Cybercriminals are compromising trucking and logistics companies to steal physical cargo shipments worth billions. A threat cluster identified by Proofpoint has been active since June 2025, working with organized crime groups to hijack freight loads through elaborate digital attack chains that end in real-world theft.
The attackers exploit load board platforms, digital marketplaces where carriers bid on shipping jobs, to deliver remote monitoring and management tools that give them persistent access to trucking company systems. Once inside, they delete legitimate bookings, block dispatcher notifications and coordinate the transport of stolen goods under the compromised carrier’s identity.
Cargo theft losses in North America reached $6.6 billion in 2025, according to fleet management company Geotab, driven largely by these cyber-enabled operations. The figure represents a substantial increase from previous years and signals a fundamental shift in how organised theft groups operate.
Signed RMM Tools Flying Under the Radar
The attack begins with a compromised broker load board account used to post fake shipping jobs. When carriers respond, they receive emails containing malicious links that deliver legitimate but weaponised RMM tools including ScreenConnect, SimpleHelp, Pulseway, PDQ Connect and LogMeIn Resolve.
Proofpoint researchers observed nearly two dozen campaigns since August 2025 with message volumes ranging from fewer than 10 to over 1,000 per campaign. The criminals are opportunistic, targeting carriers of all sizes from small family businesses to large freight firms.
The use of RMM tools is deliberate. “Threat actors can create and distribute attacker-owned remote monitoring tools and because they are often used as legitimate pieces of software, end users might be less suspicious,” Proofpoint noted in its November 2025 report. Many of the deployed tools carry valid digital signatures, which lets them bypass security warnings and evade antivirus detection.
Once installed, the attackers deploy multiple RMM instances to ensure persistence even if one tool is detected. They then run PowerShell scripts to profile victims, collecting browser history and scanning for access to banking, logistics and accounting platforms.
Organised Crime Coordination at Scale
Proofpoint assesses with high confidence that the threat cluster is working alongside organised crime groups. The assessment rests on the sophisticated understanding of logistics workflows the attackers demonstrate and their ability to coordinate real-world cargo pickup and disposal.
“It has this sort of ripple effect across the entire ecosystem from the ships that deliver them to the ports, that get picked up by the truckers, that get sent to businesses and then ultimately onto consumers,” said Selena Larson, Proofpoint senior threat intelligence analyst.
The attackers focus primarily on high-value consumables including food products, beverages and electronics that can be quickly sold online or shipped overseas before companies notice the theft. They demonstrate detailed knowledge of load board operations, dispatch systems, and freight documentation requirements that suggests inside knowledge or extensive prior compromise of industry systems.
The scale suggests systematic exploitation rather than opportunistic crime. The threat cluster has maintained consistent operations for at least six months with evidence pointing to activity beginning as early as January 2025.
Block Unauthorised RMM Tools Now
Trucking companies should restrict installation of RMM tools to those explicitly approved by IT administrators. Any attempt to download or install unauthorised remote access software should be blocked or flagged for immediate review.
Network monitoring for unusual RMM connections can catch attacks in progress, particularly sessions initiated at odd hours or from rarely used tools. Security teams should implement detection rules for RMM server communication and review the Emerging Threats ruleset for cargo theft indicators.
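The checks described in the two paragraphs above, as an added example that is not from Proofpoint or the original article: it flags RMM tools outside an approved list, approved tools running at odd hours, and hosts carrying more than one RMM product. The approved list, business hours, host names and log lines are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# RMM products named in the article, matched by lowercase substring of the
# process image name (assumed naming; adapt to your own telemetry).
RMM_KEYWORDS = {
    "screenconnect": "ScreenConnect", "simplehelp": "SimpleHelp",
    "pulseway": "Pulseway", "pdq": "PDQ Connect", "logmein": "LogMeIn Resolve",
}
APPROVED = {"ScreenConnect"}    # assumption: the only tool IT has sanctioned
BUSINESS_HOURS = range(6, 20)   # assumption: 06:00-19:59 local time

# Constructed sample events: timestamp, host, process image name.
SAMPLE_EVENTS = """\
2025-11-03T10:15:00 DISPATCH-01 ScreenConnect.ClientService.exe
2025-11-04T02:41:00 DISPATCH-02 ScreenConnect.ClientService.exe
2025-11-04T14:05:00 DISPATCH-03 SimpleHelp-Remote-Access.exe
2025-11-04T14:09:00 DISPATCH-03 PDQConnectAgent.exe
2025-11-04T14:30:00 DISPATCH-03 chrome.exe
"""

def classify(image):
    """Return the RMM product an image name belongs to, or None."""
    name = image.lower()
    for key, product in RMM_KEYWORDS.items():
        if key in name:
            return product
    return None

def review(log_text):
    """Return (host, finding, detail) tuples for events that need review."""
    findings, tools_by_host = [], defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than guess at fields
        ts, host, image = parts
        product = classify(image)
        if product is None:
            continue
        tools_by_host[host].add(product)
        if product not in APPROVED:
            findings.append((host, "unapproved-rmm", product))
        elif datetime.fromisoformat(ts).hour not in BUSINESS_HOURS:
            findings.append((host, "off-hours-session", product))
    # Several RMM products on one host matches the persistence pattern above.
    for host, tools in sorted(tools_by_host.items()):
        if len(tools) > 1:
            findings.append((host, "multiple-rmm-tools", ", ".join(sorted(tools))))
    return findings

if __name__ == "__main__":
    for finding in review(SAMPLE_EVENTS):
        print(*finding, sep=" | ")
```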
The National Motor Freight Traffic Association has published a Cargo Crime Reduction Framework that addresses both cyber and physical security measures. Because these attacks cross domains (digital intrusion leading to physical theft), traditional cybersecurity controls need to be paired with enhanced verification procedures for load booking and dispatch operations.
Proofpoint warns that the lucrative nature of cargo theft means this threat will likely escalate. The $6.6 billion in annual losses provides substantial motivation for continued investment in these attack methods, and the relatively low barriers to entry in the logistics sector make it an attractive target for organized crime groups seeking digital enablers for traditional theft operations.
References
- Remote access, real cargo: cybercriminals targeting trucking and logistics
- Beyond the breach: inside a cargo theft actor’s post-compromise playbook
- Cargo thieving hackers running sophisticated remote access campaigns
- Cybercriminals Exploit RMM Tools to Infiltrate Shipping and Logistics Networks
- Cybercriminals exploit RMM tools to steal real-world cargo
April 20, 2026