Proofpoint researchers have pulled back the curtain on a sophisticated cyber-operation targeting the transportation industry, revealing a month-long masterclass in persistence and digital reconnaissance. By monitoring a threat actor inside a controlled decoy environment, experts gained “rare, extended visibility into post-compromise operations, tooling, and decision-making”. This investigation highlights a shift from simple malware delivery to a deep, operator-driven search for high-value financial and logistics targets.
The attack typically begins at the “load board,” the digital marketplace where shippers and brokers connect with motor carriers. On February 27, 2026, the actor initiated a campaign by delivering a malicious Visual Basic Script (VBS) payload via email to carriers inquiring about advertised loads.

To keep the victim unaware, the malware “displayed a decoy broker-carrier agreement to mask malicious activity” while silently executing a PowerShell script to install remote access tools. This initial breach is merely the start of an extended effort to embed the attacker within the victim’s infrastructure.
Once access is secured, the threat actor focuses heavily on maintaining a permanent presence. Over the course of a month, researchers observed the installation of four separate ScreenConnect instances, alongside Pulseway and SimpleHelp Remote Monitoring and Management (RMM) platforms.
This use of multiple concurrent tools suggests a “deliberate redundancy designed to preserve access even if one tool is detected or disabled”. By establishing these varied channels, the attacker ensures that even if a security team removes one backdoor, others remain active to sustain the intrusion.
One of the most significant findings is the use of a “previously unknown third-party signing-as-a-service capability”. This service allowed the attacker to bypass standard security warnings and trust-based controls.
The attacker submits a malware URL to an external service hosted at signer[.]bulbcentral[.]com. The service then re-signs the installers with a valid, though fraudulent, code-signing certificate—such as one issued to “STEPHEN WHANG, CPA, INC.”. By “laundering trust through an external signing service,” the attacker can replace revoked vendor-signed binaries with “clean” ones that Windows treats as trusted.
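Two of the patterns above, several RMM tools stacked on a single host and a vendor installer re-signed under an unrelated subject, lend themselves to a simple endpoint-inventory check. The following is an added example, not Proofpoint's code or any vendor tool: the inventory records and the vendor signer placeholders are constructed, and only the “STEPHEN WHANG, CPA, INC.” subject comes from the report.

```python
# Added detection example (not from the report). Inventory records are
# constructed; the vendor signer strings are placeholders to be replaced
# with subjects you have verified from genuine vendor installers.
from collections import defaultdict

# Assumption: one record per installed remote-access binary on a host.
INVENTORY = [
    {"host": "dispatch-01", "product": "ScreenConnect", "instance": "relay-a",
     "signer": "PLACEHOLDER-SCREENCONNECT-VENDOR"},
    {"host": "dispatch-01", "product": "ScreenConnect", "instance": "relay-b",
     "signer": "STEPHEN WHANG, CPA, INC."},   # fraudulent subject from report
    {"host": "dispatch-01", "product": "Pulseway", "instance": "default",
     "signer": "STEPHEN WHANG, CPA, INC."},
    {"host": "dispatch-01", "product": "SimpleHelp", "instance": "default",
     "signer": "PLACEHOLDER-SIMPLEHELP-VENDOR"},
    {"host": "billing-02", "product": "ScreenConnect", "instance": "corp",
     "signer": "PLACEHOLDER-SCREENCONNECT-VENDOR"},
]

# Assumption: the signer subject each RMM vendor legitimately uses.
EXPECTED_SIGNER = {
    "ScreenConnect": "PLACEHOLDER-SCREENCONNECT-VENDOR",
    "Pulseway": "PLACEHOLDER-PULSEWAY-VENDOR",
    "SimpleHelp": "PLACEHOLDER-SIMPLEHELP-VENDOR",
}


def find_signer_mismatches(inventory):
    """Binaries whose Authenticode subject is not the vendor's own.
    A chain-valid signature under a foreign subject is the re-signing
    pattern; 'signature valid' alone would not catch it."""
    return [(r["host"], r["product"], r["signer"]) for r in inventory
            if r["signer"] != EXPECTED_SIGNER.get(r["product"])]


def find_redundant_access(inventory, max_tools=1):
    """Hosts carrying more distinct RMM products, or more instances of one
    product, than policy allows: the 'deliberate redundancy' pattern."""
    per_host = defaultdict(lambda: defaultdict(set))
    for r in inventory:
        per_host[r["host"]][r["product"]].add(r["instance"])
    findings = []
    for host, products in per_host.items():
        total = sum(len(inst) for inst in products.values())
        if len(products) > max_tools or total > max_tools:
            findings.append((host, sorted(products), total))
    return findings
```

Feed it the output of your own signature and software inventory (for example per-host `Get-AuthenticodeSignature` results exported to records of this shape); the second check only fires above the number of RMM tools your policy actually sanctions.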
With persistence guaranteed, the actor begins a meticulous “hands-on-keyboard” reconnaissance phase. Proofpoint identified at least 13 PowerShell scripts executed to “determine whether the compromised host belonged to a financially valuable user”. These scripts are capable of enumerating local user accounts, extracting full browsing histories, and identifying hard-coded URLs associated with sensitive platforms.
The reconnaissance activity specifically targets:
- Financial Institutions: U.S. banks, money transfer services, and interbank payment systems.
- Transportation Infrastructure: “Fuel card services, fleet payment platforms, and load board operators”.
- High-Value Assets: Browser extensions and desktop cryptocurrency wallets.
The breadth of these targets “strongly aligns with financially motivated theft, fraud, and cargo diversion operations tied to transportation workflows”.
This operation demonstrates that financially motivated actors targeting transportation organizations now operate well beyond initial access. Their priority is “persistence, reconnaissance, and credential harvesting to identify opportunities for financial exploitation across transportation and related financial platforms”.