Cybercriminals Using RMM Tools to Infiltrate Logistics Networks and Steal Cargo Freight

Cybercriminals are targeting the logistics and freight industry in a new wave of cybersecurity attacks that combine digital compromise with real-world theft. Recent reports from Proofpoint reveal organized groups are using legitimate remote monitoring and management (RMM) software to gain access to trucking and freight companies, bid on real cargo shipments, and ultimately steal physical goods for resale.

What Happened

According to Proofpoint, cybercriminals have been running persistent campaigns since at least mid-2025 that focus on trucking and logistics companies across North America. The attackers use RMM tools such as ScreenConnect, SimpleHelp, Fleetdeck, PDQ Connect, N-able, and LogMeIn Resolve to establish stealthy access to company systems. Once inside, they leverage stolen credentials to impersonate legitimate users, interfere with dispatch operations, and arrange fraudulent freight pickups.

In several observed cases, the attackers hijacked accounts on broker load boards and posted fake listings for shipments. When carriers responded, they received malicious URLs that installed RMM software on their computers. After gaining access, the threat actors deleted existing bookings, blocked dispatcher notifications, added their own devices to phone extensions, and coordinated cargo pickups under the names of compromised companies. The stolen goods were later sold online or shipped overseas.

How the Attack Works

Proofpoint analysts describe the attacks as an example of cyber-enabled cargo theft, a hybrid crime that exploits both digital and logistical systems. The intrusion typically begins with a phishing or thread-hijacked email containing a link to an executable or MSI installer. The installers are legitimate, digitally signed RMM payloads that are distributed maliciously.

After the software runs, the attackers gain remote control over the victim system, allowing them to perform reconnaissance, harvest browser passwords with tools like WebBrowserPassView, and move laterally within the network. In some cases, multiple RMMs are chained together, with one tool installing another to deepen persistence and evade detection. Once sufficient access is achieved, the attackers manipulate load board data and communication systems to reroute freight or claim shipments.

Researchers believe this cluster of activity overlaps with other operations that previously distributed malware such as Lumma Stealer, StealC, NetSupport RAT, and DanaBot. However, Proofpoint has not attributed these current campaigns to any named group. The actors appear to be working in coordination with organized crime rings that specialize in physical cargo theft.

Why RMM Tools Are Dangerous

RMM software is typically used by IT administrators to manage devices remotely, but in the wrong hands it offers the same power as a remote access trojan. The increased adoption of RMM tools by attackers reflects a broader shift in the malware threat landscape. These tools are favored because they are legitimate, widely used, and often signed with trusted certificates, allowing them to bypass antivirus and network filters.

Proofpoint observed that 2024 and 2025 brought a sharp rise in RMM-based campaigns as traditional botnets and loaders like IcedID, Bumblebee, and Trickbot were dismantled by law enforcement. As these initial access brokers disappeared, cybercriminals began using legitimate remote access software for infiltration. Because RMMs are common in enterprise environments, victims are less likely to view them as suspicious, making them a near-perfect disguise for an attack.

Indicators of Compromise (IOCs)

The following domains and IP addresses have been associated with recent RMM-based campaigns targeting surface transportation networks:

Organizations that detect communication with these addresses should treat it as a potential compromise and investigate immediately.

How to Protect Your Organization

To defend against RMM abuse, Proofpoint and other cybersecurity experts recommend several best practices:

  • Restrict the download and installation of RMM tools to those explicitly approved by IT administrators.
  • Monitor for any outbound traffic to known RMM domains or command servers.
  • Educate employees in transportation and logistics departments about fraudulent load postings and suspicious email links.
  • Use endpoint protection such as Malwarebytes and network detection systems to identify signed but malicious RMM activity.
  • Regularly audit active RMM sessions and user permissions to prevent unauthorized remote access.
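The attack chain described under "How the Attack Works" and the monitoring advice above can be turned into simple endpoint detection logic. The script below is an added example, not Proofpoint's or any vendor's detection rules: it scans constructed process-creation records for RMM agents outside an assumed single-product allowlist, for one RMM launching another (the chaining the article describes), and for a browser-password dumper spawned from an RMM session. The executable-name substrings, the allowlist and the log format are all assumptions.

```python
# RMM products named in the Proofpoint reporting, keyed by a substring of their executable names.
# Added illustration only; these are not Proofpoint's or any vendor's detection rules.
RMM_PRODUCTS = {"screenconnect": "ScreenConnect", "simplehelp": "SimpleHelp",
                "fleetdeck": "Fleetdeck", "pdq": "PDQ Connect",
                "n-able": "N-able", "logmein": "LogMeIn Resolve"}
APPROVED_RMM = {"N-able"}            # assumption: the organisation sanctions exactly one RMM product
CRED_TOOLS = {"webbrowserpassview"}  # credential-harvesting utility named in the article


def rmm_product(image):
    """Return the RMM product an executable name belongs to, or None."""
    name = image.lower()
    for key, product in RMM_PRODUCTS.items():
        if key in name:
            return product
    return None


def analyze(log_text):
    """Scan pipe-delimited process-creation records (ts|host|parent_image|image|cmdline)
    and return findings as (host, rule, detail) tuples in log order."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, host, parent, image, _cmdline = line.split("|", 4)
        child_rmm, parent_rmm = rmm_product(image), rmm_product(parent)
        # Rule 1: an RMM agent outside the approved set appeared on an endpoint.
        if child_rmm and child_rmm not in APPROVED_RMM:
            findings.append((host, "unapproved_rmm", f"{child_rmm} started by {parent}"))
        # Rule 2: one RMM launching a different RMM (the chaining the article describes).
        if child_rmm and parent_rmm and child_rmm != parent_rmm:
            findings.append((host, "rmm_chaining", f"{parent_rmm} launched {child_rmm}"))
        # Rule 3: a browser-password dumper spawned from an RMM session.
        if parent_rmm and any(t in image.lower() for t in CRED_TOOLS):
            findings.append((host, "cred_harvest_via_rmm", f"{image} spawned by {parent_rmm}"))
    return findings


# Constructed sample telemetry (not real logs), modelled on the chain the article describes.
SAMPLE_LOG = """\
2025-09-03T14:02:11Z|DISPATCH-07|outlook.exe|msiexec.exe|/i rate_confirmation.msi /qn
2025-09-03T14:02:15Z|DISPATCH-07|msiexec.exe|ScreenConnect.ClientService.exe|
2025-09-03T14:09:40Z|DISPATCH-07|ScreenConnect.ClientService.exe|SimpleHelp-Remote-Access.exe|
2025-09-03T14:11:02Z|DISPATCH-07|SimpleHelp-Remote-Access.exe|WebBrowserPassView.exe|/stext out.txt
2025-09-03T15:00:00Z|IT-ADMIN-01|services.exe|n-able-agent.exe|
"""

if __name__ == "__main__":
    for host, rule, detail in analyze(SAMPLE_LOG):
        print(f"{host}: {rule}: {detail}")
```

On the sample data the approved N-able agent on the admin host produces no finding, while the dispatcher workstation yields two unapproved installs, one chaining event and one credential-harvesting event.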

Industry groups such as the National Motor Freight Traffic Association have published cargo crime reduction frameworks that can help companies strengthen both physical and digital defenses. Given that the U.S. National Insurance Crime Bureau estimates cargo theft costs exceed $34 billion annually, the impact of these cyber-enabled thefts is significant.

Cyber-enabled cargo theft shows how the line between digital intrusion and real-world crime continues to blur. Threat actors are exploiting legitimate tools and the trust of logistics platforms to steal entire truckloads of merchandise. As RMM abuse continues to rise, companies in logistics, freight, and supply chain operations should review their security posture and implement strict control over remote access software to avoid becoming the next victim.

Sean Doyle

Sean is a distinguished tech author and entrepreneur with over 20 years of extensive experience in cybersecurity, privacy, malware, Google Analytics, online marketing, and various other tech domains. His expertise and contributions to the industry have been recognized in numerous esteemed publications. Sean is widely acclaimed for his sharp intellect and innovative insights, solidifying his reputation as a leading figure in the tech community. His work not only advances the field but also helps businesses and individuals navigate the complexities of the digital world.
