Phishing campaign targets freight and logistics orgs in the US, Europe

A financially motivated threat group dubbed "Diesel Vortex" is stealing credentials from freight and logistics operators in the U.S. and Europe in phishing attacks that use 52 domains.

In a campaign that has been running since September 2025, the threat actor has stolen 1,649 unique credentials from platforms and service providers critical to the freight industry.

Among the Diesel Vortex victims are DAT Truckstop, TIMOCOM, Teleroute, Penske Logistics, Girteka, and Electronic Funds Source (EFS).

Researchers at the typosquatting monitoring platform Have I Been Squatted uncovered the campaign after discovering an exposed repository containing an SQL database from a phishing project that the threat actor called International Revenue and marketed to other cybercriminals under the name MC Revenue Always.

The repository also included a file with Telegram webhook logs that exposed communications between the phishing service operators. Based on the language used, the researchers believe that Diesel Vortex is an Armenian-speaking actor connected to Russian infrastructure.

Have I Been Squatted's analysis was joined by tokenization infrastructure provider Ctrl-Alt-Intel, which used open-source intelligence to connect the dots between the operators, their infrastructure, and various companies.

In a lengthy technical report, the typosquatting security provider states that it uncovered nearly 3,500 stolen credential pairs, 1,649 of them unique.

[Figure: Volume of Diesel Vortex credential theft. Source: Have I Been Squatted]

The researchers say they also found a link to a mind map created by a member of the group, which describes a "highly organised operation" complete with a call centre, mail support, programmer roles, and staff responsible for finding drivers, carriers, and logistics contacts.

Additionally, the map provided details about acquisition channels, including the DAT One marketplace, email campaigns, and rate confirmation fraud, as well as income figures for the various operational tiers.

"The [Diesel Vortex] group built dedicated phishing infrastructure for platforms used daily by freight brokers, trucking companies, and supply chain operators. Load boards, fleet management portals, fuel card systems, and freight exchanges were all in scope," Have I Been Squatted researchers say.

"These platforms sit at the intersection of high transaction volumes and a targeted workforce that isn't usually the primary focus of enterprise security programs, and the operators clearly knew it."

The attacks involve sending phishing emails to targets via a phishing kit's mailer, using Zoho SMTP and Zeptomail, and mixing Cyrillic homoglyph tricks into the sender and subject fields to evade security filters.
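As an added example (not code from the report or this article), here is a small Python check a mail-filtering team could run over sender and subject fields to flag the Cyrillic-in-Latin homoglyph mixing described above; the confusables table is a partial one and the sample headers are constructed.

```python
# Added example: flag email header values that mix Cyrillic look-alike
# letters into otherwise Latin text, and recover the text they imitate.
# Sample headers below are constructed, not taken from the campaign.
import unicodedata

# Cyrillic letters that render nearly identically to Latin letters.
# Partial table; the Unicode confusables list is much larger.
CYRILLIC_TO_LATIN = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
    "\u0410": "A", "\u0415": "E", "\u041e": "O", "\u0420": "P",
    "\u0421": "C", "\u0425": "X", "\u0423": "Y", "\u0406": "I",
    "\u0422": "T", "\u041d": "H", "\u041a": "K", "\u041c": "M",
}

def scripts_used(text):
    """Return the set of Unicode script prefixes ('LATIN', 'CYRILLIC', ...) of the letters in text."""
    found = set()
    for ch in text:
        if ch.isalpha():
            name = unicodedata.name(ch, "")
            found.add(name.split(" ")[0])
    return found

def skeleton(text):
    """Replace known Cyrillic confusables with the Latin letters they imitate."""
    return "".join(CYRILLIC_TO_LATIN.get(ch, ch) for ch in text)

def check_header(value):
    """Return (mixed_script, de-homoglyphed text, scripts) for one header value."""
    scripts = scripts_used(value)
    mixed = "LATIN" in scripts and "CYRILLIC" in scripts
    return mixed, skeleton(value), scripts

def scan_headers(headers):
    """Return {field: de-homoglyphed value} for every field that mixes Latin and Cyrillic."""
    hits = {}
    for field, value in headers.items():
        mixed, skel, _ = check_header(value)
        if mixed:
            hits[field] = skel
    return hits

# Constructed sample: 'o' and 'a' in From/Subject are Cyrillic U+043E / U+0430.
SAMPLE_HEADERS = {
    "From": "L\u043ead B\u043eard Supp\u043ert <noreply@example.com>",
    "Subject": "R\u0430te c\u043enfirmation needed",
    "To": "dispatch@example.net",
}

if __name__ == "__main__":
    for field, skel in scan_headers(SAMPLE_HEADERS).items():
        print(f"{field}: mixed-script homoglyphs, reads as {skel!r}")
```

A pure-Cyrillic value is not flagged, since only the Latin/Cyrillic mix is the evasion signal; a full deployment would use the complete Unicode confusables data rather than this short table.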

Voice phishing and infiltration of Telegram channels frequented by trucking and logistics personnel were also used in the attacks.

When a victim clicks a phishing link, they land on a minimal HTML page on a '.com' domain with a full-screen iframe that loads the phishing content, followed by a 9-stage cloaking process on the system domain (.top/.icu).

The phishing pages are pixel-level clones of the targeted logistics platforms. Depending on the target, they may capture credentials, permit data, MC/DOT numbers, RMIS login details, PINs, two-factor authentication codes, security tokens, payment amounts, payee names, and check numbers.

[Figure: Two phishing pages used in the same attack string. Source: Have I Been Squatted]

The phishing process is under the operator's direct control: the operator decides when to approve each step and activates the next phases via Telegram bots.

Possible actions include requesting a password for Google, Microsoft Office 365, or Yahoo, requesting 2FA methods, redirecting the victim, and even blocking them mid-session.

[Figure: Overview of the attack. Source: Have I Been Squatted]

The researchers state that the Diesel Vortex operation, including panel and phishing domains and GitLab repositories, was disrupted following a coordinated action involving GitLab, Cloudflare, Google Threat Intelligence, CrowdStrike, and Microsoft Threat Intelligence Center.

For its part, Ctrl-Alt-Intel carried out an OSINT investigation starting from the operators' Telegram chats in Armenian about stealing cargo or funds, and from an email address.

Together with a domain name found in the phishing panel's source code, the researchers revealed connections to individuals and companies in Russia involved in wholesale trade, transportation, and warehousing.

The researchers noted that "the same email identified used to register phishing infrastructure appears in [Russian] corporate filings for logistics companies operating in the same vertical targeted by Diesel Vortex."

Based on the uncovered evidence, the researchers determined that Diesel Vortex not only stole credentials but also coordinated activities related to freight impersonation, mailbox compromise, and double brokering or cargo diversion.

Double brokering refers to using stolen carrier identities to book loads and then reassigning or diverting the freight shipments, which allows the goods to be sent to fraudulent pickup points so they can be stolen.

The full indicators of compromise (IoCs), including network, Telegram, infrastructure, email, and cryptocurrency addresses, are available at the bottom of the Have I Been Squatted report.
