TL;DR: A cargo theft actor was tracked inside a decoy environment for more than a month and found to maintain persistence via multiple remote access tools, plus a previously unknown signing-as-a-service capability used to keep malicious ScreenConnect installations trusted, according to Proofpoint. The pattern shows how transport fraud actors now combine remote administration abuse, trust laundering, and browser reconnaissance to extend access and target payment systems.
NHIMG editorial — based on content published by Proofpoint: LLMjacking? no, cargo theft actor post-compromise activity in a decoy environment
By the numbers:
- When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes.
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities.
- Enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months.
Questions worth separating out
Q: What breaks when remote support tools are allowed to persist after compromise?
A: The main failure is that legitimate administration software becomes an attacker-controlled access channel.
Q: Why do remote administration tools increase fraud and lateral movement risk?
A: They concentrate privilege, reach, and persistence in one channel, which means compromise of the tool often equals compromise of the environment it can manage.
Q: How do security teams know if signed software is being abused for persistence?
A: Look for certificate-valid installers appearing through unusual delivery paths, signing-service dependencies that do not match normal software provenance, and component replacement after initial install.
Practitioner guidance
- Inventory every remote administration tool with privileged reach Build a complete register of RMM, support, and remote control platforms, including who approved them, where they are installed, and which endpoints they can reach.
- Monitor code-signing anomalies as a control-plane signal Alert on newly signed installers, unusual signing-service usage, and binaries that change publisher or certificate lineage during a support session.
- Correlate browser artefacts with fraud-risk detections Detect searches, browsing history, and local database access involving banking, accounting, fuel-card, load-board, and payment platforms.
What's in the full report
Proofpoint’s full analysis covers the operational detail this post intentionally leaves for the source:
- The exact PowerShell and ScreenConnect execution chain used to keep access alive across multiple installs.
- The certificate-handling workflow behind the signing-as-a-service capability and the revocation response.
- The full indicator set, including the remote access infrastructure and malware hashes, for detection engineering.
- The investigation notes that distinguish transport-fraud reconnaissance from more generic endpoint compromise.
👉 Read Proofpoint’s analysis of transport fraud, trusted remote access, and signing abuse →
Signing-as-a-service abuse and transport fraud: what changes for defenders?
Explore further
Trust laundering is becoming a distinct post-compromise pattern, not just an evasion detail. The actor did not rely on one tool or one certificate. It combined remote administration, re-signed binaries, and certificate-valid installers to turn legitimate trust mechanisms into attacker infrastructure. That is a governance problem for endpoint security, privileged tooling, and software trust decisions. Practitioners should treat this as a separate control category: identity and provenance for trusted tools.
A question worth separating out:
Q: Who is accountable when remote access tools are used to support cargo theft or fraud?
A: Accountability sits with the teams that approve, own, and monitor the access path. Security, infrastructure, and application owners all share responsibility if remote support tooling can be installed, reused, or persisted without lifecycle control. Frameworks such as NIST CSF and OWASP NHI place that responsibility on governance, access management, and continuous monitoring.
👉 Read our full editorial: Cargo theft actors are laundering trust through remote access tools