Cybercriminals have increasingly targeted trucking and logistics companies to install remote monitoring and management (RMM) software and steal cargo, particularly food and beverage consignments, Proofpoint researchers Ole Villadsen and Selena Larson said. Proofpoint attributed the activity to a threat cluster active since at least June 2025 and said the stolen goods are likely sold online or shipped overseas.
Investigators say the attackers use multiple intrusion methods, including compromised email accounts to hijack existing conversations, spear-phishing aimed at carriers and freight brokers, and fraudulent freight listings posted on load boards. Messages to interested carriers contain malicious URLs that deliver booby-trapped MSI installers or executables.
Once installed, the payloads deploy legitimate remote access tools such as ScreenConnect, SimpleHelp, PDQ Connect, Fleetdeck, N-able and LogMeIn Resolve, sometimes in combination, with PDQ Connect used to drop other RMM clients. Attackers then perform system and network reconnaissance, deploy credential harvesting utilities and use the compromised access to bid on and arrange real shipments under the victim carrier’s name.
Proofpoint analysts warned that use of legitimate RMM software helps attackers avoid creating bespoke malware and can evade detection because installers are often signed and common in enterprise environments, a point noted by the company in March 2025.
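Because the installers are signed and the tools are legitimate, one practical check is an inventory review rather than a malware signature. The following is an added example, not code from Proofpoint or the article: it flags unapproved RMM products, hosts carrying several at once, and PDQ Connect followed shortly by another client. The inventory format, the approved set and the 24-hour window are assumptions, and the sample records are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# RMM product names taken from the article; matched against inventory display names.
RMM_PRODUCTS = ["ScreenConnect", "SimpleHelp", "PDQ Connect", "Fleetdeck", "N-able", "LogMeIn Resolve"]
APPROVED = {"N-able"}                # assumption: the only RMM tool this organisation sanctions
CHAIN_WINDOW = timedelta(hours=24)   # assumption: window for "PDQ Connect dropped another client"

# Constructed sample inventory: (host, display name, install time). Not real telemetry.
INVENTORY = [
    ("DISPATCH-01", "N-able Take Control Agent", "2025-01-10T09:00:00"),
    ("DISPATCH-02", "PDQ Connect Agent", "2025-08-04T14:02:00"),
    ("DISPATCH-02", "ScreenConnect Client (constructed-id)", "2025-08-04T14:09:00"),
    ("DISPATCH-02", "SimpleHelp Remote Access", "2025-08-04T14:15:00"),
    ("BILLING-03", "Fleetdeck Agent", "2025-08-06T11:30:00"),
    ("BILLING-03", "7-Zip 24.08", "2024-11-02T08:00:00"),
]

def match_rmm(display_name):
    """Return the RMM product whose name appears in the display name, else None."""
    lowered = display_name.lower()
    return next((p for p in RMM_PRODUCTS if p.lower() in lowered), None)

def find_rmm_alerts(inventory, approved=APPROVED):
    """Flag unapproved RMM installs, multi-RMM hosts, and PDQ Connect followed by another client."""
    per_host = defaultdict(list)
    for host, name, ts in inventory:
        product = match_rmm(name)
        if product:
            per_host[host].append((datetime.fromisoformat(ts), product))
    alerts = []
    for host, installs in sorted(per_host.items()):
        installs.sort()
        products = {p for _, p in installs}
        for _, product in installs:
            if product not in approved:
                alerts.append((host, "unapproved_rmm", product))
        if len(products) > 1:
            alerts.append((host, "multiple_rmm", ",".join(sorted(products))))
        pdq_times = [t for t, p in installs if p == "PDQ Connect"]
        for t, product in installs:
            if product != "PDQ Connect" and any(timedelta(0) <= t - pt <= CHAIN_WINDOW for pt in pdq_times):
                alerts.append((host, "pdq_then_rmm", product))
    return alerts

if __name__ == "__main__":
    for alert in find_rmm_alerts(INVENTORY):
        print(alert)
```

Name matching on display strings is only a first pass; an RMM tool that is sanctioned on one host can still be an intrusion when it appears on another, so the approved set is best kept per host or per team.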
Researchers noted similarities to a set of attacks disclosed in September 2024 that targeted North American transportation firms with information stealers and remote access trojans such as Lumma Stealer, StealC and NetSupport RAT, but said there is no evidence the current intrusions are the work of the same actor.

