
Freight Industry Faces Surge in Cyber-Enabled Cargo Hijackings

The420 Correspondent

In a new wave of cyber-enabled heists, criminal networks are exploiting legitimate remote monitoring software to breach trucking and logistics companies — not to steal data, but to steal the cargo itself.

According to cybersecurity firm Proofpoint, the campaign has been active since June 2025 and involves threat actors collaborating with organized crime groups to infiltrate freight networks. Once inside, attackers exploit their access to bid on and reroute real shipments, often targeting high-demand goods such as food and beverages.

“The stolen cargo most likely is sold online or shipped overseas,” said researchers Ole Villadsen and Selena Larson in a report shared with The Hacker News. “Threat actors infiltrate companies and use their fraudulent access to bid on legitimate shipments to ultimately steal them.”

How Hackers Ride the Supply Chain

The attacks rely not on complex malware, but on manipulating trust and urgency within freight negotiations. Cybercriminals hijack compromised email accounts to post fraudulent freight listings on load boards, then send phishing emails containing malicious URLs to carriers who inquire about the shipments.

When opened, these links deploy legitimate remote monitoring and management (RMM) software such as ScreenConnect, SimpleHelp, PDQ Connect, Fleetdeck, N-able, and LogMeIn Resolve — tools normally used by IT teams for maintenance and troubleshooting.


Once installed, these programs grant attackers full remote control of the victim’s systems. In some cases, Proofpoint observed PDQ Connect dropping ScreenConnect and SimpleHelp together — layering access to ensure persistence.

With control secured, hackers conduct network reconnaissance, harvest credentials using tools like WebBrowserPassView, and even manipulate dispatch systems. In one case, an attacker deleted existing bookings, blocked notifications, and added their own device to a dispatcher’s phone extension — enabling them to book shipments under a compromised carrier’s name and orchestrate real-world thefts.

Blurring the Line Between Legitimate and Malicious

Since August 2025, Proofpoint has tracked over two dozen campaigns targeting transportation and freight entities of all sizes — from small family-owned firms to multinational logistics providers.

The strategy offers multiple advantages for cybercriminals: by leveraging legitimate RMM tools, they avoid developing custom malware, and because these applications are digitally signed and trusted, they often evade antivirus detection.

“It’s fairly easy for threat actors to create and distribute attacker-owned remote monitoring tools,” Proofpoint noted in an earlier analysis. “Since they are legitimate software, end users might be less suspicious of installing them compared to typical malware.”

This dual use — where trusted enterprise tools become instruments of theft — reflects a growing challenge for cybersecurity teams: detecting malicious intent behind software designed for help, not harm.
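The following added example, which is not part of the original article or of Proofpoint's report, shows one way a defender can surface this activity: it flags software-install records for the RMM products named above that are not on the organisation's allowlist, and escalates hosts where several different tools appear close together, as in the PDQ Connect case. The allowlist, the one-hour window and the sample records are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# RMM products named in the article.
RMM_PRODUCTS = ["ScreenConnect", "SimpleHelp", "PDQ Connect",
                "Fleetdeck", "N-able", "LogMeIn Resolve"]
APPROVED = {"N-able"}               # assumption: the only RMM tool IT has sanctioned
STACK_WINDOW = timedelta(hours=1)   # assumption: window that counts as layered installs

# Constructed software-install records: (host, ISO timestamp, product display name).
SAMPLE_EVENTS = [
    ("dispatch-01", "2025-09-02T14:03:11", "PDQ Connect Agent"),
    ("dispatch-01", "2025-09-02T14:09:40", "ScreenConnect Client"),
    ("dispatch-01", "2025-09-02T14:10:02", "SimpleHelp Remote Access"),
    ("acct-07", "2025-09-03T09:15:00", "N-able Agent"),
    ("yard-03", "2025-09-04T11:00:00", "Fleetdeck Agent"),
    ("yard-03", "2025-09-04T11:30:00", "7-Zip 24.08"),
]

def match_rmm(product_name):
    """Return the RMM product a display name refers to, or None."""
    lowered = product_name.lower()
    return next((r for r in RMM_PRODUCTS if r.lower() in lowered), None)

def find_rmm_alerts(events):
    """Group unapproved RMM installs per host; stacked tools raise severity."""
    per_host = defaultdict(list)
    for host, ts, product in events:
        rmm = match_rmm(product)
        if rmm and rmm not in APPROVED:
            per_host[host].append((datetime.fromisoformat(ts), rmm))
    alerts = []
    for host, hits in sorted(per_host.items()):
        hits.sort()
        # Two different tools installed within the window indicate layered access.
        stacked = any(
            b[1] != a[1] and b[0] - a[0] <= STACK_WINDOW
            for a, b in zip(hits, hits[1:])
        )
        alerts.append({
            "host": host,
            "tools": sorted({rmm for _, rmm in hits}),
            "severity": "high" if stacked else "medium",
        })
    return alerts

if __name__ == "__main__":
    for alert in find_rmm_alerts(SAMPLE_EVENTS):
        print(alert)
```

Because the tools are signed and legitimate, the signal here is policy (is this product sanctioned on this host?) rather than a malware verdict.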

A New Kind of Supply Chain Attack

These cyber-enabled freight heists mark a hybrid evolution in organized crime, where the digital and physical converge. Instead of holding networks ransom or stealing data for resale, attackers are now using access to commandeer tangible goods, from perishable items to consumer electronics.

Experts say such incidents underscore the urgent need for cross-sector security collaboration — linking cybersecurity teams, logistics firms, and law enforcement to identify and mitigate threats that bridge cyberspace and supply chains.

As one investigator put it, the frontier of cybercrime has moved “from ransomware to real roads.”
