{
  "name": "Beyond the breach: inside a cargo theft actor's post-compromise playbook",
  "slug": "beyond-the-breach-inside-a-cargo-theft-actors-post-compromise-playbook",
  "description": "A cargo theft threat actor maintained access to a decoy environment for over a month, which gave extensive visibility into its post-compromise operations. The attacker established redundant persistence using multiple remote access tools, including four ScreenConnect instances, Pulseway RMM, and SimpleHelp RMM. To evade detection, the attacker used a previously unknown signing-as-a-service capability to re-sign ScreenConnect installers with fraudulent code-signing certificates. Extensive reconnaissance targeted financial platforms, payment systems, cryptocurrency wallets, and transportation-specific services, including fuel card providers, fleet payment platforms, and load board operators. The activity strongly aligns with financially motivated crimes against the transportation industry, including freight diversion and cargo theft operations.",
  "published": "2026-04-16T13:02:23.747000+00:00",
  "created_at": "2026-04-16T15:33:10.483000+00:00",
  "modified_at": "2026-04-16T13:33:10+00:00",
  "created_at_opencti": "2026-04-16T15:33:10.483000+00:00",
  "author": "AlienVault",
  "confidence": 100,
  "report_types": [
    "threat-report"
  ],
  "labels": [
    "cargo theft",
    "cryptocurrency stealer",
    "freight fraud",
    "load board compromise",
    "rmm tools",
    "screenconnect",
    "signing-as-a-service",
    "transportation targeting"
  ],
  "tags": [
    "2026-04-16",
    "cargo theft",
    "cryptocurrency stealer",
    "freight fraud",
    "load board compromise",
    "rmm tools",
    "screenconnect",
    "signing-as-a-service",
    "transportation targeting"
  ],
  "related_entities": {
    "indicators": [
      {
        "id": "1b2353a8-5ccd-400d-9b7a-b463583ae0af",
        "name": "carrier-packets-docs.com"
      },
      {
        "id": "c25e6de3-a1e3-4125-9965-0d56dc786bd5",
        "name": "af124i1agga.anondns.net"
      },
      {
        "id": "9ec278be-454f-4d3e-a87d-c8adcefd72f4",
        "name": "82d603c0b387116b7effdee6f361ca982c188de0c208e681e942300a0139c03f"
      },
      {
        "id": "be673a5f-8b4e-4d68-aa74-fd8af1d67473",
        "name": "amtechcomputers.net"
      },
      {
        "id": "110e919e-ec68-4c83-a2b4-df636e9fe6e3",
        "name": "signer.bulbcentral.com"
      },
      {
        "id": "ef0e77b1-9613-482c-8199-1c5a9d3b71ed",
        "name": "de30bb1e367d8c9b8b7d5e04e5178f2758157302638f81480ba018331a6f853e"
      },
      {
        "id": "f716fccf-a2d4-4bde-a625-b07d50635b4f",
        "name": "f4977bfeae2a957add1aaf01804d2de2a5a5f9f1338f719db661ac4f53528747"
      },
      {
        "id": "dc65e242-0743-486e-b5eb-d1fa0129cdd4",
        "name": "nq251os.top"
      },
      {
        "id": "5f7d9875-96c8-4f6e-b7b2-d33d0aec8a99",
        "name": "https://carrier-packets-docs.com/FREEDOM_FREIGHT_SERVICES_CARRIERS_ONBOARDING.vbs"
      },
      {
        "id": "a4fd8380-1d20-4cd0-ac32-4433272a2996",
        "name": "qto12q.top"
      },
      {
        "id": "2d0169c4-d6ae-47ac-943e-8fd110d7b491",
        "name": "7f54cf5e2beb3f1f5d2b3ba1c6a16ce1927ffecd20a9d635329b1e16cb74fb14"
      },
      {
        "id": "a80ce6c6-0d08-490e-9b34-aab46bfb59f2",
        "name": "screlay.amtechcomputers.net"
      },
      {
        "id": "2ec30653-8669-47f3-ba1b-d6923b7189cd",
        "name": "8a3d6a6870b64767ad2cc9ad4db728abf08bae84726b06be6cb97faac6c14ae4"
      },
      {
        "id": "ffb90588-54ef-499e-ae0f-8df9fc5a415f",
