This threat cluster has been active since at least June 2025 and partners with organized crime groups to infiltrate companies in the surface transportation industry. The ultimate objective of these campaigns is the theft of physical goods, which are then likely resold online or shipped overseas, completing the theft-for-profit cycle. The criminals use their fraudulent access specifically to bid on real shipments and steal the cargo.
These attacks resemble campaigns observed in September 2024 that also targeted North American transportation and logistics companies. Those earlier attacks deployed information stealers and Remote Access Trojans (RATs) such as Lumma Stealer, StealC, and NetSupport RAT. Despite the shared industry focus, researchers have found no concrete evidence that the same threat actor is behind both sets of campaigns.
The as-yet unattributed attackers behind the latest intrusion wave, detected by Proofpoint, combine several methods. They hijack existing email conversations from compromised accounts and send spear-phishing emails to targets including asset-based carriers, freight brokerage firms, and integrated supply chain providers. A key tactic is posting fraudulent freight listings on industry load boards from hacked accounts.
The load-board approach is particularly effective because it exploits the inherent trust and urgency of freight negotiations. The actors post the bogus listings from compromised accounts, so the listings look legitimate. When carriers inquire about a load, the criminals reply with emails containing malicious URLs; a carrier that follows one ends up infected, and that compromise is what later enables the cargo theft.