Freight Hacker Wields Code-Signing Service to Evade Defenses
ID: 552d63b3-0618-58c0-a9ee-8064bec7a5c1
STIX ID: report--552d63b3-0618-58c0-a9ee-8064bec7a5c1
Feed Name: Proofpoint Blog
Proofpoint researchers uncovered a financially motivated cybercriminal group targeting freight and logistics companies via phishing that delivers VBS and PowerShell payloads to install RMM tools (SimpleHelp, Pulseway, ConnectWise ScreenConnect) for remote control, credential theft and cargo diversion. The actors notably used a third-party code-signing service to fraudulently sign ScreenConnect installers (domains observed: amtechcomputers.net, signer.bulbcentral.com) to evade defenses, and deployed multiple scripts to enumerate accounts, collect browsing/banking data, and exfiltrate to attacker-controlled Telegram bots.
