Cargo Theft Actor Exploits Load Boards for Extended Operations
Severity: High (Score: 66.5)
Sources: Proofpoint, Feeds2.Feedburner
Summary
In late February 2026, Proofpoint researchers observed a threat actor targeting transportation organizations, and tracked it for over a month inside a controlled decoy environment. This actor, previously linked to cargo theft and freight fraud, delivered a malicious Visual Basic Script (VBS) payload by email to transportation carriers. The activity centered on compromised load board platforms, which connect shippers and freight brokers to motor carriers. The actor maintained access through multiple remote management tools, a deliberate approach to persistence and redundancy. Its reconnaissance targeted financial access and transportation-related entities, suggesting plans for further crimes against the industry. The engagement provided unusually detailed insight into the actor's post-compromise behavior and decision-making. The incident highlights ongoing weaknesses in the transportation sector that could enable significant financial fraud.
Key Points
• Threat actor maintained access in a decoy environment for over a month.
• Malicious VBS payload delivered via email to transportation carriers.
• Actor focused on reconnaissance of financial systems and transportation entities.
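The two behaviors worth alerting on from this summary are a script host (the VBS stage) spawning PowerShell, and more than one remote-management agent registered as a Windows service on the same host (the redundancy pattern). The detector below is an added example, not code from Proofpoint or the report; the event layout, service-name substrings and the sample events are all constructed assumptions.

```python
"""Flag VBS-to-PowerShell process chains and redundant RMM service installs.
Added example with constructed events; the field names mirror what a
Sysmon process-creation (ID 1) and a service-install (System 7045) record
would carry, but the schema here is an assumption, not a real log format."""
from collections import defaultdict

# RMM products named in the report; the substrings are assumed service names.
RMM_MARKERS = {"pulseway": "Kaseya Pulseway",
               "screenconnect": "ScreenConnect",
               "simplehelp": "SimpleHelp"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}   # Windows VBS interpreters

def classify_service(service_name):
    """Return the RMM product a service name belongs to, or None."""
    lowered = service_name.lower()
    for marker, product in RMM_MARKERS.items():
        if marker in lowered:
            return product
    return None

def analyze(events):
    """Return ({host: [rmm products]} for hosts with >1 RMM agent,
    [(host, cmdline)] for PowerShell launched by a script host)."""
    rmm_by_host = defaultdict(set)
    chains = []
    for ev in events:
        if ev["type"] == "service_install":          # T1543.003 candidates
            product = classify_service(ev["service"])
            if product:
                rmm_by_host[ev["host"]].add(product)
        elif ev["type"] == "process_create":         # T1059.005 -> T1059.001
            parent = ev["parent"].rsplit("\\", 1)[-1].lower()
            child = ev["image"].rsplit("\\", 1)[-1].lower()
            if parent in SCRIPT_HOSTS and child == "powershell.exe":
                chains.append((ev["host"], ev["cmdline"]))
    redundant = {h: sorted(p) for h, p in rmm_by_host.items() if len(p) > 1}
    return redundant, chains

SAMPLE_EVENTS = [  # constructed sample telemetry, not real data
    {"host": "dispatch01", "type": "process_create",
     "parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -w hidden -c <placeholder>"},
    {"host": "dispatch01", "type": "service_install", "service": "Pulseway"},
    {"host": "dispatch01", "type": "service_install", "service": "ScreenConnect Client (abc123)"},
    {"host": "dispatch01", "type": "service_install", "service": "SimpleHelp Remote Access"},
    {"host": "dispatch02", "type": "service_install", "service": "ScreenConnect Client (xyz)"},
    {"host": "dispatch02", "type": "process_create", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell Get-Service"},
]
```

Running `analyze(SAMPLE_EVENTS)` flags only dispatch01 on both rules; dispatch02 has a single RMM agent and a PowerShell launch from explorer.exe, which is not part of the pattern.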
Key Entities
- Malware (attack_type)
- Phishing (attack_type)
- services-sc-files.s3.us (domain)
- Transportation (industry)
- Cryptocurrency Wallet Stealer (malware)
- T1021 - Remote Services (mitre_attack)
- T1059.001 - PowerShell (mitre_attack)
- T1059.005 - Visual Basic (mitre_attack)
- T1059 - Command and Scripting Interpreter (mitre_attack)
- T1543.003 - Windows Service (mitre_attack)
- Windows (platform)
- 1f89a432471ec2efe58df788c576007d6782bbdf5b572a5fbf5da40df536c9f5 (sha256)
- Kaseya Pulseway (tool)
- ScreenConnect (tool)
- SimpleHelp Remote Access Software (tool)
- SimpleHelp Remote Administration Suite (tool)