        "name": "d9832d9208b2c4a34cf5220b1ebaf11f0425cf638ac67bf4669b11c80e460f58"
      },
      {
        "id": "c10037a4-d20c-48ca-b430-2e262fe5b8b0",
        "name": "officcee404.com"
      },
      {
        "id": "4b1dbbe7-e3c3-402d-8202-c5a8efdafe1c",
        "name": "1f89a432471ec2efe58df788c576007d6782bbdf5b572a5fbf5da40df536c9f5"
      },
      {
        "id": "b84452c9-8998-4974-8628-e7bccd97d3d6",
        "name": "b861e3682ca3326d6b29561e4b11f930f4a9f10e9588a3d48b09aa6c36a8ea80"
      },
      {
        "id": "f1c21695-51eb-4f00-a021-44b5505e87e9",
        "name": "https://qto12q.top/pdf.ps1"
      },
      {
        "id": "b26124f1-606e-41f9-a46f-adba6db414bf",
        "name": "3dcb89430bae8d89b9879da192351506f4fdb7c67e253a27f58b3bf52101cd4c"
      }
    ],
    "attack_patterns": [
      {
        "id": "9f11a241-9abc-4c57-95dd-33955ab08826",
        "name": "T1078"
      },
      {
        "id": "eaff4611-3c78-4127-8745-726f77ed68ba",
        "name": "T1070.004"
      },
      {
        "id": "cf746a02-00ea-419e-912d-7b03f969c491",
        "name": "T1518.001"
      },
      {
        "id": "93b2c4dd-5523-4464-8976-78754ee372fd",
        "name": "T1012"
      },
      {
        "id": "7d7ac733-6442-416f-8669-c302dd0843b9",
        "name": "T1036"
      },
      {
        "id": "b7ba0db0-7d4f-436f-8d5f-c431d690b048",
        "name": "T1555.003"
      },
      {
        "id": "c9ee9b30-ba84-4c24-95e9-e8242d42af3f",
        "name": "T1071.001"
      },
      {
        "id": "32b33067-6566-4b8d-be80-e96f765d84de",
        "name": "T1059.001"
      },
      {
        "id": "196f2a64-c55b-47a6-8e38-beb76ba700b6",
        "name": "T1204.002"
      },
      {
        "id": "40f0d8e3-bcd7-4b97-a958-f55815698fc5",
        "name": "T1053.005"
      },
      {
        "id": "dc410646-9cdd-427b-92e7-179a54f78f90",
        "name": "T1566.001"
      },
      {
        "id": "cbd87c8c-3bed-461a-acef-56ffc8b87571",
        "name": "T1105"
      },
      {
        "id": "c12e0e03-aab0-4646-a929-e921a3d27f02",
        "name": "T1219"
      },
      {
        "id": "9e784d22-5a6c-4da6-968a-5fab2f019efd",
        "name": "T1059.005"
      },
      {
        "id": "b7c6c1ad-f183-4128-8427-3891029c73dc",
        "name": "T1539"
      },
      {
        "id": "de38dd3a-41d7-4621-8a00-a32d7f0ff420",
        "name": "T1102.002"
      },
      {
        "id": "5999052b-e9ae-49e8-9235-d9bf975c22af",
        "name": "T1547.001"
      },
      {
        "id": "0a349b00-3868-4704-8f0d-6ecdd53a287b",
        "name": "T1213.002"
      },
      {
        "id": "5b7c66d1-0466-4ba7-af6f-eb82c2f9d05b",
        "name": "T1033"
      },
      {
        "id": "c22b5073-f426-4294-98bb-219d17345158",
        "name": "T1553.002"
      },
      {
        "id": "436e795b-553f-444e-b837-65818d8f539f",
        "name": "T1119"
      },
      {
        "id": "e1b18ecf-d74e-4fe6-9bd4-ca6a62e7d818",
        "name": "T1027.002"
      },
      {
        "id": "45082a8e-9c79-470e-ad1b-decac7188e8f",
        "name": "T1083"
      },
      {
        "id": "70616b2f-4019-4963-b758-5d9f6f20e201",
        "name": "T1082"
      }
    ],
    "observables": [
      {
        "id": "a8af7df6-bc2e-4a64-8be1-61f9223f20a3",
        "name": "amtechcomputers.net"
      },
      {
        "id": "acd88766-ca62-41e5-8547-2dbb12bc159e",
        "name": "carrier-packets-docs.com"
      },
      {
        "id": "b3ff1d6d-c94b-435c-9166-ba5f04fb280f",
        "name": "nq251os.top"
      },
      {
        "id": "44a13c45-6a6c-49ba-b410-b90e0d728868",
        "name": "officcee404.com"
