Phishing attacks hit transportation companies in North America

September 26, 2024
Tags: North America, Phishing Attacks, Cyberattack, Transportation, Shipping

Transportation and logistics companies across North America have become the latest targets of a sophisticated phishing campaign. The attackers behind this operation are deploying multiple types of information-stealing malware and remote access trojans (RATs), including Lumma Stealer, NetSupport, and StealC, in an attempt to gain access to sensitive company data.

These attacks involve compromised email accounts from legitimate transportation and shipping companies.

By infiltrating these accounts, cybercriminals can insert malicious content into ongoing email threads, increasing the likelihood that unsuspecting recipients engage with harmful links or attachments. So far, 15 email accounts have been identified as compromised, although the exact method of access remains unknown.

This campaign has been evolving since May 2024. During the initial phase, the focus was on delivering Lumma Stealer, NetSupport, and StealC malware. However, by August 2024, the attackers adopted new tactics, utilising fresh infrastructure and delivery methods while also expanding their malware arsenal to include DanaBot and Arechclient2.

The malicious messages typically arrive as emails containing .URL attachments or Google Drive links that direct the recipient to a .URL file. Once opened, these files use the Server Message Block (SMB) protocol to connect to a remote share and download the next-stage malware payload. In some cases, the attackers have also employed a relatively new technique called ClickFix, which deceives victims into downloading DanaBot by posing as a solution to a document display issue. The technique prompts the user to copy and paste a Base64-encoded PowerShell script into their terminal, thereby initiating the malware infection.
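As an added defender-side example (not from the original article or the researchers it cites), the following Python parses the INI-style Internet Shortcut (.URL) format and flags files whose URL, IconFile or WorkingDirectory value resolves to a remote SMB (UNC or file://host) location, the delivery pattern described above. The sample files and the 192.0.2.10 host are constructed placeholders, not indicators from the campaign.

```python
import re
from urllib.parse import urlparse

# Constructed sample: a .URL file whose targets point at a remote SMB share
# (placeholder host from the RFC 5737 documentation range, not a real IoC).
SAMPLE_URL_FILE = """[InternetShortcut]
URL=file://192.0.2.10/share/document
IconFile=\\\\192.0.2.10\\share\\icon.ico
IconIndex=1
"""

# Constructed benign sample: an ordinary web shortcut, for comparison.
BENIGN_URL_FILE = """[InternetShortcut]
URL=https://www.example.com/tracking
"""

# Matches a UNC path such as \\host\share\...
UNC_RE = re.compile(r"^\\\\[^\\]+\\")

# Standard .URL keys that can name a location Windows will open or fetch.
LOCATION_KEYS = ("url", "iconfile", "workingdirectory")


def parse_url_file(text):
    """Parse the [InternetShortcut] section into a dict of lowercase key -> value."""
    fields = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "internetshortcut" and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip().lower()] = value.strip()
    return fields


def remote_smb_targets(fields):
    """Return the keys whose value points at a remote SMB location."""
    hits = []
    for key in LOCATION_KEYS:
        value = fields.get(key)
        if not value:
            continue
        parsed = urlparse(value)
        # A file:// URL with a host part, an smb:// URL, or a bare UNC path
        # all cause the client to reach out over SMB rather than HTTP(S).
        if UNC_RE.match(value) or parsed.scheme.lower() == "smb" or (
            parsed.scheme.lower() == "file" and parsed.netloc
        ):
            hits.append(key)
    return hits


def is_suspicious_url_file(text):
    """True when any location field of the .URL file resolves to a remote share."""
    return bool(remote_smb_targets(parse_url_file(text)))
```

Running this over attachments quarantined by a mail gateway gives a cheap triage signal; a legitimate Internet Shortcut almost never needs to reference a share on an external host.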

What makes this campaign particularly concerning is the attackers’ ability to tailor their approach to specific companies within the transportation and logistics industry. By impersonating software such as Samsara, AMB Logistic, and Astra TMS—programs commonly used for fleet operations and freight management—the cybercriminals enhance the believability of their phishing attempts.

Additionally, this campaign coincides with the rise of numerous other stealer malware strains, such as Angry Stealer, BLX Stealer, and CryptBot-related variants. The discovery of a new version of the RomCom RAT, named SnipBot, adds another layer of complexity. Distributed through phishing emails with attachments masquerading as PDFs, SnipBot allows attackers to execute commands and download modules onto the victim’s system.

While RomCom has previously been associated with ransomware, recent analysis suggests that the group behind it, known as Tropical Scorpius (or Void Rabisu), may be shifting its focus from financial crime to espionage.
