CYBER THREAT BULLETIN:
Cyber-Enabled Physical Theft and Cargo Hijacking Operations

Document Version: 1.1
Publication Date: November 19, 2025

📊 EXECUTIVE SUMMARY

Recent threat intelligence reveals the operational convergence of cybercrime and organized crime in coordinated attacks targeting freight and logistics operations. Between August and November 2025, security researchers at Proofpoint identified nearly two dozen distinct campaigns where threat actors weaponized remote monitoring and management (RMM) tools to compromise trucking carriers and freight brokers, enabling the physical hijacking of cargo shipments.

  • $35B - Annual cargo theft losses
  • 27% - Increase in 2024
  • $1B - Cyber-enabled losses annually
  • 18% - Strategic theft incidents (2024)

🚨 Key Threat Indicators

  • Threat actors deploy legitimate RMM tools (ScreenConnect, SimpleHelp, N-able) to evade detection
  • Attacks leverage compromised freight marketplace (load board) accounts and email thread hijacking
  • Multi-stage attack chains include credential harvesting using WebBrowserPassView
  • Campaign volumes range from fewer than 10 to over 1,000 messages per campaign
  • Average loss per incident: $356,787

This bulletin examines the tactics, techniques, and procedures (TTPs) employed in these cyber-enabled operations, provides technical indicators of compromise, and delivers actionable prevention and protection recommendations for organizations in the freight, logistics, and transportation sectors.

🔍 DETAILED THREAT ANALYSIS

Attack Chain Overview

The observed attack chains follow a multi-stage progression:

  1. Initial Compromise - Freight marketplace (load board) account takeover via credential theft
  2. Social Engineering - Fraudulent load postings and targeted phishing
  3. Payload Delivery - RMM tool installation via malicious URLs
  4. Reconnaissance - System enumeration and operational intelligence gathering
  5. Credential Harvesting - Theft of authentication credentials for operational systems
  6. Operational System Access - Compromise of transportation management systems
  7. Physical Crime Facilitation - Load hijacking, double brokering, or interception

📌 What are Load Boards?

Load boards (also called freight marketplaces) are online platforms where freight brokers post available shipments and trucking carriers bid on or claim loads to transport. Major platforms include DAT, Truckstop.com, and 123Loadboard.

Threat Actor Profile

  • Active Since: January 2025 (earliest evidence); confirmed operations June-November 2025
  • Attribution: Multiple distinct threat clusters with overlapping TTPs
  • Motivation: Financial gain through organized crime partnership
  • Sophistication: High; detailed knowledge of freight industry processes
  • Target Profile: Opportunistic; from small family businesses to large carriers

Proofpoint researchers assess with high confidence that cyber threat actors are collaborating with organized crime groups to execute the physical theft component of these operations. The stolen cargo is most likely sold online or shipped overseas.

RMM Tools as Weapons

Since August 2025, the following RMM tools have been observed as first-stage payloads:

RMM Tool          Percentage   Notes
SimpleHelp        38.10%       Signed legitimate software
N-able            38.10%       Often used for IT support
ScreenConnect     14.29%       ConnectWise product
LogMeIn Resolve    4.76%       Remote support platform
FleetDeck          4.76%       Fleet management tool

⚠️ Why RMM Tools?

  • Legitimate signed software avoids antivirus/EDR detection
  • Commonly used by IT support teams, blends with normal operations
  • Provides same capabilities as malware (remote access, credential harvesting, screen monitoring)
  • No need for sophisticated malware development
  • Lower detection rates compared to traditional RATs

Targeted Commodities

Cargo theft operations demonstrate strategic targeting based on illicit market value:

  • Food and Beverage Products: 180 reported incidents (68% increase from Q2 2024)
    • Alcoholic beverages
    • Energy drinks
    • Meat products
  • Metals: 96% year-over-year surge to 53 incidents (copper at record highs)
  • Electronics: High-value consumer electronics and components

🛡️ PREVENTION AND MITIGATION RECOMMENDATIONS

🚨 Critical Window

Stopping attacks in stages 1-3 prevents all downstream damage.

Organizations must focus defensive efforts on initial access vectors, email security, and unauthorized software installation prevention.

Immediate Protection Actions

1. Email Security Hardening

  • Deploy email security gateway with URL rewriting and sandboxing
  • Enable DMARC, SPF, and DKIM authentication
  • Implement visual indicators for external emails
  • Configure enhanced filtering for freight-related keywords (load, pickup, delivery, BOL)
  • Block executable attachments from external sources

2. Authentication and Access Controls

  • Mandate MFA for all load board accounts (DAT, Truckstop.com, etc.)
  • Require MFA for VPN and remote access
  • Enable MFA on TMS platforms and dispatch systems
  • Implement hardware security keys for high-privilege accounts
  • Enforce unique passwords across all platforms

3. Application Controls

  • Create whitelist of approved remote access tools
  • Block installation of unauthorized RMM software
  • Require approval workflow for any remote access tool deployment
  • Conduct quarterly inventory of installed remote access capabilities

4. Monitoring and Detection

  • Deploy EDR on all endpoints including dispatch workstations
  • Configure alerts for RMM tool installations
  • Monitor for credential access and harvesting behaviors
  • Detect unusual VPN connections (time, location, duration)
  • Alert on multiple failed authentication attempts

5. Industry Security Frameworks

  • NMFTA Cybersecurity Cargo Crime Reduction Framework (June 2025) - Actionable guidance for carriers, shippers, and 3PLs
  • C-TPAT (Customs-Trade Partnership Against Terrorism) - Supply chain security program with expedited cargo processing benefits

Out-of-Band Verification Procedures

📞 Always Verify

If you receive a suspicious email, don't click—verify.

Call the sender using a phone number you find independently, never one provided in the email. Establish phone verification for new loads or unusual requests.

🎯 INDICATORS OF COMPROMISE (IOCs)

Payload Staging Domains

⚠️ Malicious Domains (Block These)

The following domains have been used to deliver RMM tool payloads. Organizations should block these at the network level:


Behavioral Indicators

Email-Based Indicators:

  • Unexpected emails containing load documentation from unknown senders
  • Emails with URLs to file sharing services related to loads
  • Thread hijacking where legitimate conversation suddenly includes unexpected links
  • Emails referencing loads not in current systems
  • Rate confirmations with .exe or .msi file attachments

System-Based Indicators:

  • Unauthorized installation of remote access tools
  • New RMM software appearing on dispatch or TMS workstations
  • Unusual VPN connections outside normal business hours
  • Multiple concurrent VPN sessions from single user account
  • Bulk extraction of shipment data or customer lists
  • Changes to load assignments or routing not initiated by dispatchers

Operational Indicators:

  • Carriers showing up for loads they didn't officially book
  • Discrepancies between load board assignments and internal dispatch records
  • Shipments not arriving at scheduled destinations
  • Customer complaints about undelivered freight
  • Double-brokered loads discovered through carrier verification

🔬 DETECTION ANALYTICS

Organizations should implement the following detection rules in SIEM platforms or log management systems. Each category below lists its Sigma rules for implementation.

Email-Based Detection Rules (Severity: Critical)

Rule 1: Suspicious Load Documentation Links in Email

Detects emails containing freight/load-related keywords with links to external file sharing services

title: Suspicious Load Documentation with External File Sharing Links
id: a1f2c3d4-e5f6-4a5b-8c9d-0e1f2a3b4c5d
status: experimental
description: Detects emails containing freight/load-related keywords with links to external file sharing services
tags:
    - attack.initial_access
    - attack.t1566.002
logsource:
    product: email_gateway
    service: mail
detection:
    selection_keywords:
        subject|contains:
            - 'load'
            - 'pickup'
            - 'delivery'
            - 'BOL'
            - 'bill of lading'
            - 'rate confirmation'
            - 'setup packet'
            - 'freight'
            - 'carrier packet'
    selection_urls:
        body|contains:
            - 'dropbox.com'
            - 'wetransfer.com'
            - 'drive.google.com'
            - 'onedrive.live.com'
            - 'box.com'
            - 'mega.nz'
    condition: selection_keywords and selection_urls
falsepositives:
    - Legitimate business communications using file sharing services
    - Established vendor relationships
level: medium

Rule 2: Email Thread Hijacking with Unexpected Links

Detects potential email thread hijacking where legitimate conversation suddenly includes unexpected links

title: Email Thread Hijacking Containing Malicious URLs
id: b2g3h4i5-j6k7-5l8m-9n0o-1p2q3r4s5t6u
status: experimental
description: Detects potential email thread hijacking
tags:
    - attack.initial_access
    - attack.t1534
logsource:
    product: email_gateway
    service: mail
detection:
    selection_thread:
        header_in_reply_to: '*'
    selection_external:
        sender_domain_external: true
    selection_url:
        body|contains: 'http'
    selection_freight:
        body|contains:
            - 'attached document'
            - 'please review'
            - 'rate sheet'
            - 'load details'
    condition: selection_thread and selection_external and selection_url and selection_freight
falsepositives:
    - Legitimate external vendor communications in ongoing threads
level: medium

Rule 3: Fraudulent Load Postings or Unbooked Load References

Detects emails referencing loads not in current systems or unexpected load documentation

title: Email References to Unbooked or Unknown Loads
id: c3h4i5j6-k7l8-6m9n-0o1p-2q3r4s5t6u7v
status: experimental
description: Detects emails referencing loads not in current systems
tags:
    - attack.initial_access
    - attack.t1566.002
logsource:
    product: email_gateway
    service: mail
detection:
    selection_sender:
        sender_domain_external: true
    selection_load_ref:
        subject|contains:
            - 'load #'
            - 'shipment #'
            - 'confirmation'
            - 'pickup confirmation'
    selection_attachment:
        attachment_extension:
            - '.zip'
            - '.rar'
            - '.iso'
            - '.exe'
    condition: selection_sender and selection_load_ref and selection_attachment
falsepositives:
    - New broker relationships
    - Legitimate load confirmations from unknown sources
level: high

RMM Tool Installation Detection (Severity: Critical)

Rule 4: Unauthorized RMM Tool Installation

Detects installation of RMM tools commonly used in cargo theft operations

title: Unauthorized Remote Monitoring and Management Tool Installation
id: d4i5j6k7-l8m9-7n0o-1p2q-3r4s5t6u7v8w
status: experimental
description: Detects installation of RMM tools commonly used in cargo theft operations
tags:
    - attack.command_and_control
    - attack.t1219
logsource:
    category: process_creation
    product: windows
detection:
    selection_image:
        Image|endswith:
            - '\SimpleHelp.exe'
            - '\ScreenConnect.ClientService.exe'
            - '\LogMeIn.exe'
            - '\NAble.exe'
            - '\RemoteUtilities.exe'
            - '\FleetDeck.exe'
            - '\PDQConnect.exe'
    selection_commandline:
        CommandLine|contains:
            - 'SimpleHelp'
            - 'ScreenConnect'
            - 'ConnectWise'
            - 'N-able'
            - 'LogMeIn'
    condition: selection_image or selection_commandline
falsepositives:
    - Legitimate IT support installations
    - Authorized remote administration
level: high

Rule 5: RMM Tool Network Connections

Detects network connections from RMM software to external infrastructure

title: RMM Tool Establishing Outbound Connections
id: e5j6k7l8-m9n0-8o1p-2q3r-4s5t6u7v8w9x
status: experimental
description: Detects network connections from RMM software to external infrastructure
tags:
    - attack.command_and_control
    - attack.t1219
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Image|endswith:
            - '\SimpleHelp.exe'
            - '\ScreenConnect.ClientService.exe'
            - '\LogMeIn.exe'
            - '\NAble.exe'
            - '\FleetDeck.exe'
        DestinationPort:
            - 443
            - 8080
            - 8443
    filter_internal:
        # Full RFC 1918 ranges; a plain '172.16.' prefix would miss 172.17.0.0 through 172.31.255.255
        DestinationIp|cidr:
            - '10.0.0.0/8'
            - '172.16.0.0/12'
            - '192.168.0.0/16'
    condition: selection and not filter_internal
falsepositives:
    - Approved RMM tool usage by IT department
level: medium
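
As an added example (not part of the bulletin and not any vendor's tooling), the following Python evaluates the logic of Rules 4 and 5 over constructed Sysmon-style events. It assumes an allowlist of approved RMM install directories (the `APPROVED_RMM` mapping is invented for illustration) and checks private address space with the `ipaddress` module over the full RFC 1918 ranges instead of a string prefix.

```python
import ipaddress

# Assumed allowlist of approved RMM deployments (constructed, not from the bulletin):
# executable name -> the only directory it is allowed to run from.
APPROVED_RMM = {
    "screenconnect.clientservice.exe": r"c:\program files (x86)\screenconnect client",
}

# Executable names from Rules 4 and 5.
RMM_BINARIES = {
    "simplehelp.exe", "screenconnect.clientservice.exe", "logmein.exe",
    "nable.exe", "remoteutilities.exe", "fleetdeck.exe", "pdqconnect.exe",
}
RMM_PORTS = {443, 8080, 8443}

# Full RFC 1918 ranges: a '172.16.' string prefix misses 172.17.0.0 through 172.31.255.255.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


def split_image(path: str):
    """Return (directory, file name), lower-cased, for a Windows image path."""
    directory, _, name = path.replace("/", "\\").lower().rpartition("\\")
    return directory, name


def check_process(event: dict):
    """Rule 4 plus allowlist: alert on an RMM binary unless it runs from its approved directory."""
    directory, name = split_image(event["Image"])
    if name not in RMM_BINARIES or APPROVED_RMM.get(name) == directory:
        return None
    return {"rule": "rmm_unapproved_process", "host": event["Computer"], "image": event["Image"]}


def check_network(event: dict):
    """Rule 5: an RMM binary connecting to a non-private address on a remote-support port."""
    _, name = split_image(event["Image"])
    if name not in RMM_BINARIES or int(event["DestinationPort"]) not in RMM_PORTS:
        return None
    if is_private(event["DestinationIp"]):
        return None
    return {"rule": "rmm_external_connection", "host": event["Computer"], "dest": event["DestinationIp"]}


def evaluate(events):
    """Run the matching check for each event and return the alerts in input order."""
    alerts = []
    for ev in events:
        hit = check_process(ev) if ev["EventType"] == "process_creation" else check_network(ev)
        if hit:
            alerts.append(hit)
    return alerts


# Constructed sample telemetry with Sysmon-style field names; none of it is real.
SAMPLE_EVENTS = [
    {"EventType": "process_creation", "Computer": "DISPATCH-01",
     "Image": r"C:\Users\dispatch\AppData\Local\Temp\SimpleHelp.exe"},
    {"EventType": "process_creation", "Computer": "DISPATCH-01",
     "Image": r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe"},
    # Private destination that a bare '172.16.' prefix filter would wrongly treat as external.
    {"EventType": "network_connection", "Computer": "DISPATCH-01",
     "Image": r"C:\Users\dispatch\AppData\Local\Temp\SimpleHelp.exe",
     "DestinationIp": "172.20.5.10", "DestinationPort": 443},
    # TEST-NET-3 documentation address standing in for attacker-controlled infrastructure.
    {"EventType": "network_connection", "Computer": "DISPATCH-01",
     "Image": r"C:\Users\dispatch\AppData\Local\Temp\SimpleHelp.exe",
     "DestinationIp": "203.0.113.7", "DestinationPort": 8443},
]
```

Running `evaluate(SAMPLE_EVENTS)` yields two alerts: the SimpleHelp binary launched from a Temp directory, and its connection to 203.0.113.7; the approved ScreenConnect client and the 172.20.5.10 connection are suppressed.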

Authentication Anomaly Detection (Severity: High)

Rule 6: Unusual VPN Connections Outside Business Hours

Detects VPN connections occurring outside expected business hours

title: VPN Access Outside Normal Business Hours
id: f6k7l8m9-n0o1-9p2q-3r4s-5t6u7v8w9x0y
status: experimental
description: Detects VPN connections occurring outside expected business hours
tags:
    - attack.initial_access
    - attack.t1078
logsource:
    product: vpn
    service: authentication
detection:
    selection:
        EventID: 4624
        LogonType: 10
    # Outside 06:00-22:00 means either before opening or after closing; the two
    # bounds must be combined with OR, since no single time is below 06:00 and above 22:00
    before_hours:
        EventTime|lt: '06:00:00'
    after_hours:
        EventTime|gt: '22:00:00'
    condition: selection and (before_hours or after_hours)
falsepositives:
    - After-hours maintenance windows
    - On-call support staff
    - Global operations with multiple time zones
level: medium

Rule 7: Multiple Concurrent VPN Sessions from Single User

Detects multiple simultaneous VPN sessions from same user account indicating potential credential compromise

title: Multiple Concurrent VPN Sessions from Single User Account
id: g7l8m9n0-o1p2-0q3r-4s5t-6u7v8w9x0y1z
status: experimental
description: Detects multiple simultaneous VPN sessions from same user account
tags:
    - attack.initial_access
    - attack.credential_access
    - attack.t1078
logsource:
    product: vpn
    service: authentication
detection:
    selection:
        EventID: 4624
        LogonType: 10
    condition: selection | count(SourceIP) by UserName > 1
    timeframe: 5m
falsepositives:
    - Users with multiple devices
    - Connection drops and reconnections
level: high

Rule 8: VPN Access from Unexpected Geographic Locations

Detects VPN access from geographic locations inconsistent with user baseline

title: VPN Authentication from Unexpected Geographic Location
id: h8m9n0o1-p2q3-1r4s-5t6u-7v8w9x0y1z2a
status: experimental
description: Detects VPN access from geographic locations inconsistent with user baseline
tags:
    - attack.initial_access
    - attack.t1078
logsource:
    product: vpn
    service: authentication
detection:
    selection:
        EventID: 4624
        LogonType: 10
    filter_approved_countries:
        SourceCountry:
            - 'US'
            - 'CA'
            # Add approved countries for your organization
    condition: selection and not filter_approved_countries
falsepositives:
    - Employees traveling internationally
    - Remote workforce in various countries
level: medium

TMS and Operational System Access Detection (Severity: High)

Rule 9: Bulk Data Extraction from TMS Systems

Detects unusual bulk extraction of shipment data from TMS databases

title: Bulk Shipment Data Extraction from Transportation Management System
id: i9n0o1p2-q3r4-2s5t-6u7v-8w9x0y1z2a3b
status: experimental
description: Detects unusual bulk extraction of shipment data from TMS databases
tags:
    - attack.collection
    - attack.t1213
logsource:
    product: database
    service: mssql
detection:
    selection_query:
        CommandType: 'SELECT'
        TableName|contains:
            - 'shipment'
            - 'load'
            - 'cargo'
            - 'freight'
    selection_volume:
        RowsReturned|gt: 1000
    condition: selection_query and selection_volume
falsepositives:
    - Legitimate reporting queries
    - Business intelligence operations
    - Data warehouse ETL processes
level: medium

Rule 10: TMS Database Access from Unexpected IP Addresses

Detects database connections to TMS from unusual or external IP addresses

title: TMS Database Access from Unexpected Source
id: j0o1p2q3-r4s5-3t6u-7v8w-9x0y1z2a3b4c
status: experimental
description: Detects database connections to TMS from unusual or external IP addresses
tags:
    - attack.initial_access
    - attack.lateral_movement
logsource:
    product: database
    service: authentication
detection:
    selection:
        EventType: 'Login'
        DatabaseName|contains:
            - 'TMS'
            - 'Dispatch'
            - 'Transport'
            - 'Freight'
    filter_approved:
        # Full RFC 1918 ranges; a plain '172.16.' prefix would miss 172.17.0.0 through 172.31.255.255
        SourceIP|cidr:
            - '10.0.0.0/8'
            - '172.16.0.0/12'
            - '192.168.0.0/16'
            # Add approved IP ranges
    condition: selection and not filter_approved
falsepositives:
    - Cloud-based TMS platforms
    - Remote workforce accessing systems
    - Third-party integrations
level: high

Rule 11: Unusual Load Assignment Changes

Detects changes to load assignments or routing not initiated by authorized dispatchers

title: Unexpected Load Assignment or Routing Modifications
id: k1p2q3r4-s5t6-4u7v-8w9x-0y1z2a3b4c5d
status: experimental
description: Detects changes to load assignments or routing not initiated by authorized dispatchers
tags:
    - attack.impact
    - attack.t1565
logsource:
    product: application
    service: tms
detection:
    selection:
        EventType:
            - 'LoadUpdate'
            - 'RouteModification'
            - 'CarrierAssignment'
    filter_authorized:
        UserRole:
            - 'Dispatcher'
            - 'Operations Manager'
            - 'System Admin'
    condition: selection and not filter_authorized
falsepositives:
    - Automated system processes
    - Emergency load reassignments
level: high

Credential Access Detection (Severity: Critical)

Rule 12: Credential Harvesting Tool Execution

Detects execution of credential stealing tools including WebBrowserPassView

title: Credential Harvesting Tools Used in Cargo Theft Operations
id: l2q3r4s5-t6u7-5v8w-9x0y-1z2a3b4c5d6e
status: experimental
description: Detects execution of credential stealing tools including WebBrowserPassView
tags:
    - attack.credential_access
    - attack.t1555
    - attack.t1552
logsource:
    category: process_creation
    product: windows
detection:
    selection_tools:
        Image|endswith:
            - '\mimikatz.exe'
            - '\lazagne.exe'
            - '\pwdump.exe'
            - '\WebBrowserPassView.exe'
    selection_commandline:
        CommandLine|contains:
            - 'sekurlsa::logonpasswords'
            - 'vault::cred'
            - 'chrome::passwords'
            - 'firefox::passwords'
            - 'WebBrowserPassView'
    condition: selection_tools or selection_commandline
falsepositives:
    - Security assessment activities
    - Penetration testing
level: critical

Rule 13: Browser Credential Store Access

Detects unusual access to browser credential storage locations

title: Suspicious Access to Browser Password Stores
id: m3r4s5t6-u7v8-6w9x-0y1z-2a3b4c5d6e7f
status: experimental
description: Detects unusual access to browser credential storage locations
tags:
    - attack.credential_access
    - attack.t1555.003
logsource:
    category: file_access
    product: windows
detection:
    selection_chrome:
        TargetFilename|contains:
            - '\Google\Chrome\User Data\Default\Login Data'
            - '\Google\Chrome\User Data\Default\Cookies'
    selection_firefox:
        TargetFilename|contains:
            - '\Mozilla\Firefox\Profiles\'
            - 'logins.json'
            - 'key4.db'
    selection_edge:
        TargetFilename|contains:
            - '\Microsoft\Edge\User Data\Default\Login Data'
    filter_browsers:
        Image|endswith:
            - '\chrome.exe'
            - '\firefox.exe'
            - '\msedge.exe'
    condition: (selection_chrome or selection_firefox or selection_edge) and not filter_browsers
falsepositives:
    - Password manager applications
    - Browser backup utilities
level: high

Discovery and Reconnaissance Detection (Severity: Medium)

Rule 14: Reconnaissance of Dispatch and TMS Systems

Detects reconnaissance activity focused on transportation and dispatch systems

title: System Discovery Activity Targeting Freight Operations
id: n4s5t6u7-v8w9-7x0y-1z2a-3b4c5d6e7f8g
status: experimental
description: Detects reconnaissance activity focused on transportation and dispatch systems
tags:
    - attack.discovery
    - attack.t1083
    - attack.t1057
logsource:
    category: process_creation
    product: windows
detection:
    selection_commands:
        CommandLine|contains:
            - 'dir C:\Program Files\*TMS*'
            - 'dir C:\Program Files\*Dispatch*'
            - 'dir C:\Program Files\*Load*'
            - 'tasklist | findstr'
            - 'net view'
            - 'net use'
    selection_processes:
        CommandLine|contains:
            - 'query user'
            - 'qwinsta'
            - 'systeminfo'
    condition: selection_commands or selection_processes
falsepositives:
    - System administration activities
    - Inventory management scripts
level: medium

📊 Correlation Opportunities

Consider creating correlation rules that fire when multiple conditions occur:

  • RMM tool installation + VPN access anomaly = HIGH priority alert
  • Email with suspicious links + Credential access = Potential compromise
  • Bulk data extraction + Large cloud upload = Data exfiltration attempt
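
An added example, not from the bulletin: a small Python correlator over a constructed event stream that implements Rule 6 (off-hours VPN logon), Rule 7 (more than one source IP for one user within five minutes) and the first and third correlations above. The 24-hour RMM-to-VPN window, the 30-minute extraction-to-upload window and the 100 MB upload threshold are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

BUSINESS_HOURS = (6, 22)                    # Rule 6: 06:00 to 22:00 is normal
CONCURRENT_WINDOW = timedelta(minutes=5)    # Rule 7 timeframe
RMM_TO_VPN_WINDOW = timedelta(hours=24)     # assumed correlation window
EXFIL_WINDOW = timedelta(minutes=30)        # assumed correlation window
BULK_ROWS = 1000                            # Rule 9 threshold
LARGE_UPLOAD_BYTES = 100_000_000            # assumed threshold


def parse(ev: dict) -> dict:
    return {**ev, "ts": datetime.fromisoformat(ev["ts"])}


def off_hours(ts: datetime) -> bool:
    return ts.hour < BUSINESS_HOURS[0] or ts.hour >= BUSINESS_HOURS[1]


def vpn_anomalies(events):
    """Rules 6 and 7 over time-sorted events; Rule 7 keeps a 5-minute window of logons per user."""
    anomalies, recent = [], defaultdict(list)
    for ev in events:
        if ev["kind"] != "vpn_logon":
            continue
        if off_hours(ev["ts"]):
            anomalies.append({"ts": ev["ts"], "user": ev["user"], "host": ev["host"], "why": "off_hours_vpn"})
        window = [e for e in recent[ev["user"]] if ev["ts"] - e["ts"] <= CONCURRENT_WINDOW]
        if len({e["src"] for e in window} | {ev["src"]}) > 1:
            anomalies.append({"ts": ev["ts"], "user": ev["user"], "host": ev["host"], "why": "concurrent_vpn_sources"})
        recent[ev["user"]] = window + [ev]
    return anomalies


def correlate(raw_events):
    """Two of the bulletin's correlations: RMM install + VPN anomaly, and bulk query + large upload."""
    events = sorted((parse(e) for e in raw_events), key=lambda e: e["ts"])
    alerts = []
    vpn = vpn_anomalies(events)
    for ev in events:
        if ev["kind"] != "rmm_install":
            continue
        for a in vpn:  # anomaly on the same host within the window after the install
            if a["host"] == ev["host"] and timedelta(0) <= a["ts"] - ev["ts"] <= RMM_TO_VPN_WINDOW:
                alerts.append({"priority": "HIGH", "host": ev["host"], "reason": "rmm_install then " + a["why"]})
                break
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev["user"]].append(ev)
    for user, evs in by_user.items():
        uploads = [e for e in evs if e["kind"] == "cloud_upload" and e["bytes"] >= LARGE_UPLOAD_BYTES]
        for b in (e for e in evs if e["kind"] == "bulk_query" and e["rows"] > BULK_ROWS):
            if any(timedelta(0) <= u["ts"] - b["ts"] <= EXFIL_WINDOW for u in uploads):
                alerts.append({"priority": "HIGH", "user": user, "reason": "bulk_query then cloud_upload"})
                break
    return alerts


# Constructed sample event stream, already normalised to a common shape; none of it is real.
EVENTS = [
    {"ts": "2025-11-03T14:02:00", "host": "DISPATCH-01", "user": "jdoe", "kind": "rmm_install"},
    {"ts": "2025-11-03T23:41:00", "host": "DISPATCH-01", "user": "jdoe", "kind": "vpn_logon", "src": "198.51.100.20"},
    {"ts": "2025-11-03T23:43:00", "host": "DISPATCH-01", "user": "jdoe", "kind": "vpn_logon", "src": "203.0.113.9"},
    {"ts": "2025-11-04T09:15:00", "host": "DISPATCH-02", "user": "asmith", "kind": "vpn_logon", "src": "198.51.100.30"},
    {"ts": "2025-11-04T09:16:00", "host": "DISPATCH-02", "user": "asmith", "kind": "bulk_query", "rows": 4800},
    {"ts": "2025-11-04T09:20:00", "host": "DISPATCH-02", "user": "asmith", "kind": "cloud_upload", "bytes": 900_000_000},
]
```

`correlate(EVENTS)` returns one HIGH alert for DISPATCH-01 (RMM install followed by an off-hours VPN logon) and one for asmith (bulk query followed by a large upload); the second jdoe logon also trips the concurrent-source check because it arrives from a different IP within five minutes.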

Emerging Threats Signatures

Organizations can implement the following Proofpoint Emerging Threats signatures for network-level detection:

ET SID     Description
2837962    ScreenConnect - Establish Connection Attempt
2050021    Observed DNS Query to Known ScreenConnect/ConnectWise Domain
2054938    PDQ Remote Management Agent Checkin
2065069    Observed RMM Domain in DNS Lookup (n-able .com)
2049863    simplehelp Remote Access Software Activity
2047669    fleetdeck Remote Management Software Domain in DNS Lookup

📞 REPORTING AND RESOURCES

Incident Reporting

Organizations experiencing cargo theft enabled by cyber intrusion should report to:

🚨 Report Incidents To:

Industry Resources

Law Enforcement Contacts

  • FBI Field Offices: Contact local field office for cargo theft investigations
  • State Fusion Centers: Regional threat information sharing
  • Local Law Enforcement: File reports for physical theft incidents

💡 CONCLUSION

The convergence of cybercrime and organized crime in freight cargo theft operations represents a significant evolution in threat actor monetization strategies. Unlike traditional cybercrime that targets data or demands ransom, these operations leverage digital access to facilitate physical theft of tangible goods valued in the billions annually.

The sophistication demonstrated—from detailed knowledge of freight operations to the use of legitimate remote access tools—indicates well-resourced threat actors with specific industry expertise. The coordination between digital compromise and physical crime execution suggests partnerships between cybercriminals and traditional organized theft groups.

🎯 Key Takeaway

Organizations in the freight, logistics, and transportation sectors must recognize that their operational systems are now direct targets for adversaries seeking financial gain through cargo theft.

Traditional physical security measures are insufficient when threat actors can digitally manipulate bookings, access shipment intelligence, and coordinate theft operations remotely.

Priority should be given to implementing multi-factor authentication, enhancing email security, establishing behavioral monitoring, and creating industry-specific threat awareness programs. As this threat continues to evolve, information sharing within the freight industry and collaboration with law enforcement will be critical to disrupting these operations and holding threat actors accountable.
