Cargo thieving hackers running sophisticated remote access campaigns, researchers find
Security researchers recently spent a month getting a first-hand look at the activity of cybercriminals targeting the trucking and logistics industry.
The researchers, from cybersecurity firm Proofpoint, previously described how threat actors gain access to companies in the shipping industry to steal cargo and siphon payments — but their new research sought to answer the question of what exactly happens after they get their feet in the door.
The work sheds light on the growing threat of cyber-enabled cargo theft and its links to organized crime. Losses from cargo theft in North America rose to $6.6 billion in 2025, driven largely by digital attacks, according to the fleet management company Geotab.
“It’s a huge problem beyond just one actor or one country,” said Ole Villadsen, one of the Proofpoint researchers.
Using a controlled decoy environment, his team intentionally downloaded a malicious payload sent by email to transportation carriers after the cybercriminals had compromised a load board platform, a marketplace where freight brokers and shippers connect to arrange the movement of cargo.
After getting access, the cybercriminals installed six separate remote access tools, including four ScreenConnect instances, a redundancy the researchers believe was meant to preserve remote control if any one of the tools was removed.
The last downloaded ScreenConnect tool presented a surprise: the use of a script that automatically queried an external certificate signing service. This enabled all installed components to be signed with a certificate that Windows perceived to be trusted.
“This was a new capability that we were lucky enough to encounter,” said Villadsen. He believes the “signing-as-a-service” tool is an adaptation to recent security efforts by ScreenConnect to revoke existing certificates and require new instances of the software to sign an installer, which “disrupted the whole RMM [remote monitoring and management] ecosystem significantly.”
“So rather than everybody trying to create their own certificate, we can have this kind of secret little signing-as-a-service process,” he said. “Not only was the MSI [Microsoft Installer] signed, but it would also go out and replace all the component files and re-sign them as well. The whole thing was thought out pretty well.”
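What a defender can do with this on a Windows host, as an added example written for this article and not code from Proofpoint or the article: a PowerShell hunt that lists RMM services, checks each binary's Authenticode signer, and flags both the multiple-instance pattern and validly signed binaries from signers you have not approved. It assumes RMM client services carry the product name in their display name or binary path (ScreenConnect clients do), and the approved-signer list is yours to supply.

```powershell
# Added hunt script (not from the article or Proofpoint): inventory RMM services on a
# Windows host, record who signed each service binary, and flag the two patterns above:
# several instances of one RMM product, and valid signatures from unfamiliar signers.
# Assumption: RMM client services carry the product name in their display name or
# binary path; add further product names to $RmmPatterns as needed.
param(
    [string[]]$RmmPatterns = @('ScreenConnect'),
    [int]$MaxExpectedPerProduct = 1,
    [string[]]$ApprovedSigners = @()   # certificate subjects your organisation sanctions
)

$services = Get-CimInstance -ClassName Win32_Service | Where-Object { $_.PathName }

$findings = foreach ($svc in $services) {
    foreach ($pattern in $RmmPatterns) {
        if ($svc.DisplayName -notlike "*$pattern*" -and $svc.PathName -notlike "*$pattern*") { continue }
        # PathName is usually quoted and may carry arguments; keep only the executable.
        # (Unquoted paths containing spaces are not resolved by this simple split.)
        $exe = if ($svc.PathName -match '^"([^"]+)"') { $Matches[1] } else { ($svc.PathName -split ' ')[0] }
        $sig = if (Test-Path -LiteralPath $exe) { Get-AuthenticodeSignature -FilePath $exe } else { $null }
        [pscustomobject]@{
            Product    = $pattern
            Service    = $svc.Name
            State      = $svc.State
            StartMode  = $svc.StartMode
            Binary     = $exe
            SigStatus  = if ($sig) { [string]$sig.Status } else { 'BinaryMissing' }
            Signer     = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            Thumbprint = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { '' }
        }
    }
}

$findings | Format-Table -AutoSize

# More services for one product than the host should have: the redundancy pattern
$findings | Group-Object Product | Where-Object { $_.Count -gt $MaxExpectedPerProduct } | ForEach-Object {
    Write-Warning ("{0}: {1} service instances (expected at most {2})" -f $_.Name, $_.Count, $MaxExpectedPerProduct)
}

# A 'Valid' status only means Windows trusts the chain; compare the signer to your own list
$findings | Where-Object { $_.SigStatus -eq 'Valid' -and $_.Signer -notin $ApprovedSigners } | ForEach-Object {
    Write-Warning ("{0}: validly signed by an unapproved signer: {1} [{2}]" -f $_.Service, $_.Signer, $_.Thumbprint)
}

# Unsigned, tampered or missing binaries are findings in their own right
$findings | Where-Object { $_.SigStatus -ne 'Valid' } | ForEach-Object {
    Write-Warning ("{0}: signature status {1} for {2}" -f $_.Service, $_.SigStatus, $_.Binary)
}
```

Save it as a .ps1 and run it in an elevated session so every service's binary path can be read; run it across a fleet to build the baseline of signer subjects you then pass in as -ApprovedSigners.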
Another thing that jumped out to Villadsen was the way in which the hackers seemed to not just be working to steal cargo but also to carry out “broader financial targeting and theft.”
They scanned for cryptocurrency wallets and manually checked for PayPal credentials. A PowerShell script on the infected device scanned for access points to financial institutions, money transfer services and online accounting platforms. It also searched for load management and freight brokerage platforms, as well as fuel card providers.
“They know the transportation industry really, really well for sure, and know how to target that particular space,” he said. “But they’re also cybercriminals, and they’re looking for any way that they can monetize a workstation that they’ve landed on.”
While this threat group is one of the most prolific at infiltrating load boards to deliver payloads, it is one of many cashing in on a vulnerable space. Villadsen says he and his team are tracking about a dozen different groups targeting the sector in North America and in Europe.
Because the vast majority of carriers are small enterprises with fewer than 10 trucks, they may not have robust cybersecurity defenses. By targeting them through load boards, hackers can infiltrate dozens or even hundreds of carriers at a time.
“It’s an industry that unfortunately presents itself well to cyber intrusions and being able to escalate or scale the theft really well,” he said.