Cargo Thieving Hackers Running Sophisticated Remote Access Campaigns, Researchers Find

The Record by Recorded Future
Apr 16, 2026

Why It Matters

The tactics reveal a growing convergence of physical cargo theft and cyber‑financial fraud, exposing a critical vulnerability in the logistics supply chain that could cost billions and disrupt commerce.

Key Takeaways

  • The hackers deployed six remote access tools on a single decoy host, including four ScreenConnect instances.
  • A new “signing‑as‑a‑service” offering automatically signed their malware with certificates trusted by Windows.
  • The threat actors scanned compromised machines for cryptocurrency wallets, PayPal logins, and fuel‑card credentials.
  • Small carriers (fewer than 10 trucks) rarely have robust cybersecurity, making them easy targets.
  • More than a dozen groups target load‑board platforms across North America and Europe.

Pulse Analysis

The logistics industry, long plagued by physical cargo theft, is now confronting a digital escalation that blends ransomware‑style intrusion with traditional freight pilfering. According to fleet‑management data, North American cargo losses hit $6.6 billion in 2025, a surge driven largely by cyber‑enabled schemes. Load‑board platforms—online marketplaces where shippers and brokers match freight—have become the low‑hanging fruit for attackers because they provide a single point of entry to dozens of carriers, many of which operate with fewer than ten trucks and lack dedicated IT defenses.

Proofpoint's controlled decoy environment uncovered a layered remote‑access strategy that goes beyond simple credential theft. By installing multiple ScreenConnect instances and employing a novel "signing‑as‑a‑service" mechanism, the hackers ensured their payloads appeared legitimate to Windows, sidestepping recent certificate revocations by the vendor. This adaptive approach signals a broader arms race: as security vendors tighten controls, threat actors develop outsourced signing services to maintain persistence, raising the bar for detection and response across the RMM ecosystem.

Beyond cargo diversion, the intruders systematically harvested financial data—cryptocurrency wallets, PayPal logins, fuel‑card numbers, and access to accounting platforms—turning compromised workstations into multi‑vector revenue streams. The prevalence of over a dozen distinct groups targeting the sector underscores the systemic risk. Companies can mitigate exposure by hardening load‑board authentication, segmenting network access, and deploying endpoint detection that flags unsigned or anomalously signed executables. Proactive cyber hygiene, combined with industry‑wide information sharing, is essential to protect the supply chain from this hybrid theft model.
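The mitigation above, flagging unsigned or anomalously signed executables and spotting stacked remote-access tools, can be checked directly on a Windows endpoint. The following PowerShell script is an added example and is not code from the article, from Proofpoint, or from any vendor it names: it inventories Windows services whose name, display name or binary path matches a list of common remote-access products (the product list is an assumption, not the set observed in the campaign), checks each service binary's Authenticode signature, and warns when more than one remote-access service is present or a binary is not validly signed.

```powershell
# Added example (not from the article): inventory remote-access services and
# check the Authenticode signature of each service binary.
# The product names below are an assumed watch list, not a list from the article.
$rmmPatterns = 'ScreenConnect', 'ConnectWise', 'AnyDesk', 'TeamViewer', 'Atera',
               'Splashtop', 'RustDesk', 'NinjaOne', 'Syncro', 'LogMeIn'
$rmmRegex = ($rmmPatterns | ForEach-Object { [regex]::Escape($_) }) -join '|'

# Extract the executable path from a service's command line
# (quoted paths like "C:\Program Files\X\svc.exe" "args" or bare paths).
function Get-ServiceExe([string]$pathName) {
    if ($pathName -match '^"([^"]+)"') { return $Matches[1] }
    return ($pathName -split ' ')[0]
}

# Services whose name, display name or binary path match the watch list.
$services = Get-CimInstance Win32_Service | Where-Object {
    ($_.Name, $_.DisplayName, $_.PathName) -match $rmmRegex
}

$report = foreach ($svc in $services) {
    $exe = Get-ServiceExe $svc.PathName
    $sig = if (Test-Path -LiteralPath $exe) { Get-AuthenticodeSignature -FilePath $exe } else { $null }
    [pscustomobject]@{
        Service    = $svc.Name
        State      = $svc.State
        Exe        = $exe
        SigStatus  = if ($sig) { $sig.Status } else { 'FileMissing' }
        Signer     = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        Thumbprint = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { '' }
    }
}

$report | Format-Table -AutoSize

# Several remote-access services on one workstation is itself a signal: the
# campaign described stacked six tools, four of them ScreenConnect instances.
if (@($report).Count -gt 1) {
    Write-Warning ("{0} remote-access services found on {1}; review whether each is authorised." -f @($report).Count, $env:COMPUTERNAME)
}

# Anything not validly signed deserves a look; a Valid status still needs the
# signer subject and thumbprint compared against the publisher you expect.
foreach ($row in $report) {
    if ($row.SigStatus -ne 'Valid') {
        Write-Warning ("Service '{0}' binary '{1}' signature status: {2}" -f $row.Service, $row.Exe, $row.SigStatus)
    }
}
```

Run it from an elevated prompt so service binaries under Program Files are readable. Because the campaign reportedly used a signing service to obtain trusted certificates, a `Valid` status is not by itself a clean bill of health: the point of collecting the signer subject and thumbprint is to compare them against the publisher certificate your organisation actually deployed the tool with, and to treat an unexpected publisher on a remote-access binary as a finding.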
