North American transportation and logistics companies are currently the targets of a sophisticated phishing campaign that employs a variety of information stealers and remote access trojans (RATs). The ongoing operation, discovered by Proofpoint, uses compromised email accounts from legitimate transportation and shipping companies to inject malicious content into existing email conversations.
According to Proofpoint, the phishing campaign has been active since May 2024, utilizing as many as 15 compromised email accounts. These accounts have been used to spread malicious software such as Lumma Stealer, StealC, and NetSupport. Despite the identification of these accounts, it remains unclear how they were infiltrated or who is behind the attacks.
The attack methods evolved in August 2024, incorporating new infrastructure, delivery techniques, and additional payloads, including DanaBot and Arechclient2. The attacks typically involve emails containing internet shortcut (.URL) attachments or Google Drive URLs. These URLs lead to a .URL file that, when launched, uses the Server Message Block (SMB) protocol to download the malware from a remote server.
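As an added illustration (not part of Proofpoint's report or this article), the following Python triage check parses Internet Shortcut (.URL) attachments of the kind described above and flags those whose target is a remote SMB/UNC path rather than an ordinary web URL. The file contents, hostnames and file names are constructed samples, not indicators from the campaign.

```python
"""Flag Internet Shortcut (.URL) attachments whose target is a remote SMB share."""
from urllib.parse import urlsplit

# Constructed sample .URL contents (placeholders, NOT artifacts from the campaign).
SAMPLE_URL_FILES = {
    "benign.url": "[InternetShortcut]\r\nURL=https://example.com/invoice\r\n",
    "smb_unc.url": "[InternetShortcut]\r\nURL=\\\\198.51.100.7\\share\\update.exe\r\nIconIndex=0\r\n",
    "smb_file.url": "[InternetShortcut]\r\nURL=file://203.0.113.5/public/viewer.js\r\n",
    "local.url": "[InternetShortcut]\r\nURL=file:///C:/Users/user/readme.txt\r\n",
}


def parse_url_file(text: str) -> dict:
    """Return the key/value pairs of the [InternetShortcut] section (INI-style)."""
    section = None
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "internetshortcut" and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip().lower()] = value.strip()
    return fields


def is_remote_smb_target(target: str) -> bool:
    """True when the shortcut target resolves to a remote SMB/UNC path."""
    if target.startswith("\\\\") or target.startswith("//"):
        return True  # bare UNC path, e.g. \\host\share\file
    parts = urlsplit(target)
    # A file:// URL with a host component is fetched over SMB by Windows;
    # a local path (file:///C:/...) has an empty netloc and is left alone.
    return (parts.scheme.lower() == "file"
            and bool(parts.netloc)
            and parts.netloc.lower() != "localhost")


def triage(files: dict) -> list:
    """Return the names of .URL files whose target is a remote SMB share."""
    flagged = []
    for name, content in files.items():
        target = parse_url_file(content).get("url", "")
        if is_remote_smb_target(target):
            flagged.append(name)
    return flagged
```

Running `triage(SAMPLE_URL_FILES)` on the constructed samples reports the two SMB-backed shortcuts and ignores the HTTPS and local-path ones.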
One notable variant observed in August 2024 utilized a technique known as ClickFix. This method tricks victims into downloading DanaBot by presenting it as a solution to a document display issue in the web browser. Users are prompted to copy and paste a Base64-encoded PowerShell script into their terminal, which then initiates the infection.
Proofpoint reports that the phishing emails have impersonated several transportation and logistics software platforms, including Samsara, AMB Logistic, and Astra TMS. These platforms are specifically used for fleet operations management, indicating that the threat actor conducts research into the target companies’ operations to craft convincing lures.
"The specific targeting and compromises of organizations within transportation and logistics, as well as the use of lures that impersonate software specifically designed for freight operations and fleet management, indicates that the actor likely conducts research into the targeted company's operations before sending campaigns," Proofpoint said.
This targeted attack is occurring amid the rise of various stealer malware strains, such as Angry Stealer, BLX Stealer (also known as XLABB Stealer), Emansrepo Stealer, Gomorrah Stealer, Luxy, Poseidon, PowerShell Keylogger, QWERTY Stealer, Taliban Stealer, X-FILES Stealer, and a CryptBot-related variant named Yet Another Silly Stealer (YASS).
In another development, a new version of the RomCom RAT, codenamed SnipBot, has emerged. Distributed via malicious links in phishing emails, SnipBot allows attackers to execute commands and download additional modules onto a victim's system. The malware campaign was previously highlighted by the Computer Emergency Response Team of Ukraine (CERT-UA) in July 2024.
"SnipBot gives the attacker the ability to execute commands and download additional modules onto a victim's system," said Yaron Samuel and Dominik Reichel, researchers from Palo Alto Networks Unit 42.
Unlike previous versions of RomCom, which have been linked to ransomware deployments, the current campaign does not show any signs of ransomware activity. This shift suggests that the group behind the malware, known as Tropical Scorpius (also referred to as Void Rabisu), may have transitioned from purely financial motives to espionage.
The ongoing campaign against transportation and logistics companies highlights the need for heightened vigilance and robust cybersecurity measures in these sectors. Organizations are advised to implement multi-factor authentication (MFA), educate employees on recognizing phishing attempts, and regularly update and patch systems to minimize vulnerabilities.
© 2016 - 2025 Red Secure Tech Ltd. Registered in England and Wales under Company Number: 15581067