Cargo‑Theft Threat Actor Persists in Decoy Network for 30 Days, Targeting Logistics Load‑Board Platforms
What Happened – Proofpoint observed a known cargo‑theft malware group compromise a load‑board platform on 27 Feb 2026 and deliver a malicious Visual Basic script (VBS) via phishing email. The payload installed multiple remote‑access tools (ScreenConnect, Pulseway, SimpleHelp), and the actor used an external signing service to re‑sign a binary with a fraudulent certificate. With that combination of redundant access and a freshly signed installer, the actor remained undetected in a researcher‑controlled decoy environment for more than 30 days.
Why It Matters for TPRM –
- Attackers can maintain long‑term footholds in third‑party logistics SaaS. Re‑signing a binary with a fresh (fraudulent) certificate sidesteps revocation of the original signing certificate, so a "valid" signature status on its own is not evidence that an installer is legitimate.
- Redundant remote‑management tools (in this case four ScreenConnect instances plus two other RMM agents) give the actor fallback access if one is removed, making remediation harder for client organizations.
- Supply‑chain exposure of load‑board platforms can cascade to carriers, brokers, and shippers that rely on them.
Who Is Affected – Transportation and logistics carriers, freight brokers, and any organization that integrates with third‑party load‑board services (industry = TRANS_LOG).
Recommended Actions –
- Review contracts and security controls for any load‑board or freight‑matching SaaS providers.
- Maintain an allowlist of approved remote‑access tools, alert on any RMM agent installed outside it, and audit code‑signing certificates regularly, comparing signer identity and thumbprint against a known‑good install rather than checking validity alone.
- Implement strict email‑attachment scanning (block or quarantine .vbs and other script attachments) and application control (AppLocker/WDAC, or disabling Windows Script Host where it is not needed) to block VBS/PowerShell payloads. Note that the PowerShell execution policy is a safety feature, not a security boundary; it is trivially overridden with -ExecutionPolicy Bypass and should not be relied on as the control.
Technical Notes – The intrusion began with a phishing email containing a VBS file that launched a PowerShell downloader. Four ScreenConnect instances, Pulseway RMM, and SimpleHelp RMM were installed. The actor leveraged an unknown external signing service to re‑sign a ScreenConnect installer with a fraudulent certificate, then hosted the signed binary on attacker‑controlled Amazon S3. Because the re‑signed binary carries a new certificate, revocation of the original signing certificate does not apply to it, which is how the revocation checks were bypassed. Source: Help Net Security
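The following PowerShell script is an added example that implements the RMM‑allowlist and code‑signing audit from the Recommended Actions against the tools named in the Technical Notes; it is not code from Proofpoint, Help Net Security, or any of the RMM vendors. It inventories Windows services belonging to ScreenConnect, Pulseway and SimpleHelp, checks the Authenticode signature of each service binary, and flags any whose signer subject does not match a local allowlist, plus hosts running more than one ScreenConnect client or more than one RMM product. The $Allowed table, the CN substrings in it, and the service‑name patterns are assumptions that must be replaced with values taken from a known‑good install in your own estate.

```powershell
# Added example (not from Proofpoint or Help Net Security): audit a Windows host for
# remote-management (RMM) services, verify the Authenticode signer of each service
# binary against a local allowlist, and flag redundant instances.
# Assumptions (hypothetical, replace for your estate): the product keys and the
# CN substrings in $Allowed, taken from a known-good installation.

$Allowed = @{
    'ScreenConnect' = 'CN=Connectwise'   # assumption: confirm with Get-AuthenticodeSignature on a clean install
    'Pulseway'      = 'CN=MMSOFT'        # assumption
    'SimpleHelp'    = 'CN=SimpleHelp'    # assumption
}

# Map a service to the RMM product it belongs to (or $null if it is not an RMM service).
function Get-RmmProduct {
    param([Parameter(Mandatory)]$Service)
    foreach ($k in $Allowed.Keys) {
        if ($Service.Name -like "*$k*" -or $Service.DisplayName -like "*$k*") { return $k }
    }
    return $null
}

# Resolve the executable path from a service ImagePath, dropping quotes and arguments.
function Get-ServiceBinaryPath {
    param([string]$PathName)
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }
    return ($PathName -split ' ')[0]
}

# Check one RMM service: signature status, signer subject and thumbprint.
# A valid chain alone proves nothing here: a binary re-signed with a fraudulent but
# chain-valid certificate also reports Status=Valid, so the subject and thumbprint
# must be compared with the known-good values.
function Test-RmmService {
    param([Parameter(Mandatory)]$Service)
    $product  = Get-RmmProduct $Service
    $exe      = Get-ServiceBinaryPath $Service.PathName
    $findings = @()
    $subject  = '<missing>'; $thumb = $null

    if (-not (Test-Path -LiteralPath $exe)) {
        $findings += "binary not found at '$exe'"
    } else {
        $sig = Get-AuthenticodeSignature -FilePath $exe
        if ($sig.SignerCertificate) {
            $subject = $sig.SignerCertificate.Subject
            $thumb   = $sig.SignerCertificate.Thumbprint
        } else { $subject = '<unsigned>' }
        if ($sig.Status -ne 'Valid')                     { $findings += "signature status $($sig.Status)" }
        if ($subject -notlike "*$($Allowed[$product])*") { $findings += "unexpected signer '$subject'" }
    }

    [pscustomobject]@{
        Service    = $Service.Name
        Product    = $product
        Binary     = $exe
        Signer     = $subject
        Thumbprint = $thumb
        Findings   = if ($findings) { $findings -join '; ' } else { 'ok' }
    }
}

$rmmServices = Get-CimInstance Win32_Service | Where-Object { Get-RmmProduct $_ }
$report      = $rmmServices | ForEach-Object { Test-RmmService $_ }
$report | Format-Table -AutoSize -Wrap

# Redundancy checks: ScreenConnect installs one service per instance, so several
# "ScreenConnect Client (...)" services on an endpoint, or several different RMM
# products side by side, match the persistence pattern described in the report.
$scCount  = @($rmmServices | Where-Object { $_.Name -like 'ScreenConnect Client*' }).Count
$products = @($report | Select-Object -ExpandProperty Product -Unique)
if ($scCount -gt 1)       { Write-Warning "$scCount ScreenConnect client services present on this host." }
if ($products.Count -gt 1) { Write-Warning "Multiple RMM products installed: $($products -join ', ')" }
```

Run it with administrative rights so every service ImagePath is readable; anything other than "ok" in the Findings column, or either warning, is a host to pull into incident response rather than a remediation item. Feed the Thumbprint column into your inventory so that a signer change on a later run is caught even when the new certificate chains correctly.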