Losses from cargo theft in North America rose to $6.6 billion in 2025, driven largely by digital attacks, according to the fleet management company Geotab.
# Threat Actor: Unnamed Cargo Theft Group (Tracked by Proofpoint)
## Attribution & Identity
- **Actor Identification:** An unnamed but highly prolific cybercrime group specializing in cargo theft.
- **Aliases:** None specifically mentioned, but the actor is one of approximately a dozen groups tracked by Proofpoint targeting the logistics sector.
- **Known Associations:** Linked to broader organized crime networks; previously associated with phishing operations originating in, or targeting, regions including Russia and Armenia.
## Activity Summary
The group is currently engaged in sophisticated post-compromise operations targeting the trucking and logistics industry in North America and Europe. It primarily compromises "load boards" (freight marketplaces) to distribute malware. Recent investigations using decoy environments revealed that the group is transitioning from simple cargo theft to broader financial exploitation, including cryptocurrency and accounting fraud.
## Tactics, Techniques & Procedures
- **Initial Access:** Compromising load board platforms to deliver malicious email payloads to transportation carriers.
- **Persistence:** Installation of multiple redundant Remote Access Tools (RATs) to ensure continued access if one instance is detected.
- **Defense Evasion:**
  - Usage of "Signing-as-a-Service": a script that queries an external certificate signing service to obtain valid, trusted digital signatures for malicious components.
  - Automated re-signing of MSI installers and component files to bypass security software, specifically in response to ScreenConnect security updates that revoked the previously used certificates.
- **Discovery & Internal Scouting:**
  - Automated PowerShell scripts to scan infected workstations for financial login portals.
  - Manual checks for credentials and sensitive data.
- **MITRE ATT&CK IDs (Inferred):**
  - T1566.001 (Phishing: Spearphishing Attachment)
  - T1219 (Remote Access Software)
  - T1553.002 (Subvert Trust Controls: Code Signing)
  - T1059.001 (PowerShell)
  - T1083 (File and Directory Discovery)
## Targeting
- **Sectors:** Trucking, logistics, shipping, freight brokerage, and fuel card providers.
- **Geography:** North America (the primary focus, where Geotab puts 2025 cargo theft losses at $6.6 billion) and Europe.
- **Victims:** Commercial transportation carriers, specifically small enterprises with fewer than 10 trucks, and freight brokers.
## Tools & Infrastructure
- **Malware families:** Various malicious payloads (unnamed MSI installers).
- **Remote Access Tools:** At least four separate instances of **ConnectWise ScreenConnect** used simultaneously.
- **Infrastructure:**
  - External "Signing-as-a-Service" platforms for code signing.
  - Decoy "load board" marketplaces.
## Implications
This actor represents a professionalization of cargo theft, moving beyond physical hijacking of freight into sophisticated financial cybercrime. Its ability to adapt to vendor security patches (such as ScreenConnect's certificate revocations) via automated signing services suggests a high level of technical resourcefulness. The strategic targeting of small carriers, which lack robust SOC capabilities, gives attackers a scalable "bottleneck" entry point from which entire supply chains can be disrupted.
## Mitigations
- **Identity Security:** Implement multi-factor authentication (MFA) on all freight brokerage and load board accounts.
- **RMM Sanitization:** Regularly audit and whitelist Remote Monitoring and Management (RMM) tools like ScreenConnect; block unauthorized instances of such software at the endpoint level.
- **Code Signing Integrity:** Implement Windows Defender Application Control (WDAC) to restrict the execution of signed code to specific, trusted internal certificates rather than any valid certificate.
- **Segmented Financial Operations:** Use dedicated, isolated hardware for financial transactions (PayPal, online banking, fuel cards) separate from the workstations used for load board browsing.
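The RMM Sanitization and Code Signing Integrity mitigations above both reduce to the same audit question: on each workstation, which ScreenConnect instances are actually installed, and is every signed binary signed by a certificate the organization has explicitly approved, rather than by any valid certificate? The following script is an added example, not part of the original report or any vendor tooling. It runs that audit over a constructed endpoint inventory (hostname, service name, image path, Authenticode signer, certificate thumbprint), flagging unapproved ScreenConnect instance IDs, hosts carrying more than one instance (the redundant-RAT persistence pattern described in the TTPs), and binaries whose signing certificate is not on the internal allowlist. The service naming pattern `ScreenConnect Client (<16-hex instance id>)`, the instance IDs, and all thumbprints are assumptions and placeholders.

```python
"""Audit an endpoint inventory for unapproved RMM instances and untrusted code signers.

Added example: the inventory rows, instance ids and thumbprints below are constructed
placeholders, not data from the report. In practice the rows would be exported from an
EDR or software-inventory tool.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set
import re

# Assumed naming convention for the ScreenConnect client service (instance id in parentheses).
SC_SERVICE_RE = re.compile(r"^ScreenConnect Client \(([0-9a-f]{16})\)$")


@dataclass(frozen=True)
class SignedBinary:
    host: str
    service: str
    path: str
    signer: str       # subject CN of the Authenticode signing certificate
    thumbprint: str   # SHA-1 thumbprint of that certificate (placeholder values)


@dataclass(frozen=True)
class Finding:
    host: str
    kind: str         # "unapproved_rmm_instance" | "redundant_rmm" | "untrusted_signer"
    detail: str


# Allowlists (constructed). Only the one sanctioned ScreenConnect instance is approved, and
# only two certificates are trusted: the internal code-signing cert and the single vendor
# cert approved for the RMM client. A signature from any other valid cert is still flagged.
APPROVED_SC_INSTANCES: Set[str] = {"a1b2c3d4e5f60718"}
TRUSTED_THUMBPRINTS: Set[str] = {
    "0000000000000000000000000000000000000001",  # internal code-signing cert (placeholder)
    "0000000000000000000000000000000000000002",  # approved RMM vendor cert (placeholder)
}


def screenconnect_instance(service: str) -> Optional[str]:
    """Return the ScreenConnect instance id embedded in a service name, or None."""
    match = SC_SERVICE_RE.match(service)
    return match.group(1) if match else None


def audit(records: List[SignedBinary],
          approved_instances: Set[str] = APPROVED_SC_INSTANCES,
          trusted: Set[str] = TRUSTED_THUMBPRINTS) -> List[Finding]:
    """Produce one Finding per policy violation in the inventory."""
    findings: List[Finding] = []
    instances_per_host: Dict[str, Set[str]] = {}
    for rec in records:
        inst = screenconnect_instance(rec.service)
        if inst:
            instances_per_host.setdefault(rec.host, set()).add(inst)
            if inst not in approved_instances:
                findings.append(Finding(rec.host, "unapproved_rmm_instance",
                                        f"{rec.service} at {rec.path}"))
        # Thumbprint match, not signer name: a valid third-party signature is not enough.
        if rec.thumbprint.lower() not in trusted:
            findings.append(Finding(rec.host, "untrusted_signer",
                                    f"{rec.path} signed by '{rec.signer}' ({rec.thumbprint})"))
    # More than one ScreenConnect instance on a host is the redundant-RAT pattern.
    for host, insts in instances_per_host.items():
        if len(insts) > 1:
            findings.append(Finding(host, "redundant_rmm",
                                    f"{len(insts)} ScreenConnect instances: {sorted(insts)}"))
    return findings


# Constructed sample inventory: TRK-01 carries the approved instance plus three others,
# one of them signed with a different (valid-looking) vendor certificate; TRK-02 is clean
# apart from one unrecognized signer.
SAMPLE_INVENTORY: List[SignedBinary] = [
    SignedBinary("TRK-01", "ScreenConnect Client (a1b2c3d4e5f60718)",
                 r"C:\Program Files (x86)\ScreenConnect Client (a1b2c3d4e5f60718)\ScreenConnect.ClientService.exe",
                 "ConnectWise, LLC", "0000000000000000000000000000000000000002"),
    SignedBinary("TRK-01", "ScreenConnect Client (deadbeef00000001)",
                 r"C:\ProgramData\sc1\ScreenConnect.ClientService.exe",
                 "Some Freight Tools LLC", "000000000000000000000000000000000000000a"),
    SignedBinary("TRK-01", "ScreenConnect Client (deadbeef00000002)",
                 r"C:\ProgramData\sc2\ScreenConnect.ClientService.exe",
                 "ConnectWise, LLC", "000000000000000000000000000000000000000b"),
    SignedBinary("TRK-01", "ScreenConnect Client (deadbeef00000003)",
                 r"C:\ProgramData\sc3\ScreenConnect.ClientService.exe",
                 "Signing Service Ltd", "000000000000000000000000000000000000000c"),
    SignedBinary("TRK-01", "LoadBoardSync", r"C:\Program Files\LoadBoardSync\sync.exe",
                 "Example Carrier Inc", "0000000000000000000000000000000000000001"),
    SignedBinary("TRK-02", "ScreenConnect Client (a1b2c3d4e5f60718)",
                 r"C:\Program Files (x86)\ScreenConnect Client (a1b2c3d4e5f60718)\ScreenConnect.ClientService.exe",
                 "ConnectWise, LLC", "0000000000000000000000000000000000000002"),
    SignedBinary("TRK-02", "Updater", r"C:\Users\Public\updater.exe",
                 "Fuel Card Helper", "000000000000000000000000000000000000000d"),
]

if __name__ == "__main__":
    for f in audit(SAMPLE_INVENTORY):
        print(f"{f.host}\t{f.kind}\t{f.detail}")
```

Matching on certificate thumbprint rather than on the signer's display name is the point of the Code Signing Integrity mitigation: the second ConnectWise-signed instance in the sample is flagged even though its signer name is legitimate, which is exactly the situation a re-signed installer creates. Feed the real inventory export in place of `SAMPLE_INVENTORY` and treat any `redundant_rmm` finding as a priority triage item.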