Threat actors are compromising email accounts at transportation and shipping organizations in North America to deliver various malware families, Proofpoint reports.

Starting May 2024, threat actors have been observed injecting malicious content into existing conversations within the compromised inboxes, to deliver malware such as Arechclient2, DanaBot, Lumma Stealer, NetSupport, and StealC.

Most attacks rely on Google Drive links or URL files as attachments that run a malicious payload to fetch an executable from a remote share and install malware, the cybersecurity firm says.

To date, the attackers have compromised roughly 15 email addresses, typically injecting fewer than 20 messages targeting a small number of transportation and logistics companies.

Proofpoint has seen the threat actors impersonating software typically used for transport and fleet operations management, such as Samsara, AMB Logistic, and Astra TMS.

According to the cybersecurity firm, while the observed techniques have been used by other adversaries in previous attacks, it is likely that the threat actor behind this campaign “is purchasing this infrastructure from third party providers”.

“Based on the observed initial access activity, malware delivery, and infrastructure, Proofpoint assesses with moderate confidence the activity aligns with financially motivated, cybercriminal objectives,” the company says.

Proofpoint recommends that organizations in the transport and logistics sector exercise caution when encountering emails from known senders that deviate from the normal communication patterns and content, especially when they contain suspicious links and files.

The same applies to individuals working in other industries as well. When encountering suspicious emails, users should contact the sender to verify their authenticity.

“Threat actors are developing more sophisticated social engineering and initial access techniques across the delivery attack chain while relying more on commodity malware rather than complex and unique malware payloads,” Proofpoint notes.

Related: New ‘Hadooken’ Linux Malware Targets WebLogic Servers

Related: Self-Spreading PlugX USB Drive Malware Plagues Over 90k IP Addresses

Related: Thousands of Systems Turned Into Proxy Exit Nodes via Malware

Related: Dozens of ‘Luca Stealer’ Malware Samples Emerge After Source Code Made Public