
Remote Monitoring and Management (RMM) Tools Exploited in Logistics and Freight Cyberattacks – Rescana Threat Intelligence Report

Rescana

Executive Summary

Cybercriminals are increasingly exploiting legitimate Remote Monitoring and Management (RMM) tools to infiltrate logistics and freight networks, resulting in a surge of sophisticated attacks targeting the global supply chain. Since mid-2025, threat actors have orchestrated highly organized campaigns, often in collaboration with traditional organized crime groups, to gain unauthorized access to trucking carriers, freight brokers, and logistics companies. By abusing trusted RMM platforms such as ScreenConnect (ConnectWise), SimpleHelp, PDQ Connect, Fleetdeck, N-able, and LogMeIn Resolve, attackers are able to bypass conventional security controls, manipulate shipment bookings, reroute valuable cargo, and facilitate large-scale theft. The financial and operational impact of these attacks is severe, with organizations reporting significant losses and widespread supply chain disruptions. This advisory provides a comprehensive technical analysis of the attack vectors, threat actor profiles, exploitation tactics, and actionable mitigation strategies to help organizations defend against this rapidly evolving threat.

Threat Actor Profile

The primary threat actors behind these campaigns are financially motivated cybercriminal groups with demonstrated expertise in both cyber and physical logistics crime. These groups often operate in tandem with traditional organized crime syndicates, leveraging their knowledge of the freight industry to maximize the impact of their operations. Notable clusters include TA583 (specializing in ScreenConnect campaigns), TA2725 (active in Mexico), and other regionally focused actors such as ZPHP and UAC-0050 (associated with NetSupport abuse), as well as a French-speaking cluster utilizing Bluetrait and Fleetdeck. While no specific nation-state Advanced Persistent Threat (APT) attribution has been made, the campaigns exhibit a high degree of organization, operational security, and adaptability. The attackers demonstrate a deep understanding of logistics workflows, often targeting load boards, dispatch systems, and communication channels to maximize disruption and facilitate physical cargo theft.

Technical Analysis of Malware/TTPs

The attack chain typically begins with the compromise of broker load board accounts, which are online marketplaces used for booking truck loads. Attackers employ advanced social engineering tactics, including phishing emails and hijacked email threads, to deliver malicious URLs to logistics staff. These URLs lead to the download of RMM installers, most commonly in .exe or .msi format. The abused RMM tools—ScreenConnect (ConnectWise), SimpleHelp, PDQ Connect, Fleetdeck, N-able, LogMeIn Resolve, and occasionally NetSupport Manager, Bluetrait, TeamViewer, Atera, and UltraVNC—are installed under the guise of legitimate business operations.

Once installed, these tools provide attackers with persistent, stealthy remote access to victim systems. Post-exploitation activities include system and network reconnaissance, deployment of credential stealers such as WebBrowserPassView, and lateral movement within the network. Attackers manipulate dispatch systems by deleting legitimate bookings, blocking dispatcher notifications, and adding attacker-controlled devices to phone extensions. This enables them to bid on and reroute high-value shipments, often resulting in the physical theft of cargo. In some cases, multiple RMM tools are installed in tandem to ensure redundancy and maintain access even if one tool is detected and removed.

The attackers utilize a range of command and control (C2) infrastructure, including domains such as carrier-packets[.]net, confirmation-rate[.]com, rateconfirm[.]net, and fleetcarrier[.]net, as well as dynamic DNS services and dedicated C2 IP addresses. Malicious file hashes associated with these campaigns include 70983c62244c235d766cc9ac1641e3fb631744bc68307734631af8d766f25acf (LogMeIn), 4e6f65d47a4d7a7a03125322e3cddeeb3165dd872daf55cd078ee2204336789c (N-able), and cf0cee4a57aaf725341d760883d5dfb71bb83d1b3a283b54161403099b8676ec (ScreenConnect).

The tactics, techniques, and procedures (TTPs) observed align with the following MITRE ATT&CK techniques: Phishing (T1566), Valid Accounts (T1078), User Execution (T1204), Signed Binary Proxy Execution (T1218), Remote Access Software (T1219), Credential Dumping (T1003), Input Capture (T1056), Application Layer Protocol (T1071), Web Service (T1102), Data Manipulation (T1565), and Inhibit System Recovery (T1490).

Exploitation in the Wild

Since August 2025, security researchers at Proofpoint have documented nearly two dozen distinct campaigns targeting logistics and freight organizations, with individual attack volumes ranging from fewer than ten to over one thousand messages per campaign. Real-world incidents reported on platforms like Reddit and industry forums confirm that attackers are successfully deleting legitimate bookings, blocking dispatcher notifications, and rerouting cargo to attacker-controlled destinations. In one notable case, a Reddit user described how attackers used a "carrier broker agreement" lure link (hxxp://nextgen1[.]net/carrier.broker.agreement[.]html) to deliver ScreenConnect, subsequently manipulating dispatch systems and facilitating cargo theft.

The campaigns are global in scope, with primary targets in North America (especially the United States), but with significant activity also observed in Brazil, Mexico, India, Germany, Chile, and South Africa. Commodities targeted include food and beverage, electronics, energy drinks, and other high-value goods. Attackers often delete evidence and block legitimate notifications to cover their tracks, making incident response and recovery particularly challenging.

Victimology and Targeting

The primary victims are organizations operating in the trucking, freight, logistics, and broader supply chain sectors. Both small businesses and large enterprises are at risk, with attackers showing no preference for company size. The attack methodology is opportunistic, exploiting the widespread use of RMM tools and the inherent trust placed in these platforms by IT and operations staff. Attackers specifically target individuals involved in dispatch, load board management, and shipment negotiations, leveraging their access to critical systems to maximize the impact of the intrusion.

Geographically, the campaigns are most prevalent in the United States, but significant incidents have been reported in Latin America, Europe, and Asia. The attackers demonstrate a nuanced understanding of regional logistics practices, adapting their social engineering lures and payload delivery methods to local languages and business processes. High-value shipments, particularly those involving electronics, food and beverage, and energy drinks, are disproportionately targeted due to their resale value and ease of liquidation.

Mitigation and Countermeasures

To defend against these sophisticated RMM abuse campaigns, organizations should implement a multi-layered security strategy. Restrict the installation and use of RMM tools to only those explicitly approved by IT administrators, and maintain an up-to-date inventory of all remote access software deployed within the environment. Deploy advanced network and endpoint detection solutions capable of identifying RMM-related activity, for example using IDS/IPS signatures such as 2837962 (ScreenConnect connection attempt), 2050021 (DNS query to known ScreenConnect/ConnectWise domain), 2054938 (PDQ Remote Management agent check-in), 2065069 (DNS lookup for n-able.com), 2049863 (SimpleHelp remote access activity), 2047669 (Fleetdeck domain activity), and 2061989 (DNS query to gotoresolve.com).

Block the download and execution of executable and MSI files from external email sources, and monitor for suspicious domain access and DNS queries to known malicious infrastructure, including the payload staging and C2 domains listed above. Conduct regular security awareness training for staff in logistics and dispatch roles, emphasizing the specific social engineering tactics used in these campaigns, such as fraudulent load postings and phishing emails related to shipment negotiations.

Establish robust incident response procedures to rapidly detect, contain, and remediate RMM-based intrusions. This includes isolating affected systems, revoking compromised credentials, and conducting thorough forensic analysis to identify and eradicate all attacker footholds. Collaborate with industry peers, law enforcement, and threat intelligence providers to share indicators of compromise and stay informed about emerging threats.
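The inventory, allowlist and indicator-monitoring controls above can be tied together in a small detection pass over endpoint and DNS telemetry. The following Python script is an added example, not Rescana's code or any vendor's product: it refangs the C2 domains and file hashes quoted in this report, matches process-start events against an approved-RMM inventory, and flags hosts running more than one RMM agent (the redundancy pattern described in the technical analysis). The log format, host names, the approved-inventory table and the executable-name substrings used to recognise each RMM product are assumptions constructed for illustration.

```python
import re
from collections import defaultdict


def refang(ioc: str) -> str:
    """Turn a defanged indicator (as printed in reports) back into a matchable value."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


# Indicators copied from the report body (defanged there; refanged here for matching).
C2_DOMAINS = {
    refang(d) for d in (
        "carrier-packets[.]net",
        "confirmation-rate[.]com",
        "rateconfirm[.]net",
        "fleetcarrier[.]net",
    )
}
KNOWN_BAD_SHA256 = {
    "70983c62244c235d766cc9ac1641e3fb631744bc68307734631af8d766f25acf": "LogMeIn",
    "4e6f65d47a4d7a7a03125322e3cddeeb3165dd872daf55cd078ee2204336789c": "N-able",
    "cf0cee4a57aaf725341d760883d5dfb71bb83d1b3a283b54161403099b8676ec": "ScreenConnect",
}

# Process-image substrings for the RMM products named in the report.
# These substrings are illustrative assumptions, not vendor-documented file names.
RMM_PATTERNS = {
    "ScreenConnect": re.compile(r"screenconnect", re.I),
    "SimpleHelp": re.compile(r"simplehelp", re.I),
    "PDQ Connect": re.compile(r"pdq", re.I),
    "Fleetdeck": re.compile(r"fleetdeck", re.I),
    "N-able": re.compile(r"n-able", re.I),
    "LogMeIn Resolve": re.compile(r"logmein|gotoresolve", re.I),
    "NetSupport Manager": re.compile(r"netsupport", re.I),
    "Atera": re.compile(r"atera", re.I),
    "TeamViewer": re.compile(r"teamviewer", re.I),
    "UltraVNC": re.compile(r"ultravnc", re.I),
}

# Constructed approved-RMM inventory: tool -> hosts where IT has sanctioned it.
APPROVED_RMM = {"ScreenConnect": {"it-admin-01"}}

# Constructed sample telemetry, one event per line:
#   <timestamp>|<host>|<event>|<detail>[|sha256=<hash>]
SAMPLE_LOG = r"""
2025-09-12T10:01:00Z|disp-pc-07|process|C:\Users\ana\Downloads\ScreenConnect.ClientSetup.msi|sha256=cf0cee4a57aaf725341d760883d5dfb71bb83d1b3a283b54161403099b8676ec
2025-09-12T10:01:05Z|disp-pc-07|dns|carrier-packets.net
2025-09-12T10:03:00Z|disp-pc-07|process|C:\Program Files\SimpleHelp\Remote Access.exe|sha256=0000000000000000000000000000000000000000000000000000000000000001
2025-09-12T11:00:00Z|it-admin-01|process|C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe|sha256=0000000000000000000000000000000000000000000000000000000000000002
2025-09-12T11:00:01Z|it-admin-01|dns|updates.example.com
"""


def parse_event(line: str) -> dict:
    """Split one pipe-delimited telemetry line into a record; extra key=value fields are lowercased."""
    parts = line.split("|")
    rec = {"ts": parts[0], "host": parts[1], "event": parts[2], "detail": parts[3]}
    for extra in parts[4:]:
        key, _, value = extra.partition("=")
        rec[key] = value.lower()
    return rec


def identify_rmm(image_path: str):
    """Return the RMM product a process image appears to belong to, or None."""
    for tool, pattern in RMM_PATTERNS.items():
        if pattern.search(image_path):
            return tool
    return None


def scan(log_text: str, approved: dict) -> list:
    """Return (host, rule, detail) alerts for C2 DNS lookups, known-bad installer
    hashes, RMM agents outside the approved inventory, and hosts with several RMM agents."""
    alerts = []
    tools_per_host = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_event(line)
        host = rec["host"]
        if rec["event"] == "dns":
            domain = rec["detail"].lower().rstrip(".")
            if domain in C2_DOMAINS:
                alerts.append((host, "c2_domain", domain))
        elif rec["event"] == "process":
            sha = rec.get("sha256")
            if sha in KNOWN_BAD_SHA256:
                alerts.append((host, "known_bad_hash", KNOWN_BAD_SHA256[sha]))
            tool = identify_rmm(rec["detail"])
            if tool:
                tools_per_host[host].add(tool)
                if host not in approved.get(tool, set()):
                    alerts.append((host, "unapproved_rmm", tool))
    # Redundant access: more than one RMM product seen on the same host.
    for host, tools in tools_per_host.items():
        if len(tools) > 1:
            alerts.append((host, "multiple_rmm", ",".join(sorted(tools))))
    return alerts


if __name__ == "__main__":
    for host, rule, detail in scan(SAMPLE_LOG, APPROVED_RMM):
        print(f"{host:12} {rule:16} {detail}")
```

Run against the constructed log, the dispatcher workstation produces four findings (a known-bad ScreenConnect installer hash, an unapproved ScreenConnect agent, a lookup of carrier-packets.net, and an unapproved SimpleHelp agent) plus a multiple-RMM alert, while the IT host running its sanctioned ScreenConnect client produces none. In production the sample string would be replaced by a feed from the EDR or DNS logging pipeline, and the allowlist by the maintained inventory the mitigation section calls for.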


About Rescana

Rescana is a leader in third-party risk management (TPRM), providing organizations with a comprehensive platform to assess, monitor, and mitigate cyber risks across their extended supply chain. Our advanced threat intelligence and automation capabilities empower security teams to proactively identify vulnerabilities, respond to emerging threats, and ensure the resilience of critical business operations. For more information about how Rescana can help safeguard your organization, we are happy to answer questions at ops@rescana.com.
