The Attack That Started as Paperwork: Breaking Down the Freight Theft Surge
The attack starts as paperwork: an inquiry to a load board (a marketplace where cargo trucks are booked for loads), a carrier broker agreement for a fake load, a malicious link masked by a document. Then it becomes account access. A legitimate remote management tool appears on the carrier's machine. The attacker looks for payment platforms, fuel cards, cryptocurrency wallets, and load board credentials. Only later does the crime become physical: a driver sent to the wrong place, freight moved through a cross-dock, cargo redirected into a resale network.
In late February 2026, Proofpoint researchers allowed a malicious payload to compromise a controlled decoy environment operated by deception technology firm Deception.pro. The environment wasn't a real carrier, but it gave researchers an unusually direct window into the attacker's post-compromise behavior. For over a month, they documented a patient, methodical operation: remote access tools layered for redundancy, financial reconnaissance running in parallel with logistics reconnaissance, and a signing-as-a-service capability purpose-built to evade detection controls that had disrupted earlier campaigns. The cargo theft these campaigns enabled was the simplest part.
This morning, the FBI formalized what researchers had been tracking for months. Cyber-enabled strategic cargo theft has surged, with estimated losses in the US and Canada reaching nearly $725 million in 2025, a 60% increase from 2024. The average value per theft rose 36% to $273,990. This is a supply chain security problem with a clearly mappable attack chain.
The Incident
The attack chain documented here draws on the FBI/IC3 PSA published April 30, 2026, and Proofpoint's extended post-compromise analysis from April 2026, in which researchers maintained visibility into an active intrusion for over a month. No single named victim company is identified; the FBI advisory does not name specific targets, and Proofpoint's decoy environment was not a real carrier. The attack chain is real, but the composite framing reflects the operational reality that these campaigns are indiscriminate and have hit hundreds of carriers.
Stage-by-Stage Walkthrough
Stage 1: Initial Compromise of Broker Accounts
ATT&CK: T1566.002 (Spearphishing Link), T1078 (Valid Accounts)
The chain starts upstream from the actual carrier target. Threat actors first compromise freight broker accounts, the intermediaries who post loads on load board platforms. They do this through spoofed emails impersonating brokers, using shortened or lookalike URLs. A carrier agreement link, a complaint resolution link, a document review request: any plausible pretext gets the broker to click.
Once the broker's account is compromised, attackers have a platform with established credibility. Legitimate accounts on legitimate load boards. The fraud that follows doesn't look like fraud.
Stage 2: Fraudulent Load Postings
ATT&CK: T1078 (Valid Accounts), T1036 (Masquerading)
Using compromised broker accounts, threat actors post fake load listings (sometimes in the tens of thousands) on load boards like DAT and Truckstop. Carriers scrolling for available jobs see what looks like a normal posting: origin, destination, commodity, rate. They reach out to inquire.
That inquiry is the trigger. The moment a carrier contacts them, the attackers pivot to the next stage.
Stage 3: RMM Delivery via Malicious Link
ATT&CK: T1105 (Ingress Tool Transfer), T1219 (Remote Access Software), T1553.002 (Code Signing)
The carrier who responds gets an email back with a carrier broker agreement to review and sign. The link leads to a phishing page impersonating a legitimate logistics brand, hosting a malicious executable. When run, it deploys legitimate remote monitoring and management software (ScreenConnect instances, Pulseway RMM and SimpleHelp) silently in the background.
This is the technique worth understanding in depth, because it represents a deliberate evolution. Earlier campaigns in 2024 used information-stealing malware. The shift to RMM tools is a calculated adaptation: RMM installers are often digitally signed, are recognized by enterprise environments as legitimate software, and are rarely flagged by antivirus.
Proofpoint documented a further adaptation in the February 2026 campaign: a signing-as-a-service capability that re-signed ScreenConnect installers with valid but fraudulent code-signing certificates, specifically designed to work around ScreenConnect's own security hardening measures that had disrupted earlier campaigns. Someone built a service to solve that problem.
Attackers also deploy multiple RMM tools in tandem (PDQ Connect installing both ScreenConnect and SimpleHelp simultaneously), creating redundant access paths that survive detection of any single tool.
Stage 4: Reconnaissance and Credential Harvesting
ATT&CK: T1087 (Account Discovery), T1555 (Credentials from Password Stores), T1217 (Browser Information Discovery)
With persistent access established, attackers conduct hands-on-keyboard reconnaissance. Proofpoint documented 13 PowerShell scripts executed during a single intrusion, collectively focused on one question: is this host financially valuable? They scanned for browser extensions, desktop cryptocurrency wallets, access to banking and accounting platforms, fuel card services, fleet payment platforms, and load board operator credentials. Three days after initial compromise, the attacker manually accessed PayPal through the victim's browser. Eight days in, they deployed a tool to scan for and exfiltrate cryptocurrency wallets to attacker-controlled Telegram bots.
The cargo theft is one revenue stream. The financial account access is another.
Stage 5: Identity Takeover and Load Manipulation
ATT&CK: T1078 (Valid Accounts), T1565 (Data Manipulation), T1531 (Account Access Removal)
Now operating inside a legitimate carrier's systems, threat actors change the carrier's contact information with the Federal Motor Carrier Safety Administration and update insurance information to permit shipment types the carrier doesn't normally accept. They then bid on real loads posing as the compromised carrier.
The legitimate carrier has no idea any of this is happening. Brokers contact them about loads they never booked. By then, the cargo is already moving.
Stage 6: Physical Theft
ATT&CK: T1657 (Financial Theft)
Loads are handed off to partially unwitting drivers (carriers who responded to a fake posting and believe they're running a legitimate load), who are directed to cross-dock or transload the freight to complicit operators. The cargo is redirected from its intended destination and moved to warehouses operated by organized crime partners for resale or overseas shipment. In some cases, threat actors reconnect with the original broker to demand ransom for the cargo location.
Where Defenders Had a Window
There are at least four points in this chain where detection was possible.
The broker account compromise: Unusual login locations, new mailbox forwarding rules, and changes to posted load listings are all detectable. Behavioral monitoring on load board activity appears to be an important control gap, especially when compromised accounts can post fraudulent loads at scale.
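The three signals named here (unusual sign-in location, new mailbox forwarding rule, bulk load posting) can be checked mechanically once the audit events are in one place. The following Python is an added example, not code from the FBI advisory or from Proofpoint: it runs over constructed sign-in, mailbox-audit and load-posting events, and the event layout, the ORG_DOMAIN value, the per-account baseline of sign-in countries and the bulk-posting threshold are all assumptions made for the example.

```python
from collections import defaultdict

# Assumptions for this example: the brokerage's own mail domain, the per-account
# baseline of sign-in countries, and how many postings in one batch look automated.
ORG_DOMAIN = "example-broker.com"
BASELINE_COUNTRIES = {"broker1": {"US"}, "broker2": {"US"}}
BULK_POST_THRESHOLD = 50

# Constructed sample events (not real logs): sign-ins, a mailbox rule change and load postings.
SAMPLE_EVENTS = [
    {"ts": "2026-02-03T09:12:00", "user": "broker1", "type": "signin", "country": "US", "ip": "203.0.113.10"},
    {"ts": "2026-02-04T10:30:00", "user": "broker1", "type": "signin", "country": "US", "ip": "203.0.113.10"},
    {"ts": "2026-02-05T02:47:00", "user": "broker1", "type": "signin", "country": "NG", "ip": "198.51.100.7"},
    {"ts": "2026-02-05T02:49:00", "user": "broker1", "type": "mailbox_rule", "action": "New-InboxRule",
     "forward_to": "drop@attacker.example", "ip": "198.51.100.7"},
    {"ts": "2026-02-05T02:55:00", "user": "broker1", "type": "load_post", "count": 120},
    {"ts": "2026-02-05T11:00:00", "user": "broker2", "type": "signin", "country": "US", "ip": "203.0.113.44"},
    {"ts": "2026-02-05T11:10:00", "user": "broker2", "type": "load_post", "count": 3},
]


def detect_account_compromise(events, baseline=BASELINE_COUNTRIES,
                              org_domain=ORG_DOMAIN, bulk_threshold=BULK_POST_THRESHOLD):
    """Return (user, signal, detail) tuples for events matching the three broker-account signals."""
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        user = ev["user"]
        if ev["type"] == "signin":
            # Sign-in from a country never seen for this account
            if ev["country"] not in baseline.get(user, set()):
                alerts.append((user, "new_country_signin",
                               f"{ev['country']} from {ev['ip']} at {ev['ts']}"))
        elif ev["type"] == "mailbox_rule":
            # Forwarding rule that sends mail outside the organisation
            target = ev.get("forward_to", "").lower()
            if target and not target.endswith("@" + org_domain):
                alerts.append((user, "external_forwarding_rule", f"{ev['action']} -> {target}"))
        elif ev["type"] == "load_post":
            # Posting volume far above what a human broker produces in one batch
            if ev["count"] > bulk_threshold:
                alerts.append((user, "bulk_load_posting", f"{ev['count']} postings in one batch"))
    return alerts


def likely_compromised(alerts, min_signals=2):
    """Accounts that raised at least min_signals distinct signal types; one signal alone is noise."""
    per_user = defaultdict(set)
    for user, signal, _ in alerts:
        per_user[user].add(signal)
    return {u for u, s in per_user.items() if len(s) >= min_signals}


if __name__ == "__main__":
    found = detect_account_compromise(SAMPLE_EVENTS)
    for user, signal, detail in found:
        print(f"{user:8} {signal:26} {detail}")
    print("likely compromised:", likely_compromised(found))
```

The correlation step matters more than any single rule: a new sign-in country on its own is common for a travelling broker, but a new country followed within minutes by an external forwarding rule and a burst of postings is the sequence the chain above describes.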
The malicious link delivery: The spoofed domains follow identifiable patterns: extra punctuation, lookalike TLDs, prefixes on legitimate domains. Email security controls configured to flag these patterns would catch a meaningful percentage of delivery attempts.
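A classifier for the three spoofing patterns named here, as an added example that is not part of the original article or of any vendor's product. It goes slightly beyond the text by also scoring small edit distances (one- or two-character typosquats). The allowlist of legitimate domains is a constructed placeholder; a carrier would substitute the brokers and load boards it actually deals with. Splitting a domain on its last label is a deliberate simplification and does not handle multi-part TLDs.

```python
import re
from urllib.parse import urlparse

# Constructed allowlist of domains the carrier legitimately deals with (assumed names, not real brands).
LEGIT_DOMAINS = {"example-logistics.com", "example-loads.com"}


def _split(domain):
    """Split 'name.tld' (last label treated as the TLD; multi-part TLDs are a simplification here)."""
    labels = domain.lower().strip(".").split(".")
    if len(labels) < 2:
        return labels[0], ""
    return ".".join(labels[:-1]), labels[-1]


def _normalize(name):
    """Drop punctuation so 'example.logistics' and 'example--logistics' both become 'examplelogistics'."""
    return re.sub(r"[^a-z0-9]", "", name)


def _edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(domain, legit=LEGIT_DOMAINS):
    """Return (verdict, matched_legitimate_domain) for a sender or link domain."""
    domain = domain.lower().strip(".")
    if domain in legit:
        return ("legitimate", domain)
    for ld in legit:
        if domain.endswith("." + ld):
            return ("legitimate_subdomain", ld)
    name, tld = _split(domain)
    norm = _normalize(name)
    for ld in legit:
        lname, ltld = _split(ld)
        lnorm = _normalize(lname)
        if norm == lnorm and tld != ltld:
            return ("lookalike_tld", ld)          # e.g. example-logistics.co
        if norm == lnorm:
            return ("extra_punctuation", ld)      # e.g. example.logistics.com
        if norm.endswith(lnorm):
            return ("prefixed", ld)               # e.g. secure-example-logistics.com
        if _edit_distance(norm, lnorm) <= 2:
            return ("typosquat", ld)              # e.g. examp1e-logistics.com
    return ("unrelated", None)


def flag_urls(urls, legit=LEGIT_DOMAINS):
    """Classify the host of each URL; shortened URLs must be expanded before this step."""
    return [(u,) + classify_domain(urlparse(u).hostname or "", legit) for u in urls]


if __name__ == "__main__":
    for u in ["https://example-logistics.com/agreement",
              "https://example-logistics.co/agreement",
              "https://secure-example-logistics.com/sign"]:
        print(flag_urls([u])[0])
```

Shortened URLs, which the article notes are also used, defeat this check until they are expanded; a mail gateway should resolve the redirect and classify the final host rather than the shortener.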
The RMM installation: This is the most actionable window for carriers. Proofpoint's recommendation is straightforward: maintain an approved list of RMM tools and block unauthorized installations. Many small carriers (the majority of targets have fewer than ten trucks) have no such policy.
The FMCSA account changes: Unauthorized changes to carrier contact information and insurance coverage with the FMCSA are detectable if carriers monitor their own FMCSA records. Most don't.
None of these windows closed cleanly, which is why the campaigns ran for months across hundreds of targets.
Technique in Focus: RMM Abuse as Initial Access
The deliberate replacement of custom malware with legitimate RMM tools is worth pausing on because it reflects how the threat landscape is maturing. Commodity malware triggers signatures. Legitimate software doesn't. By weaponizing the same tools that IT departments use to manage endpoints, including ScreenConnect, N-able, and SimpleHelp, these actors achieve persistent, interactive access to victim systems while generating no malware detections.
The signing-as-a-service development takes this further. When ScreenConnect tightened its certificate requirements to disrupt unauthorized deployments, the threat actors didn't abandon the tool; they built infrastructure to circumvent the control. That's an investment. It indicates actors with resources, time, and a sufficient return on investment to justify the development cost.
Signature-based detection of RMM tools is largely ineffective because the tools are legitimate. Detection needs to focus on behavioral signals: unexpected RMM installation, sessions initiated from unusual accounts, RMM processes running at abnormal hours, multiple RMM tools installed in the same environment.
Lab Note: RMM tools like ScreenConnect can be evaluated in a home lab from the defender's side. Test whether your controls detect unexpected installation, unsigned or unusually signed installers, multiple RMM tools on one host, and sessions initiated from unexpected accounts or geographies.
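The approved-RMM policy from the detection windows section and the behavioral signals listed above and in the lab note reduce to a handful of rules over process-creation telemetry. The following Python is an added example, not Proofpoint's code or any EDR vendor's logic: it runs over constructed process events from a hypothetical carrier host and flags unapproved RMM families, launches by non-admin accounts, off-hours sessions, one RMM tool spawning another, and more than one RMM family on a single host. The RMM_SIGNATURES substring map, the approved tool and account sets, the business-hours window and the event layout are all assumptions for the example; real binary names vary by product version.

```python
from collections import defaultdict
from datetime import datetime

# Assumptions for this example: which RMM product is sanctioned here, who may launch it,
# and which local hours count as normal for an interactive RMM session.
APPROVED_RMM = {"Pulseway"}
APPROVED_ACCOUNTS = {"CORP\\it-admin"}
BUSINESS_HOURS = (7, 19)

# Heuristic substring -> RMM family map, constructed for the example (real binary names vary).
RMM_SIGNATURES = {
    "screenconnect": "ScreenConnect",
    "simplehelp": "SimpleHelp",
    "pulseway": "Pulseway",
    "pdqconnect": "PDQ Connect",
    "pdq-connect": "PDQ Connect",
    "n-able": "N-able",
}

# Constructed process-creation events (not real telemetry) from a hypothetical dispatch workstation.
SAMPLE_EVENTS = [
    {"ts": "2026-02-10T10:05:00", "host": "DISPATCH-01", "user": "CORP\\it-admin",
     "process": "Pulseway.exe", "parent": "msiexec.exe"},
    {"ts": "2026-02-11T22:41:00", "host": "DISPATCH-01", "user": "DISPATCH-01\\dispatcher",
     "process": "PDQConnectAgent.exe", "parent": "CarrierAgreement.exe"},
    {"ts": "2026-02-11T22:43:00", "host": "DISPATCH-01", "user": "DISPATCH-01\\dispatcher",
     "process": "ScreenConnect.ClientService.exe", "parent": "PDQConnectAgent.exe"},
    {"ts": "2026-02-11T22:44:00", "host": "DISPATCH-01", "user": "DISPATCH-01\\dispatcher",
     "process": "SimpleHelp Remote Access.exe", "parent": "PDQConnectAgent.exe"},
    {"ts": "2026-02-12T09:00:00", "host": "ACCT-02", "user": "CORP\\it-admin",
     "process": "notepad.exe", "parent": "explorer.exe"},
]


def identify_rmm(process_name):
    """Map a process or installer name to an RMM family, or None if it is not one we track."""
    lowered = process_name.lower()
    for needle, family in RMM_SIGNATURES.items():
        if needle in lowered:
            return family
    return None


def analyze_rmm_events(events, approved=APPROVED_RMM, accounts=APPROVED_ACCOUNTS, hours=BUSINESS_HOURS):
    """Return (host, signal, detail) tuples for the behavioral signals described in the text."""
    alerts = []
    families_per_host = defaultdict(set)
    for ev in events:
        family = identify_rmm(ev["process"])
        if family is None:
            continue
        host = ev["host"]
        families_per_host[host].add(family)
        if family not in approved:
            alerts.append((host, "unapproved_rmm", f"{family} via {ev['process']}"))
        if ev["user"] not in accounts:
            alerts.append((host, "unexpected_account", f"{family} started by {ev['user']}"))
        hour = datetime.fromisoformat(ev["ts"]).hour
        if not (hours[0] <= hour < hours[1]):
            alerts.append((host, "off_hours_session", f"{family} at {ev['ts']}"))
        parent_family = identify_rmm(ev.get("parent", ""))
        if parent_family and parent_family != family:
            # One RMM tool deploying another is the redundancy pattern the article describes
            alerts.append((host, "rmm_chaining", f"{parent_family} spawned {family}"))
    for host, families in families_per_host.items():
        if len(families) > 1:
            alerts.append((host, "multiple_rmm_tools", ", ".join(sorted(families))))
    return alerts


def summarize(alerts):
    """Collapse alerts into host -> sorted list of distinct signal names."""
    per_host = defaultdict(set)
    for host, signal, _ in alerts:
        per_host[host].add(signal)
    return {h: sorted(s) for h, s in per_host.items()}


if __name__ == "__main__":
    found = analyze_rmm_events(SAMPLE_EVENTS)
    for host, signal, detail in found:
        print(f"{host:12} {signal:20} {detail}")
    print(summarize(found))
```

The sanctioned Pulseway install by the IT account during business hours produces no alert, which is the point of the allowlist: the same rules that flag the off-hours chain of PDQ Connect, ScreenConnect and SimpleHelp stay silent on the tool the carrier actually uses.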
Takeaway for Defenders
The convergence of digital access and physical theft is what makes this threat category genuinely novel. Traditional cargo theft is a physical security problem. Traditional cybercrime is a digital security problem. This is both, coordinated by actors who understand logistics workflows well enough to manipulate dispatch systems, FMCSA records, and load board accounts simultaneously while running parallel financial reconnaissance on the same compromised hosts.
For logistics organizations: MFA on every load board account, FMCSA portal, and fleet management platform. An explicit approved-RMM policy. Monitoring for unauthorized FMCSA record changes. These aren't sophisticated controls, but they're largely absent from the small carriers that represent the majority of targets.
For security practitioners watching this space: the organized crime partnership model here mirrors what we see in ransomware-as-a-service. The digital actors provide access, while the physical operators execute the theft. The specialization makes both sides harder to disrupt independently.
Sources Used
FBI/IC3 PSA I-043026-PSA, Cyber-Enabled Strategic Cargo Theft Surging / April 30, 2026: ic3.gov
Proofpoint Threat Research, Remote Access, Real Cargo: Cybercriminals Targeting Trucking and Logistics / November 2025: proofpoint.com
Proofpoint Threat Research, Beyond the Breach: Inside a Cargo Theft Actor's Post-Compromise Playbook / April 2026: proofpoint.com
The Record, Cargo Thieving Hackers Running Sophisticated Remote Access Campaigns / April 2026: therecord.media
MITRE ATT&CK Framework: attack.mitre.org