

Ethical Hacking News

Diesel Vortex: A Sophisticated Phishing Campaign Targets Freight and Logistics Organizations




A sophisticated phishing campaign dubbed "Diesel Vortex" has targeted freight and logistics organizations in the US and Europe, resulting in the theft of over 1,649 unique credentials. The operation involved a combination of social engineering, voice phishing, and infiltration into Telegram channels to evade security filters. This article provides an in-depth analysis of the Diesel Vortex campaign and its implications for the industry.



  • Diesel Vortex is a phishing campaign targeting freight and logistics organizations in the US and Europe.
  • The campaign has stolen over 1,649 unique credentials from platforms and service providers critical to the freight industry.
  • The threat actor behind Diesel Vortex is believed to be an Armenian-speaking Russian-connected actor.
  • Researchers found connections between the phishing service operators and individuals and companies in Russia involved in wholesale trade, transportation, and warehousing.



    A recent phishing campaign, dubbed "Diesel Vortex," has been uncovered by cybersecurity researchers, targeting freight and logistics organizations in the United States and Europe. The threat actor behind this operation, known as Diesel Vortex, has been stealing sensitive information from platforms and service providers critical to the freight industry.

    The Diesel Vortex campaign began in September 2025 and has resulted in the theft of over 1,649 unique credentials from various platforms and service providers. Some of the notable victims include DAT Truckstop, TIMOCOM, Teleroute, Penske Logistics, Girteka, and Electronic Funds Source (EFS).

    Researchers at Have I Been Squatted discovered the campaign after finding an exposed repository containing an SQL database from a phishing project called Global Profit. The project was marketed to other cybercriminals under the name MC Profit Always.

    The repository also included a file with Telegram webhook logs that revealed communications between the phishing service operators. Based on the language used, researchers believe that Diesel Vortex is an Armenian-speaking actor connected to Russian infrastructure.

    Ctrl-Alt-Intel, a tokenization infrastructure provider, conducted an open-source intelligence (OSINT) investigation and found connections to individuals and companies in Russia involved in wholesale trade, transportation, and warehousing.

    The researchers discovered that the same email address used to register phishing infrastructure appears in corporate filings for logistics companies operating in the same vertical targeted by Diesel Vortex. This suggests a high level of coordination between the threat actors and their targets.

    Diesel Vortex built dedicated phishing infrastructure for platforms used daily by freight brokers, trucking companies, and supply chain operators. Load boards, fleet management portals, fuel card systems, and freight exchanges were all in scope.

    The attacks involve sending phishing emails to targets via a phishing kit's mailer, using Zoho SMTP and Zeptomail, and combining Cyrillic homoglyph tricks in the sender and subject fields to evade security filters. Voice phishing and infiltration into Telegram channels frequented by trucking and logistics personnel were also used in the attacks.
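
    A mail-filter check for the homoglyph trick described above, as an added example (not code from the researchers or the article): it decodes RFC 2047 encoded words in the From and Subject headers and reports tokens that mix Latin letters with another script. The sample message, its addresses and all function names are constructed for illustration.

```python
import unicodedata
from email import message_from_string
from email.header import Header, decode_header, make_header

def script_of(ch):
    """Coarse script label taken from the Unicode character name."""
    if not ch.isalpha():
        return None
    name = unicodedata.name(ch, "")
    for script in ("LATIN", "CYRILLIC", "GREEK"):
        if name.startswith(script):
            return script
    return "OTHER"

def mixed_script_tokens(text):
    """Return (token, scripts) for tokens whose letters span several scripts."""
    hits = []
    for token in text.split():
        scripts = {s for s in map(script_of, token) if s}
        if len(scripts) > 1:
            hits.append((token, sorted(scripts)))
    return hits

def check_headers(raw_message, fields=("From", "Subject")):
    """Decode RFC 2047 encoded words first, then scan each header value."""
    msg = message_from_string(raw_message)
    findings = {}
    for field in fields:
        value = msg.get(field)
        if value is None:
            continue
        decoded = str(make_header(decode_header(value)))
        hits = mixed_script_tokens(decoded)
        if hits:
            findings[field] = hits
    return findings

# Constructed sample, not campaign data: U+0435 and U+043E are Cyrillic
# letters that render like Latin "e" and "o".
SAMPLE = (
    "From: " + Header("Fr\u0435ight Desk", "utf-8").encode()
    + " <dispatch@example.com>\n"
    "Subject: " + Header("L\u043ead c\u043enfirmation #4471", "utf-8").encode()
    + "\n\nPlease review the attached rate confirmation.\n"
)

if __name__ == "__main__":
    for field, hits in check_headers(SAMPLE).items():
        print(field, hits)
```

    Words written entirely in one script are not flagged, so legitimate Cyrillic mail passes, but a look-alike word built only from Cyrillic letters also passes and needs a separate confusables check.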

    When a victim clicks on a phishing link, they land on a minimal HTML page on a '.com' domain with a full-screen iframe that loads the phishing content, followed by a 9-stage cloaking process on the system domain ('.top/.icu'). The phishing pages are pixel-level clones of the targeted logistics platforms.
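
    A detection heuristic for the wrapper page described above, as an added example (not code from the researchers or the article): it flags a near-empty page whose full-screen iframe loads a different host on one of the TLDs the article names. The text threshold, function names and both host names in the sample are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

WATCH_TLDS = {"top", "icu"}  # TLDs the article gives for the system domain
HIDDEN = ("script", "style", "title")  # content that is not visible text

class FrameScan(HTMLParser):
    """Collect iframe attributes and count visible text characters."""
    def __init__(self):
        super().__init__()
        self.iframes, self.text_chars, self._hidden = [], 0, 0

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append(dict(attrs))
        elif tag in HIDDEN:
            self._hidden += 1

    def handle_endtag(self, tag):
        if tag in HIDDEN and self._hidden:
            self._hidden -= 1

    def handle_data(self, data):
        if not self._hidden:
            self.text_chars += len(data.strip())

def is_fullscreen(attrs):
    """True when width and height are 100% (attribute or inline style)."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    def full(dim, unit):
        return (attrs.get(dim) == "100%" or f"{dim}:100%" in style
                or f"{dim}:100{unit}" in style)
    return full("width", "vw") and full("height", "vh")

def wrapper_frames(page_url, html, max_text=40):
    """Hosts framed full-screen from a watched TLD by a near-empty page."""
    scan = FrameScan()
    scan.feed(html)
    if scan.text_chars > max_text:  # assumed threshold for "minimal" page
        return []
    page_host = urlparse(page_url).hostname or ""
    hosts = [urlparse(f.get("src") or "").hostname or ""
             for f in scan.iframes if is_fullscreen(f)]
    return [h for h in hosts
            if h and h != page_host and h.rsplit(".", 1)[-1] in WATCH_TLDS]

# Constructed sample page; the host names are placeholders.
LANDING = (
    "<!doctype html><html><head><title>Loading</title>"
    "<style>html,body{margin:0;height:100%}</style></head><body>"
    '<iframe src="https://system.placeholder-domain.top/s/1" '
    'style="border:0; width:100%; height:100%"></iframe></body></html>'
)
```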

    The phishing process is under the direct control of the operator, who decides when to approve steps and activate the next phases via Telegram bots. Possible actions include requesting a password for Google, Microsoft Office 365, and Yahoo; 2FA methods; redirecting the victim; or even blocking them mid-session.

    In December 2025, researchers from Have I Been Squatted discovered nearly 3,500 stolen credential pairs, with 1,649 of them being unique. The Diesel Vortex operation was disrupted following a coordinated action involving GitLab, Cloudflare, Google Threat Intelligence, CrowdStrike, and Microsoft Threat Intelligence Center.

    In conclusion, the Diesel Vortex campaign highlights the sophistication of modern phishing attacks and the importance of robust security measures for freight and logistics organizations. By understanding the tactics, techniques, and procedures (TTPs) used by threat actors like Diesel Vortex, these organizations can better protect themselves against future attacks.




  • Published: Tue Feb 24 18:46:56 2026 by llama3.2 3B Q4_K_M












