For transportation, logistics, and freight firms, these findings reinforce the importance of monitoring for unauthorized remote management tools, suspicious PowerShell activity, and abnormal browser telemetry associated w/ financial platform access.
See our blog for more details.
Posts by ThreatInsight
Their goal: to support crime and financial exploitation targeting the transportation industry, including cargo theft.
Notably, the use of a signing as a service capability underscores a growing trend toward attackers' use of legitimate trust mechanisms to evade detection.
In this case, the extended interaction revealed persistence through multiple remote management tools, the use of a previously unknown signing as a service capability designed to evade detection and suppress security warnings, and extensive post-compromise reconnaissance activity.
We previously reported on this threat actor in Nov. 2025. The group is the largest of about a dozen actors we track in this vertical.
It works with organized crime groups to compromise entities, leading to cargo freight hijacking & the theft of physical goods. www.proofpoint.com/us/blog/thre...
Email content sent after responding to a fraudulent load posted on a load board.
Proofpoint baited a cargo/transport industry threat actor into performing its malicious activities in a decoy environment operated by Deception.Pro for 30+ days.
What resulted: rare, extended visibility into post-compromise operations, tooling, & decision-making. www.proofpoint.com/us/blog/thre...
Our new Discarded podcast episode explores the stealthy world of backdoors, malware detection, and the “secret signals” threat actors use to stay hidden.
Stream now for expert insights on signature development, PCAP analysis, and countering espionage tools.
🎙️ www.proofpoint.com/us/podcasts/...
This activity shows how attackers can abuse legitimate platform features that Microsoft users rely on every day.
While mailbox rules are designed to help organize email, attackers leverage them to silently control email flow w/o alerting victims.
Our blog has example scenarios.
This tactic can be implemented with a bit of manual work and fully automated across compromised accounts, enabling scalability.
Combined with third-party services and domain spoofing, attackers hijack threads, impersonate victims & manipulate vendor comms—all without network interception.
We've seen attackers abuse mailbox rules for exfiltration, persistence, and communication manipulation.
Why? A few objectives:
• Covert data exfiltration
• Victim deception and email suppression
• Persistence without malware
• Man-in-the-middle activity
Rule creation example in Microsoft Outlook.
Have you checked your mailbox rules lately?
Proofpoint cloud threat researchers found that approx. 10% of compromised accounts in Q4-2025 had malicious mailbox rules created by threat actors shortly after initial access.
Details: www.proofpoint.com/us/blog/thre...
Here are some highlights. ⤵️
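A detection check for the malicious mailbox-rule pattern described in the posts above, written as an added example and not Proofpoint's own code: it parses constructed Exchange Online audit records for New-InboxRule / Set-InboxRule operations and flags rules that forward mail externally, delete or hide it, or key on financial and security terms. The internal domain list, hiding-folder names and keyword set are assumptions to be tuned per tenant.

```python
import json

# Constructed sample audit records (not real data) in the shape Exchange Online
# uses for inbox-rule operations: an Operation name plus a list of {Name, Value}.
SAMPLE_RECORDS = [
    json.dumps({"Operation": "New-InboxRule", "UserId": "alice@example.com", "Parameters": [
        {"Name": "Name", "Value": "."},
        {"Name": "SubjectContainsWords", "Value": "invoice;payment;password"},
        {"Name": "ForwardTo", "Value": "collector@attacker.example"},
        {"Name": "DeleteMessage", "Value": "True"}]}),
    json.dumps({"Operation": "Set-InboxRule", "UserId": "bob@example.com", "Parameters": [
        {"Name": "Name", "Value": "Newsletters"},
        {"Name": "From", "Value": "news@example.com"},
        {"Name": "MoveToFolder", "Value": "Reading"}]}),
    json.dumps({"Operation": "New-InboxRule", "UserId": "carol@example.com", "Parameters": [
        {"Name": "Name", "Value": "..."},
        {"Name": "BodyContainsWords", "Value": "wire;bank"},
        {"Name": "MoveToFolder", "Value": "RSS Feeds"},
        {"Name": "MarkAsRead", "Value": "True"}]}),
]

INTERNAL_DOMAINS = {"example.com"}  # assumption: the tenant's own domains
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history", "junk email", "deleted items", "archive"}
SUSPECT_WORDS = {"invoice", "payment", "password", "wire", "bank", "hacked", "phish", "security"}
KEYWORD_PARAMS = ("SubjectContainsWords", "BodyContainsWords", "SubjectOrBodyContainsWords")

def parse_record(line):
    rec = json.loads(line)
    params = {p["Name"]: str(p.get("Value", "")) for p in rec.get("Parameters", [])}
    return rec.get("Operation", ""), rec.get("UserId", ""), params

def external_addresses(value):
    addrs = [a.strip() for a in value.replace(";", ",").split(",") if a.strip()]
    return [a for a in addrs if a.split("@")[-1].lower() not in INTERNAL_DOMAINS]

def rule_findings(params):
    findings = []
    for key in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
        if params.get(key) and external_addresses(params[key]):
            findings.append(f"{key} to external address")
    if params.get("DeleteMessage", "").lower() == "true":
        findings.append("DeleteMessage")
    if params.get("MoveToFolder", "").lower() in HIDING_FOLDERS:
        findings.append("MoveToFolder hides mail in a rarely viewed folder")
    for key in KEYWORD_PARAMS:
        words = {w.strip().lower() for w in params.get(key, "").split(";")}
        if words & SUSPECT_WORDS:
            findings.append(f"{key} matches financial/security keywords")
    if "Name" in params and not params["Name"].strip(". "):
        findings.append("rule name is only dots/whitespace")
    return findings

def scan(lines):
    alerts = []
    for line in lines:
        op, user, params = parse_record(line)
        if op not in ("New-InboxRule", "Set-InboxRule"):
            continue
        findings = rule_findings(params)
        # Keyword matches alone are common in benign rules; alert only when paired
        # with an action that exfiltrates, suppresses or hides mail.
        if any(not f.startswith(KEYWORD_PARAMS) for f in findings):
            alerts.append({"user": user, "operation": op, "findings": findings})
    return alerts
```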
This activity sheds light on TA416’s priorities. Shifting back to targeting Europe & expanding to Middle Eastern gov'ts displays how it's likely influenced by geopolitical flashpoints and escalations.
Our blog has details on TA416 campaigns, infection chains, and infrastructure.
The group frequently altered infection chains but maintained core elements of its tradecraft, using tactics like fake Cloudflare Turnstile pages, Entra ID app abuse, and CSPROJ downloaders to deliver PlugX via DLL sideloading.
From mid-2025 to early 2026, TA416 ran web bug and malware campaigns using freemail and compromised accounts, with lures to track engagement and deliver malicious archives via cloud services.
In March 2026, after the outbreak of the Iran war, TA416 targeted Middle Eastern govt and diplomatic entities.
This was a departure from its usual focus and aligned with a broader shift by state-aligned actors to gather regional intel on the conflict’s trajectory and impact.
This renewed focus, observed since mid-2025, most heavily targeted individuals or mailboxes associated with diplomatic missions and delegations to NATO and the EU.
The timing aligned with heightened EU–China tensions over trade, the Russia–Ukraine war, and rare earths exports.
After a lull in activity targeting Europe from mid-2023 to mid-2025, the China-aligned espionage actor #TA416 (RedDelta, Vertigo Panda, Red Lich) has resumed targeting European government and diplomatic entities, with a recent expansion to the Middle East. brnw.ch/21x1f0j
Our blog also shares recent examples from other cybercriminals delivering payloads via RMMs, credential phishing, and W-2 fraud.
While it's a popular time for these types of lures, financial-themed campaigns are effective year-round.
Educate your users and encourage vigilance.
Phishing lure impersonating the IRS delivering N-able RMM.
In the example below from 5 Feb 2026, we observed a campaign impersonating the U.S. IRS. The lure purported to relate to the target’s recent IRS filing.
IRS is a common lure theme used by criminals, as impersonating government agencies can be an effective social engineering tactic.
We've tracked examples targeting firms in the U.S., as well as Canada, Australia, Switzerland, and Japan, among others.
The most common payloads delivered via tax themes are RMMs. We've seen them deliver Datto, N-Able, RemotePC, and Zoho Assist, among others.
New tactics and activity 👉 An increase in RMM payloads, activity from newly identified threat actors, and a broader variety of social engineering lures.
Same end goal 👉 To trick your users into clicking malicious links, downloading infected files, or sharing sensitive information.
Monetary concerns + federal deadlines + abundance of “time-sensitive” email advertisements. Tax season is a recipe for cybercrime.
Proofpoint researchers have seen hundreds of malicious tax-themed campaigns this year.
Read the threat brief here: brnw.ch/21x1bsT.
This is a notable adoption, as Proofpoint has not previously observed TA446 targeting iOS devices.
The targeting Proofpoint observed in the email campaigns was much wider than usual and included government, think tank, higher education, financial, and legal entities, indicating that this new capability led TA446 to attempt to use DarkSword opportunistically against a broader target set.
Proofpoint did not directly observe the iOS exploit kit delivery but believes the actor has adopted the exploit kit for the purposes of credential harvesting and intelligence collection.
Related compromised first stage domains also include motorbeylimited[.]com and bridetvstreaming[.]org. Only the activity from March 26 spoofing Atlantic Council has been linked to DarkSword usage; previous TA446 activity shows no indication of exploit use.
A submission on @URLScan (urlscan.io/result/019d2...) confirmed that the TA446-controlled domain was serving the DarkSword exploit kit, including the initial redirector, exploit loader, RCE, and PAC bypass components. The sandbox escapes were not observed.
A DarkSword loader uploaded to VirusTotal (MD5: 5fa967dbef026679212f1a6ffa68d575) referenced escofiringbijou[.]com, a TA446 second-stage domain independently observed by Proofpoint, corroborating the group's use of DarkSword.
New reports on TA446 using the DarkSword iOS exploit kit were intriguing. The DarkSword iOS exploit kit was recently published on GitHub, but Proofpoint had not yet observed it in use in the wild.
The activity on March 26 was a similar spike, but with links instead of attachments. Proofpoint's automated analysis was redirected to a benign decoy PDF, likely because of server-side filtering to only redirect iPhone browsers to the exploit kit.
The volume of emails from TA446 has been significantly higher over the last 2 weeks compared to normal operational tempo delivering the MAYBEROBOT backdoor via password-protected ZIP files.