
The breach exposes critical weaknesses in logistics platforms that handle high‑value transactions, threatening supply‑chain integrity and prompting industry‑wide security reforms.
The freight and logistics ecosystem has become a magnet for financially motivated cyber‑crime, and the Diesel Vortex operation exemplifies this trend. Since September 2025 the group has harvested more than 1,600 unique credentials from load boards, fleet‑management portals and fuel‑card systems across the United States and Europe. By exploiting the high‑volume, low‑visibility nature of daily carrier transactions, the actors sidestep traditional enterprise security programs that focus on corporate IT assets. Their Armenian‑speaking team, linked to Russian infrastructure, operates like a call centre, coordinating credential theft, cargo impersonation and double‑brokering schemes.
The campaign relies on a sophisticated phishing kit that rotates 52 domains, many registered under typo‑squatted .com addresses and cloaked .top or .icu layers. Emails are dispatched through compromised Zoho SMTP and Zeptomail accounts, using Cyrillic homoglyphs to disguise sender names and subjects. Recipients are directed to a full‑screen iframe that mirrors the legitimate platform, then guided through a nine‑stage cloaking process controlled via Telegram bots. At each stage the operators can request additional authentication factors, inject credential‑harvesting scripts, or abort the session, giving them granular control over the theft workflow.
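The homoglyph trick described above is detectable at the mail gateway. As an added example (written for this page, not code from the article or from any organisation it names), the Python check below flags From/Subject values whose tokens mix Cyrillic letters into Latin words; the confusables table and the sample headers are constructed for the example, not taken from a real message.

```python
import unicodedata

# Cyrillic letters that mimic Latin ones (constructed, non-exhaustive subset of Unicode confusables).
CYRILLIC_CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0410": "A", "\u0412": "B",
    "\u0415": "E", "\u041a": "K", "\u041c": "M", "\u041d": "H", "\u041e": "O",
    "\u0420": "P", "\u0421": "C", "\u0422": "T", "\u0425": "X",
}

def script_of(ch):
    """'Latin', 'Cyrillic' or 'Other' for a letter; None for non-letters."""
    if not ch.isalpha():
        return None
    name = unicodedata.name(ch, "")
    for script in ("LATIN", "CYRILLIC"):
        if name.startswith(script):
            return script.capitalize()
    return "Other"

def skeleton(token):
    """Replace confusable Cyrillic letters with the Latin letters they imitate."""
    return "".join(CYRILLIC_CONFUSABLES.get(ch, ch) for ch in token)

def is_homoglyph_token(token):
    """Flag a token that mixes Latin and Cyrillic letters, or that is
    all-Cyrillic yet maps entirely to Latin (real Cyrillic words rarely do)."""
    scripts = {script_of(ch) for ch in token}
    if "Cyrillic" not in scripts:
        return False
    skel_scripts = {script_of(ch) for ch in skeleton(token)}
    return "Latin" in scripts or "Cyrillic" not in skel_scripts

def check_headers(headers):
    """Map 'From'/'Subject' to [(token, latin_skeleton)] for flagged tokens; empty dict if none."""
    findings = {}
    for name in ("From", "Subject"):
        hits = [(t, skeleton(t)) for t in headers.get(name, "").split()
                if is_homoglyph_token(t)]
        if hits:
            findings[name] = hits
    return findings

# Constructed sample (not a real message): Cyrillic 'о' U+043E and 'а' U+0430
# substituted into an otherwise Latin display name and subject line.
SAMPLE_HEADERS = {
    "From": "L\u043ead B\u043eard Supp\u043ert <support@example.com>",
    "Subject": "Action required: re-verify your carrier \u0430ccount",
}
```

The same skeleton function can be applied to sender domains before comparing them against an allow-list, which also catches the typo-squatted look-alikes the article mentions.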
The exposure of Diesel Vortex prompted a coordinated takedown involving GitLab, Cloudflare, Google Threat Intelligence, CrowdStrike and Microsoft’s threat center, effectively disrupting the phishing infrastructure. However, the incident underscores the systemic risk posed by credential‑rich platforms that lack multi‑factor enforcement and continuous monitoring. Logistics firms must adopt zero‑trust principles, enforce strong authentication, and monitor for anomalous access patterns across load‑board and carrier‑management systems. Threat intelligence sharing, such as the collaboration between Have I Been Squatted and Ctrl‑Alt‑Intel, remains essential for early detection and rapid response to similar supply‑chain attacks.