RMM Tools in Cargo Supply Chain Attacks
Financially motivated cyber gangs are working with organized crime to steal massive amounts of cargo through the abuse of remote monitoring tools, according to a report released Monday, November 3rd.
The risk of cargo theft is a major concern to the logistics industry, leading to an average of $34 billion in losses per year. Cargo theft losses rose 27% in 2024 and have been projected to increase by another 22% throughout 2025.
Industry leaders are increasingly focused on combating the role that cyber plays in targeting vulnerable supply chains, so today we're breaking down what to know about the ongoing cargo theft campaigns in the trucking and freight industry.
Organized Cargo Theft Campaigns: What to Know
The threat actors in question, operating at least since June 2025, but possibly dating back to January, have used remote monitoring and management tools such as ScreenConnect or SimpleHelp to gain access to targeted trucking carriers or freight brokers, conduct reconnaissance activity and then use harvesting tools to steal credentials.
A separate campaign, running from 2024 through March 2025, involved hackers using DanaBot, NetSupport, or LummaStealer to target ground transportation companies. DanaBot is malware that has been used in botnets and was linked to a Russia-based cybercrime operation.
“The bad actors are using tried and true methodologies that stem from social engineering, as they are proven effective. Phishing and smishing campaigns as well as business email compromises still are the number one entry points into a system,” Artie Crawford, director of cybersecurity at the National Motor Freight Traffic Association, said in a recent statement.
The Role of RMM Tools in Cargo Supply Chain Attacks
The threat cluster engaged in suspected cargo theft has been active since at least June 2025, though evidence suggests the group’s campaigns began as early as January. The actors have delivered a range of RMM tools (or in some cases remote access software), including ScreenConnect, SimpleHelp, PDQ Connect, Fleetdeck, N-able, and LogMeIn Resolve.
These RMMs/RAS are often used in tandem; for example, PDQ Connect has been observed downloading and installing both ScreenConnect and SimpleHelp. Once initial access is established, the threat actor conducts system and network reconnaissance and deploys credential harvesting tools such as WebBrowserPassView. This activity indicates a broader effort to compromise accounts and deepen access within targeted environments.
Researchers have identified related network infrastructure and similar tactics, techniques, and procedures (TTPs) in campaigns delivering NetSupport and ScreenConnect going back to January 2025, suggesting a longer operational timeline. Separately, from 2024 through March 2025, Proofpoint also tracked a threat actor that targeted ground transportation organizations and distributed DanaBot, NetSupport, Lumma Stealer, and StealC.
While it's possible these activity clusters are related, this cannot be proved at the time of publication. All appear to have knowledge about the software, services, and policies around how the cargo supply chain operates. Regardless of the ultimate payload, stealers and RMMs serve the same purpose: remotely access the target to steal information.
However, using RMM tools can enable threat actors to fly further under the radar. Threat actors can create and distribute attacker-owned remote monitoring tools, and because they are often used as legitimate pieces of software, end users might be less suspicious of installing RMMs than other remote access trojans. Additionally, such tooling may evade anti-virus or network detections because the installers are often signed, legitimate payloads distributed maliciously.
Cargo theft actors using RMMs aligns with an overall shift in the cybercrime landscape where threat actors increasingly are adopting RMMs as a first-stage payload.
In just the last two months, Proofpoint has observed nearly two dozen campaigns, with volumes ranging from fewer than 10 to over 1,000 messages per campaign.
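Because signed RMM installers may pass anti-virus checks, the sequence described in this section (one RMM product installing others, then WebBrowserPassView running on the same host) is a useful behaviour to alert on. The following is an added example, not code from Proofpoint or the original article: it correlates process-start events per host, and the path substrings, 24-hour window, allowlist and sample events are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Product names are from the article; the lowercase path substrings are
# assumptions for this sketch and must be tuned to your own telemetry.
RMM_MARKERS = {"ScreenConnect": "screenconnect", "SimpleHelp": "simplehelp",
               "PDQ Connect": "pdq", "Fleetdeck": "fleetdeck",
               "N-able": "n-able", "LogMeIn Resolve": "logmein"}
HARVESTER_MARKERS = ("webbrowserpassview",)
WINDOW = timedelta(hours=24)  # assumed correlation window

# Constructed process-start events: (ISO timestamp, host, image path).
SAMPLE_EVENTS = [
    ("2025-01-01T08:00:00", "IT-ADMIN-02", r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe"),
    ("2025-01-01T09:00:00", "DISPATCH-01", r"C:\Program Files\PDQ\PDQConnectAgent\pdq-connect-agent.exe"),
    ("2025-01-01T09:05:00", "DISPATCH-01", r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe"),
    ("2025-01-01T09:06:00", "DISPATCH-01", r"C:\Users\dispatch\Downloads\SimpleHelp-installer.exe"),
    ("2025-01-01T09:30:00", "DISPATCH-01", r"C:\Users\dispatch\AppData\Local\Temp\WebBrowserPassView.exe"),
]

def classify(image):
    """Map an image path to an RMM product name, or None."""
    path = image.lower()
    return next((p for p, m in RMM_MARKERS.items() if m in path), None)

def find_alerts(events, approved):
    """Return (host, rule, detail) alerts for one stream of process events."""
    first_seen = defaultdict(dict)  # host -> {product: first start time}
    alerts = []
    for ts, host, image in sorted(events):
        when = datetime.fromisoformat(ts)
        recent = sorted(p for p, t in first_seen[host].items() if when - t <= WINDOW)
        product = classify(image)
        if product:
            if product in first_seen[host]:
                continue  # this product was already evaluated for this host
            first_seen[host][product] = when
            if product not in approved:
                alerts.append((host, "unapproved_rmm", product))
            if recent:  # a further RMM product landing on the same host
                alerts.append((host, "rmm_stacking", f"{product} after {', '.join(recent)}"))
        elif recent and any(m in image.lower() for m in HARVESTER_MARKERS):
            alerts.append((host, "harvester_after_rmm", image))
    return alerts

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS, approved={"ScreenConnect"}):
        print(alert)
```

Note that the stacking rule fires even when the second product is on the allowlist, since an approved tool installed by an unapproved one is still part of the chain.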
The Rise of Organized Cargo Theft
Organized theft became a major focus for the trucking and freight industry during the COVID-19 pandemic, as global supply chains were constrained, resulting in lengthy backlogs at major port facilities.
In these campaigns, attackers compromise what is called a broker load board account, which is used by trucking firms to search for available trucks. In certain cases, the hackers will post a fraudulent freight listing on a compromised account, followed by sending an email with a malicious URL to the firm that inquires about the listing.
In other cases, the attackers will use compromised email accounts to inject malicious content into an existing conversation. A third method involves sending direct email campaigns to asset-based carriers or freight-brokerage firms.
Conclusion
In summary:
Cybercriminals are compromising trucking and freight companies in elaborate attack chains to steal cargo freight.
Cargo theft is a multi-million-dollar criminal enterprise, and digital transformation has led to an increase in cyber-enabled theft.
Threat actors compromise these companies and use their access to bid on cargo shipments, to then steal and sell them.
The threat actors typically deliver remote monitoring and management (RMM) tools, aligning with the broader trend of cybercriminals adopting these as a first-stage payload across the threat landscape.
In today's threat landscape, continuous penetration testing has never been more critical. Take the next step towards fortifying your organization's security posture today.