A financially motivated threat group dubbed "Diesel Vortex" is stealing credentials from freight and logistics operators in the U.S. and Europe in phishing attacks that use 52 domains.
In a campaign that has been running since September 2025, the threat actor has stolen 1,649 unique credentials for platforms and service providers critical to the freight industry.
Some of the Diesel Vortex victims include DAT Truckstop, TIMOCOM, Teleroute, Penske Logistics, Girteka, and Electronic Funds Source (EFS).

Researchers at the typosquatting monitoring platform Have I Been Squatted uncovered the campaign after discovering an exposed repository containing an SQL database from a phishing project that the threat actor called Global Profit and marketed to other cybercriminals under the name MC Profit Always.
The repository also included a file with Telegram webhook logs that exposed communications between the phishing service operators. Based on the language used, the researchers believe that Diesel Vortex is an Armenian-speaking actor linked to Russian infrastructure.
Have I Been Squatted's analysis was joined by tokenization infrastructure provider Ctrl-Alt-Intel, which used open-source intelligence to connect operators, infrastructure, and various companies.
In a lengthy technical report, the typosquatting protection provider states that it uncovered almost 3,500 stolen credential pairs, 1,649 of them unique.

Source: Have I Been Squatted
The researchers say they also found a link to a mind map created by a member of the group, which describes a "highly organised operation" complete with a call-centre, mail support, programmer roles, and staff responsible for finding drivers, carriers, and logistics contacts.
Additionally, the map provided details about acquisition channels, which included the DAT One market, email campaigns, and rate confirmation fraud, and about the income for the various operational tiers.
“The [Diesel Vortex] group built dedicated phishing infrastructure for platforms used daily by freight brokers, trucking companies, and supply chain operators. Load boards, fleet management portals, fuel card systems, and freight exchanges were all in scope,” Have I Been Squatted researchers say.
“These platforms sit at the intersection of high transaction volumes and the targeted workforce isn’t typically the primary focus of enterprise security programs, and the operators clearly knew it.”
The attacks involve sending phishing emails to targets through the phishing kit's mailer, using Zoho SMTP and ZeptoMail, and mixing Cyrillic homoglyphs into the sender and subject fields so that brand names and keywords slip past string-matching security filters.
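As an added example (not code from the Have I Been Squatted report), the check below flags the header trick just described on the receiving side: it parses a constructed message, lets the email library decode the RFC 2047 encoded subject, and reports tokens that either mix Latin and Cyrillic letters or spell a watched brand entirely in lookalike Cyrillic. The confusables table, the brand list and the sample message are assumptions made for this illustration.

```python
"""Flag Cyrillic-for-Latin homoglyphs in From/Subject headers.

Added example, not code from the Have I Been Squatted report: the
confusables table is a hand-picked subset, and the watched-brand list and
the sample message are constructed for illustration.
"""
import unicodedata
from email import message_from_string
from email.policy import default as EMAIL_POLICY

# Cyrillic letters whose glyphs match Latin letters in common fonts
# (a subset of the Unicode confusables data, chosen for this example).
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u0455": "s",
    "\u04bb": "h",
    "\u0410": "A", "\u0412": "B", "\u0421": "C", "\u0415": "E", "\u041d": "H",
    "\u0406": "I", "\u0408": "J", "\u041a": "K", "\u041c": "M", "\u041e": "O",
    "\u0420": "P", "\u0422": "T", "\u0425": "X",
}

# Brands named in the report; in practice this would be the load boards and
# portals your own fleet logs into (assumption).
WATCHED_BRANDS = ("dat", "timocom", "teleroute", "penske", "girteka", "efs")


def script_of(ch):
    """Return 'Latin', 'Cyrillic' or None (digits, punctuation, other)."""
    name = unicodedata.name(ch, "")
    for script in ("LATIN", "CYRILLIC"):
        if name.startswith(script):
            return script.title()
    return None


def skeleton(text):
    """Replace Cyrillic lookalikes with the Latin letters they imitate."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in text)


def analyze_text(text):
    """Return [(token, reason)] for tokens that look like homoglyph abuse.

    Rule 1: a token mixing Latin and Cyrillic letters is rare in legitimate
            mail and worth flagging on its own.
    Rule 2: a token written entirely in lookalike Cyrillic that spells a
            watched brand once mapped back to Latin.
    """
    hits = []
    for raw in text.split():
        token = raw.strip('"<>,;()')
        scripts = {script_of(ch) for ch in token} - {None}
        mapped = skeleton(token)
        if len(scripts) > 1:
            hits.append((token, "mixed scripts %s -> %r" % (sorted(scripts), mapped)))
        elif mapped != token and any(b in mapped.lower() for b in WATCHED_BRANDS):
            hits.append((token, "Cyrillic spelling of watched brand -> %r" % mapped))
    return hits


def inspect_message(raw_message):
    """Parse an RFC 5322 message and check its From and Subject headers.

    email.policy.default decodes RFC 2047 encoded-words, so the Q-encoded
    subject below is inspected as the text the recipient would actually see.
    """
    msg = message_from_string(raw_message, policy=EMAIL_POLICY)
    report = {}
    for field in ("From", "Subject"):
        value = msg.get(field)
        if value is None:
            continue
        hits = analyze_text(str(value))
        if hits:
            report[field] = hits
    return report


# Constructed sample: Cyrillic A (U+0410) and o (U+043E) replace Latin letters
# in the display name, and the subject hides the same 'o' in an encoded-word.
SAMPLE_MESSAGE = (
    "From: D\u0410T One L\u043ead Board <alerts@dat-one.example>\n"
    "To: dispatch@carrier.example\n"
    "Subject: =?utf-8?q?Rate_Confirmation_-_L=D0=BEad_48213?=\n"
    "\n"
    "A new load matching your lane has been posted. Log in to confirm.\n"
)

if __name__ == "__main__":
    for field, hits in inspect_message(SAMPLE_MESSAGE).items():
        for token, reason in hits:
            print("%-8s %-10s %s" % (field, token, reason))
```

Decoding the encoded-word before inspection is the important design choice: a filter that matches on the raw header bytes never sees the Cyrillic letter, which is precisely why the technique works against naive keyword rules. A production version would use the full Unicode confusables table rather than this hand-picked subset.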
Voice phishing and infiltration of Telegram channels frequented by trucking and logistics personnel were also used in the attacks.
When a victim clicks a phishing link, they land on a minimal HTML page on a '.com' domain with a full-screen iframe that loads the phishing content, followed by a nine-stage cloaking process on the system domain (.top/.icu).
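An added example, not the researchers' tooling, that scores a fetched landing page for the hand-off shell described above: a near-empty page whose body is a single full-viewport iframe pulling content from a different registrable domain, with extra weight when that domain ends in .top or .icu. The two sample pages, the hostnames in them, the crude eTLD+1 rule and the thresholds are constructed for illustration.

```python
"""Score a landing page for the '.com shell -> full-screen iframe' hand-off.

Added example, not code from the report. The sample pages and the domains
in them are constructed; SUSPECT_TLDS and the thresholds are assumptions.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

SUSPECT_TLDS = {"top", "icu"}   # TLDs the report names for the system domain
MAX_VISIBLE_CHARS = 40          # a genuine login page carries more text than this

HIDDEN_TAGS = ("script", "style", "head", "title")


class PageScan(HTMLParser):
    """Collect iframe attributes and count text a user would actually see."""

    def __init__(self):
        super().__init__()
        self.iframes = []
        self.visible_chars = 0
        self._hidden_depth = 0

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({k: (v or "") for k, v in attrs})
        elif tag in HIDDEN_TAGS:
            self._hidden_depth += 1

    def handle_endtag(self, tag):
        if tag in HIDDEN_TAGS and self._hidden_depth:
            self._hidden_depth -= 1

    def handle_data(self, data):
        if not self._hidden_depth:
            self.visible_chars += len(data.strip())


def _fills_viewport(attrs):
    """True if the frame is sized to cover the whole window."""
    style = attrs.get("style", "").replace(" ", "").lower()
    full_w = "width:100%" in style or "width:100vw" in style or attrs.get("width") == "100%"
    full_h = "height:100%" in style or "height:100vh" in style or attrs.get("height") == "100%"
    return full_w and full_h


def _registrable(host):
    """Crude eTLD+1 (last two labels); use a public-suffix library in production."""
    return ".".join(host.lower().split(".")[-2:])


def assess_landing_page(landing_url, html):
    """Return per-iframe reasons plus an overall 'suspicious' verdict."""
    scan = PageScan()
    scan.feed(html)
    landing_host = urlparse(landing_url).hostname or ""
    findings = []
    for frame in scan.iframes:
        src = frame.get("src", "")
        host = urlparse(src).hostname or ""
        reasons = []
        if host and _registrable(host) != _registrable(landing_host):
            reasons.append("cross-domain")
        if host.rsplit(".", 1)[-1] in SUSPECT_TLDS:
            reasons.append("suspect TLD")
        if _fills_viewport(frame):
            reasons.append("full-viewport")
        findings.append((src, reasons))
    handoff = any({"cross-domain", "full-viewport"} <= set(r) for _, r in findings)
    return {
        "iframes": findings,
        "visible_chars": scan.visible_chars,
        "suspicious": handoff and scan.visible_chars <= MAX_VISIBLE_CHARS,
    }


# Constructed: mirrors the described pattern (.com shell, .top system domain).
PHISH_SHELL = """<!doctype html><html><head><title>Sign in</title>
<style>html,body{margin:0;height:100%;overflow:hidden}</style></head>
<body><iframe src="https://carrier-portal-verify.example.top/s/?c=7"
style="position:fixed;top:0;left:0;width:100%;height:100%;border:0"></iframe>
</body></html>"""

# Constructed: an ordinary page that embeds a same-site widget.
LEGIT_PAGE = """<html><head><title>Carrier Portal</title></head><body>
<h1>Carrier Portal</h1><p>Welcome back. Review your posted loads, update
insurance documents, and manage fuel card limits from the menu.</p>
<iframe src="https://widgets.carrier-portal.example/rates" width="600" height="300"></iframe>
</body></html>"""

if __name__ == "__main__":
    print(assess_landing_page("https://carrier-portal-login.example.com/", PHISH_SHELL))
    print(assess_landing_page("https://carrier-portal.example/", LEGIT_PAGE))
```

Treat the verdict as a triage signal rather than a block decision: kiosk-style wrappers and some SSO bridges also embed a single full-window frame, so pair it with domain age, certificate issuance date and whether the framed host resolves to the same infrastructure as the landing host.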
The phishing pages are pixel-level clones of the targeted logistics platforms. Depending on the target, they may capture credentials, permit data, MC/DOT numbers, RMIS login details, PINs, two-factor authentication codes, security tokens, payment amounts, payee names, and check numbers.

Source: Have I Been Squatted
The phishing flow is under the operator's direct control: the operator decides when to approve each step and activates the next phase via Telegram bots.
Possible actions include requesting a password for Google, Microsoft Office 365, or Yahoo, requesting 2FA methods, redirecting the victim, and even blocking them mid-session.

Source: Have I Been Squatted
The researchers state that the Diesel Vortex operation, including the panel and phishing domains and the GitLab repositories, was disrupted following a coordinated action involving GitLab, Cloudflare, Google Threat Intelligence, CrowdStrike, and the Microsoft Threat Intelligence Center.
For its part, Ctrl-Alt-Intel conducted an OSINT investigation starting from the operators' Telegram chats in Armenian about stealing cargo or funds, and from an email address.
Together with a domain name found in the phishing panel's source code, the researchers revealed connections to individuals and companies in Russia involved in wholesale trade, transportation, and warehousing.
The researchers noted that "the same email identified used to register phishing infrastructure appears in [Russian] corporate filings for logistics companies operating in the same vertical targeted by Diesel Vortex."
Based on the uncovered evidence, the researchers determined that Diesel Vortex not only stole credentials but also coordinated actions related to freight impersonation, mailbox compromise, and double-brokering or cargo diversion.
Double brokering refers to the use of stolen carrier identities to book loads and then reassign or divert the freight, which allows the goods to be sent to fraudulent pickup points where they can be stolen.
The full list of indicators of compromise (IoCs), including network, Telegram, infrastructure, email, and cryptocurrency addresses, is available at the bottom of the Have I Been Squatted report.
