

Cargo Freight Cyber Heists: Hackers Exploit ScreenConnect and SimpleHelp RMM Tools to Hijack Logistics Shipments

  • Rescana
  • 4 minutes ago
  • 5 min read

Executive Summary

A wave of cyberattacks is targeting the global logistics and freight sector: threat actors are weaponizing legitimate Remote Monitoring and Management (RMM) tools to hijack cargo freight operations. The activity, first observed in mid-2025 and documented by Proofpoint (and subsequently covered by The Hacker News and BleepingComputer), exploits both unpatched RMM vulnerabilities and the trusted status of RMM software itself to gain persistent, low-noise access to freight management systems. Phishing, credential theft and lateral movement are combined to manipulate cargo bookings, disrupt dispatch operations and ultimately arrange the theft and illicit resale of high-value shipments. The campaign is a clear case of cyber and physical crime converging, with significant financial and operational impact for logistics providers worldwide.

Threat Actor Profile

The adversaries are organized, financially motivated cybercriminal groups, in a number of cases working with traditional organized-crime networks that take delivery of and resell the stolen cargo. Their targeting is opportunistic but deliberate, focused on sectors where a digital compromise translates directly into a physical payoff, and they show detailed knowledge of logistics workflows. They rely on the trust placed in RMM tools such as ScreenConnect (ConnectWise Control), SimpleHelp, PDQ Connect, Fleetdeck, N-able and LogMeIn Resolve. No single named group has been definitively attributed, but the tactics, techniques and procedures (TTPs) resemble those of groups that deliver commodity malware such as Lumma Stealer, StealC and NetSupport RAT. Activity is global, concentrated in North America, with confirmed incidents in Brazil, Mexico, India, Germany, Chile and South Africa.

Technical Analysis of Malware/TTPs

The attack chain typically begins with spear-phishing emails or hijacked email threads aimed at asset-based carriers, freight brokers and supply chain providers. The messages carry malicious URLs or attachments, typically MSI installers or executables, which when run install a legitimate RMM client; because the payload is the vendor's own installer rather than custom malware, it tends to pass reputation-based controls. The tools most often abused are ScreenConnect (ConnectWise Control), SimpleHelp, PDQ Connect, Fleetdeck, N-able and LogMeIn Resolve. In some cases several are chained, for example PDQ Connect used to push ScreenConnect and SimpleHelp, so that losing one foothold does not cost the attacker access.

Once an RMM foothold exists, the attackers run system and network reconnaissance, deploy credential-harvesting utilities such as WebBrowserPassView, and use the recovered credentials to move laterally. Persistence rests on valid accounts and remote services, so the activity blends in with legitimate IT administration. Inside the freight management systems they delete legitimate bookings, block dispatcher notifications and add their own devices to dispatcher phone extensions, which lets them book loads under the compromised carrier's identity and direct the physical pickup of the cargo, which is then resold or shipped overseas.

Two sets of vulnerabilities have been exploited in this campaign: SimpleHelp CVE-2024-57726, CVE-2024-57727 and CVE-2024-57728 (fixed in 5.5.8, 5.4.10 and 5.3.9 for the respective release lines; everything older is affected) and ScreenConnect (ConnectWise Control) CVE-2024-1708 and CVE-2024-1709 (fixed in 23.9.8). Patching alone does not close the door, however: an attacker who tricks a user into running a current, signed RMM installer gets a client that reports to the attacker's own server, and its patch level is irrelevant. Knowing which RMM products are installed on each endpoint, and which servers they are configured to talk to, therefore matters as much as the version.

The TTPs map to the following MITRE ATT&CK techniques: Initial Access via Phishing (T1566.001 spearphishing attachment, T1566.002 spearphishing link) and Valid Accounts (T1078, the compromised load board accounts); Execution via User Execution (T1204) and Command and Scripting Interpreter (T1059); Persistence via Valid Accounts (T1078), Remote Services (T1021) and Remote Access Software (T1219, the RMM tools themselves); Credential Access via OS Credential Dumping (T1003) and Credentials from Web Browsers (T1555.003, which is what WebBrowserPassView collects); Lateral Movement via Remote Services (T1021); and Impact via Data Manipulation (T1565, the deleted bookings and suppressed dispatcher notifications).

Exploitation in the Wild

Since August 2025, nearly two dozen distinct campaigns have been observed against transportation firms large and small. The attackers are opportunistic, using data from earlier breaches to identify and prioritize high-value loads. The campaign is ongoing, with confirmed incidents resulting in the theft of food, beverage and electronics shipments as well as significant supply chain disruption and financial loss. The actors adapt quickly, rotating phishing lures and RMM payloads and exploiting both technical and procedural weaknesses in freight operations.

Notably, the attackers have exploited vulnerabilities in SimpleHelp and ScreenConnect (ConnectWise Control), but they have also succeeded in environments running only legitimate, fully patched RMM software: an up-to-date RMM client installed by the attacker is just as effective as an exploited one. The campaign has not been attributed to a specific group, but the operational sophistication and the blending of cyber and physical tactics indicate a high degree of coordination and criminal expertise.

Victimology and Targeting

The primary victims are organizations in the logistics, freight, transportation, and supply chain sectors, including asset-based carriers, freight brokers, and integrated supply chain providers. The attackers target both large enterprises and smaller firms, exploiting the interconnected nature of the logistics ecosystem. Geographically, the majority of incidents have been reported in North America (USA and Canada), but activity has also been confirmed in Brazil, Mexico, India, Germany, Chile, and South Africa.

A recurring initial-access path starts with a compromised load board account: the attackers post fraudulent freight listings and then send the carriers who respond a malicious link or attachment that installs the RMM tool. Once inside a carrier's network they concentrate on the booking and dispatch systems in order to divert high-value cargo. Targeting is selective, favouring shipments that can be resold or exported quickly, such as food, beverages and electronics.

Mitigation and Countermeasures

To defend against this threat, audit every endpoint for installations of ScreenConnect (ConnectWise Control), SimpleHelp, PDQ Connect, Fleetdeck, N-able and LogMeIn Resolve, and treat any instance not explicitly approved by IT as an incident to investigate, not merely software to uninstall. For approved products, record the relay or server each client is configured to contact and alert when a client points anywhere else; this is what distinguishes your own deployment from an attacker-installed copy of the same tool. Upgrade SimpleHelp to 5.5.8, 5.4.10 or 5.3.9 (or later within each release line) and ScreenConnect (ConnectWise Control) to 23.9.8 or later, and consider blocking installer downloads and relay traffic at the egress for RMM products you do not use.
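The audit described above, and the point made earlier that a fully patched RMM client installed by the attacker is still a compromise, can be turned into a simple triage over an endpoint service inventory. The following is an added example written for this page, not code from Rescana, Proofpoint or any RMM vendor. It assumes inventory records of the shape an endpoint agent or a Win32_Service export provides (host, service name, product version, image path), a hypothetical policy in which ScreenConnect is approved only when it talks to the relay control.corp.example, and that the ScreenConnect client service command line carries its relay host in an h= query parameter; the sample hosts, relays and paths are constructed.

```python
"""Triage a service inventory for RMM tools (added example, not vendor code).

Three conditions are flagged:
  1. an RMM product present that IT has not approved at all;
  2. an approved RMM product whose client is pointed at a relay/server that
     is not ours (an attacker-installed copy of a trusted, patched tool);
  3. an approved product below the vendor fix for the cited CVEs
     (SimpleHelp 5.3.9 / 5.4.10 / 5.5.8, ScreenConnect 23.9.8).
"""
import re
from urllib.parse import parse_qs

# Loose substring patterns for the tools named in the article; exact service
# names vary by version and package, so review hits rather than trusting them.
RMM_PATTERNS = {
    "ScreenConnect": re.compile(r"screenconnect", re.I),
    "SimpleHelp": re.compile(r"simplehelp", re.I),
    "PDQ Connect": re.compile(r"pdq\s*connect", re.I),
    "Fleetdeck": re.compile(r"fleetdeck", re.I),
    "N-able": re.compile(r"\bn-?able\b", re.I),
    "LogMeIn Resolve": re.compile(r"logmein", re.I),
}

# Policy (assumption for this example): ScreenConnect is approved only when the
# client talks to our relay; SimpleHelp is approved but its server address is
# not in the service path, so no relay check is done for it (None).
APPROVED_RELAYS = {"ScreenConnect": {"control.corp.example"}, "SimpleHelp": None}

# First fixed SimpleHelp version per release line (CVE-2024-57726/7/8) and the
# first fixed ScreenConnect version (CVE-2024-1708 / CVE-2024-1709).
SIMPLEHELP_FIXED = {(5, 3): (5, 3, 9), (5, 4): (5, 4, 10), (5, 5): (5, 5, 8)}
SCREENCONNECT_FIXED = (23, 9, 8)


def parse_version(text):
    """'23.9.7.8804' -> (23, 9, 7, 8804); tuples compare the way versions do."""
    return tuple(int(x) for x in re.findall(r"\d+", text))


def is_vulnerable(product, version):
    v = parse_version(version)
    if not v:
        return False
    if product == "ScreenConnect":
        return v < SCREENCONNECT_FIXED
    if product == "SimpleHelp":
        branch = v[:2]
        if branch in SIMPLEHELP_FIXED:
            return v < SIMPLEHELP_FIXED[branch]
        # Lines older than 5.3 received no fix; lines newer than 5.5 ship fixed.
        return branch < (5, 3)
    return False


def relay_host(product, image_path):
    """Relay host the client is configured for, where recoverable from the path.

    Assumption: the ScreenConnect client service command line carries its
    connection parameters as a query string ("?e=Access&y=Guest&h=<relay>&p=...").
    Other products keep the address in config files, which is not handled here.
    """
    if product != "ScreenConnect":
        return None
    m = re.search(r'\?(e=[^"\s]*)', image_path)
    if not m:
        return None
    return parse_qs(m.group(1)).get("h", [None])[0]


def triage(inventory, approved_relays):
    findings = []
    for rec in inventory:
        haystack = rec["name"] + " " + rec.get("image_path", "")
        product = next((p for p, rx in RMM_PATTERNS.items() if rx.search(haystack)), None)
        if product is None:
            continue
        if product not in approved_relays:
            findings.append((rec["host"], product, "unapproved RMM product installed"))
            continue
        relays = approved_relays[product]
        if relays is not None:
            host = relay_host(product, rec.get("image_path", ""))
            if host not in relays:
                findings.append((rec["host"], product, f"client points at non-approved relay {host}"))
        if is_vulnerable(product, rec.get("version", "")):
            findings.append((rec["host"], product, f"version {rec['version']} below vendor fix"))
    return findings


# Constructed sample inventory: hosts, relays, GUIDs and paths are made up.
SC_EXE = '"C:\\Program Files (x86)\\ScreenConnect Client ({0})\\ScreenConnect.ClientService.exe"'
SAMPLE_INVENTORY = [
    {"host": "DISPATCH-01", "name": "ScreenConnect Client (7f3c2a9d1b8e4c6a)", "version": "24.2.5.9000",
     "image_path": SC_EXE.format("7f3c2a9d1b8e4c6a") + ' "?e=Access&y=Guest&h=control.corp.example&p=8041&s=00000000-0000-0000-0000-000000000001&k=PLACEHOLDER"'},
    {"host": "BROKER-07", "name": "ScreenConnect Client (0a1b2c3d4e5f6a7b)", "version": "23.9.7.8804",
     "image_path": SC_EXE.format("0a1b2c3d4e5f6a7b") + ' "?e=Access&y=Guest&h=relay.attacker-example.net&p=8041&s=00000000-0000-0000-0000-000000000002&k=PLACEHOLDER"'},
    {"host": "BROKER-07", "name": "SimpleHelp Remote Access Service", "version": "5.4.9",
     "image_path": '"C:\\Program Files\\SimpleHelp\\Remote Access.exe"'},
    {"host": "DISPATCH-03", "name": "PDQ Connect Agent", "version": "1.0.0",
     "image_path": '"C:\\Program Files\\PDQ\\pdq-connect-agent.exe"'},
    {"host": "DISPATCH-01", "name": "Print Spooler", "version": "",
     "image_path": "C:\\Windows\\System32\\spoolsv.exe"},
]

if __name__ == "__main__":
    for host, product, why in triage(SAMPLE_INVENTORY, APPROVED_RELAYS):
        print(f"{host}: {product}: {why}")
```

Run against the constructed inventory, the script reports nothing for the ScreenConnect client on DISPATCH-01 (our relay, fixed version), and four findings on the other hosts: a ScreenConnect client on BROKER-07 pointed at a foreign relay and also below 23.9.8, a SimpleHelp 5.4.9 install below 5.4.10, and an unapproved PDQ Connect agent. The relay finding is the one that would survive a fully patched environment, which is why it is checked independently of the version.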

Credential hygiene is critical: rotate credentials for load board and dispatcher accounts after any suspicious activity, enforce unique passwords and multi-factor authentication wherever the platform supports it, and monitor load board accounts for unusual postings or logins from unfamiliar IP addresses. On the email side, quarantine messages carrying MSI or executable attachments, or links to them, especially those referencing urgent freight opportunities; filter on file content rather than extension alone, since a renamed installer or one wrapped in an archive defeats an extension check.
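The content-based check recommended above, as an added example written for this page rather than code from Rescana or any mail security product: it classifies attachments by their leading bytes (the MZ header of a PE executable, the OLE compound-file header shared by MSI installers and legacy Office binaries) and looks one level into zip archives, reading only the first bytes of each member so a large or hostile archive is never fully decompressed. The file names and payloads are constructed.

```python
"""Content-based screening of e-mail attachments (added example).

Extension filters alone miss the payloads described in the article: a PE or
MSI renamed to .pdf, or wrapped in a zip. This classifies by file header and
peeks one level into zip archives without reading whole members.
"""
import io
import zipfile

PE_MAGIC = b"MZ"                                   # .exe / .dll / .scr
OLE_CFB_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # MSI, also legacy .doc/.xls
ZIP_MAGIC = b"PK\x03\x04"


def classify_blob(head):
    """Coarse type for the first bytes of a file, or None if it looks benign."""
    if head.startswith(PE_MAGIC):
        return "pe-executable"
    if head.startswith(OLE_CFB_MAGIC):
        # OLE compound file: MSI shares this header with legacy Office formats,
        # so this means "needs a closer look", not "confirmed installer".
        return "ole-compound"
    return None


def suspicious_attachments(attachments):
    """attachments: iterable of (filename, bytes). Returns list of (filename, reason)."""
    hits = []
    for name, data in attachments:
        ext = name.rsplit(".", 1)[-1] if "." in name else ""
        kind = classify_blob(data[:8])
        if kind:
            hits.append((name, f"{kind} content (extension says {ext})"))
            continue
        if data.startswith(ZIP_MAGIC):
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.flag_bits & 0x1:
                        # Encrypted member: cannot inspect, which is itself a signal.
                        hits.append((name, f"encrypted archive member {info.filename} (cannot inspect)"))
                        continue
                    with zf.open(info) as fh:
                        inner = classify_blob(fh.read(8))  # header only, never the full member
                    if inner:
                        hits.append((name, f"{inner} content in archive member {info.filename}"))
    return hits


def _zip_with(member_name, payload):
    """Build an in-memory zip holding one member (for the constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()


# Constructed sample attachments; none of these bytes come from a real message.
SAMPLE_ATTACHMENTS = [
    ("bill_of_lading.pdf", b"%PDF-1.7\n% constructed benign sample"),
    ("load_offer.pdf", PE_MAGIC + b"\x90\x00" * 30),                    # PE renamed to .pdf
    ("load_2291.zip", _zip_with("setup.msi", OLE_CFB_MAGIC + b"\x00" * 64)),
    ("carrier_packet.txt", b"plain text, nothing to see"),
]

if __name__ == "__main__":
    for name, reason in suspicious_attachments(SAMPLE_ATTACHMENTS):
        print(f"{name}: {reason}")
```

On the constructed sample this flags the renamed executable and the MSI inside the archive while passing the PDF and the text file. A production filter would add the other archive formats attackers use and hand OLE hits to a parser that can tell an MSI from an old Word document, but the principle is the same: decide on bytes, not on names.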

If unauthorized RMM activity is detected, isolate the affected systems immediately, preserve the RMM client's configuration and session logs before removing it, and review booking and dispatch records for deleted loads, suppressed notifications and unfamiliar phone extensions. Incident response plans should cover the abuse of legitimate IT tools explicitly, and dispatch and brokerage staff should be trained on the phishing and social engineering lures used in these campaigns.


About Rescana

Rescana is a leader in third-party risk management (TPRM), providing organizations with a comprehensive platform to assess, monitor, and mitigate cyber risks across their supply chain. Our advanced threat intelligence and automation capabilities empower security teams to proactively identify vulnerabilities, respond to emerging threats, and ensure the resilience of critical business operations. For more information about how Rescana can help secure your organization, we are happy to answer questions at ops@rescana.com.
