Beyond the breach: inside a cargo theft actor's post-compromise playbook
Essential information
- Published: 16/04/2026 15:02
- Modified: 16/04/2026 15:33
- Source / Author: AlienVault
- Confidence: 100/100
- Report type(s): threat-report
- Labels / Tags: cargo theft, cryptocurrency stealer, freight fraud, load board compromise, rmm tools, screenconnect, signing-as-a-service, transportation targeting
- Tags: 2026-04-16, cargo theft, cryptocurrency stealer, freight fraud, load board compromise, rmm tools, screenconnect, signing-as-a-service, transportation targeting
- Related entities: 19 indicators, 19 observables, 24 techniques (mitre), 10 others
Description
A cargo theft threat actor maintained access to a decoy environment for over a month, providing extensive visibility into post-compromise operations. The attacker established redundant persistence using multiple remote access tools, including four ScreenConnect instances, Pulseway RMM, and SimpleHelp RMM. A previously unknown signing-as-a-service capability was employed to evade detection by re-signing ScreenConnect installers with fraudulent code-signing certificates. Extensive reconnaissance targeted financial platforms, payment systems, cryptocurrency wallets, and transportation-specific services including fuel card providers, fleet payment platforms, and load board operators. The activity strongly aligns with financially motivated crimes against the transportation industry, including freight diversion and cargo theft operations.