Hackers are working with organized crime groups to target trucking and logistics companies with remote access tools to steal freight that ranges from electronics to energy drinks, and then sell it online or ship it overseas.
The bad actors running the complex operations have been active since at least June, though there is evidence that the two dozen or so campaigns began as early as January. They’re similar to other threat cluster activity Proofpoint threat researchers saw a year ago, though there isn’t enough evidence to suggest that the same threat actors were involved in both, they wrote in a report this week.
“Cargo theft is a profitable criminal enterprise, and based on Proofpoint data, cybercriminals are increasingly targeting surface transportation entities to steal real, physical goods,” the researchers wrote. “Based on the growth of this activity in email threat data between 2024 and 2025, Proofpoint assesses this threat will continue to increase.”
According to Proofpoint, the bad actors’ initial goal is to install RMM tools onto the systems of targeted companies. They use three tactics to do this. The first is using compromised accounts on load boards – online marketplaces where freight loads can be booked – to list fraudulent loads. When a carrier responds to the posted fake load, the hackers send them an email.
They also can inject malicious content and URLs via compromised email accounts into existing conversations or use direct email campaigns, particularly against larger organizations such as asset-based carriers, freight brokerage firms, and integrated supply chain providers.
The emails contain URLs that lead to an executable or MSI file that, if clicked, installs RMM software that allows the threat actors to gain full control of the compromised system, the researchers wrote, adding that “in some cases, the threat actor will create domains and landing pages that impersonate legitimate brands or generic transportation terms to further the believability of the social engineering.”
Proofpoint in the last two months has seen almost two dozen campaigns that range in size from fewer than 10 messages per campaign to more than 1,000 messages. More than 76% of the campaigns seen since August used SimpleHelp or N-able RMM tools, though other software used included ScreenConnect, PDQ Connect, Fleetdeck, and LogMeIn Resolve.
From there, the attackers use the compromised carrier accounts to bid on real freight shipments, and then steal and sell the loads.
“These RMMs [and remote access services, or RAS] are often used in tandem,” they wrote. “For example, PDQ Connect has been observed downloading and installing both ScreenConnect and SimpleHelp. Once initial access is established, the threat actor conducts system and network reconnaissance and deploys credential harvesting tools such as WebBrowserPassView. This activity indicates a broader effort to compromise accounts and deepen access within targeted environments.”
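The chain described above – an RMM installer launched from a mail client or browser download, one RMM tool pulling in another, then a credential-harvesting utility – is something a defender can hunt for in process-creation telemetry. The following is an added example, not code from the article or from Proofpoint; the log format, host names, process names and the "approved RMM" list are constructed assumptions and would need to be tuned to the real file names and sanctioned tooling in a given fleet.

```python
"""Flag suspicious RMM / credential-tool activity in process-creation logs.

Constructed example: the log line format, process names and approved list
below are assumptions for illustration, not any vendor's telemetry format.
"""
import re

# RMM / remote-access families named in the report, matched by keyword
# because installer and service file names vary by version and vendor.
RMM_KEYWORDS = ("simplehelp", "n-able", "screenconnect", "pdq", "fleetdeck", "logmein")
CRED_TOOLS = ("webbrowserpassview",)
# RMM sanctioned for this (hypothetical) fleet; anything else is unexpected.
APPROVED_RMM = {"n-able"}
# Parents that indicate a user-launched download: mail client, browser, MSI service.
DOWNLOAD_PARENTS = ("outlook.exe", "chrome.exe", "msedge.exe", "msiexec.exe")

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) parent=(?P<parent>\S+) image=(?P<image>\S+)$")

def rmm_family(name):
    """Return the RMM keyword found in a process name, or None."""
    low = name.lower()
    return next((k for k in RMM_KEYWORDS if k in low), None)

def analyze(lines):
    """Return (host, reason, image) findings for the three behaviours."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the constructed format
        host, parent, image = m["host"], m["parent"], m["image"]
        fam, parent_fam = rmm_family(image), rmm_family(parent)
        if any(t in image.lower() for t in CRED_TOOLS):
            findings.append((host, "credential-harvesting tool", image))
        elif fam and parent_fam and parent_fam != fam:
            findings.append((host, f"RMM chain {parent_fam}->{fam}", image))  # tandem install
        elif fam and fam not in APPROVED_RMM and parent.lower() in DOWNLOAD_PARENTS:
            findings.append((host, f"unapproved RMM {fam} from download", image))
    return findings

# Constructed sample telemetry: first three lines reproduce the reported chain,
# the last two are benign activity by the sanctioned RMM and must not fire.
SAMPLE_LOG = [
    "2025-10-01T09:00:01Z carrier-ws01 parent=outlook.exe image=SimpleHelp-setup.exe",
    "2025-10-01T09:05:12Z carrier-ws01 parent=PDQConnectAgent.exe image=ScreenConnect.ClientSetup.exe",
    "2025-10-01T09:07:40Z carrier-ws01 parent=cmd.exe image=WebBrowserPassView.exe",
    "2025-10-01T10:00:00Z dispatch-ws02 parent=services.exe image=N-able-Agent.exe",
    "2025-10-01T10:01:00Z dispatch-ws02 parent=chrome.exe image=N-able-Installer.exe",
]

if __name__ == "__main__":
    for host, reason, image in analyze(SAMPLE_LOG):
        print(f"{host}: {reason} ({image})")
```

The keyword matching is deliberately loose so it catches renamed installers; pair it with an allowlist of the RMM agents your organization actually deploys, since the report's point is that legitimate tools, not malware, are the access vector.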
In the earlier campaign that ran from 2024 to March, the researchers saw a threat actor targeting ground transportation companies by distributing such tools as DanaBot, NetSupport, Lumma Stealer, and StealC.
Cargo theft has been a problem for decades, leading to about $34 billion in losses every year, and grew 27% in 2024, according to the National Insurance Crime Bureau, with the United States joining other countries, including Brazil, Mexico, India, Germany, Chile, and South Africa, among the hotspots. Over the years, organized crime has been at the heart of the problem, but now cybercriminals are getting into it.
According to IMC Logistics, “the digitization of domestic and international supply chains has created new vulnerabilities and thus opportunities for OTGs [organized theft groups] to exploit gaps using sophisticated and ever-evolving cyber capabilities. These groups can steal freight remotely by exploiting the technology that has been embedded into supply chains to move cargo more efficiently.”
“Organized crime has evolved alongside digital transformation,” Keeper Security CISO Shane Barney said. “Criminal groups are now using legitimate remote access tools and trusted business systems to infiltrate logistics networks and move real cargo for profit. This is no longer just about stealing data. Attackers are also exploiting access to manipulate physical operations and inflict direct financial loss. The real risk sits in the connections between systems, partners and vendors that keep modern supply chains running.”
The Proofpoint researchers wrote that “public discussion and reporting on cyber-enabled cargo theft suggests the problem is widespread, impacting organizations nationwide, and only increasing in scope and spread.”