LmCast :: Stay tuned in

Hackers Weaponize Remote Tools to Hijack Cargo Freight

Recorded: Nov. 3, 2025, 11 p.m.

Original Summarized

Researchers uncovered a new threat campaign in which attackers use RMM tools to steal physical cargo out of the supply chain.

Alexander Culafi, Senior News Writer, Dark Reading
November 3, 2025
4 Min Read

Threat actors are using remote monitoring and management (RMM) tools to compromise trucking and freight companies, all in an effort to steal physical cargo.

That's according to researchers from Proofpoint, which today published research describing how unnamed attackers compromise trucking and freight companies to bid on cargo shipments before stealing them. The hackers then ship this cargo overseas or sell it online, working with organized crime groups all the while.

Since at least June 2025 and possibly going back months further, threat actors would compromise an account for a broker load board, which is used to book loads for trucking companies. The threat actors would then publish a fake listing for a load, and reply with phishing links to the freight carriers that respond. Once attackers successfully phish a trucking company, they install remote access tools, bid on real truck loads to transport, and subsequently intercept the cargo from those real jobs.

As cargo theft leads to an estimated $35 billion in losses each year, this kind of attack poses a risk to the supply chain unlike that commonly seen in cybersecurity research. That's not to say it's unheard of, however; Proofpoint published research surrounding a similar campaign in September 2024, though the security vendor was unable to tie the threat actors from those attacks to this more recent cluster.

How Hackers Hack Truckers

In this campaign, the threat actors utilized a range of RMM tools to compromise victims, including ScreenConnect, SimpleHelp, PDQ Connect, Fleetdeck, N-able, and LogMeIn Resolve. Although not all tools were utilized in every single attack, Proofpoint said some attacks would utilize multiple tools in tandem (such as using PDQ Connect to download ScreenConnect and SimpleHelp).

Hackers would get to this point through multiple means. Besides obtaining accounts on load boards, attackers would compromise email accounts and hijack ongoing threads with malicious links. Other times, the attackers would simply target carriers via direct phishing email campaigns. Broadly speaking, the threat cluster isn't picky with its targets.

"Based on campaigns observed by Proofpoint, the threat actor does not appear to attack specific companies, and targets range from small, family-owned businesses to large transport firms as described above," the report read. "The threat actor appears to be opportunistic about the carriers that it targets and will likely attempt to compromise any carrier who responds to the fake load posting."

Once they have an initial foothold, the threat actor conducts additional reconnaissance with the goal of deepening access within target environments. The ultimate goal is to compromise a legitimate freight carrier and, as Proofpoint explained, "identify and bid on loads that are likely to be profitable if stolen."

Ole Villadsen, staff threat researcher at Proofpoint and co-author of the report, tells Dark Reading that cargo is physically stolen in a few different ways. When hackers maliciously take ownership of a load, sometimes the truckers are working directly with the criminals.
Other times, the criminals use a technique known as "double brokering," where loads are resold to a legitimate trucking company that believes it is transporting goods legitimately.

"In all cases, these operations require people to be physically present to get their hands on the goods, and the goods will be delivered to a location or warehouse controlled by the criminals," Villadsen says. "We have also observed other types of cyber-enabled physical goods theft in which thieves will get goods shipped or delivered to warehouses or locations owned by mules to take delivery of the stolen goods and then resell them or further ship them overseas."

A Threat to Supply-Chain Security

At a time when the global supply chain is constantly stressed due to geopolitical, economic, and technological reasons, any additional threat to its stability is worth taking note of. Dark Reading asked Proofpoint about the scale of the threat that cyber-assisted cargo theft poses to the supply chain. Selena Larson, staff threat researcher at Proofpoint and co-author of the report, explains that while the firm lacks precise numbers, "its effects are widespread and disruptive across the entire surface transportation supply chain."

"Cyberattacks targeting transportation companies can interrupt individual shipments, leading to increased costs for shippers, while also delaying the delivery of goods and services," Larson says. "These disruptions often result in insurance claims, which can drive up premiums, costs that are ultimately passed on to consumers. Beyond the financial toll, cyber-enabled theft erodes trust within the supply chain, as organizations may hesitate to engage with partners who have previously been compromised."

Proofpoint suggests that organizations at risk of cargo theft review the National Motor Freight Traffic Association Cargo Crime Reduction Framework.
For all organizations attempting to fight RMM abuse, the vendor recommends restricting the download and installation of RMM tooling not approved by the organization's IT administrators, implementing network detections, refraining from downloading executable files delivered via email from external senders, and training users to identify and report suspicious activity.

About the Author

Alexander Culafi, Senior News Writer, Dark Reading

Alex is an award-winning writer, journalist, and podcast host based in Boston. After cutting his teeth writing for independent gaming publications as a teenager, he graduated from Emerson College in 2016 with a Bachelor of Science in journalism. He has previously been published on VentureFizz, Search Security, Nintendo World Report, and elsewhere. In his spare time, Alex hosts the weekly Nintendo podcast Talk Nintendo Podcast and works on personal writing projects, including two previously self-published science fiction novels.

Hackers are weaponizing remote monitoring and management (RMM) tools to steal physical cargo, posing a risk to the freight supply chain. According to research published by Proofpoint in November 2025, cybercriminals are compromising trucking and freight companies, using tools such as ScreenConnect, SimpleHelp, and PDQ Connect. The campaign, ongoing since at least June 2025, starts from a compromised broker load board account: the attackers post a fake load listing, send phishing links to the carriers that respond, install remote access tools on the phished carrier's systems, and then bid on legitimate truck loads to intercept the goods.

The threat actors are described as opportunistic, with targets ranging from small family-owned businesses to large transport firms. Besides fake listings posted from compromised load board accounts, Proofpoint's research describes two other ways in: hijacking existing email threads from compromised email accounts and direct phishing email campaigns. Once access is gained, the attackers conduct reconnaissance to deepen their access within the target environment, ultimately seeking to compromise a legitimate freight carrier and identify profitable loads to bid on and steal.

The stolen cargo is physically obtained in a few different ways. Sometimes the truckers work directly with the criminals; other times the criminals use “double brokering,” where loads are resold to a legitimate trucking company that believes it is transporting the goods legitimately. In all cases the operation requires people to be physically present, and the goods are delivered to a location or warehouse controlled by the criminals for resale or shipment overseas. Proofpoint has also observed other cyber-enabled thefts in which goods are delivered to locations owned by “mules.”

The impact of such cyber-enabled cargo theft is substantial. While Proofpoint lacks precise numbers, it describes the effects as widespread and disruptive across the entire surface transportation supply chain. Disruptions to individual shipments can lead to increased costs for shippers, delayed deliveries, and insurance claims that drive up premiums, costs that are ultimately passed on to consumers. The threat adds to a supply chain already stressed for geopolitical, economic, and technological reasons.

To mitigate these risks, Proofpoint recommends that organizations at risk of cargo theft review the National Motor Freight Traffic Association Cargo Crime Reduction Framework. To counter RMM abuse, it recommends restricting the download and installation of RMM tools not approved by IT administrators, deploying network detections, not downloading executable files delivered by email from external senders, and training users to identify and report suspicious activity. The research underscores a critical vulnerability within the supply chain and stresses the need for proactive security measures to safeguard against this evolving threat.
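The recommendation to restrict unapproved RMM tooling, together with the report's observation that one RMM tool was used to download others (PDQ Connect fetching ScreenConnect and SimpleHelp), can be turned into a simple install-log review. The following is an added example, not code from Proofpoint or Dark Reading; the event fields (`host`, `product`, `installed_by`), the host names, the approved list and the product-name patterns are all assumptions made for illustration.

```python
import re
from collections import defaultdict

# RMM products named in the article; patterns are an assumption, not vendor signatures.
RMM_PATTERNS = {
    "ScreenConnect": r"screenconnect",
    "SimpleHelp": r"simplehelp",
    "PDQ Connect": r"pdq[\s_-]?connect",
    "Fleetdeck": r"fleetdeck",
    "N-able": r"n-able",
    "LogMeIn Resolve": r"logmein\s*resolve",
}

def rmm_name(text):
    """Return the RMM product that a free-text product string names, or None."""
    for name, pattern in RMM_PATTERNS.items():
        if text and re.search(pattern, text, re.IGNORECASE):
            return name
    return None

def review_installs(events, approved):
    """Flag unapproved RMM installs, RMM-installs-RMM chains, and multi-RMM hosts."""
    findings, per_host = [], defaultdict(set)
    for ev in events:
        tool = rmm_name(ev["product"])
        if tool is None:
            continue  # not an RMM product we track
        per_host[ev["host"]].add(tool)
        parent = rmm_name(ev.get("installed_by"))
        if tool not in approved:
            findings.append((ev["host"], "unapproved_rmm", tool))
        if parent and parent != tool:  # one RMM tool deploying a different one
            findings.append((ev["host"], "rmm_installed_by_rmm", f"{parent} -> {tool}"))
    for host, tools in sorted(per_host.items()):
        if len(tools) > 1:
            findings.append((host, "multiple_rmm_tools", ", ".join(sorted(tools))))
    return findings

# Constructed software-install events (hypothetical field names and hosts).
SAMPLE_EVENTS = [
    {"host": "dispatch-01", "product": "PDQ Connect Agent", "installed_by": "msiexec"},
    {"host": "dispatch-01", "product": "ScreenConnect Client", "installed_by": "PDQ Connect Agent"},
    {"host": "dispatch-01", "product": "SimpleHelp Remote Access", "installed_by": "PDQ Connect Agent"},
    {"host": "it-admin-02", "product": "N-able Take Control", "installed_by": "msiexec"},
    {"host": "it-admin-02", "product": "7-Zip", "installed_by": "msiexec"},
]
APPROVED = {"N-able"}  # assumption: the only RMM product IT has sanctioned
if __name__ == "__main__":
    print(*review_installs(SAMPLE_EVENTS, APPROVED), sep="\n")
```

In production the matching should key on signer and file metadata from the endpoint agent rather than product-name substrings, which a renamed installer would evade.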