Cybercriminals Target Trucking Industry with Advanced Techniques, Including 'Signing-as-a-Service'
A recent deep dive by security researchers at **Proofpoint** has exposed the sophisticated tactics used by cybercriminals targeting the trucking and logistics industry. The investigation revealed the use of advanced techniques, including a novel 'signing-as-a-service' capability, to maintain persistence within compromised systems.
Security researchers recently spent a month observing the activities of cybercriminals targeting the trucking and logistics sector, uncovering a concerning trend of cyber-enabled cargo theft and financial exploitation.
### Inside the Operation: A Month-Long Investigation
The **Proofpoint** team's research, a follow-up to their previous findings, aimed to understand the post-compromise playbook of these threat actors. Their work highlights the increasing threat of cyber-enabled cargo theft, which is closely linked to organized crime. According to **Geotab**, losses from cargo theft in North America reached $6.6 billion in 2025, largely fueled by digital attacks.
"It's a huge problem beyond just one actor or one country," said **Ole Villadsen**, one of the **Proofpoint** researchers.
### Decoy Environment Exposes Criminal Tactics
Using a controlled environment, the team intentionally downloaded a malicious payload sent via email to transportation carriers. This occurred after the cybercriminals had compromised a load board platform, a marketplace connecting freight brokers and shippers. Upon gaining access, the attackers installed six remote access tools, including multiple **ScreenConnect** instances, likely as a redundancy measure.
### Novel 'Signing-as-a-Service' Technique
The most surprising discovery was the use of a script that automatically queried an external certificate signing service. This allowed all installed components to be signed with a trusted certificate, effectively bypassing Windows security measures.
"This was a new capability that we were lucky enough to encounter," said **Villadsen**. He believes this "signing-as-a-service" tool is an adaptation to recent security measures implemented by **ScreenConnect**, which required new instances to sign an installer.
"So rather than everybody trying to create their own certificate, we can have this kind of secret little signing-as-a-service process," he explained. "Not only was the MSI [**Microsoft** Installer] signed, but it would also go out and replace all the component files and re-sign them as well. The whole thing was thought out pretty well."
### Beyond Cargo Theft: Financial Targeting
Researchers observed that the hackers were not solely focused on cargo theft but also engaged in broader financial targeting. They actively scanned for cryptocurrency wallets and **PayPal** credentials. A **PowerShell** script searched for access points to financial institutions, money transfer services, online accounting platforms, load management platforms, freight brokerage platforms, and fuel card providers.
"They know the transportation industry really, really well for sure and know how to target that particular space," **Villadsen** noted. "But they're also cybercriminals, and they're looking for any way that they can monetize a workstation that they've landed on."
### A Widespread Threat
While this particular group is highly active in infiltrating load boards, they are just one of many exploiting vulnerabilities in the trucking industry. **Villadsen** and his team are tracking approximately a dozen different groups targeting the sector in North America and Europe.
The vulnerability of the industry stems from the fact that the vast majority of carriers are small enterprises with limited cybersecurity resources. By targeting them through load boards, hackers can compromise numerous carriers simultaneously.
"It's an industry that unfortunately presents itself well to cyber intrusions and being able to escalate or scale the theft really well," **Villadsen** concluded.
