Cybercriminals Exploit Transportation Networks to Hijack Shipments

Cybersecurity researchers from Proofpoint have uncovered a sophisticated campaign targeting the surface transportation and logistics sector, in which threat actors break into carrier systems, deploy remote monitoring and management (RMM) tools, and divert physical shipments for profit. The activity illustrates how cyber intrusions can now directly translate into real-world theft, bridging the gap between digital compromise and tangible criminal gain.
Attack Chain: From Fake Loads to Full System Takeover
The intrusion sequence begins when hackers compromise legitimate broker load board accounts — online marketplaces where trucking loads are booked. Using these hijacked accounts, attackers post fraudulent load offers designed to lure carriers into engagement.
When a carrier inquires about one of these fake loads, the attackers respond with emails containing malicious links, which install legitimate-looking remote monitoring and management (RMM) software. These tools — including Fleetdeck, LogMeIn Resolve, N-able, PDQ Connect, ScreenConnect, and SimpleHelp — provide the attackers with persistent, stealthy access to the victim’s network.
In some cases, the adversaries also inject malicious URLs into active email threads via compromised accounts, or conduct phishing campaigns targeting carriers, freight brokers, and integrated logistics providers.
Establishing Control and Hijacking Shipments
Once inside a system, the attackers perform network reconnaissance and deploy tools like WebBrowserPassView to harvest credentials. This access allows them to assume control of dispatch and scheduling systems, enabling them to:
- Book loads in the victim’s name
- Redirect valuable cargo
- Coordinate fake deliveries to their own operatives
Proofpoint’s investigation revealed that the primary objective is physical cargo theft, not digital extortion. The stolen shipments — which can include consumer goods, electronics, and beverages — are often resold online or smuggled overseas through organized criminal networks.
Broader Context and Impact
Cargo theft costs businesses over $30 billion annually worldwide. Proofpoint’s researchers assess with high confidence that these operations are being conducted in collaboration with organized crime groups, leveraging cyber intrusion as a modern extension of traditional theft.
The campaign’s infrastructure has been active since at least January 2025, demonstrating deep insider knowledge of logistics workflows, software, and policies within the global supply chain ecosystem.
A related wave of attacks observed between 2024 and March 2025 used information-stealing malware such as DanaBot, Lumma Stealer, NetSupport, and StealC to gain remote control and exfiltrate data — a tactic consistent with the current RMM-driven hijacking operations.
Lessons for the Industry
This campaign underscores the growing convergence between cybercrime and physical supply chain disruption. To mitigate these risks, transportation and logistics firms should:
- Verify all load board postings through secondary authentication.
- Disable or restrict RMM tools in production environments.
- Monitor for anomalous login or scheduling activity.
- Train staff to identify phishing attempts and impersonation tactics.
By combining digital hygiene with logistical vigilance, organizations can better defend against a new breed of cyber-enabled cargo theft.
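One way to act on the RMM and monitoring recommendations above, as an added example that is not from Proofpoint or the original post: a triage pass over process-creation events that flags the RMM products named in the article when they are not on an approved list, and escalates when WebBrowserPassView appears on the same host. The event format, host names, file names and allowlist are constructed assumptions, and substring matching on product names is a simplification.

```python
import csv
import io

# Product names come from the article; matching them as lowercase substrings of the
# image path is an assumption (real installer and binary names vary by version).
RMM_KEYWORDS = ("fleetdeck", "logmein", "n-able", "pdq connect", "pdqconnect",
                "screenconnect", "simplehelp")
CRED_TOOL_KEYWORDS = ("webbrowserpassview",)

# Hypothetical allowlist of (host, product keyword) pairs approved by IT.
APPROVED = {("DISPATCH-01", "screenconnect")}

# Constructed sample events (time, host, user, image path); not real indicators.
SAMPLE_EVENTS = r"""
2025-06-02T14:03:11,DISPATCH-01,svc_it,C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe
2025-06-02T14:20:45,DISPATCH-02,jdoe,C:\Users\jdoe\Downloads\SimpleHelp-setup.exe
2025-06-02T15:02:09,DISPATCH-02,jdoe,C:\Users\jdoe\AppData\Local\Temp\WebBrowserPassView.exe
2025-06-02T15:10:30,ACCT-07,asmith,C:\Program Files\Mozilla Firefox\firefox.exe
2025-06-02T16:41:00,ACCT-07,asmith,C:\Users\asmith\Downloads\rate_confirmation_PDQConnectAgent.msi
""".strip()


def triage(events_text, approved=APPROVED):
    """Return {host: (severity, [unapproved RMM keywords])} for hosts needing attention."""
    unapproved_rmm, cred_tool_hosts = {}, set()
    for row in csv.reader(io.StringIO(events_text)):
        if len(row) != 4:
            continue  # skip blank or malformed lines
        _ts, host, _user, image = row
        path = image.lower()
        for kw in RMM_KEYWORDS:
            if kw in path and (host, kw) not in approved:
                unapproved_rmm.setdefault(host, set()).add(kw)
        if any(kw in path for kw in CRED_TOOL_KEYWORDS):
            cred_tool_hosts.add(host)

    findings = {}
    for host in unapproved_rmm.keys() | cred_tool_hosts:
        if host in unapproved_rmm and host in cred_tool_hosts:
            severity = "critical"  # unapproved RMM plus credential harvesting: the described chain
        elif host in cred_tool_hosts:
            severity = "high"
        else:
            severity = "review"    # unapproved RMM alone: confirm with the user and IT
        findings[host] = (severity, sorted(unapproved_rmm.get(host, ())))
    return findings


if __name__ == "__main__":
    for host, (severity, tools) in sorted(triage(SAMPLE_EVENTS).items()):
        print(f"{host}: {severity} {tools}")
```

The allowlist is keyed per host so that an RMM product approved on one machine still raises a finding when it shows up on another.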

