Cybercriminals Hijack RMM Tools to Steal Physical Cargo

Summary
– Cybercriminals are tricking logistics and trucking companies into installing remote monitoring and management (RMM) tools to hijack freight shipments and sell stolen goods.
– Attackers use fraudulent freight listings on load boards and malicious emails to target carriers, aiming to install RMM tools that give them full control of compromised systems.
– These campaigns have been active since at least June 2025 and opportunistically target a wide range of companies, from small businesses to large transport firms.
– Researchers suspect the threat actors are linked to organized crime groups, leveraging cyber-enabled theft as a common method in the multi-million-dollar cargo theft industry.
– Companies can reduce risk by approving only IT-administered RMM software, monitoring for RMM server activity, and training employees to avoid suspicious downloads.
A new wave of sophisticated cyberattacks is targeting the logistics and trucking industry, with criminals using remote monitoring and management (RMM) tools to hijack freight shipments and steal physical cargo. Security researchers at Proofpoint have identified ongoing campaigns where attackers pose as legitimate freight brokers to deceive companies into installing these tools, granting them full control over corporate systems.
The scheme, active since at least June 2025, involves posting fraudulent shipping jobs on online load boards. When trucking firms or independent carriers express interest, the criminals respond with emails containing malicious links. These messages direct users to download files that secretly install RMM software such as SimpleHelp, N-able, ScreenConnect, and others. The attackers also hijack existing email conversations from compromised accounts or send malicious links directly to freight brokers and supply chain providers.
By gaining access through these methods, threat actors can identify high-value shipments and uncover additional opportunities for fraud. The deceptive emails and landing pages are carefully crafted to appear authentic, often using common transportation terminology and mimicking well-known industry brands to avoid raising suspicion.
Once an RMM tool is installed on a victim’s computer, attackers achieve extensive remote access. They can search for sensitive operational data, compromise accounts used on load boards, and gather insider knowledge to pinpoint lucrative freight loads. According to researchers, the threat actors do not focus on specific companies but instead target organizations of all sizes, from small family-run operations to major transport corporations. Their approach is highly opportunistic, seeking to compromise any carrier that responds to a fake listing.
Proofpoint analysts believe these cybercriminals are likely collaborating with organized crime groups, leveraging digital methods to carry out traditional cargo theft. Cargo theft is a multi-million-dollar criminal enterprise, and the shift toward “cyber-enabled” theft relies heavily on social engineering and in-depth knowledge of transportation industry practices. This method has become one of the most common forms of freight theft today.
There is also suspicion that the same groups may have previously used information-stealing malware in similar campaigns. Switching to RMM tools represents a strategic escalation: these applications are less likely to be flagged by security software and provide persistent, live access to infected systems, offering far greater control than typical malware.
To defend against these threats, companies should adopt several protective measures. Only allow RMM software that has been explicitly approved by corporate IT teams, and block or monitor any attempts to install unauthorized tools. Implement network monitoring to detect connections to known RMM servers. Employee training is equally critical: staff should be instructed never to download or run .exe or .msi files from unknown external senders and should report any suspicious emails or activity to their security department immediately.
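As an added illustration of the first recommendation (this code is not from Proofpoint or the original article), the check below audits a software inventory for the RMM tools named above and flags any that IT has not approved or did not deploy itself. The name patterns, the approval policy, the account names and the inventory records are all assumptions constructed for the example.

```python
import re

# RMM families named in the article. The name patterns are assumptions made for
# this example, not vendor-published signatures.
RMM_PATTERNS = {
    "SimpleHelp": re.compile(r"simple\s*help", re.I),
    "N-able": re.compile(r"\bn-able\b", re.I),
    "ScreenConnect": re.compile(r"screen\s*connect", re.I),
}

# Hypothetical policy: RMM families IT has approved, mapped to the only
# accounts allowed to deploy them.
APPROVED = {"N-able": {"svc-it-deploy"}}

# Constructed software-inventory records (host, display name, installing account).
SAMPLE_INVENTORY = [
    {"host": "dispatch-01", "name": "ScreenConnect Client", "installed_by": "jdoe"},
    {"host": "dispatch-02", "name": "N-able agent", "installed_by": "svc-it-deploy"},
    {"host": "acct-03", "name": "N-able agent", "installed_by": "asmith"},
    {"host": "acct-03", "name": "SimpleHelp remote access", "installed_by": "asmith"},
    {"host": "dispatch-01", "name": "7-Zip", "installed_by": "svc-it-deploy"},
]


def classify(display_name):
    """Return the RMM family a display name belongs to, or None."""
    for family, pattern in RMM_PATTERNS.items():
        if pattern.search(display_name):
            return family
    return None


def audit(inventory, approved=APPROVED):
    """Return (host, family, reason) for every RMM install that violates policy."""
    findings = []
    for rec in inventory:
        family = classify(rec["name"])
        if family is None:
            continue  # not an RMM tool we track
        deployers = approved.get(family)
        if deployers is None:
            findings.append((rec["host"], family, "RMM tool not approved by IT"))
        elif rec["installed_by"] not in deployers:
            findings.append((rec["host"], family, "approved RMM not deployed by IT"))
    return findings


if __name__ == "__main__":
    for host, family, reason in audit(SAMPLE_INVENTORY):
        print(f"{host}: {family}: {reason}")
```

The second finding type matters because an approved product installed by an ordinary user account is indistinguishable, by name alone, from the attacker-delivered installs described above.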
Staying informed through reliable cybersecurity news sources can also help organizations remain aware of emerging threats and tactics used by these sophisticated criminal networks.
(Source: HelpNet Security)

