
Diesel Vortex phishing campaign targeting freight & logistics

Published: Fri 27 February 2026

Prepared by: Adam Skupien, Vulnerability Security Analyst

What is Happening

A financially motivated threat group, designated Diesel Vortex, has been targeting US and EU freight and logistics organisations with high-fidelity phishing designed to steal credentials and intercept MFA codes in real time. The resulting account takeover enables follow-on fraud such as invoice redirection and double-brokering/cargo diversion, as well as access to sensitive personal and commercial information and the theft of funds.

The current iteration of the campaign ran from Sep 2025 to Feb 2026, involved 52 phishing domains, and resulted in the compromise of 1,649 unique credentials. A public list of compromised accounts has not been released; however, the researchers at Have I Been Squatted report that affected parties supported victim/user notification efforts, and that sensitive data (including credentials/PII) was redacted from public reporting. This campaign was uncovered by Have I Been Squatted in collaboration with Ctrl-Alt-Intel.

Who is Targeted

US and EU freight brokers, trucking companies, and supply chain operators—particularly users of common logistics platforms and services (examples cited include DAT Truckstop, TIMOCOM, Teleroute, Penske Logistics, Girteka, and EFS).

How it Works

  • Delivery: targets receive spearphishing emails containing a link to an “advertise” domain (usually .com). Emails use spoofed sender personas and were sent through the platform’s built-in mailer (Zoho SMTP / Zeptomail).
  • Evasion: Cyrillic homoglyphs in the sender, subject and body, so that a word looks correct on screen but does not match the strings a mail filter is looking for.
  • Dual-domain “iframe” technique: the clean-looking advertise domain loads the real phishing site from a separate system domain (often .top/.icu) inside a full-screen iframe, so the victim only ever sees the advertise domain in the address bar.
  • Operator-in-the-loop phishing via Telegram: the victim’s browser polls the phishing site frequently while an operator uses Telegram bots to advance the flow step by step (e.g., request password, request 2FA code, redirect to Google/Microsoft/Yahoo-themed modules). This is what allows MFA codes to be relayed and used in real time.
  • Data captured: credentials and MFA codes; in some flows (notably EFS) additional items such as PIN/security token details and check/payment information.
  • Supporting channels: voice phishing (vishing) and infiltration of logistics-focused Telegram communities were used as additional victim acquisition methods.
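The two detection-friendly traits in the list above (mixed-script homoglyphs in mail headers, and a full-screen iframe served from a different registrable domain than the page in the address bar) are easy to check for during triage. The script below is an added example, not tooling from the report or from Have I Been Squatted; the subject line, URLs and HTML are constructed placeholders, and `registrable_domain` is a deliberate simplification (last two labels) rather than a public-suffix-list lookup.

```python
"""Triage checks for two techniques described above: Cyrillic homoglyphs in
mail headers and the dual-domain full-screen iframe. Added example, not
part of the original report; the headers, URLs and HTML are constructed."""
import unicodedata
from html.parser import HTMLParser
from urllib.parse import urlparse


def scripts_used(text: str) -> set[str]:
    """Unicode script names (LATIN, CYRILLIC, ...) of the letters in text.
    The script is the first word of a character's Unicode name."""
    return {unicodedata.name(ch, "?").split(" ")[0] for ch in text if ch.isalpha()}


def mixed_script_tokens(text: str) -> list[str]:
    """Whitespace-separated tokens that mix Latin letters with another script.
    'P\u0430yment' (Cyrillic a, U+0430) renders identically to 'Payment' but
    does not match a keyword filter; mixed scripts inside one token is the
    signature to alert on."""
    flagged = []
    for tok in text.split():
        scripts = scripts_used(tok)
        if "LATIN" in scripts and len(scripts) > 1:
            flagged.append(tok)
    return flagged


class _IframeCollector(HTMLParser):
    """Collects the attributes of every <iframe> in a page."""

    def __init__(self) -> None:
        super().__init__()
        self.frames: list[dict[str, str]] = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.frames.append({k: (v or "") for k, v in attrs})


def registrable_domain(host: str) -> str:
    """Simplification (assumption): the last two labels. Production code
    should use the public suffix list so that e.g. co.uk is handled."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def cross_domain_fullscreen_iframes(page_url: str, html: str) -> list[str]:
    """iframe src URLs served from a different registrable domain than the
    page and styled to fill the viewport: the 'advertise' domain stays in the
    address bar while the credential form comes from the 'system' domain."""
    collector = _IframeCollector()
    collector.feed(html)
    page_domain = registrable_domain(urlparse(page_url).hostname or "")
    hits = []
    for attrs in collector.frames:
        src = attrs.get("src", "")
        host = urlparse(src).hostname or ""
        if not host or registrable_domain(host) == page_domain:
            continue
        style = attrs.get("style", "").replace(" ", "").lower()
        fills_viewport = (
            ("width:100%" in style and "height:100%" in style)
            or "100vh" in style
            or (attrs.get("width") == "100%" and attrs.get("height") == "100%")
        )
        if fills_viewport:
            hits.append(src)
    return hits


# Constructed samples (placeholders, not indicators from the report)
SUBJECT = "P\u0430yment confirmation for Load #4471"  # the 'а' is Cyrillic U+0430
PAGE_URL = "https://loads-portal.example.com/login"
PAGE_HTML = """<html><body style="margin:0">
<iframe src="https://loads-portal.example.top/auth"
        style="position:fixed; top:0; left:0; width:100%; height:100%; border:0"></iframe>
<iframe src="https://static.example.com/footer" width="300" height="50"></iframe>
</body></html>"""

if __name__ == "__main__":
    print("homoglyph tokens:", mixed_script_tokens(SUBJECT))
    print("cross-domain full-screen iframes:",
          cross_domain_fullscreen_iframes(PAGE_URL, PAGE_HTML))
```

Run against a fetched landing page from a URL sandbox, the second check flags the advertise domain without needing to know the system domain in advance, which matters because the .top/.icu side churns faster than the .com side.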

Status

Have I Been Squatted reports that the identified panel, phishing domains and GitLab repositories were disrupted through a coordinated takedown involving GitLab, Cloudflare, Google Threat Intelligence, CrowdStrike and the Microsoft Threat Intelligence Center, with affected parties supporting victim notification efforts.

Risk remains: stolen credentials may still be valid, and actors using this approach can re-spin new infrastructure quickly.

Recommended Actions

Prevent account takeover (highest priority)
  • Use phishing-resistant MFA (FIDO2 / passkeys) for email and critical logistics platforms; avoid reliance on SMS/TOTP where feasible.
  • Enforce Conditional Access on key accounts/apps: require managed/compliant devices, block or step-up challenges to risky sign-ins (new geo/ASN, impossible travel), and apply stricter rules to finance/admin actions (payment changes, MFA resets, mailbox rule changes).
  • Harden email ingress: strengthen anti-phishing/impersonation controls and DMARC/DKIM/SPF posture; disable legacy authentication where applicable.
  • Reduce exposure to lookalike infrastructure: block/monitor typosquatting domains and use DNS/SWG-style web filtering to prevent access to known malicious and newly registered suspicious domains.

Improve detection and hunting
  • Centralise telemetry in a SIEM for correlation and alerting (at minimum: IdP sign-in/audit, email trace/audit, DNS/SWG/proxy, and endpoint logs).
  • Alert/hunt for common takeover signals: unusual sign-ins, new MFA enrolment, session/token anomalies, mailbox forwarding/rules creation, and unexpected account/payment detail changes.
  • Use published IOCs as a starting point: compare the IOC collection against DNS/proxy/SWG and email click logs to identify possible interaction (note: IOCs may age quickly due to churn/takedowns).
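The three hunting bullets above reduce to two queries: match the IOC collection against DNS/proxy logs (including subdomains of the listed domains), and look for the takeover sequence rather than its individual parts, since a new MFA enrolment or an inbox rule on its own is routine but either one shortly after a sign-in from an unfamiliar ASN is not. The following is an added example, not the report's own tooling or published indicators: the IOC domains, ASNs (from the documentation range), log lines and the 30-day ASN baseline are all constructed placeholders.

```python
"""Hunting helpers for the signals in the list above: IOC domain matches in
DNS/proxy logs, and takeover sequences (sign-in from an unfamiliar ASN
followed by a new MFA method or an inbox rule) in IdP/mailbox audit events.
Added example, not the report's own tooling; the IOC list, ASNs and log
lines are constructed placeholders, not the published indicators."""
from datetime import datetime, timedelta

# Constructed IOC list (placeholders, not the campaign's published domains)
IOC_DOMAINS = {"loads-portal.example.top", "carrier-verify.example.icu"}

# Constructed DNS log: "<iso-time> <client-ip> <queried-name>"
DNS_LOG = """\
2026-02-10T09:14:02Z 10.20.1.15 loads-portal.example.top
2026-02-10T09:14:03Z 10.20.1.15 cdn.loads-portal.example.top
2026-02-10T09:20:11Z 10.20.1.22 loads-portal-example.com
2026-02-10T09:31:45Z 10.20.1.15 carrier-verify.example.icu
"""

# Constructed IdP/mailbox audit events, in time order:
# (time, user, event, key=value details)
EVENTS = [
    ("2026-02-10T09:16:30Z", "dispatch@example.com", "signin", "asn=AS64500 country=US"),
    ("2026-02-10T09:18:05Z", "dispatch@example.com", "mfa_method_added", "method=authenticator-app"),
    ("2026-02-10T09:25:40Z", "dispatch@example.com", "inbox_rule_created", "action=forward target=external"),
    ("2026-02-10T11:02:00Z", "ap@example.com", "signin", "asn=AS64496 country=US"),
    ("2026-02-10T11:05:00Z", "ap@example.com", "inbox_rule_created", "action=move target=archive"),
]

# Constructed per-user baseline of ASNs seen over the previous 30 days
BASELINE_ASNS = {"dispatch@example.com": {"AS64496"}, "ap@example.com": {"AS64496"}}


def match_iocs(log_text: str, iocs: set[str]) -> list[tuple[str, str, str]]:
    """(time, client, name) for every query that equals an IOC domain or is a
    subdomain of one. Because the infrastructure churns and gets taken down,
    a miss here proves nothing; a hit is a lead to pivot on."""
    hits = []
    for line in log_text.splitlines():
        ts, client, name = line.split()
        name = name.lower().rstrip(".")
        if any(name == ioc or name.endswith("." + ioc) for ioc in iocs):
            hits.append((ts, client, name))
    return hits


def _parse_ts(ts: str) -> datetime:
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def find_takeover_sequences(events, baseline, window_minutes: int = 60):
    """(user, event, time) for each MFA enrolment or inbox-rule creation that
    follows, within the window, a sign-in from an ASN outside that user's
    baseline. Either action alone is noisy; the sequence is the signal."""
    findings = []
    risky_signin = {}  # user -> time of the most recent non-baseline sign-in
    for ts, user, kind, detail in events:
        t = _parse_ts(ts)
        fields = dict(kv.split("=", 1) for kv in detail.split())
        if kind == "signin":
            if fields.get("asn") not in baseline.get(user, set()):
                risky_signin[user] = t
        elif kind in ("mfa_method_added", "inbox_rule_created") and user in risky_signin:
            if t - risky_signin[user] <= timedelta(minutes=window_minutes):
                findings.append((user, kind, ts))
    return findings


if __name__ == "__main__":
    for hit in match_iocs(DNS_LOG, IOC_DOMAINS):
        print("IOC match:", hit)
    for finding in find_takeover_sequences(EVENTS, BASELINE_ASNS):
        print("takeover sequence:", finding)
```

In a SIEM the same two rules are a lookup against the IOC table and a sequence (or join) rule keyed on user with a short time window; the client IP from the DNS hit and the user from the audit trail are the pivot between the two result sets.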

User and process controls (reduce click-to-compromise and fraud)
  • Staff guidance (ops/dispatch/finance): avoid logging in via emailed links. For load/payment issues, navigate via bookmarks/typed URLs. Treat unexpected login prompts and immediate MFA requests after clicking a link as high-risk and report promptly.
  • Financial controls: verify bank/payment detail changes out-of-band, and implement holds/approvals for payment instruction changes.

If you suspect exposure
  • Contain: reset passwords, revoke active sessions/tokens, rotate API keys where applicable, and review/remove suspicious mailbox rules/forwarding.
  • Investigate: review sign-in history and high-risk events; check for changes to payment instructions and load/dispatch activity consistent with fraud.
  • Engage support: share relevant logs/IOCs with your security provider/IR team; sensitive victim data was not publicly released, and indicators were shared via trusted channels.
