Hackers Targeting Trucking and Logistics Industry with Sophisticated Remote Access Campaigns

What happened

Proofpoint researchers spent a month inside a controlled decoy environment observing how cybercriminals who target the trucking and logistics sector operate after gaining initial access. The threat actors got in by compromising a load board platform (an online marketplace that connects freight brokers and shippers) and then emailed malicious payloads to transportation carriers. Once inside, they installed six separate remote access tools, including four ScreenConnect instances, apparently so that access would survive the removal of any single tool.

Researchers also identified a novel capability: a script that automatically queried an external certificate signing service so that every installed component was signed with a certificate Windows recognized as trusted. Proofpoint described this as a "signing-as-a-service" adaptation designed to circumvent recent ScreenConnect security measures that require fresh certificate signing.

Beyond cargo theft, the attackers scanned for cryptocurrency wallets, checked for PayPal credentials, and ran a PowerShell script that targeted financial institutions, money transfer services, online accounting platforms, fuel card providers, and freight brokerage systems. Losses from cargo theft in North America reached $6.6 billion in 2025, driven largely by digital attacks. Proofpoint is currently tracking roughly a dozen groups targeting the sector across North America and Europe.

Who is affected

Trucking carriers and freight brokers are the primary targets. Small carriers, which make up the majority of the industry and mostly operate fewer than 10 trucks, are particularly exposed because they have limited cybersecurity resources. Compromising a load board platform lets attackers reach dozens or hundreds of carriers at once, amplifying the scale of a single intrusion.

Why CISOs should care

The signing-as-a-service capability is a meaningful escalation in attacker tradecraft: malicious remote access tools arrive with signatures Windows accepts, so certificate-based trust controls no longer separate a legitimate RMM deployment from a malicious one at scale, and provenance (who deployed the tool, from where, and when) has to carry that weight. The broader financial targeting beyond cargo theft, spanning crypto wallets, payment platforms, and accounting systems, means logistics organizations face exposure well beyond operational disruption. With roughly a dozen active threat groups working this sector, this is an organized, scalable criminal ecosystem, not isolated opportunism.

3 practical actions

  1. Scrutinize remote monitoring and management (RMM) tool installations: Inventory the RMM tools present in your environment (services, scheduled tasks, and running agents), verify each against an authorized deployment, and investigate any instance that appeared outside a known deployment or change window. Several instances of the same tool on one host is a finding in itself.
  2. Monitor for certificate anomalies: Watch for executables or installers signed with certificates from unfamiliar or recently issued authorities, particularly where the certificate's issue date or the signing timestamp falls close to the time of deployment. A valid signature on its own is not evidence of an authorized install.
  3. Assess load board and freight platform access controls: If your organization connects to load board or freight brokerage platforms, review authentication controls, session monitoring, and the permissions granted to those integrations.
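The first two actions can be scripted on a Windows endpoint. The PowerShell below is an added example written for this page, not Proofpoint's tooling or anything taken from the research: it enumerates services whose names look like RMM agents, checks each binary's Authenticode signature, compares the signing certificate's issue date with the binary's creation time (the tell-tale of sign-right-before-deploy pipelines), and warns when more than one RMM-like service is present on the host. The service-name patterns other than ScreenConnect, the `$AuthorizedThumbprints` placeholder and the 48-hour window are assumptions to adapt to your own estate.

```powershell
# Added example for this page (not Proofpoint's tooling): audit RMM-like Windows services
# and flag code-signing anomalies on their binaries. Run in an elevated PowerShell session.

# ScreenConnect is the tool named in the research; the other patterns are an assumed
# starting list of commonly abused RMM agents. Extend to match your estate.
$RmmServicePatterns = @('ScreenConnect*', 'AnyDesk*', 'TeamViewer*', 'Splashtop*', 'AteraAgent*')

# Hypothetical placeholder: thumbprints of the signing certificates your approved RMM vendor uses.
$AuthorizedThumbprints = @('0000000000000000000000000000000000000000')

# Flag a binary whose signing certificate was issued within this many hours of the binary
# appearing on disk. Sign-on-demand pipelines produce exactly this pattern. Assumed threshold.
$SignWindowHours = 48

function Test-RmmServiceName {
    param([string]$Name, [string]$DisplayName)
    foreach ($p in $RmmServicePatterns) {
        if ($Name -like $p -or $DisplayName -like $p) { return $true }
    }
    return $false
}

function Get-ServiceBinaryPath {
    # Win32_Service.PathName may be quoted and may carry arguments; return only the executable.
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    if ($PathName -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($PathName.Trim() -split '\s+')[0]
}

function Get-RmmServiceFindings {
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { Test-RmmServiceName -Name $_.Name -DisplayName $_.DisplayName } |
        ForEach-Object {
            $svc = $_
            $exe = Get-ServiceBinaryPath -PathName $svc.PathName
            $f = [ordered]@{
                Service    = $svc.Name
                State      = $svc.State
                Binary     = $exe
                Installed  = $null     # binary creation time (UTC); can be timestomped, treat as a hint
                SigStatus  = 'NotChecked'
                Issuer     = $null
                CertIssued = $null     # NotBefore of the leaf signing certificate (UTC)
                Flags      = @()
            }
            if ($exe -and (Test-Path -LiteralPath $exe)) {
                $item = Get-Item -LiteralPath $exe
                $f.Installed = $item.CreationTimeUtc
                $sig = Get-AuthenticodeSignature -FilePath $exe
                $f.SigStatus = $sig.Status.ToString()
                if ($sig.Status -ne 'Valid') { $f.Flags += "Signature:$($sig.Status)" }
                $cert = $sig.SignerCertificate
                if ($cert) {
                    $f.Issuer     = $cert.Issuer
                    $f.CertIssued = $cert.NotBefore.ToUniversalTime()
                    if ($AuthorizedThumbprints -notcontains $cert.Thumbprint) { $f.Flags += 'UnapprovedSigner' }
                    # A certificate minted within hours of the binary landing on disk is the
                    # signing-as-a-service pattern, even when the signature itself validates.
                    $hours = ($item.CreationTimeUtc - $f.CertIssued).TotalHours
                    if ([math]::Abs($hours) -le $SignWindowHours) { $f.Flags += 'CertIssuedNearInstall' }
                } else {
                    $f.Flags += 'Unsigned'
                }
            } else {
                $f.Flags += 'BinaryMissing'   # service points at a path that no longer exists
            }
            [pscustomobject]$f
        }
}

$findings = @(Get-RmmServiceFindings)

# More than one RMM-like service on a host is itself the pattern Proofpoint observed
# (six tools, four of them ScreenConnect). Each ScreenConnect instance installs as its own service.
if ($findings.Count -gt 1) {
    Write-Warning ("{0} RMM-like services found on {1}; verify each against a known deployment or change window." -f $findings.Count, $env:COMPUTERNAME)
}

$findings |
    Sort-Object Installed |
    Select-Object Service, State, SigStatus, Issuer, CertIssued, Installed,
        @{ n = 'Flags'; e = { $_.Flags -join ',' } }, Binary |
    Format-Table -AutoSize
```

The flags are meant to be read together: `UnapprovedSigner` on a service that otherwise validates is the case the article warns about, since a valid signature no longer proves the install was yours, and `CertIssuedNearInstall` narrows that further to certificates that look freshly minted for the deployment. Two caveats: the check reads only the leaf certificate, so judging whether the issuing authority itself is recent or unfamiliar means walking the chain (for example with `System.Security.Cryptography.X509Certificates.X509Chain`) and comparing issuers against the ones your approved vendors actually use; and file creation time is attacker-controllable, so corroborate it with service-installation events from the System log or your EDR before treating the timing as fact.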
