Overview
- Proofpoint says with high confidence that cyber operators are working with organized crime groups to bid on, reroute, and resell stolen loads.
- Campaigns leverage compromised load boards, hijacked email threads, and targeted emails that link to .exe or .msi installers to achieve initial access.
- Observed payloads install legitimate RMM and remote-access tools such as ScreenConnect, SimpleHelp, PDQ Connect, Fleetdeck, N‑able, and LogMeIn Resolve, sometimes in tandem.
- Activity has been ongoing since at least June 2025, with evidence dating back to January, and nearly two dozen recent campaigns have primarily hit North American freight firms.
- In one documented case, attackers deleted booking emails, blocked dispatcher notifications, added their device to a phone extension, and impersonated a carrier to obtain loads.
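
Because the payloads are legitimate RMM tools, defenders can look for installs outside the sanctioned set and for several such tools landing on one host. The following is an added example, not code from Proofpoint or the original page: the approved list, the 24-hour window, and the sample install events are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Tool names as listed in the overview; matched as case-insensitive substrings
# of an installer's product-name field (a coarse match, tune for your inventory).
RMM_PRODUCTS = ("screenconnect", "simplehelp", "pdq connect",
                "fleetdeck", "n-able", "logmein resolve")
APPROVED = {"pdq connect"}            # assumption: the only sanctioned RMM tool
TANDEM_WINDOW = timedelta(hours=24)   # assumption: "in tandem" = within a day

# Constructed sample install events: (host, ISO timestamp, product name).
SAMPLE_EVENTS = [
    ("DISPATCH-01", "2025-09-02T14:05:00", "ScreenConnect Client"),
    ("DISPATCH-01", "2025-09-02T14:40:00", "PDQ Connect Agent"),
    ("ACCT-07", "2025-09-03T09:00:00", "PDQ Connect Agent"),
    ("ACCT-07", "2025-09-03T09:10:00", "7-Zip"),
    ("OPS-03", "2025-09-01T08:00:00", "Fleetdeck Agent"),
    ("OPS-03", "2025-09-04T08:00:00", "SimpleHelp Remote Access"),
]

def match_rmm(product):
    """Return the canonical RMM tool name for a product string, or None."""
    name = product.lower().replace("\u2011", "-")  # fold non-breaking hyphen
    return next((tool for tool in RMM_PRODUCTS if tool in name), None)

def find_rmm_alerts(events, approved=APPROVED, window=TANDEM_WINDOW):
    """Flag unapproved RMM installs and several RMM tools on one host in a window."""
    per_host, alerts = defaultdict(list), []
    for host, ts, product in events:
        tool = match_rmm(product)
        if tool is None:
            continue
        per_host[host].append((datetime.fromisoformat(ts), tool))
        if tool not in approved:
            alerts.append((host, "unapproved_rmm", tool))
    for host, installs in per_host.items():
        installs.sort()
        for i, (start, _) in enumerate(installs):
            nearby = {tool for when, tool in installs[i:] if when - start <= window}
            if len(nearby) > 1:  # an approved tool does not excuse a second one
                alerts.append((host, "rmm_in_tandem", "+".join(sorted(nearby))))
                break
    return alerts

if __name__ == "__main__":
    for alert in find_rmm_alerts(SAMPLE_EVENTS):
        print(alert)
```

The tandem rule fires even when one of the tools is approved, since a second remote-access agent appearing next to the sanctioned one is the pattern the overview describes.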