Threat actors have been hacking into surface transportation companies to deploy remote access tools and hijack shipments to steal physical goods, Proofpoint reports.
The attack chain starts with a compromised broker account on a load board – the online marketplace where brokers post freight and carriers book it – which the attackers use to post a fake load.
The hackers then wait for a carrier to inquire about the load and reply with emails containing malicious URLs that lead to installers for remote monitoring and management (RMM) tools.
Additionally, the threat actors have been observed leveraging compromised email accounts to inject malicious URLs and content into existing conversations, as well as launching direct email campaigns against carriers, freight brokerage entities, and integrated supply chain providers.
As part of nearly two dozen campaigns observed over the past several months, the hackers have been deploying RMM tools such as Fleetdeck, LogMeIn Resolve, N-able, PDQ Connect, ScreenConnect, and SimpleHelp, sometimes using them in tandem.
“Once initial access is established, the threat actor conducts system and network reconnaissance and deploys credential harvesting tools such as WebBrowserPassView. This activity indicates a broader effort to compromise accounts and deepen access within targeted environments,” Proofpoint notes.
Using the deployed RMM tools, the threat actors take control of the carrier’s systems, book loads in the victim’s name, and coordinate the transportation themselves. By manipulating the victim’s scheduling and dispatch systems, they divert valuable shipments to their own operatives.
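The chain described above leaves a recognisable footprint in endpoint telemetry: an RMM agent appearing on a dispatcher's workstation that the organisation never sanctioned, a second RMM product on the same host, and a credential-dumping utility run from a user-writable directory. As an added example (not part of Proofpoint's report or this article), the Python below scans process-creation records for exactly those three signals. The flattened log format, the binary-name fragments used to recognise each product, the host names, and the approved-product list are all assumptions for this example, and the sample records are constructed.

```python
"""Hunt for unapproved RMM agents and credential tools in process-creation logs.

Added example, not Proofpoint's or the article's code. Matches are done on
product-name fragments; tune RMM_KEYWORDS to the binary names your EDR
actually reports.
"""
import re
from collections import defaultdict

# Product-name fragments matched case-insensitively against image path and
# command line. Assumed for the example, not an authoritative list.
RMM_KEYWORDS = {
    "fleetdeck": ("fleetdeck",),
    "logmein_resolve": ("logmein", "gotoresolve", "goto resolve"),
    "n-able": ("n-able", "n-central"),
    "pdq_connect": ("pdq connect", "pdqconnect", "pdq-connect"),
    "screenconnect": ("screenconnect", "connectwise control"),
    "simplehelp": ("simplehelp",),
}
CREDENTIAL_KEYWORDS = {"webbrowserpassview": ("webbrowserpassview",)}

# RMM products the (hypothetical) organisation has sanctioned; anything else
# seen executing is treated as unapproved.
APPROVED_RMM = {"n-able"}

# Directories a centrally deployed agent should not be launched from.
USER_WRITABLE = ("\\users\\", "\\downloads\\", "\\temp\\", "\\appdata\\")

# One record per line in an assumed flattened format:
#   <ts> host=<host> user=<user> image="<path>" cmdline="<args>"
LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+'
    r'image="(?P<image>[^"]*)"\s+cmdline="(?P<cmdline>[^"]*)"\s*$'
)

# Constructed sample telemetry for a dispatcher workstation and an IT host.
SAMPLE_LOG = r"""
2025-11-03T14:02:11Z host=DISPATCH-07 user=CORP\jsmith image="C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE" cmdline="OUTLOOK.EXE"
2025-11-03T14:03:40Z host=DISPATCH-07 user=CORP\jsmith image="C:\Users\jsmith\Downloads\ScreenConnect.ClientSetup.exe" cmdline="ScreenConnect.ClientSetup.exe"
2025-11-03T14:05:02Z host=DISPATCH-07 user=CORP\jsmith image="C:\Users\jsmith\AppData\Local\Temp\SimpleHelp\Remote Access.exe" cmdline="Remote Access.exe"
2025-11-03T14:09:55Z host=DISPATCH-07 user=CORP\jsmith image="C:\Users\jsmith\AppData\Local\Temp\WebBrowserPassView.exe" cmdline="WebBrowserPassView.exe /stext creds.txt"
2025-11-03T15:12:00Z host=IT-ADMIN-01 user=CORP\svc_rmm image="C:\Program Files (x86)\N-able Technologies\Windows Agent\bin\agent.exe" cmdline="agent.exe"
this line is not in the expected format
"""


def parse_line(line):
    """Return the record's fields as a dict, or None if the line is malformed."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def _matches(haystack, keywords):
    return any(k in haystack for k in keywords)


def _alert(kind, product, ev, user_path):
    return {"kind": kind, "product": product, "host": ev["host"],
            "user": ev["user"], "ts": ev["ts"],
            "from_user_writable_path": user_path}


def detect(log_text, approved_rmm=APPROVED_RMM):
    """Scan flattened process-creation records and return a list of alerts.

    Emits 'unapproved_rmm' for any RMM product outside approved_rmm,
    'credential_tool' for password-dumping utilities, and 'multiple_rmm'
    for a host on which two or more distinct RMM products ran.
    """
    alerts = []
    rmm_by_host = defaultdict(set)
    for line in log_text.strip().splitlines():
        ev = parse_line(line)
        if ev is None:
            continue  # skip records the parser does not understand
        haystack = (ev["image"] + " " + ev["cmdline"]).lower()
        user_path = any(p in haystack for p in USER_WRITABLE)
        for product, keys in RMM_KEYWORDS.items():
            if _matches(haystack, keys):
                rmm_by_host[ev["host"]].add(product)
                if product not in approved_rmm:
                    alerts.append(_alert("unapproved_rmm", product, ev, user_path))
        for tool, keys in CREDENTIAL_KEYWORDS.items():
            if _matches(haystack, keys):
                alerts.append(_alert("credential_tool", tool, ev, user_path))
    # Two RMM products on one host is the "in tandem" pattern and is worth an
    # alert even when each product is individually approved.
    for host, products in rmm_by_host.items():
        if len(products) > 1:
            alerts.append({"kind": "multiple_rmm", "host": host,
                           "products": sorted(products)})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the constructed sample this raises two unapproved-RMM alerts for DISPATCH-07 (ScreenConnect and SimpleHelp, both launched from user-writable paths), one credential-tool alert for WebBrowserPassView, and a multiple-RMM alert for the host, while the sanctioned N-able agent on IT-ADMIN-01 stays silent. Name matching is deliberately simple; in production, key the same logic on signer, file hash, or install path from your EDR rather than on strings an attacker can rename.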
The purpose of the attacks is cargo hijacking for financial gain. Cargo theft causes over $30 billion in losses each year and is mainly carried out by organized criminal groups, with Brazil, Chile, Germany, India, Mexico, South Africa, and the US being the hotspots for such activity.
“Proofpoint assesses with high confidence that the threat actors are working with organized crime groups. The stolen cargo most likely is sold online or shipped overseas. Such crimes can create massive disruptions to supply chains and cost companies millions, with criminals stealing everything from energy drinks to electronics,” Proofpoint notes.
While the attacks were initially observed in June, the associated infrastructure has been online since at least January 2025, and the attackers appear to have deep knowledge of the software, services, and policies within the cargo supply chain.
A separate but likely related cluster of activity, observed between 2024 and March 2025, has targeted ground transportation organizations with malware including the DanaBot, Lumma Stealer, and StealC information stealers and the NetSupport remote access tool.
“Regardless of the ultimate payload, stealers and RMMs serve the same purpose: remotely access the target to steal information. However, using RMM tools can enable threat actors to fly further under the radar,” Proofpoint says.
As part of the recent attacks, the hackers have targeted companies of all sizes, taking an opportunistic approach to compromise any carrier that responds to their fake posts.