Date: 04/21/2026
Severity: High
Summary
The team tracked a cargo theft threat actor’s post-compromise activity for over a month within a decoy environment run by Deception.pro. The attacker used multiple remote access tools to maintain persistence, including a previously unknown signing-as-a-service capability. Extensive reconnaissance was conducted to locate financial access points, payment systems, and cryptocurrency assets. This activity appeared aimed at enabling freight fraud and wider financial theft operations. Targeting of fuel card services, fleet payment platforms, and load boards suggests preparation for transportation-related crimes like cargo theft.
Indicators of Compromise (IOC) List
Domains/URLs:
  https://carrier-packets-docs.com/FREEDOM_FREIGHT_SERVICES_CARRIERS_ONBOARDING.vbs
  https://qto12q.top/pdf.ps1
  nq251os.top
  officcee404.com
  af124i1agga.anondns.net
  screlay.amtechcomputers.net
  signer.bulbcentral.com
  services-sc-files.s3.us-east-2.amazonaws.com
IP Address:
  147.45.218.0
Hash:
  1f89a432471ec2efe58df788c576007d6782bbdf5b572a5fbf5da40df536c9f5
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1:
domainname like "services-sc-files.s3.us-east-2.amazonaws.com" or url like "services-sc-files.s3.us-east-2.amazonaws.com" or siteurl like "services-sc-files.s3.us-east-2.amazonaws.com"
or domainname like "screlay.amtechcomputers.net" or url like "screlay.amtechcomputers.net" or siteurl like "screlay.amtechcomputers.net"
or domainname like "af124i1agga.anondns.net" or url like "af124i1agga.anondns.net" or siteurl like "af124i1agga.anondns.net"
or domainname like "officcee404.com" or url like "officcee404.com" or siteurl like "officcee404.com"
or domainname like "nq251os.top" or url like "nq251os.top" or siteurl like "nq251os.top"
or domainname like "signer.bulbcentral.com" or url like "signer.bulbcentral.com" or siteurl like "signer.bulbcentral.com"
or domainname like "https://carrier-packets-docs.com/FREEDOM_FREIGHT_SERVICES_CARRIERS_ONBOARDING.vbs" or url like "https://carrier-packets-docs.com/FREEDOM_FREIGHT_SERVICES_CARRIERS_ONBOARDING.vbs" or siteurl like "https://carrier-packets-docs.com/FREEDOM_FREIGHT_SERVICES_CARRIERS_ONBOARDING.vbs"
or domainname like "https://qto12q.top/pdf.ps1" or url like "https://qto12q.top/pdf.ps1" or siteurl like "https://qto12q.top/pdf.ps1"

Detection Query 2:
dstipaddress IN ("147.45.218.0") or srcipaddress IN ("147.45.218.0")

Detection Query 3:
sha256hash IN ("b861e3682ca3326d6b29561e4b11f930f4a9f10e9588a3d48b09aa6c36a8ea80","8a3d6a6870b64767ad2cc9ad4db728abf08bae84726b06be6cb97faac6c14ae4","de30bb1e367d8c9b8b7d5e04e5178f2758157302638f81480ba018331a6f853e","3dcb89430bae8d89b9879da192351506f4fdb7c67e253a27f58b3bf52101cd4c","1f89a432471ec2efe58df788c576007d6782bbdf5b572a5fbf5da40df536c9f5","f4977bfeae2a957add1aaf01804d2de2a5a5f9f1338f719db661ac4f53528747","82d603c0b387116b7effdee6f361ca982c188de0c208e681e942300a0139c03f","7f54cf5e2beb3f1f5d2b3ba1c6a16ce1927ffecd20a9d635329b1e16cb74fb14","d9832d9208b2c4a34cf5220b1ebaf11f0425cf638ac67bf4669b11c80e460f58")
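The three queries above can be replayed offline against normalized events to validate coverage before they go into production. The following script is an added example written for this advisory, not Gurucul's or Proofpoint's code: it loads the IOCs listed on this page, folds the two URL IOCs to their hostnames so that a DNS-only event (domainname populated, no url) still matches, which the literal string comparison in Query 1 would miss, compares IPs and SHA-256 values case-insensitively, and runs over a few constructed sample events. Field names (domainname, url, siteurl, srcipaddress, dstipaddress, sha256hash) are taken from the queries; the sample events are constructed and not real telemetry.

```python
from urllib.parse import urlparse

# Indicator values copied from the advisory above.
IOC_URLS = {
    "https://carrier-packets-docs.com/FREEDOM_FREIGHT_SERVICES_CARRIERS_ONBOARDING.vbs",
    "https://qto12q.top/pdf.ps1",
}
IOC_DOMAINS = {
    "nq251os.top", "officcee404.com", "af124i1agga.anondns.net",
    "screlay.amtechcomputers.net", "signer.bulbcentral.com",
    "services-sc-files.s3.us-east-2.amazonaws.com",
}
IOC_IPS = {"147.45.218.0"}
IOC_SHA256 = {"1f89a432471ec2efe58df788c576007d6782bbdf5b572a5fbf5da40df536c9f5"}

# Bare domains plus the host part of each URL IOC, so a DNS-only event
# (domainname set, no url) still matches the hosts behind the URL IOCs.
IOC_HOSTS = IOC_DOMAINS | {urlparse(u).hostname for u in IOC_URLS}

def _host_of(value: str) -> str:
    """Return the hostname of a URL, or the value itself if it is a bare host."""
    return (urlparse(value).hostname or "") if "://" in value else value

def match_event(event: dict) -> list[str]:
    """Return the names of the event fields that hit an IOC (empty if none)."""
    hits = []
    for field in ("domainname", "url", "siteurl"):
        value = event.get(field)
        if value and (value in IOC_URLS or _host_of(value).lower() in IOC_HOSTS):
            hits.append(field)
    for field in ("srcipaddress", "dstipaddress"):
        if event.get(field) in IOC_IPS:
            hits.append(field)
    if (event.get("sha256hash") or "").lower() in IOC_SHA256:
        hits.append("sha256hash")
    return hits

def scan(events: list[dict]) -> dict[int, list[str]]:
    """Map event id -> matched fields for every event that hit at least one IOC."""
    return {e["id"]: hits for e in events if (hits := match_event(e))}

# Constructed sample events using the field names from the queries (not real telemetry).
SAMPLE_EVENTS = [
    {"id": 1, "domainname": "carrier-packets-docs.com"},                   # DNS-only sighting
    {"id": 2, "url": "https://qto12q.top/pdf.ps1"},                        # exact URL IOC
    {"id": 3, "dstipaddress": "147.45.218.0", "srcipaddress": "10.0.0.5"},
    {"id": 4, "sha256hash": "1F89A432471EC2EFE58DF788C576007D6782BBDF5B572A5FBF5DA40DF536C9F5"},
    {"id": 5, "domainname": "example.com", "url": "https://example.com/"},  # benign
]
```

Running scan(SAMPLE_EVENTS) flags events 1 through 4 and leaves the benign event 5 unmatched; event 1 is the case a literal-URL comparison would miss.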
Reference:
https://www.proofpoint.com/us/blog/threat-insight/beyond-breach-inside-cargo-theft-actors-post-compromise-playbook