Attackers Target Trucking and Freight Firms to Steal Cargo
Key Takeaways
- A sophisticated cybercrime campaign is targeting trucking and freight logistics companies.
- Attackers are using remote access tools to digitally infiltrate firms and divert physical cargo shipments, resulting in millions of dollars in losses.
- The campaign, active since at least June 2025, leverages phishing, compromised load board accounts, and malicious executable files to install legitimate remote monitoring and management (RMM) software.
- Proofpoint researchers identified this threat cluster, noting its collaboration with organized crime groups.
- Defenders should restrict unauthorized RMM tool installation, implement robust network detection, and enhance user training against malicious email links.
Cybercriminals Leverage Digital Infiltration for Physical Cargo Heists
A new, alarming trend has emerged in the realm of cybercrime, with threat actors actively targeting trucking carriers and freight brokers. Their objective extends beyond traditional data theft, focusing instead on digitally compromising logistics companies to orchestrate the theft of physical cargo, leading to losses totaling millions of dollars.
While cargo theft is not a novel crime, its methodology has undergone a dramatic transformation. Data from the National Insurance Crime Bureau (NICB) indicates that annual cargo theft losses consistently reach billions of dollars, a figure that continues to climb. In 2025, North American cargo theft losses escalated to an estimated $6.6 billion, a significant portion driven by these digitally facilitated attacks, according to fleet management data. The era of criminals relying on brute force to steal freight has largely given way to sophisticated digital tactics.
Today’s cybercriminals employ laptops, carefully crafted phishing emails, and remote access software to redirect valuable shipments without ever physically interacting with the goods. The stolen cargo, which spans a wide array of products from energy drinks and food items to high-value electronics, is rapidly sold online or shipped internationally, often before the affected companies even realize a theft has occurred.
This evolving threat campaign underscores a significant shift in the operational strategies of organized crime groups in the digital age. As global supply chains transitioned online, criminal elements swiftly adapted. The widespread digitization of both domestic and international logistics created new vulnerabilities, providing organized theft groups with the means to exploit these gaps using increasingly sophisticated cyber capabilities. Threat actors are now compromising trucking carriers and freight brokers, subsequently leveraging this unauthorized access to fraudulently bid on cargo shipments, arrange transportation through legitimate channels, and ultimately divert the goods to their own illicit networks.
Analysts and researchers at Proofpoint identified this distinct threat cluster, asserting with high confidence that these actors are collaborating with organized crime to execute these complex attacks. The campaign has been confirmed active since at least June 2025, although forensic evidence suggests activity may have begun as early as January 2025. Since August 2025, Proofpoint has documented nearly two dozen separate campaigns, with individual campaign volumes ranging from fewer than 10 to over 1,000 malicious messages. Researchers also noted that these threat actors do not appear to target specific companies, instead casting a wide net that includes everything from small, family-owned businesses to large-scale transport enterprises.
Attack Vectors and Initial Compromise
The attackers employ three primary methods to gain initial entry into target systems. First, they post fraudulent freight listings on compromised load board accounts, enticing legitimate carriers to respond. Second, they hijack existing email threads using compromised accounts and inject malicious URLs directly into ongoing conversations. Third, they launch direct email campaigns against larger entities, including asset-based carriers, freight brokerages, and integrated supply chain providers. In all scenarios, the emails contain malicious links that lead to executable files (either .exe or .msi formats). When clicked, these files silently install a remote monitoring and management (RMM) tool, granting the attackers full control over the victim’s machine.
How Attackers Turn a Remote Login Into a Cargo Heist
Once a victim installs the RMM tool, the attacker initiates a systematic process that bridges the gap between the digital compromise and a physical crime. The threat cluster has been observed deploying legitimate IT tools such as ScreenConnect, SimpleHelp, PDQ Connect, Fleetdeck, N-able, and LogMeIn Resolve. The very legitimacy of these tools, commonly used by businesses for remote support, makes them highly effective as an attack vector. Because the installers are digitally signed and appear trustworthy, conventional antivirus software and network detection tools are significantly less likely to flag them as malicious.
After establishing remote access, the attacker conducts thorough system reconnaissance, meticulously searching for credentials, active load bookings, and dispatcher contact information. Subsequently, credential harvesting tools, such as WebBrowserPassView, are deployed to extract saved passwords from the victim’s web browser.
Researchers from Proofpoint have also uncovered public discussions on social media platforms that precisely mirror the phishing and account takeover activities observed in these campaigns. This further corroborates the widespread sharing of these attack methodologies among various threat actors.
The final stage is where the cyber intrusion culminates in a tangible, real-world crime. Attackers delete existing freight bookings, block legitimate dispatcher notifications, and add their own device to the dispatcher’s phone extension. They then rebook the load under the compromised carrier’s name and coordinate the actual transport of the stolen goods, all while the legitimate company remains completely unaware of the ongoing theft.
What You Should Do
- Restrict RMM Tool Installation: Implement strict policies to prevent the download and installation of any Remote Monitoring and Management (RMM) tooling not explicitly approved or confirmed by your organization’s IT administrators.
- Enhance Network Detection: Deploy robust network detection rules, including the utilization of the Emerging Threats ruleset and comprehensive endpoint protection, to alert on any suspicious network activity related to RMM servers.
- Exercise Caution with Executable Files: Never download or install executable files (.exe or .msi) delivered via email from external senders, especially if unsolicited or unexpected.
- Strengthen User Training: Conduct regular user training programs to educate employees on how to identify and report suspicious emails, links, and social engineering attempts to their security teams. Organizations at risk of cargo theft may also benefit from reviewing the National Motor Freight Traffic Association’s Cargo Crime Reduction Framework for additional guidance.
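As an added illustration of the first two recommendations (this is example code, not from the article or from Proofpoint): a small Python triage script that runs three checks over constructed process-creation log lines, flagging an installer launched from a browser or mail client, any RMM product not on an assumed allow-list (here only ScreenConnect is treated as approved), and the browser-password dumper the article names. Host names, users, paths and file names are invented, and matching on product names in the image path is a deliberately simple heuristic.

```python
import re

# Product-name keywords for the RMM tools named in the Proofpoint research; matching
# on the product name in the image path is a deliberately simple heuristic.
RMM_KEYWORDS = {"screenconnect": "ScreenConnect", "simplehelp": "SimpleHelp", "pdq": "PDQ Connect",
                "fleetdeck": "Fleetdeck", "n-able": "N-able", "logmein": "LogMeIn Resolve"}
APPROVED_RMM = {"ScreenConnect"}   # assumption: the only RMM product this org's IT sanctions
MAIL_AND_BROWSER = {"outlook.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
USER_WRITABLE = re.compile(r"\\(downloads|temp|appdata)\\", re.IGNORECASE)
CRED_TOOLS = {"webbrowserpassview"}  # browser-password dumper named in the article

# Constructed process-creation records (time|host|user|image|parent_image); hosts,
# users and file names are invented for this example.
SAMPLE_LOG = """\
2025-09-03T14:02:11Z|DISPATCH-PC01|jdoe|C:\\Users\\jdoe\\Downloads\\Load_Confirmation_48213.exe|C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe
2025-09-03T14:02:40Z|DISPATCH-PC01|jdoe|C:\\Program Files (x86)\\FleetDeck Agent\\fleetdeck_agent.exe|C:\\Users\\jdoe\\Downloads\\Load_Confirmation_48213.exe
2025-09-03T14:09:05Z|DISPATCH-PC01|jdoe|C:\\Users\\jdoe\\AppData\\Local\\Temp\\WebBrowserPassView.exe|C:\\Program Files (x86)\\FleetDeck Agent\\fleetdeck_agent.exe
2025-09-03T15:30:00Z|HELPDESK-01|itadmin|C:\\Program Files (x86)\\ScreenConnect Client\\ScreenConnect.ClientService.exe|C:\\Windows\\System32\\services.exe
2025-09-03T16:00:00Z|DISPATCH-PC02|asmith|C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE|C:\\Windows\\explorer.exe
"""

def classify(image: str, parent: str) -> list[str]:
    # Return the detection tags that apply to one process-creation record.
    image, parent = image.lower(), parent.lower()
    basename, parent_name = image.rsplit("\\", 1)[-1], parent.rsplit("\\", 1)[-1]
    tags = []
    # Rule 1: .exe/.msi in a user-writable folder started by a browser or mail client
    if (basename.endswith((".exe", ".msi")) and USER_WRITABLE.search(image)
            and parent_name in MAIL_AND_BROWSER):
        tags.append("installer_from_email_or_browser")
    # Rule 2: an unapproved RMM product, as the new process or as the parent launching it
    for key, product in RMM_KEYWORDS.items():
        if product in APPROVED_RMM:
            continue
        if key in image:
            tags.append(f"unapproved_rmm:{product}")
        elif key in parent:
            tags.append(f"spawned_by_unapproved_rmm:{product}")
    # Rule 3: the browser-credential harvesting tool seen after access is established
    if any(tool in basename for tool in CRED_TOOLS):
        tags.append("credential_harvesting_tool")
    return tags

def scan(log_text: str) -> list[dict]:
    # Run classify() over every record and keep those that raised at least one tag.
    alerts = []
    for line in log_text.splitlines():
        time, host, user, image, parent = line.split("|", 4)
        tags = classify(image, parent)
        if tags:
            alerts.append({"time": time, "host": host, "user": user, "image": image, "tags": tags})
    return alerts
```

The approved ScreenConnect service and the ordinary Excel launch produce no alert, while the three-step chain on DISPATCH-PC01 (download, unapproved agent, credential dumper spawned by that agent) produces one alert per step.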
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.