
Russian phishing service targets freight & logistics

Thu, 26th Feb 2026

Cybersecurity researchers have uncovered a Russian-run phishing-as-a-service operation that targeted freight and logistics organisations across the United States and Europe, with more than 1,600 unique login credentials confirmed stolen.

A joint investigation by Have I Been Squatted and Ctrl-Alt-Intel found that the group, dubbed Diesel Vortex, ran the campaign for at least five months, from September 2025 to February 2026. It focused on operational systems used by brokers, carriers, and supply-chain teams, including load boards, fuel card systems, freight exchanges, and fleet management portals.

Victims included users of platforms such as DAT Truckstop, Penske Logistics, Electronic Funds Source, and Timocom. Attackers used targeted phishing and voice phishing to capture credentials and multi-factor authentication codes in real time, then moved into secondary compromises and fraud workflows.

The findings add detail to a broader shift in cybercrime towards service-style models, in which toolkits and infrastructure are packaged for reuse. Freight and logistics has become a consistent target because access to daily operational platforms can enable financial fraud, disrupted shipments, and account takeovers across partner networks.

Fraud trail

Investigators identified 35 confirmed EFS check-fraud attempts recorded in the group's backend at the time of analysis. Recovered artefacts did not allow a complete measure of downstream impact across victims, but explicit fraud records and evidence of operator-driven session control pointed to a deliberate workflow that moved from credential theft to monetisation.

A key breakthrough came from an exposed .git directory on a phishing domain, which allowed investigators to reconstruct the actor's codebase and supporting database dumps. The material provided an unusually complete view of the internal tooling and how the operation worked.

The artefacts also showed development work on a broader phishing-as-a-service platform branded internally as GlobalProfit, apparently connected to the phrase "MC Profit Always". The code reflected ongoing iteration up to the point of discovery, consistent with preparations for a wider rollout.

"Diesel Vortex is a textbook example of modern domain abuse that we're seeing increasingly these days: typosquatting at scale, rapid domain rotation, and infrastructure designed to stay online even when individual domains get flagged," said a spokesperson at Have I Been Squatted.

Operator console

The report highlights a real-time control loop that routed victim sessions through a Telegram-driven console. Within the recovered framework, operators received victim notifications in Telegram and could issue actions via inline buttons that altered the victim experience as it happened.

Actions included routing victims between modules, forcing page refreshes, redirecting victims, and adding bans or extra verification steps. The system carried out these instructions by repeatedly polling a backend endpoint, retrieving pending commands and relaying them into the phishing page. This approach let attackers adapt the phishing journey to each victim instead of relying on static lures.

Diesel Vortex also used a dual-domain architecture intended to reduce detection. One domain served as the top-level address shown in the browser, while the phishing content loaded from a second "system" domain inside an iframe. This structure can complicate enforcement based on blocklists when protections focus on top-level pages rather than embedded content.

The group also rotated domains quickly, enabling it to replace infrastructure within minutes without disrupting operator workflows.

Cloaking layers

The report describes a multi-stage cloaking funnel designed to hinder automated scanning and casual discovery. It included time-window scheduling, IP and ISP filtering, user-agent filtering, and a required URL parameter that acted as a campaign token gate. These measures made the phishing surface harder to find through generic crawling while remaining usable for targeted delivery.

Investigators also documented homoglyph techniques in lure content, including Cyrillic characters embedded in otherwise English text, which could bypass basic keyword filters. Recovered materials contained embedded Telegram references that investigators linked to operators and a broader support ecosystem.

The analysis also found indicators of a monetised service model, including crypto-linked coordination and references to subscription-style access and payment flows. The findings suggest Diesel Vortex operated as a service or platform capable of supporting multiple operators, rather than a single group running isolated campaigns.

Defence steps

The report recommends adopting phishing-resistant multi-factor authentication, such as FIDO2 or passkeys, where feasible. Diesel Vortex's real-time interception and operator steering can defeat SMS-based and TOTP-based codes, while hardware-backed, device-bound authentication does not share the same weakness.
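To make the difference concrete, here is a small model of the two authentication paths, written for this article and not taken from the report or any of the products named. A relying party hands out a challenge; a device-bound credential signs the challenge together with the origin the browser reports, and the server rejects any assertion whose origin is not its own. A TOTP code, by contrast, names no site, so a code typed on a lookalike page stays valid on the real site for the rest of its window. The "signature" here is an HMAC under a per-credential secret standing in for a WebAuthn public-key signature, and the origins are constructed; the TOTP routine follows RFC 6238 (SHA-1, 30-second step).

```python
"""Origin-bound assertion vs. relayable TOTP code (added illustration;
HMAC stands in for the authenticator's public-key signature)."""
import hashlib
import hmac
import json
import secrets

RP_ORIGIN = "https://portal.example"        # constructed: the genuine portal
LOOKALIKE = "https://portal-example.com"     # constructed: operator's lookalike


class Authenticator:
    """Stand-in for a device-bound credential. The browser, not the user,
    fills in the origin, so a victim on the lookalike signs LOOKALIKE."""
    def __init__(self):
        self.secret = secrets.token_bytes(32)

    def sign(self, origin, challenge):
        client_data = json.dumps({"origin": origin, "challenge": challenge},
                                 sort_keys=True).encode()
        sig = hmac.new(self.secret, client_data, hashlib.sha256).digest()
        return {"client_data": client_data, "signature": sig}


class RelyingParty:
    def __init__(self, authenticator):
        self.key = authenticator.secret      # stands in for the stored public key
        self.pending = set()

    def new_challenge(self):
        c = secrets.token_hex(16)
        self.pending.add(c)
        return c

    def verify(self, assertion):
        data = json.loads(assertion["client_data"])
        if data["origin"] != RP_ORIGIN:      # origin binding: a relayed login fails here
            return False
        if data["challenge"] not in self.pending:
            return False
        self.pending.discard(data["challenge"])  # challenges are single-use
        expected = hmac.new(self.key, assertion["client_data"], hashlib.sha256).digest()
        return hmac.compare_digest(expected, assertion["signature"])


def make_pair():
    auth = Authenticator()
    return RelyingParty(auth), auth


def passkey_legit(rp, auth):
    """Victim signs in on the genuine origin: accepted."""
    return rp.verify(auth.sign(RP_ORIGIN, rp.new_challenge()))


def passkey_relayed(rp, auth):
    """Operator fetches a real challenge and presents the prompt on the
    lookalike; the signed client data names LOOKALIKE, so the RP rejects it."""
    return rp.verify(auth.sign(LOOKALIKE, rp.new_challenge()))


def totp(secret, unix_time, digits=6, step=30):
    """RFC 6238 TOTP over HMAC-SHA1."""
    counter = (unix_time // step).to_bytes(8, "big")
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = int.from_bytes(mac[off:off + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def verify_totp(secret, code, unix_time, step=30, skew=1):
    """Typical server check: current window plus one step either side."""
    return any(hmac.compare_digest(totp(secret, unix_time + k * step), code)
               for k in range(-skew, skew + 1))


def totp_relayed(secret, victim_time, relay_delay=5):
    """Nothing in the code ties it to the page it was typed on: forwarded a
    few seconds later, it is still accepted by the real site."""
    code = totp(secret, victim_time)                       # typed on the lookalike
    return verify_totp(secret, code, victim_time + relay_delay)


if __name__ == "__main__":
    rp, auth = make_pair()
    print("passkey on genuine origin :", passkey_legit(rp, auth))
    print("passkey relayed via lookalike:", passkey_relayed(rp, auth))
    print("TOTP code relayed          :", totp_relayed(b"12345678901234567890", 1_000_000))
```

The origin check is the whole story: the relying party never has to know a lookalike exists, because the assertion itself carries the origin the browser saw. The same model also shows why the challenge must be single-use, since a captured assertion for the right origin would otherwise replay.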

Other measures include proactive monitoring for typosquatting against logistics brands, tighter access controls around freight and fuel portals, and rapid internal alerting when unusual sign-in patterns occur. The report highlights sign-ins that occur immediately after inbound email or phone-based support interactions as a pattern worth close attention.
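Two of the checks the report points at, the keyword-filter evasion with Cyrillic letters in English lure text and the monitoring for typosquats against logistics brands, share one building block: folding Cyrillic confusables back to their Latin look-alikes. The example below is written for this article, not taken from the report or from Have I Been Squatted's tooling. It flags tokens whose letters span more than one script, and it scores observed domain labels against a list of protected brand labels after folding, by edit distance and by brand containment. The brand and observed domains are constructed, the confusable table is a hand-picked subset of the Unicode confusables, and the registrable-label logic is deliberately naive (no public-suffix list).

```python
"""Mixed-script lure detection and lookalike-domain scoring (added example;
brand domains and confusable table are constructed/illustrative)."""
import unicodedata

# Cyrillic letters that render like Latin letters (subset, constructed here)
CONFUSABLES = {
    "а": "a", "е": "e", "о": "o", "р": "p", "с": "c", "х": "x", "у": "y",
    "і": "i", "ј": "j", "ѕ": "s", "һ": "h", "ԁ": "d", "ԛ": "q", "ԝ": "w",
    "А": "A", "В": "B", "Е": "E", "К": "K", "М": "M", "Н": "H", "О": "O",
    "Р": "P", "С": "C", "Т": "T", "Х": "X",
}


def scripts_of(token):
    """Set of script names ('LATIN', 'CYRILLIC', ...) used by a token's letters."""
    return {unicodedata.name(ch, "").split(" ")[0] for ch in token if ch.isalpha()}


def mixed_script_tokens(text):
    """Tokens whose letters come from more than one script. A wholly Cyrillic
    word is not flagged; the signal is the mix inside one word."""
    flagged = []
    for tok in text.split():
        word = tok.strip(".,;:!?\"'()")
        if len(scripts_of(word)) > 1:
            flagged.append(word)
    return flagged


def fold_confusables(s):
    return "".join(CONFUSABLES.get(ch, ch) for ch in s)


def levenshtein(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain):
    """Second-level label, with punycode decoded. Naive: no public-suffix list."""
    d = domain.lower().rstrip(".")
    if "xn--" in d:
        try:
            d = d.encode("ascii").decode("idna")
        except UnicodeError:
            pass
    parts = d.split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def lookalike_domains(observed, brands, max_distance=2):
    """Return (observed_domain, brand_domain, reason) for observed domains whose
    folded label is a homoglyph of, within max_distance edits of, or contains
    a protected brand label."""
    findings = []
    brand_labels = {b: registrable_label(b) for b in brands}
    for dom in observed:
        raw = registrable_label(dom)
        folded = fold_confusables(raw)
        for brand, bl in brand_labels.items():
            if dom.lower() == brand.lower():
                continue                                   # the brand itself
            dist = levenshtein(folded, bl)
            if dist == 0:
                reason = "homoglyph" if folded != raw else "same-label-other-tld"
            elif dist <= max_distance:
                reason = "typosquat"
            elif bl in folded:
                reason = "contains-brand"
            else:
                continue
            findings.append((dom, brand, reason))
    return findings


# Constructed sample data for a stand-alone run
BRANDS = ["loadboard.example", "fuelcard.example", "freightexchange.example"]
OBSERVED = ["loadboard.example", "laodboard.example", "l\u043eadboard.example",
            "fuelcard-login.example", "unrelated.example"]

if __name__ == "__main__":
    print(mixed_script_tokens("Your l\u043ead confirmation is ready"))
    for hit in lookalike_domains(OBSERVED, BRANDS):
        print(hit)
```

The mixed-script check catches the exact trick described above without any keyword list, and the folding step means a registered lookalike with a Cyrillic "о" scores as an exact match rather than slipping past an edit-distance threshold. In production the label extraction should use a public-suffix list, and a fuller confusables table (Unicode's confusables.txt) should replace the hand-picked subset.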

The research groups also described a coordinated disruption and victim-notification effort with multiple organisations. They acknowledged assistance from Mandiant, Google Threat Intelligence, Cloudflare, GitLab, IPInfo, Ping Identity, Microsoft Threat Intelligence Centre, and CrowdStrike, alongside affected parties involved in notifications.