Cybercriminals are increasingly setting their sights on trucking and logistics companies, using remote monitoring and management (RMM) tools as a stealthy weapon to infiltrate networks and steal valuable cargo.
According to new research from Proofpoint, a threat cluster active since June 2025 has been collaborating with organized crime groups to execute cyber-enabled freight thefts, particularly targeting food and beverage shipments.
Once inside a company’s systems, attackers leverage legitimate RMM software to gain persistent remote access, manipulate freight bookings, and ultimately steal physical goods that are resold online or shipped overseas.
How the Attacks Work
The campaigns begin with spear-phishing emails and compromised accounts—particularly those belonging to asset-based carriers, freight brokers, and supply chain providers.
Attackers hijack existing business conversations or post fraudulent freight listings using hacked accounts on load boards to lure victims. When a legitimate carrier inquires about a load, they receive a reply containing a malicious URL disguised as a shipping document or bid form.
Clicking the link downloads booby-trapped MSI installers or executables that deploy legitimate RMM tools such as:
- ScreenConnect
- SimpleHelp
- PDQ Connect
- Fleetdeck
- N-able
- LogMeIn Resolve
In several cases, attackers used PDQ Connect to install other RMMs like ScreenConnect and SimpleHelp, layering tools to expand control.
From Access to Cargo Theft
Once remote access is established, the attackers perform system reconnaissance and deploy credential stealers like WebBrowserPassView to capture additional passwords and deepen network access.
In one confirmed case, the intruders deleted legitimate freight bookings, blocked dispatcher notifications, and added their own devices to dispatch systems—allowing them to impersonate carriers and book shipments under stolen identities.
They then coordinated transportation for the stolen loads, effectively turning cyber intrusion into real-world theft.
Why RMM Tools Are Attractive to Threat Actors
The use of legitimate RMM software offers attackers several key advantages:
- No custom malware needed – RMMs are ready-made, powerful, and easy to deploy.
- Low detection rate – Because RMMs are widely used by IT teams, antivirus and EDR solutions often don’t flag them.
- User trust – Employees are less suspicious of installing familiar remote management tools than unknown trojans.
- Signed binaries – Installers are typically digitally signed, helping them bypass security filters.
Proofpoint previously warned that attacker-owned RMM tools are becoming a popular method to gain initial access while staying under the radar. This trend highlights the growing blur between legitimate IT software and malicious use.
How to Protect Your Organization
To defend against these cyber-enabled cargo theft schemes, logistics and transportation companies should:
- Educate employees about phishing tactics, especially fraudulent freight listings.
- Verify all load board communications directly through trusted platforms.
- Restrict RMM usage to authorized IT staff and require multi-factor authentication (MFA) for all administrative access.
- Implement application whitelisting to block unauthorized installations.
- Monitor network activity for unusual RMM connections or unexpected remote sessions.
- Regularly audit freight management systems for unauthorized changes or deleted bookings.
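The monitoring and allowlisting steps above, as an added example that is not part of the original article or Proofpoint's research: a triage pass over software-install events that flags RMM products outside an approved list, RMMs installed by another RMM (the PDQ Connect layering described earlier), and hosts carrying more than one RMM. The event fields, keyword matching, approved list and sample events are all constructed assumptions.

```python
from collections import defaultdict

# RMM products named in the article. Substring keywords are an assumption;
# production rules should match signer and product metadata instead.
RMM_KEYWORDS = {
    "screenconnect": "ScreenConnect", "simplehelp": "SimpleHelp",
    "pdq connect": "PDQ Connect", "fleetdeck": "Fleetdeck",
    "n-able": "N-able", "logmein resolve": "LogMeIn Resolve",
}
APPROVED_RMM = {"N-able"}  # hypothetical: the single tool IT has sanctioned

def rmm_name(text):
    """Return the RMM product a string refers to, or None."""
    low = (text or "").lower()
    return next((n for k, n in RMM_KEYWORDS.items() if k in low), None)

def triage(events):
    """Return sorted (host, finding, detail) tuples for install events."""
    findings, per_host = set(), defaultdict(set)
    for ev in events:
        product = rmm_name(ev["product"])
        if product is None:
            continue  # not an RMM install, out of scope for this check
        per_host[ev["host"]].add(product)
        if product not in APPROVED_RMM:
            findings.add((ev["host"], "unapproved_rmm", product))
        parent = rmm_name(ev["parent"])
        if parent and parent != product:  # one RMM pushing another
            findings.add((ev["host"], "rmm_installed_by_rmm", f"{parent}->{product}"))
    for host, products in per_host.items():
        if len(products) > 1:  # layered remote-access tools on one machine
            findings.add((host, "multiple_rmm", "+".join(sorted(products))))
    return sorted(findings)

# Constructed sample events (not real telemetry).
SAMPLE = [
    {"host": "DISPATCH-01", "product": "PDQ Connect Agent", "parent": "msiexec.exe"},
    {"host": "DISPATCH-01", "product": "ScreenConnect Client", "parent": "PDQ Connect Agent"},
    {"host": "DISPATCH-01", "product": "SimpleHelp Remote Access", "parent": "PDQ Connect Agent"},
    {"host": "IT-LAPTOP-7", "product": "N-able agent", "parent": "msiexec.exe"},
    {"host": "DISPATCH-02", "product": "Rate confirmation viewer", "parent": "explorer.exe"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(*finding, sep="\t")
```

On the sample data every finding lands on DISPATCH-01, while the sanctioned N-able install on the IT laptop produces none.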
The Bigger Picture: Cyber Meets Physical Theft
These campaigns mark a dangerous evolution in cybercrime—where digital compromise leads to tangible, real-world losses.
By combining social engineering, compromised credentials, and remote tools, cybercriminals are bridging the gap between virtual breaches and physical theft, exploiting the trust and urgency that define the logistics industry.
As RMM abuse continues to rise, cybersecurity teams must adopt zero-trust principles, tighten access control, and ensure that every remote connection—no matter how legitimate it looks—is continuously verified.
Final Thoughts
The latest Proofpoint findings show that cyber-enabled freight theft is no longer a theoretical risk—it’s an active, profitable operation targeting the global supply chain.
Trucking and logistics firms, often underprotected, have become high-value targets for attackers using tools meant for IT support and maintenance.
Raising awareness, enforcing access controls, and monitoring RMM activity can go a long way in ensuring that your next shipment doesn’t become someone else’s profit.
Key Takeaways
- Attackers use legitimate RMM tools (ScreenConnect, PDQ Connect, etc.) to infiltrate logistics networks.
- Phishing and hijacked load board accounts are the main delivery methods.
- The ultimate goal is real-world cargo theft—not just data exfiltration.
- Companies should limit RMM usage, verify freight listings, and enhance monitoring to reduce risk.