogMeIn Resolve.
Once inside a company’s systems, the attackers conduct network reconnaissance and steal login credentials using tools like WebBrowserPassView. At least one incident saw intruders deleting bookings, blocking dispatcher notifications, and even adding their own devices to phone extensions to book fraudulent shipments under compromised carrier names.
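One way a carrier's security team could triage endpoint telemetry for the tooling described above, as an added example that is not from the Proofpoint report or this article: an allowlist check that flags any of the named RMM products that IT has not licensed, an approved product that arrives the way the lure does (downloaded file launched from the mail client), and the credential-harvesting utility. The event fields, process names and the single approved product are assumptions for illustration.

```python
# Added example: allowlist-based triage of RMM installs and credential
# tools on carrier endpoints. Event records below are constructed, not real telemetry.
from dataclasses import dataclass

# RMM products named in the report as abused by the threat actor.
ABUSED_RMM = {"screenconnect", "simplehelp", "pdq connect",
              "fleetdeck", "n-able", "logmein resolve"}
# Hypothetical: the one RMM product this carrier's IT actually licenses.
APPROVED_RMM = {"n-able"}
# Credential-harvesting utility named in the report.
CRED_TOOLS = {"webbrowserpassview"}


@dataclass
class Event:
    host: str
    user: str
    product: str        # product name from installer/process metadata (assumed field)
    parent: str         # parent process that launched it (assumed field)
    mark_of_web: bool   # file carried a downloaded-from-internet marker (assumed field)


def classify(ev: Event):
    """Return a verdict string for a suspicious event, or None if benign."""
    p = ev.product.lower()
    rmm = next((r for r in ABUSED_RMM if r in p), None)
    if rmm and rmm not in APPROVED_RMM:
        return "unapproved-rmm"
    # Even the licensed product is suspect when it arrives like the lure:
    # an internet-downloaded file launched from the mail client.
    if rmm and ev.mark_of_web and ev.parent.lower().startswith("outlook"):
        return "rmm-from-email-attachment"
    if any(t in p for t in CRED_TOOLS):
        return "credential-dumper"
    return None


def triage(events):
    """Return (host, product, verdict) for every event that needs analyst attention."""
    return [(e.host, e.product, v) for e in events if (v := classify(e))]


# Constructed sample events (process names are illustrative, not observed values).
SAMPLE = [
    Event("disp-01", "dispatcher", "ScreenConnect Client", "chrome.exe", True),
    Event("disp-01", "dispatcher", "WebBrowserPassView", "ScreenConnect.ClientService.exe", False),
    Event("fin-02", "accounting", "N-able Agent", "outlook.exe", True),
    Event("fin-02", "accounting", "N-able Agent", "msiexec.exe", False),
    Event("ops-03", "ops", "Microsoft Excel", "explorer.exe", False),
]

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```

The legitimately deployed N-able agent installed by msiexec is left alone, which is the point of keeping an explicit allowlist rather than alerting on every RMM product by name.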
“Based on campaigns observed by Proofpoint, the threat actor does not appear to attack specific companies, and targets range from small, family-owned businesses to large transport firms,” the researchers said. “The threat actor appears to be opportunistic about the carriers that it targets and will likely attempt to compromise any carrier who responds to the fake load posting. Once a threat actor has compromised a carrier, they probably will use their knowledge of the industry and any insider information derived from other compromises to identify and bid on loads that are likely to be profitable if stolen.”
