CyberSecurity SEE

Freight Hacker Uses Code-Signing Service to Bypass Defenses

Prolific Threat Actor Focused on Using Malware to Facilitate Cargo Theft

By Mathew J. Schwartz
April 16, 2026

In the modern landscape of cybercrime, traditional methods of armed robbery are being supplanted by more sophisticated, digital tactics. Recent investigations reveal that cybercriminals are targeting transportation and logistics firms with increasing frequency, opting to exploit vulnerabilities in digital systems rather than relying on brute force. A recent report from cybersecurity firm Proofpoint highlights this shift, focusing on a prolific threat actor that has adopted stealthy malware techniques to facilitate cargo theft.

According to Proofpoint, many of the cyberattacks directed at logistics firms aim to deceive victims into unwittingly installing malware. This malware often includes remote management and monitoring tools (RMM), which grant the attackers remote access to the victim’s system. By obtaining credentials, cybercriminals can divert freight and execute cargo theft more efficiently. Proofpoint’s investigation sheds light on the evolving tactics employed by these threat actors, particularly how they circumvent traditional security protocols.

The firm’s researchers made significant discoveries while monitoring the behavior of a well-known threat actor. This group has recently implemented a cunning new tactic to infiltrate victims’ systems using RMM software. Their observations are rooted in research that first shed light on this tactic back in November 2025. The hackers’ modus operandi involves gaining illicit access to logistics operations, allowing them to bid on legitimate shipments, intercept cargo, and often resell stolen goods, frequently with the assistance of organized crime networks.

Remarkably, the findings emerged from a recent sample of malware that researchers detonated within a deception platform. This platform, powered by software from Deception Pro, simulates a realistic Active Directory environment. The threat actor, under the misapprehension that they were engaging a legitimate target, inadvertently allowed researchers to track their malicious tactics over a month-long period. During this time, the attacker persistently returned to the decoy system to trial various strategies, showcasing a high level of persistence and adaptability.

Among the revelations, researchers determined that the threat actor appeared to operate as a small collaborative unit, deploying a staggering 13 distinct PowerShell scripts. These scripts were designed to perform a range of malicious activities, including enumerating local accounts, extracting browsing histories, and exfiltrating valuable data to attacker-controlled bots operating on Telegram. Notably, the attackers demonstrated a keen interest in credentials associated with banking, payments, logistics, fleet services, and even accounting platforms—underscoring the financial motivations driving their activities.

The most alarming aspect of this cybercriminal campaign is the attacker’s method of manually executing their scripts rather than relying on automated processes after infecting a target endpoint. This hands-on approach highlights their expertise within the transportation sector, where they strategically search for valuable data rather than attempting to immediately steal logistics platform credentials. Their initial foray into the simulated environment involved probing for PayPal account information and bank details, indicating an opportunistic nature that is emblematic of modern cybercriminal behavior.

Proofpoint’s research traces the onset of this campaign back to February 27, when phishing emails containing a malicious Visual Basic Script (VBS) were disseminated to various firms within the logistics sector. If executed, this VBS would download a second-stage PowerShell payload and present a decoy broker-carrier agreement to mask its true intentions. The follow-up PowerShell script would build a download link for a Windows installer file associated with ScreenConnect, further highlighting the sophisticated nature of these cyberattacks.

Intriguingly, the report details how the threat actor used a code-signing service to evade detection: the ScreenConnect installers were re-signed with fraudulent certificates. Operating systems normally warn when software carries an invalid digital signature, but because the installers were fetched and launched by the script rather than downloaded and run by a user, many installations went unnoticed, sidestepping the checks that often catch malicious installations.

Throughout late 2024 and early 2025, ScreenConnect emerged as the favored remote administration tool among cybercriminals. This popularity led to the revocation of a signing certificate issued to ConnectWise, the developer of ScreenConnect, for violating trust standards. In response, ConnectWise made significant architecture changes and required customers running on-premises versions of the software to sign their own client installers. Consequently, any direct attempt by criminals to install unauthorized copies of ScreenConnect now faces heightened scrutiny from security software.
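As an added, defender-side example (not code from the article or from Proofpoint), the following PowerShell audit checks installers named for ScreenConnect for signatures that are invalid or that chain to a signer other than the expected vendor, the two conditions a re-signed installer produces; the scan paths and the expected-publisher pattern are assumptions to adjust for your environment.

```powershell
# Added example (not from the article or Proofpoint): audit ScreenConnect-style
# installers on a Windows host for signatures that are invalid or that chain to
# an unexpected publisher. Scan paths and the publisher pattern are assumptions.

param(
    [string[]] $ScanPaths = @("$env:USERPROFILE\Downloads", "$env:TEMP"),
    # Assumed: the legitimate vendor's certificate subject contains this organisation.
    [string]   $ExpectedPublisherPattern = 'O=ConnectWise'
)

function Test-InstallerSignature {
    param([Parameter(Mandatory)][string] $Path)

    $sig     = Get-AuthenticodeSignature -FilePath $Path
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
    $hash    = (Get-FileHash -Path $Path -Algorithm SHA256).Hash

    # A re-signed installer usually carries a Valid signature from the wrong
    # subject; an unsigned or tampered one carries a non-Valid status.
    $verdict =
        if ($sig.Status -ne 'Valid')                          { 'INVALID_SIGNATURE' }
        elseif ($subject -notmatch $ExpectedPublisherPattern) { 'UNEXPECTED_SIGNER' }
        else                                                  { 'OK' }

    [pscustomobject]@{
        Path    = $Path
        Status  = $sig.Status
        Subject = $subject
        Sha256  = $hash      # record the hash so a finding can be shared with IR
        Verdict = $verdict
    }
}

# Report only installers that fail either check.
Get-ChildItem -Path $ScanPaths -Recurse -File -Include *.msi, *.exe -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match 'ScreenConnect|ConnectWise' } |
    ForEach-Object { Test-InstallerSignature -Path $_.FullName } |
    Where-Object { $_.Verdict -ne 'OK' } |
    Format-Table -AutoSize
```

Because the page notes that these installers are fetched by a script rather than by a user, the same check is worth running from an endpoint agent or scheduled task against recently written files, not only on demand.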

Proofpoint’s analysis underscores the tenacity and innovation of this financially driven threat actor. The group has been active on a near-daily basis, a tempo that sets it apart from others operating on a less frequent schedule. Multiple threat groups are known to target logistics firms across North America and Europe, and cargo theft is estimated to cause global losses of around $35 billion annually.

While other groups appear scattered, the operations of this particular threat actor suggest an ongoing commitment to refining and executing effective cybercrime strategies. Security researchers are diligently tracking numerous threat groups targeting the logistics sector, primarily focusing on deploying RMM tools or employing phishing techniques to acquire valid login credentials. This evolving landscape of cybercrime reflects a growing need for enhanced cybersecurity measures to combat the imminent threat of organized cybercriminal enterprises aiming at valuable cargo shipments.
