Cybercriminals Exploit Remote Monitoring Tools to Infiltrate Logistics and Freight Networks
Bad actors are increasingly training their sights on trucking and logistics companies with an aim to infect them with remote monitoring and management (RMM) software for financial gain and ultimately steal cargo freight. The threat cluster, believed to be active since at least June 2025 according to Proofpoint, is said to be collaborating with organized crime groups to break into entities in the
AI Analysis
Technical Summary
This threat involves cybercriminal groups abusing legitimate Remote Monitoring and Management (RMM) software to infiltrate logistics and freight companies, focusing on trucking and supply chain entities. Active since at least June 2025, the attackers collaborate with organized crime groups to steal physical cargo, predominantly food and beverage products. Initial access comes through spear-phishing emails that hijack legitimate email threads and through fraudulent freight listings posted on load boards from compromised accounts. Victims receive emails with malicious URLs leading to MSI installers or executables that deploy legitimate RMM tools such as ScreenConnect, SimpleHelp, PDQ Connect, FleetDeck, N-able, and LogMeIn Resolve. Because these agents are commercial products with signed installers, they give the attackers persistent remote access that signature-based detections rarely flag; what marks an install as malicious is its context (a product the organization never sanctioned, an installer the user downloaded from a freight-themed lure, a host that should run no RMM at all) rather than the binary itself. After gaining access, the attackers perform network reconnaissance, deploy credential harvesters such as WebBrowserPassView, and escalate privileges to manipulate logistics operations. In some cases they delete legitimate bookings, block dispatcher notifications, add their own devices to dispatch systems, and book shipments under compromised identities to divert cargo. Relying on legitimate RMM software removes the need for custom malware and exploits the trust and urgency inherent in freight negotiations. The campaign resembles earlier attacks that used RATs and information stealers but appears to be the work of a different threat actor. The attackers' ability to blend into normal enterprise operations and manipulate physical supply chains makes this a cyber-enabled theft operation against transportation infrastructure.
Potential Impact
For European organizations, the impact is multifaceted. Financially, stolen cargo represents direct losses, especially for high-value or perishable goods like food and beverages. Operational disruptions can cause delays, reputational damage, and loss of customer trust. The manipulation of freight bookings and dispatch systems can lead to supply chain breakdowns, affecting downstream industries and consumers. The stealthy nature of the attack, leveraging legitimate RMM tools, complicates detection and response, increasing dwell time and potential damage. Regulatory implications may arise under GDPR and supply chain security mandates if personal or sensitive data is compromised or if service disruptions affect contractual obligations. The threat also raises concerns about the resilience of European logistics infrastructure, which is critical for internal and external trade. Organizations may face increased insurance premiums and scrutiny from partners and regulators. The collaboration with organized crime suggests a high level of sophistication and persistence, indicating that affected companies could experience repeated or prolonged attacks.
Mitigation Recommendations
European logistics and freight companies should implement multi-layered defenses tailored to this threat:
- Email security: deploy anti-phishing controls that detect hijacked conversations and malicious URLs, including sandboxing of downloaded installers and URL rewriting.
- RMM governance: decide which RMM products are sanctioned, on which hosts and for which operators, enforce MFA and role-based access on those consoles, and treat any other RMM agent as hostile. Because the installers are signed commercial software, a signature-based control will not stop them; application allowlisting by publisher and product, and blocking egress to the relay infrastructure of RMM products the organization does not use, are what prevent an unsanctioned agent from being installed or connecting.
- Inventory and monitoring: keep an inventory of every RMM agent in use and alert through EDR on installations or sessions that fall outside it, with particular attention to installers executed from user download directories and to hosts such as dispatcher workstations that should run no remote-access agent.
- Freight verification: require dual authorization or out-of-band confirmation for new bookings, changes to dispatch contacts or notification settings, and any device or account newly added to dispatch systems, so that a compromised identity alone cannot divert a load.
- Awareness training: run regular spear-phishing and social engineering exercises built around the lures seen here (rate confirmations, load board negotiations, hijacked broker threads).
- Network segmentation: isolate dispatch and booking systems from the general corporate network so that a foothold on a single workstation does not reach them directly.
- Coordination: share indicators with law enforcement and industry groups and have an incident response plan that covers physical cargo recovery, not only IT containment.
Continuous monitoring for credential harvesting tools and anomalous network reconnaissance is essential to catch the intrusion before bookings are manipulated.
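The detection logic that the inventory-and-monitoring recommendation calls for, as an added example written for this page and not code from Proofpoint, The Hacker News or the original analysis: it triages process-creation telemetry for the three stages the technical summary describes (an MSI launched from a browser or mail client out of a user download directory, an RMM agent that IT never sanctioned on that host, and a WebBrowserPassView run), then correlates the first two per host. The RMM product names and the harvester come from the summary above; the event field names, host names, file paths, the match strings and the approved-RMM map are constructed assumptions.

```python
"""
Triage process-creation telemetry for the tradecraft described above: a
phishing-delivered MSI, an RMM agent nobody sanctioned on that host, and a
browser credential harvester. Added example; not code from Proofpoint or
The Hacker News. Field names, hosts, paths, match strings and the approved
map are constructed assumptions.
"""
import json
from dataclasses import dataclass

# RMM products named in the report. The match strings are an assumption about
# what appears in the image path, Product/Company metadata or command line;
# verify them against the agents actually deployed in your estate.
RMM_SIGNATURES = {
    "ScreenConnect": ("screenconnect", "connectwise control"),
    "SimpleHelp": ("simplehelp",),
    "PDQ Connect": ("pdq connect", "pdq-connect", "pdqconnect"),
    "FleetDeck": ("fleetdeck",),
    "N-able": ("n-able",),
    "LogMeIn Resolve": ("logmein resolve", "goto resolve", "gotoresolve"),
}
CRED_HARVESTERS = ("webbrowserpassview",)

# Where a phishing victim's download lands, and which parent processes mean
# a user opened it from mail or a browser (assumed; add your mail client).
USER_STAGING_DIRS = ("\\downloads\\", "\\appdata\\local\\temp\\")
USER_FACING_PARENTS = ("outlook.exe", "chrome.exe", "msedge.exe", "firefox.exe")


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    detail: str


def _haystack(ev):
    """Lower-cased blob of every field in which a product identity can appear."""
    keys = ("image", "product", "company", "original_file_name", "command_line")
    return " ".join(str(ev.get(k, "")) for k in keys).lower()


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def identify_rmm(ev):
    """Return the RMM product an event belongs to, or None."""
    blob = _haystack(ev)
    for product, needles in RMM_SIGNATURES.items():
        if any(n in blob for n in needles):
            return product
    return None


def analyze(events, approved_rmm):
    """approved_rmm maps host -> set of RMM products sanctioned there;
    a host missing from the map is allowed none."""
    findings = []
    for ev in events:
        host, blob = ev["host"], _haystack(ev)
        image = _basename(ev.get("image", ""))
        parent = _basename(ev.get("parent_image", ""))
        cmd = ev.get("command_line", "").lower()
        # 1. msiexec launched by a browser/mail client on a package in a user dir
        if (image == "msiexec.exe" and ".msi" in cmd
                and any(d in cmd for d in USER_STAGING_DIRS)
                and parent in USER_FACING_PARENTS):
            findings.append(Finding(host, "msi_from_user_download", ev["command_line"]))
        # 2. any RMM agent that IT did not sanction on this particular host
        product = identify_rmm(ev)
        if product and product not in approved_rmm.get(host, set()):
            findings.append(Finding(host, "unapproved_rmm", f"{product}: {ev.get('image', '')}"))
        # 3. known harvester; original_file_name still matches a renamed copy
        if any(h in blob for h in CRED_HARVESTERS):
            findings.append(Finding(host, "credential_harvester", ev.get("image", "")))
    # 4. correlate per host: user-downloaded MSI plus an unsanctioned agent is
    #    the delivery pattern the report describes
    rules_by_host = {}
    for f in findings:
        rules_by_host.setdefault(f.host, set()).add(f.rule)
    for host, rules in rules_by_host.items():
        if {"msi_from_user_download", "unapproved_rmm"} <= rules:
            findings.append(Finding(host, "rmm_delivered_by_phishing",
                                    "user-downloaded MSI followed by unsanctioned RMM agent"))
    return findings


def summarize(findings):
    """host -> sorted rule names; convenient for alert routing and tests."""
    out = {}
    for f in findings:
        out.setdefault(f.host, set()).add(f.rule)
    return {h: sorted(r) for h, r in out.items()}


# Constructed sample telemetry (JSON lines with Sysmon-like field names).
SAMPLE_EVENTS = [json.loads(line) for line in r"""
{"host":"WKS-DISPATCH-07","image":"C:\\Windows\\System32\\msiexec.exe","parent_image":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","command_line":"msiexec.exe /i \"C:\\Users\\dispatcher\\Downloads\\Rate_Confirmation_88213.msi\" /qn","product":"Windows Installer","company":"Microsoft Corporation"}
{"host":"WKS-DISPATCH-07","image":"C:\\Program Files (x86)\\ScreenConnect Client (a1b2c3)\\ScreenConnect.ClientService.exe","parent_image":"C:\\Windows\\System32\\services.exe","command_line":"\"C:\\Program Files (x86)\\ScreenConnect Client (a1b2c3)\\ScreenConnect.ClientService.exe\"","product":"ScreenConnect","company":"ConnectWise"}
{"host":"WKS-DISPATCH-07","image":"C:\\Users\\dispatcher\\AppData\\Local\\Temp\\svchost_update.exe","parent_image":"C:\\Program Files (x86)\\ScreenConnect Client (a1b2c3)\\ScreenConnect.ClientService.exe","command_line":"svchost_update.exe /stext creds.txt","original_file_name":"WebBrowserPassView.exe"}
{"host":"SRV-HELPDESK-01","image":"C:\\Program Files (x86)\\ScreenConnect Client (d4e5f6)\\ScreenConnect.ClientService.exe","parent_image":"C:\\Windows\\System32\\services.exe","command_line":"\"C:\\Program Files (x86)\\ScreenConnect Client (d4e5f6)\\ScreenConnect.ClientService.exe\"","product":"ScreenConnect","company":"ConnectWise"}
{"host":"SRV-HELPDESK-01","image":"C:\\Windows\\System32\\msiexec.exe","parent_image":"C:\\Windows\\CCM\\CcmExec.exe","command_line":"msiexec.exe /i C:\\Windows\\ccmcache\\a1\\agent.msi /qn","product":"Windows Installer","company":"Microsoft Corporation"}
""".strip().splitlines()]

# Assumed sanctioned deployments: the help desk server runs ScreenConnect,
# dispatcher workstations are allowed no RMM agent at all.
APPROVED_RMM = {"SRV-HELPDESK-01": {"ScreenConnect"}}

if __name__ == "__main__":
    for host, rules in summarize(analyze(SAMPLE_EVENTS, APPROVED_RMM)).items():
        print(host, rules)
```

Run as a script it prints the per-host findings for the embedded sample: the dispatcher workstation trips all four rules, the help desk server none, because its ScreenConnect agent is on the approved map and its MSI came from the software-deployment cache rather than a browser. In production, feed it Sysmon Event ID 1 or EDR process events and populate APPROVED_RMM from the asset inventory. Matching on vendor and product metadata rather than executable names holds up better against renaming: the sample harvester is dropped as svchost_update.exe, and only its original_file_name gives it away.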
Affected Countries
Germany, Netherlands, France, United Kingdom, Belgium, Poland, Italy
Technical Details
- Article Source: https://thehackernews.com/2025/11/cybercriminals-exploit-remote.html (fetched 2025-11-03T15:25:16Z, 1123 words)
Threat ID: 6908c95e69f0cf13c91d2d07
Added to database: 11/3/2025, 3:25:18 PM
Last enriched: 11/3/2025, 3:25:34 PM
Last updated: 11/4/2025, 5:52:19 PM