Malware & Threats

US Transportation and Logistics Firms Targeted With Infostealers, Backdoors

A malicious campaign is targeting transportation and logistics organizations in North America with various malware families.

A malicious campaign is targeting transportation and logistics organizations in North America with various malware families.

Threat actors are compromising email accounts at transportation and shipping organizations in North America to deliver various malware families, Proofpoint reports.

Starting May 2024, threat actors have been observed injecting malicious content into existing conversations within the compromised inboxes, to deliver malware such as Arechclient2, DanaBot, Lumma Stealer, NetSupport, and StealC.

Most attacks rely on Google Drive links or URL files as attachments that run a malicious payload to fetch an executable from a remote share and install malware, the cybersecurity firm says.

To date, the attackers have compromised roughly 15 email addresses, typically injecting fewer than 20 messages targeting a small number of transportation and logistics companies.

Proofpoint has seen the threat actors impersonating software typically used for transport and fleet operations management, such as Samsara, AMB Logistic, and Astra TMS.

According to the cybersecurity firm, while the observed techniques have been used by other adversaries in previous attacks, it is likely that the threat actor behind this campaign “is purchasing this infrastructure from third party providers”.

Advertisement. Scroll to continue reading.

“Based on the observed initial access activity, malware delivery, and infrastructure, Proofpoint assesses with moderate confidence the activity aligns with financially motivated, cybercriminal objectives,” the company says.

Proofpoint recommends that organizations in the transport and logistics sector exercise caution when encountering emails from known senders that deviate from the normal communication patterns and content, especially when they contain suspicious links and files.

The same applies to individuals working in other industries as well. When encountering suspicious emails, users should contact the sender to verify their authenticity.

“Threat actors are developing more sophisticated social engineering and initial access techniques across the delivery attack chain while relying more on commodity malware rather than complex and unique malware payloads,” Proofpoint notes.

Related: New ‘Hadooken’ Linux Malware Targets WebLogic Servers

Related: Self-Spreading PlugX USB Drive Malware Plagues Over 90k IP Addresses

Related: Thousands of Systems Turned Into Proxy Exit Nodes via Malware

Related: Dozens of ‘Luca Stealer’ Malware Samples Emerge After Source Code Made Public

Related Content

Malware & Threats

The new macOS malware has targeted at least 100 users to steal their passwords and cryptocurrency. 

Endpoint Security

Bitdefender researchers show how Windows bind links can create conflicting filesystem views to hide malware from endpoint security products.

Malware & Threats

The backdoor’s destructive capabilities include a standalone wiper, ransomware encryption, and a multi-pass wiping command.

Malware & Threats

A Go module is used to load PowerShell code that fetches a resolver from public dead drops to execute Windows malware.

Malware & Threats

The threat actor is focused on collecting credentials, SSH keys, cryptocurrency wallets, and development tooling.

Malware & Threats

Turla has been using the backdoor against government and military organizations in Ukraine for espionage.

Cybercrime

Hundreds of C&C servers were disrupted in an operation involving law enforcement and several cybersecurity companies.

Malware & Threats

Mistic is used by Woodgnat, an initial access broker working with Qilin, Interlock, Rhysida, Akira, 8Base, and Black Basta.

Copyright © 2026 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.

Exit mobile version