New Phishing Campaign Targets North American Transportation and Logistics Firms A sophisticated phishing campaign is targeting transportation and logistics companies across North America, delivering information stealers and remote access trojans (RATs) via compromised legitimate email accounts. Security firm Proofpoint identified the activity, which leveraged at least 15 breached accounts from shipping and transportation firms between May and August 2024. The campaign initially distributed Lumma Stealer, StealC, and NetSupport but shifted tactics in August, introducing new infrastructure and payloads DanaBot and Arechclient2. Attackers used internet shortcut (.URL) attachments or Google Drive links leading to malicious files, which exploited Server Message Block (SMB) to fetch malware from remote servers. Some August variants employed ClickFix, a technique tricking victims into executing a Base64-encoded PowerShell script under the guise of fixing browser document display issues. The phishing lures impersonated industry-specific software, including Samsara, AMB Logistic, and Astra TMS, suggesting attackers conducted prior research on targeted companies. The shift in payloads and techniques indicates an evolving threat landscape. Separately, researchers at Palo Alto Networks Unit 42 uncovered a new version of RomCom RAT (SnipBot), a successor to PEAPOD (RomCom 4.0), distributed via phishing emails with malicious PDFs or disguised executables. SnipBot, previously linked to the Tropical Scorpius (Void Rabisu) threat group, now includes 27 commands, enabling file manipulation, process enumeration, SOCKS proxy setup, and data exfiltration. While past RomCom infections involved ransomware, recent activity suggests a potential pivot toward espionage rather than financial motives. The campaigns highlight the growing sophistication of cyber threats targeting critical supply chain sectors.