Researchers from Proofpoint, a global cybersecurity and regulatory compliance company, have uncovered ongoing attacks against the logistics and road transport sector. Cybercriminals are leveraging legitimate remote monitoring and management (RMM) tools to hijack shipments, steal physical goods, and infiltrate supply chains.

Attackers infiltrate logistics networks by using stolen credentials to bid on legitimate cargo shipments. Once a bid is accepted, they reroute or steal the goods, which are often resold online or shipped overseas. These incidents have caused substantial financial losses and widespread disruption across critical supply chains.

How the Attacks Unfold

Proofpoint researchers observed multi-stage attack chains beginning with account compromise and email thread hijacking. After gaining access, attackers impersonate carriers or brokers by inserting malicious data into legitimate shipping communications. When a carrier responds, victims are lured into opening malicious attachments or links that deploy RMM software for persistence and control.

Tools abused in these attacks include ScreenConnect, SimpleHelp, and PDQ Connect. Once installed, these programs allow attackers to maintain remote access while blending in with normal operational software, making detection difficult. Proofpoint’s investigation confirms that threat actors are increasingly relying on legitimate RMM solutions as first-stage payloads in modern cybercrime.

“The boundaries between cybercrime and physical theft are blurring, with attackers exploiting increasingly digitalised supply chains for massive economic gain,” noted Proofpoint threat researchers.

Campaigns and Global Impact

As of August 2025, Proofpoint has tracked nearly two dozen malicious campaigns targeting both small family-owned carriers and major transportation firms. While many incidents have occurred in the United States, the trend has extended globally, with particularly severe effects in the food and beverage logistics sector.

Researchers suggest that the attackers demonstrate in-depth knowledge of logistics software and operational processes, exploiting trust within interconnected digital supply chains. The digital transformation of logistics networks — driven by automation and real-time tracking — has unintentionally widened the attack surface.

Cybercriminals exploit these systems to move laterally, gather intelligence on deliveries, and coordinate theft with precision. In many cases, malicious remote tools allow continuous surveillance of internal systems, enabling attackers to manipulate delivery schedules or intercept cargo information in real time.

Recommended Defences

Proofpoint advises logistics and transportation organisations to restrict unauthorised RMM software across all systems, reinforce endpoint protection policies, and deploy behavioural monitoring to detect unusual remote-access activity. Employee training is also critical, so that staff can recognise and report the social engineering attempts that often initiate these attacks.
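
One way to apply the first and third recommendations together, as an added example that is not from Proofpoint or the original article: check process-creation telemetry for the three RMM tools named above against a per-host allowlist, and raise severity when the launch context fits an email-delivered installer. The event fields, match patterns, hostnames and file paths are assumptions constructed for illustration.

```python
import re

# RMM products named in the article. The match patterns are assumptions for
# this example and should be tuned against real endpoint telemetry.
RMM_PATTERNS = {
    "ScreenConnect": re.compile(r"screenconnect", re.I),
    "SimpleHelp": re.compile(r"simplehelp", re.I),
    "PDQ Connect": re.compile(r"pdq[\s_-]?connect", re.I),
}
# Assumed behavioural heuristics: binary run from a user-writable folder, or
# spawned by a mail client or browser (consistent with a lure link).
USER_WRITABLE = re.compile(r"\\(downloads|temp|appdata)\\", re.I)
LURE_PARENTS = {"outlook.exe", "chrome.exe", "msedge.exe", "firefox.exe"}

def find_unapproved_rmm(events, approved):
    """Flag RMM executions not sanctioned on that host (approved: host -> products)."""
    findings = []
    for ev in events:
        for product, pattern in RMM_PATTERNS.items():
            if not pattern.search(ev["image"]):
                continue
            if product in approved.get(ev["host"], set()):
                continue  # IT has sanctioned this tool on this host
            reasons = ["unapproved RMM"]
            if USER_WRITABLE.search(ev["image"]):
                reasons.append("user-writable path")
            if ev["parent"].lower() in LURE_PARENTS:
                reasons.append("spawned by mail client or browser")
            findings.append({"host": ev["host"], "product": product,
                             "severity": "high" if len(reasons) > 1 else "medium",
                             "reasons": reasons})
    return findings

# Constructed sample events; hosts and paths are illustrative only.
SAMPLE_EVENTS = [
    {"host": "DISPATCH-01", "parent": "chrome.exe",
     "image": r"C:\Users\amy\Downloads\ScreenConnect.ClientSetup.exe"},
    {"host": "IT-ADMIN-02", "parent": "services.exe",
     "image": r"C:\Program Files\PDQ\PDQConnectAgent\pdq-connect-agent.exe"},
    {"host": "BROKER-07", "parent": "services.exe",
     "image": r"C:\ProgramData\SimpleHelp\service.exe"},
    {"host": "DISPATCH-01", "parent": "explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe"},
]
SAMPLE_APPROVED = {"IT-ADMIN-02": {"PDQ Connect"}}

if __name__ == "__main__":
    for finding in find_unapproved_rmm(SAMPLE_EVENTS, SAMPLE_APPROVED):
        print(finding)
```

Keying the allowlist by host matters because a tool that is legitimate on an IT administration workstation is still an anomaly on a dispatcher's or broker's machine.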

As logistics and supply chains become more digitally interconnected, the line between cyber and physical threats continues to blur. Preventing RMM abuse and improving human vigilance remain key defences against the growing wave of attacks merging digital compromise with real-world theft.