Digital Highwaymen: Hackers Use RMM Tools to Hijack Physical Cargo Shipments
Cybercriminals have discovered a way to exploit digital tools to steal tangible goods from trucks and warehouses. According to researchers at Proofpoint, since the beginning of 2025, an active criminal group has been targeting transportation and logistics companies across North America. After gaining access to carriers’ internal systems, the attackers participate in legitimate freight tenders, win contracts, and then physically hijack shipments—reselling them online or exporting them abroad.
Proofpoint’s findings indicate that these are not isolated incidents but part of a broader series of coordinated campaigns in which digital deception conceals traditional criminal operations. The scheme typically begins with social engineering: attackers compromise broker accounts on freight exchange platforms where shipping requests are posted, create fraudulent listings, and send malicious links to carriers responding to fake offers. Another technique involves hijacking genuine correspondence—using stolen credentials to insert malicious links into ongoing email threads. In some cases, large-scale phishing campaigns are directed at major transportation firms and brokers alike.
When a victim downloads a malicious attachment, remote monitoring and management (RMM) software—such as ScreenConnect, SimpleHelp, PDQ Connect, Fleetdeck, N-able, or LogMeIn Resolve—is silently installed. These legitimate enterprise tools are commonly used for IT maintenance, which often prevents users from suspecting foul play. In some cases, PDQ Connect automatically downloads and launches additional applications such as ScreenConnect or SimpleHelp. Once installed, attackers conduct reconnaissance, harvest credentials using utilities like WebBrowserPassView, and expand their foothold within the victim’s infrastructure.
RMM tools are becoming increasingly popular in the cybercriminal underworld. Unlike traditional malware, they enable stealthier operations: signed installers evade antivirus detection, and their network traffic appears legitimate. Using such tools, attackers can remotely control compromised systems, delete shipping orders, redirect dispatcher notifications, and even book deliveries under the guise of real logistics companies. Proofpoint cited one case in which criminals added their own device to a carrier’s communication network, canceled genuine routes, and arranged new shipments to serve their own ends.
Researchers have traced the group’s activity back to at least June 2025, with infrastructure and tactics suggesting ties to earlier campaigns dating back to January of that year. Proofpoint has previously observed similar schemes in which fraudsters posed as logistics firms to steal medical equipment and electronics. The current wave of attacks likely follows the same pattern but employs modern RMM software instead of classic remote-access trojans such as NetSupport or DanaBot.
Judging by the breadth of targeting, the attackers act opportunistically—hitting both small family-owned transporters and large logistics corporations. Proofpoint recorded around twenty campaigns in August and September alone, with email volumes ranging from a handful to over a thousand per campaign. To deceive their victims, criminals create fake websites mimicking well-known brands or transport portals to enhance credibility. Their ultimate goal is to gain control of company accounts, participate in legitimate tenders, and intercept shipments.
The financial toll of such schemes is enormous. The U.S. National Insurance Crime Bureau estimates annual cargo theft losses at $34 billion. In 2024, the number of such crimes rose by 27%, and 2025 is projected to see an additional 22% increase. Industries that have undergone digital transformation are particularly vulnerable: while automation and electronic booking systems simplify logistics operations, they also open new avenues for exploitation. Today, stealing cargo no longer requires breaking into a warehouse—intercepting an electronic order and rerouting a shipment remotely can suffice.
These schemes are not confined to the United States. According to Munich RE, major hotspots of cargo theft include Brazil, Mexico, India, Germany, Chile, and South Africa. The most frequently stolen goods are food, beverages, and electronics. Digital fraudsters increasingly collaborate with traditional criminal networks, which provide the logistics, storage, and resale channels for stolen merchandise.
Proofpoint emphasizes that this new wave of attacks illustrates the convergence of cybercrime and conventional organized crime. Where truck hijacking once required physical intervention, a compromised office laptop now suffices. Criminals have effectively become “cyber couriers,” masquerading as legitimate players within the logistics market.
Researchers stress that combating this phenomenon demands a comprehensive approach. Organizations should restrict the installation of any RMM software without IT administrator approval, monitor network traffic, and deploy Emerging Threats (ET) signature rules to detect connections to suspicious servers. They should block the execution of .exe and .msi files received via external email and train staff to recognize phishing attempts.
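The two controls above (an IT allow-list for RMM agents and a block on executable mail attachments) can be expressed as simple detection logic. The script below is an added example written for this article, not Proofpoint’s tooling or any vendor’s product: it scans constructed process-creation events for the RMM products the article names, ignores deployments that appear in an assumed IT allow-list, and raises the severity when the agent was launched from a mail client, from a Downloads folder, or by another RMM agent (the PDQ Connect → ScreenConnect chaining described earlier). The log format, hostnames, user names, file paths, the `APPROVED_RMM` baseline and the `carrier.example` domain are all assumptions made for the example.

```python
"""Added example (not from the article or Proofpoint): flag RMM agents that IT did not approve."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Product names come from the article; the lowercase substrings are an assumption
# about what the installer or agent path contains, used only to classify sample events.
RMM_KEYWORDS = {
    "screenconnect": "ScreenConnect",
    "simplehelp": "SimpleHelp",
    "pdq": "PDQ Connect",
    "fleetdeck": "Fleetdeck",
    "n-able": "N-able",
    "logmein": "LogMeIn Resolve",
}

# Assumed IT baseline: which RMM product is sanctioned on which hosts.
APPROVED_RMM = {"N-able": {"SRV-IT-01", "SRV-IT-02"}}

# Parent processes that indicate a user launched the agent from mail or a browser.
USER_LAUNCH_PARENTS = {"outlook.exe", "chrome.exe", "msedge.exe", "firefox.exe", "explorer.exe"}

# Assumed event format: "<timestamp> host=<h> user=<u> image=<path> parent=<exe>"
EVENT_RE = re.compile(
    r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+"
    r"image=(?P<image>.+?)\s+parent=(?P<parent>\S+)$"
)


@dataclass
class Finding:
    ts: str
    host: str
    product: str
    severity: str
    reason: str


def classify_rmm(image_path: str) -> Optional[str]:
    """Return the RMM product name if the path mentions one of the known products."""
    low = image_path.lower()
    for key, name in RMM_KEYWORDS.items():
        if key in low:
            return name
    return None


def audit_process_events(lines: List[str]) -> List[Finding]:
    """Return one Finding per RMM launch that is not covered by the IT allow-list."""
    findings = []
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if not m:
            continue  # unparsable line; a real pipeline would count these
        product = classify_rmm(m["image"])
        if product is None:
            continue
        host, parent = m["host"], m["parent"]
        if host in APPROVED_RMM.get(product, set()):
            continue  # sanctioned deployment, no alert
        user_launched = parent.lower() in USER_LAUNCH_PARENTS
        from_downloads = "\\downloads\\" in m["image"].lower()
        chained = classify_rmm(parent) is not None  # one RMM agent spawning another
        severity = "high" if (user_launched or from_downloads or chained) else "medium"
        reason = f"{product} on {host} is not in the IT allow-list (parent {parent})"
        findings.append(Finding(m["ts"], host, product, severity, reason))
    return findings


ATTACHMENT_BLOCK = (".exe", ".msi")


def block_attachment(filename: str, sender_domain: str, internal_domain: str = "carrier.example") -> bool:
    """True when an .exe/.msi attachment arrives from outside the organisation."""
    external = sender_domain.lower() != internal_domain.lower()
    return external and filename.lower().endswith(ATTACHMENT_BLOCK)


# Constructed sample events; hosts, users and paths are invented for the example.
SAMPLE_EVENTS = [
    "2025-09-03T14:02:11Z host=DISPATCH-07 user=jdoe image=C:\\Users\\jdoe\\Downloads\\pdq-connect-setup.exe parent=outlook.exe",
    "2025-09-03T14:02:40Z host=DISPATCH-07 user=jdoe image=C:\\Program Files\\ScreenConnect Client\\ScreenConnect.Client.exe parent=pdq-connect-agent.exe",
    "2025-09-03T14:05:02Z host=SRV-IT-01 user=svc_nable image=C:\\Program Files\\N-able\\agent.exe parent=services.exe",
    "2025-09-03T14:06:19Z host=DISPATCH-07 user=jdoe image=C:\\Windows\\System32\\notepad.exe parent=explorer.exe",
]

if __name__ == "__main__":
    for f in audit_process_events(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.ts} {f.reason}")
    print("block rate_confirmation.msi:", block_attachment("rate_confirmation.msi", "freight-broker.example"))
```

Run as-is it reports two high-severity findings on DISPATCH-07 and none for the sanctioned N-able agent on SRV-IT-01; the notepad event is ignored. The allow-list keyed on product and host is the point: an RMM agent is only "legitimate" where IT put it, so the same signed binary that is expected on a helpdesk server is an alert on a dispatcher’s workstation.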
Proofpoint warns that this trend is likely to intensify: the number of cyberattacks tied to real-world cargo theft is rising, and their reach is expanding geographically. As cybercriminals increasingly rely on legitimate administrative tools to execute their schemes, companies must focus not only on protecting data but also on safeguarding the physical security of their supply chains.