ScreenConnect and NetSupport abuse for freight cargo hijacking
Malware Activity
Summary
Malicious deployment of ScreenConnect, NetSupport, and related RMM tools is giving attackers remote control over freight-broker and trucking carrier systems, enabling credential theft and cargo diversion. The activity has been observed since January and is part of nearly two dozen campaigns since August. Attackers use malicious links and emails, compromised accounts, and installer files to gain access and hijack shipment workflows.
Related Happenings
VENOMOUS#HELPER phishing campaign using RMM tools
Campaign
First: 04.05.2026 21:06
Last: 04.05.2026 21:06
Sources 1
About this happening:
An active **VENOMOUS#HELPER** phishing campaign is using legitimate **RMM software** to establish **persistent remote access** to compromised hosts, putting **over 80 organization...
Latest development: 05.05.2026 17:00
Securonix found the Venomous#Helper phishing campaign using emails impersonating the US Social Security Administration to send victims to gruta[.]com.mx, which served an SSA-branded harvesting page before redirecting to payload delivery from a separate compromised cPanel account. The campaign pairs a self-hosted SimpleHelp 5.0.1 instance with a ConnectWise ScreenConnect relay, and the downloaded JWrapper-packaged binary was signed by SimpleHelp Ltd with a valid Thawte certificate. In a one-hour observation, Securonix recorded 986 background process-creation events and WMIC execution through a renamed wmic.exe.bak copy to evade EDR rules.
Cyber-enabled cargo theft is surging across transportation and logistics in 2025
Target Trend
First: 30.04.2026 19:32
Last: 30.04.2026 19:32
Sources 1
How related:
Threat actors are targeting freight brokers and trucking carriers with malicious links and emails to deploy remote monitoring and management tools (RMMs) that enable them to hijack cargo and steal physical goods.
About this happening:
**Cyber-enabled cargo theft** is surging across **transportation and logistics**, driving nearly **$725 million** in estimated losses in the **U.S. and Canada** and materially inc...
Tax-season credential phishing and RMM malware campaign
Campaign
First: 30.03.2026 18:00
Last: 30.03.2026 18:00
Sources 1
About this happening:
A **tax-themed** cyber campaign is using **credential phishing**, **remote monitoring and management (RMM) tools**, and **fraud lures** to target people handling **financial data*...
Google Ads tax-search ScreenConnect malvertising campaign
Campaign
First: 24.03.2026 19:05
Last: 24.03.2026 19:05
Sources 1
About this happening:
A **malvertising campaign** active since **January 2026** is using **Google Ads** and tax-related search terms to push rogue **ConnectWise ScreenConnect** installers, creating a p...
North American trucking and logistics RMM social-engineering campaign
Campaign
First: 03.11.2025 17:00
Last: 03.11.2025 17:00
Sources 1
About this happening:
**North American trucking and logistics companies** are facing an active **social-engineering campaign** that uses fraudulent freight lures, email thread hijacking, and malicious...
Timeline
- 03.11.2025 18:46 · 2 articles · 6mo ago
Proofpoint tracks RMM abuse against freight brokers and trucking carriers
Initial Disclosure
Proofpoint says threat actors are using malicious links and emails to target freight brokers and trucking carriers, then installing RMM tools such as NetSupport and ScreenConnect to gain remote control, harvest credentials, and hijack dispatch workflows for cargo theft. The activity was tracked to June, with evidence of similar campaigns since January and nearly two dozen campaigns recorded since August, mostly against North American entities but also in Brazil, Mexico, India, Germany, Chile, and South Africa.
Sources:
- Hackers use RMM tools to breach freighters and steal cargo shipments — www.bleepingcomputer.com — 03.11.2025 18:46