Cybercriminals Exploit RMM Tools to Infiltrate Shipping and Logistics Networks

Summary

A financially motivated threat cluster has been actively targeting the freight and logistics industry since at least June 2025 in a cyber-enabled cargo theft campaign, according to a new report from Proofpoint. The primary goal of the campaign is to gain remote access to logistics networks to steal high-value physical goods, mainly food and beverage products. The unnamed adversaries are achieving their goals by distributing legitimate Remote Monitoring and Management (RMM) software, such as ScreenConnect or SimpleHelp, via sophisticated spear-phishing and compromised load board accounts. Once network access is secured, the actors pivot from cyber intrusion to physical heist by deleting existing freight bookings, adding their own devices to dispatch systems, and coordinating the fraudulent transport of stolen cargo.

Analysis

The threat actor, who remains unnamed in the Proofpoint report, is engaged in a highly organized, multi-stage operation combining traditional cyber intrusion with collaboration from organized crime groups for physical theft and subsequent liquidation of stolen cargo. The campaign, assessed as both opportunistic and indiscriminate, targets entities ranging from small, family-owned carriers to large supply chain providers in North America.

The campaign comprises three stages:

Initial Access and Compromise: The actor employs multiple vectors, including hijacking existing email conversations (thread hijacking), targeted spear-phishing against asset-based carriers and freight brokers, and exploiting the trust inherent in freight negotiations by posting fraudulent listings on load boards using compromised accounts. Carriers who inquire about the fraudulent listings are sent emails containing malicious URLs that deliver legitimate RMM software via booby-trapped MSI installers or executables.

Tactical Advantage of RMM: The strategic use of legitimate RMM tools, such as ScreenConnect, SimpleHelp, or PDQ Connect, is a critical differentiator. This tactic provides a significant operational advantage by eliminating the need for bespoke malware and allowing the threat actor to fly under the radar of typical security solutions, which often whitelist or ignore RMM software. Tools like PDQ Connect are sometimes used to drop and install other RMMs, demonstrating a complex distribution chain.

Post-Compromise and Physical Theft: After obtaining remote access, the actor performs system reconnaissance and deploys credential harvesting tools such as WebBrowserPassView to burrow deeper. The ultimate pivot to cargo theft involves manipulating core logistics systems: deleting legitimate bookings, blocking dispatcher notifications, and adding an attacker-controlled device to the dispatcher’s phone extension to book and coordinate the actual transport of the stolen freight. This confirms a sophisticated understanding of logistics workflows and strong coordination with real-world operators.

Indicators of Compromise

Proofpoint provided a collection of select IOCs associated with this campaign, which is available below for RH-ISAC Member ingestion:

Indicator | Description | First Seen
--- | --- | ---
carrier-packets[.]net | Payload Staging Domain | October 2025
claimeprogressive[.]com | Payload Staging Domain | October 2025
confirmation-rate[.]com | Payload Staging Domain | October 2025
wjwrateconfirmation[.]com | Payload Staging Domain | October 2025
rateconfirm[.]net | Payload Staging Domain | October 2025
ilove-pdf[.]net | Payload Staging Domain | October 2025
vehicle-release[.]com | Payload Staging Domain | October 2025
carrierpack[.]net | Payload Staging Domain | October 2025
car-hauling[.]com | Payload Staging Domain | October 2025
carrier-packets[.]com | Payload Staging Domain | October 2025
i-lovepdf[.]net | Payload Staging Domain | September 2025
fleetcarrier[.]net | Payload Staging Domain | September 2025
scarrierpack[.]com | Payload Staging Domain | September 2025
carrieragreements[.]com | Payload Staging Domain | September 2025
brokeragepacket[.]com | Payload Staging Domain | September 2025
brokerpackets[.]com | Payload Staging Domain | September 2025
centraldispach[.]net | Payload Staging Domain | September 2025
carriersetup[.]net | Payload Staging Domain | September 2025
brokercarriersetup[.]com | Payload Staging Domain | September 2025
carrierpacket[.]online | Payload Staging Domain | September 2025
billpay-info[.]com | Payload Staging Domain | August 2025
nextgen223[.]com | Payload Staging Domain | August 2025
fleetgo0[.]com | Payload Staging Domain | July 2025
nextgen1[.]net | Payload Staging Domain | July 2025
nextgen01[.]net | Payload Staging Domain | June 2025
ratecnf[.]com | Payload Staging Domain | June 2025
ratecnf[.]net | Payload Staging Domain | June 2025
dwssa[.]top | ScreenConnect C2 | June 2025
ggdt35[.]anondns[.]net | ScreenConnect C2 | August 2025
qtq2haw[.]anondns[.]net | ScreenConnect C2 | September 2025
officews101[.]com | ScreenConnect C2 | September 2025
instance-hirb01-relay[.]screenconnect[.]com | ScreenConnect C2 | September 2025
185[.]80[.]234[.]36 | SimpleHelp C2 | August 2025
147[.]45[.]218[.]66 | SimpleHelp C2 | September 2025
70983c62244c235d766cc9ac1641e3fb631744bc68307734631af8d766f25acf | LogMeIn SHA256 Hash | October 2025
4e6f65d47a4d7a7a03125322e3cddeeb3165dd872daf55cd078ee2204336789c | N-able SHA256 Hash | October 2025
cf0cee4a57aaf725341d760883d5dfb71bb83d1b3a283b54161403099b8676ec | ScreenConnect SHA256 Hash | October 2025
913375a20d7250f36af1c8e1322d1541c9582aa81b9e23ecad700fb280ef0d8c | Fleetdeck SHA256 Hash | September 2025
8a00b3b3fd3a8f6b3ec213ae2ae4efd41dd5738b992560010ab0367fee72cd2a | SimpleHelp SHA256 Hash | September 2025
559618e2ffbd3b8b849a6ad0d73a5630f87033976c7adccbd80c41c0b2312765 | PDQ Connect SHA256 Hash | September 2025