      },
      {
        "id": "738f05fe-d461-44c4-a029-2a716aca0537",
        "name": "qto12q.top"
      },
      {
        "id": "ec00cd27-57d5-485e-ab74-bd8d57f2f3dd",
        "name": "signer.bulbcentral.com"
      },
      {
        "id": "f43d8e2c-8ced-4074-bb32-ca11598411bf",
        "name": "screlay.amtechcomputers.net"
      },
      {
        "id": "b98c071f-8dd2-4596-a208-c6cb071ea6fa",
        "name": "af124i1agga.anondns.net"
      },
      {
        "id": "0d73ebf9-be81-4724-90b0-2cc0fbed8c98",
        "name": "https://qto12q.top/pdf.ps1"
      },
      {
        "id": "376acffa-6b9a-456c-9f16-a5f3eedf418b",
        "name": "https://carrier-packets-docs.com/FREEDOM_FREIGHT_SERVICES_CARRIERS_ONBOARDING.vbs"
      },
      {
        "id": "",
        "name": "82d603c0b387116b7effdee6f361ca982c188de0c208e681e942300a0139c03f"
      },
      {
        "id": "",
        "name": "de30bb1e367d8c9b8b7d5e04e5178f2758157302638f81480ba018331a6f853e"
      },
      {
        "id": "",
        "name": "f4977bfeae2a957add1aaf01804d2de2a5a5f9f1338f719db661ac4f53528747"
      },
      {
        "id": "",
        "name": "7f54cf5e2beb3f1f5d2b3ba1c6a16ce1927ffecd20a9d635329b1e16cb74fb14"
      },
      {
        "id": "",
        "name": "8a3d6a6870b64767ad2cc9ad4db728abf08bae84726b06be6cb97faac6c14ae4"
      },
      {
        "id": "",
        "name": "d9832d9208b2c4a34cf5220b1ebaf11f0425cf638ac67bf4669b11c80e460f58"
      },
      {
        "id": "",
        "name": "1f89a432471ec2efe58df788c576007d6782bbdf5b572a5fbf5da40df536c9f5"
      },
      {
        "id": "",
        "name": "b861e3682ca3326d6b29561e4b11f930f4a9f10e9588a3d48b09aa6c36a8ea80"
      },
      {
        "id": "",
        "name": "3dcb89430bae8d89b9879da192351506f4fdb7c67e253a27f58b3bf52101cd4c"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "Finance"
      },
      {
        "id": "",
        "name": "Transport"
      },
      {
        "id": "",
        "name": "carrier-packets-docs.com"
      },
      {
        "id": "",
        "name": "af124i1agga.anondns.net"
      },
      {
        "id": "",
        "name": "amtechcomputers.net"
      },
      {
        "id": "",
        "name": "signer.bulbcentral.com"
      },
      {
        "id": "",
        "name": "nq251os.top"
      },
      {
        "id": "",
        "name": "qto12q.top"
      },
      {
        "id": "",
        "name": "screlay.amtechcomputers.net"
      },
      {
        "id": "",
        "name": "officcee404.com"
      }
    ]
  },
  "external_refs": [
    {
      "id": "88e67b4c-5ef1-4ead-92db-fbe1931dc2c3",
      "standard_id": "external-reference--46f2e937-2b4d-59dd-bf68-d1583ecf4c74",
      "entity_type": "External-Reference",
      "source_name": "AlienVault",
      "description": null,
      "url": "https://otx.alienvault.com/pulse/69e0dddf690d636ed8ac9c40",
      "hash": null,
      "external_id": "69e0dddf690d636ed8ac9c40",
      "created": "2026-04-16T15:33:10.351Z",
      "modified": "2026-04-16T15:33:10.351Z",
      "createdById": null
    },
    {
      "id": "d1ff10fd-a247-4e7a-b68f-cdfc084a8bcc",
      "standard_id": "external-reference--4c83979a-7167-5dd1-ba9e-776ec83a9d41",
      "entity_type": "External-Reference",
      "source_name": "AlienVault",
      "description": null,
      "url": "https://www.proofpoint.com/us/blog/threat-insight/beyond-breach-inside-cargo-theft-actors-post-compromise-playbook",
      "hash": null,
      "external_id": null,
      "created": "2026-04-16T15:33:10.398Z",
      "modified": "2026-04-16T15:33:10.398Z",
      "createdById": null
    }
  ]
}