
Beyond the breach: inside a cargo theft actor’s post-compromise playbook


Key findings

  • Proofpoint monitored a cargo theft actor’s post‑compromise activity for more than a month in a decoy environment operated by Deception.pro. 
  • The attacker abused multiple remote access tools to establish persistence, including the use of a previously unknown third‑party signing‑as‑a‑service capability. 
  • Proofpoint also observed extensive reconnaissance to identify financial access, payment platforms, and cryptocurrency assets to enable freight fraud and broader financial theft. 
  • Reconnaissance specifically targeting fuel card services, fleet payment platforms, and load board operators was likely intended to enable transportation‑related crimes, including cargo theft. 

Overview 

In late February 2026, Proofpoint researchers executed a malicious payload from a threat actor targeting transportation organizations inside a controlled decoy environment operated by our partners at Deception.pro. While the environment did not represent a transportation carrier, it remained compromised for more than a month—offering rare, extended visibility into post‑compromise operations, tooling, and decision‑making. 

Proofpoint previously documented this actor’s campaigns against trucking and logistics companies to facilitate cargo theft and freight fraud. In this case, the extended interaction revealed persistence through multiple remote management tools, the use of a previously unknown signing‑as‑a‑service capability designed to evade detection and suppress security warnings, and extensive post-compromise reconnaissance activity.  

This reconnaissance focused on identifying financial access—such as banking, accounting, tax software, and money transfer services—as well as transportation‑related entities, including fuel card services, fleet payment platforms, and load board operators. The latter activity was likely designed to support crimes against the transportation industry, including cargo theft and related financial fraud. 

A familiar actor, a new view 

In November 2025, Proofpoint published research describing a threat actor leveraging compromised load boards to gain access to trucking companies, enabling freight diversion and cargo theft. While that research focused on initial access and target impact, opportunities to observe the actor’s post-compromise operations were limited.  

This engagement changed that. 

Following payload execution inside the Deception.pro environment in late February, the actor maintained access for more than a month. Their ensuing activity provided Proofpoint researchers with an unusually detailed view of post‑compromise tooling, scripting, reconnaissance behavior, and operator‑driven decision‑making. 

Initial access and payload delivery 

On February 27, 2026, after compromising a load board platform, the actor delivered a malicious payload via email to transportation carriers inquiring about fraudulent advertised loads. Load board platforms are online marketplaces that connect shippers and freight brokers with motor carriers by advertising available loads. The payload consisted of a Visual Basic Script (VBS) file that, when executed:

  1. Downloaded and executed a PowerShell script 
  2. Installed the ScreenConnect remote access tool 
  3. Displayed a decoy broker‑carrier agreement to mask malicious activity 

Figure 1. Email content sent after responding to a fraudulent load posted on a load board. 

Figure 2. Actor-controlled web page hosting a malicious VBS payload. 

Establishing persistence with multiple RMM tools 

Once access was established, the actor focused heavily on remote administration and redundancy. 

Over the following month, the actor leveraged existing access to install: 

  • Four separate ScreenConnect instances 
  • Pulseway Remote Monitoring and Management (RMM) 
  • SimpleHelp RMM 

The use of multiple concurrent RMM platforms suggests deliberate redundancy designed to preserve access even if one tool is detected or disabled. 

A previously unknown signing‑as‑a‑service capability 

The fourth ScreenConnect instance, downloaded in late March, stood apart from earlier installations. 

This installation chain began when the attacker used an existing ScreenConnect session to launch an initial PowerShell script. That script bypassed normal PowerShell controls, downloaded and executed a second‑stage PowerShell payload with parameters specific to the ScreenConnect installer, and then deleted itself to reduce forensic artifacts. The second‑stage script performed the core deployment using a third‑party signing‑as‑a‑service provider, which re‑signed ScreenConnect installers and components with a valid—but fraudulent—code‑signing certificate. 

Specifically, the second‑stage script:  

  • Built a ScreenConnect MSI download URL from the attacker’s ScreenConnect infrastructure hosted at amtechcomputers[.]net. 
  • Submitted that MSI URL to an external signing service hosted at signer[.]bulbcentral[.]com 
  • Polled the service until signing was completed 
  • Downloaded the newly signed MSI from a separate, signer‑controlled URL hosted at services-sc-files.s3.us-east-2.amazonaws[.]com 
  • Verified that the MSI’s Authenticode signature was valid 
  • Silently installed the signed MSI on the system 

After installation, the script optionally downloaded a ZIP archive from the same S3 infrastructure. This ZIP contained ScreenConnect component binaries (e.g., ScreenConnect.Client.exe) re‑signed with the same certificate used for the MSI. The script extracted these files and replaced the originally installed components—backing up existing files, stopping and restarting the ScreenConnect service as needed. This step eliminated ScreenConnect binaries signed with now‑revoked ConnectWise certificates and ensured that all installed components were uniformly signed with a certificate that Windows still treated as trusted. 

In combination, these actions allowed the attacker to establish and maintain persistent remote access while actively circumventing certificate revocations, security warnings, and trust‑based endpoint controls. By laundering trust through an external signing service and replacing revoked vendor‑signed binaries, the attacker preserved long‑term, stealthy access and reduced the likelihood of user awareness or control‑based detection. 

Proofpoint researchers collaborated with security researcher @Squiblydoo to analyze the signing service and successfully revoke the associated certificate: 

SignerName: STEPHEN WHANG, CPA, INC.
ValidFrom: 5:00 PM 12/23/2025
ValidTo: 4:59 PM 12/24/2026
SerialNumber: 38 4B 49 3A B7 6F AE 54 F8 3A E6 BF A8 7E 5C 10
Thumbprint: D45D60B20006BC3A39AE1761CB5F5F5B067B4EE5
CertIssuer: Sectigo Public Code Signing CA EV R36

Interactive hands-on-keyboard (HOK) post-compromise activity 

With persistent access in place, the actor conducted hands‑on-keyboard activity and tooling execution: 

  • Approximately three days after intrusion, the actor manually accessed the PayPal website through the user’s browser. 
  • Eight days into the intrusion, the actor used ScreenConnect to execute a PyInstaller‑packed binary designed to scan for browser extension and desktop cryptocurrency wallets and exfiltrate positive findings to attacker‑controlled Telegram bots. 

These actions indicate discretionary, operator‑driven targeting rather than purely automated malware execution. 

Reconnaissance through PowerShell automation 

During the intrusion, Proofpoint observed at least 13 PowerShell scripts executed by the threat actor which, collectively, focused on determining whether the compromised host belonged to a financially valuable user. 

Script capabilities:

  • Enumerate all local user accounts and browser profiles 
  • Extract browsing history from Chrome, Edge, Firefox, and Chromium‑based variants 
  • Copy locked browser databases to temporary locations 
  • Identify hard‑coded URLs associated with banking, payments, logistics, fleet services, and accounting platforms 
  • Exfiltrate metadata—such as hostname, browser type, profile counts, and match frequency—to attacker‑controlled Telegram bots 

This telemetry provides the actor with rapid insight into a victim’s financial authority, payment access, and business role. 

Consistent behaviors across scripts 

Across multiple scripts, Proofpoint identified consistent behaviors: 

  • Scanning browser history across all user profiles 
  • Querying SQLite databases and performing binary pattern matching 
  • Searching for access to specific logistics, payment, and financial services 
  • Storing artifacts in hidden directories (e.g., C:\H) 
  • Executing successfully under SYSTEM context 
  • Sending summary results to Telegram for operator review 
  • In one instance, creating delayed SYSTEM scheduled tasks to evade proxy controls 

The scripts searched for indicators of access to the following platforms, among others: 

  • U.S. financial institutions and banks 
  • Money transfer services 
  • Online accounting platforms 
  • Interbank payment systems 
  • Fleet fuel card and payment providers 
  • Freight brokerage and load management platforms 

The breadth of these targets strongly aligns with financially motivated theft, fraud, and cargo diversion operations tied to transportation workflows. In particular, targeting of fuel card services, fleet payment platforms, and freight brokerage systems indicates intent to enable crimes against the transportation industry, including freight diversion and cargo theft. 

A final PowerShell script 

In late March, the attacker ran an additional PowerShell script through ScreenConnect’s custom property feature to quietly collect endpoint intelligence and report it back to the attacker through the existing remote‑access channel. It enumerated installed antivirus software and checked for the presence of high‑value financial, tax, accounting, and cryptocurrency applications. The results were automatically returned to the attacker’s ScreenConnect console without generating separate network traffic or alerts. 

Conclusion 

This extended intrusion highlights how financially motivated threat actors targeting transportation organizations operate well beyond initial access, prioritizing persistence, reconnaissance, and credential harvesting to identify opportunities for financial exploitation across transportation and related financial platforms. Portions of this activity are also consistent with preparatory behavior observed in freight theft and cargo diversion operations. 

Notably, the use of a signing‑as‑a‑service capability underscores a growing trend toward attacker use of legitimate trust mechanisms to evade detection. 

For transportation, logistics, and freight organizations, these findings reinforce the importance of monitoring for unauthorized remote management tools, suspicious PowerShell activity, and abnormal browser telemetry associated with financial platform access. 
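As an added illustration of the monitoring just recommended (example code written for this article, not Proofpoint's or Deception.pro's tooling), the following Python triages constructed endpoint events for the behaviours described above: contact with the two signing-service hosts, PowerShell launched with the execution-policy bypass, files in the hidden C:\H staging directory, SYSTEM-created scheduled tasks, and two or more RMM products on one host. The event shape and field names are assumptions loosely modelled on Sysmon-style records.

```python
"""Triage constructed endpoint telemetry for the behaviours in the write-up.
Added example, not Proofpoint's or Deception.pro's code; event shape and
field names are assumptions loosely modelled on Sysmon-style records."""
import re
from collections import defaultdict

# Hosts named in the signing-as-a-service chain (defanging removed for matching).
SIGNING_HOSTS = {"signer.bulbcentral.com",
                 "services-sc-files.s3.us-east-2.amazonaws.com"}
# The three RMM products the actor stacked for redundancy.
RMM_PRODUCTS = {n: re.compile(n, re.I) for n in ("screenconnect", "pulseway", "simplehelp")}
# Hidden staging directory used by the reconnaissance scripts (C:\H).
HIDDEN_STAGING = re.compile(r"^C:\\H(\\|$)", re.I)
PS_BYPASS = re.compile(r"-e(p|xecutionpolicy)\s+bypass", re.I)

# Constructed sample events (not real telemetry), one dict per record.
EVENTS = [
    {"host": "wks1", "type": "dns", "query": "signer.bulbcentral.com"},
    {"host": "wks1", "type": "process", "user": "NT AUTHORITY\\SYSTEM", "image": "powershell.exe",
     "cmdline": "powershell.exe -ep bypass -w hidden -f C:\\H\\r.ps1"},
    {"host": "wks1", "type": "service", "name": "ScreenConnect Client (a1b2c3)"},
    {"host": "wks1", "type": "service", "name": "Pulseway"},
    {"host": "wks1", "type": "service", "name": "SimpleHelp Remote Access"},
    {"host": "wks1", "type": "file", "path": "C:\\H\\History.db"},
    {"host": "wks1", "type": "schtask", "user": "NT AUTHORITY\\SYSTEM", "task": "\\Updater"},
    {"host": "wks2", "type": "service", "name": "ScreenConnect Client (d4e5f6)"},
    {"host": "wks2", "type": "dns", "query": "www.example.com"},
]


def triage(events):
    """Return {host: sorted finding names}; hosts with no findings are omitted."""
    findings, rmm_seen = defaultdict(set), defaultdict(set)
    for e in events:
        h, t = e["host"], e["type"]
        if t == "dns" and e["query"].lower() in SIGNING_HOSTS:
            findings[h].add("signing_service_contact")
        elif t == "service":
            rmm_seen[h].update(n for n, p in RMM_PRODUCTS.items() if p.search(e["name"]))
        elif t == "process" and "powershell" in e["image"].lower() and PS_BYPASS.search(e["cmdline"]):
            findings[h].add("powershell_bypass")
        elif t == "file" and HIDDEN_STAGING.search(e["path"]):
            findings[h].add("hidden_staging_dir")
        elif t == "schtask" and e["user"].upper().endswith("SYSTEM"):
            findings[h].add("system_scheduled_task")
    # Two or more concurrent RMM products on one host is the redundancy pattern above.
    for h, tools in rmm_seen.items():
        if len(tools) >= 2:
            findings[h].add("multiple_rmm_tools")
    return {h: sorted(f) for h, f in findings.items()}
```

A single ScreenConnect service on wks2 produces no finding on its own; the redundancy rule only fires once a second RMM product appears on the same host.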

Emerging Threats signatures 

  • 2049863 - SimpleHelp Remote Access Software Activity
  • 2049805 - Simplehelp Remote Administration Suite HTTP Server Value in Response
  • 2066799 - Kaseya Pulseway Domain in DNS Lookup (pulseway .s3-accelerate .amazonaws .com)
  • 2066797 - Kaseya Pulseway RMM Domain in DNS Lookup (pulseway .com)
  • 2066798 - Observed Kaseya Pulseway Domain (pulseway .com) in TLS SNI
  • 2066800 - Observed Kaseya Pulseway Domain (pulseway .s3-accelerate .amazonaws .com) in TLS SNI

Indicators of compromise