
Diesel Vortex

Also known as: diesel_vortex

Diesel Vortex is a financially motivated criminal group and phishing-as-a-service (PhaaS) operator identified in February 2026 by Have I Been Squatted and Ctrl-Alt-Intel (also written Ctrl-Alt-Int3l). The group targets freight and logistics organizations in the United States and Europe; reporting specifically cites the US, Germany, France, and Lithuania. The confirmed campaign ran from at least September 2025 through February 2026, used 52 phishing domains, and stole more than 1,600 unique credentials from users of logistics platforms including DAT Truckstop, Penske Logistics, Electronic Funds Source (EFS), TIMOCOM, Teleroute, Highway, Central Dispatch, and Girteka-related workflows.

The operation ran on a phishing platform named "GlobalProfit" internally and marketed externally as "MC Profit Always". Reporting describes dedicated phishing infrastructure for load boards, fleet-management portals, fuel-card systems, and freight exchanges. The platform used a dual-domain iframe architecture, pixel-level clones of the targeted login pages, and a nine-stage cloaking process. Operators controlled each victim session in real time through Telegram bots and webhook-driven workflows, prompting on demand for passwords, MFA codes, PINs, security tokens, and secondary credentials for the victim's Google, Microsoft, or Yahoo mail account. The activity also included vishing, infiltration of trucking and logistics Telegram communities, and phishing email sent through Zoho SMTP and Zeptomail using Cyrillic homoglyphs for filter evasion. Recovered data also showed EFS-focused check-fraud workflows and 35 attempted check-fraud cases.

Recovered repository, SQL, and Telegram data describe a structured criminal enterprise with defined roles: call-center staff, mail support, programmers, resellers, and contact-finding personnel.

Researchers reported evidence of Russian-language development, sales on Russian-language cybercrime forums, and Russian-linked infrastructure and corporate correlations, and assessed the actor as Russian-linked and Russian-speaking. Telegram webhook logs also contained Armenian-language coordination, indicating an Armenian-speaking operational component. The reporting does not support high-confidence nation-state attribution; Diesel Vortex is described as a criminal, financially motivated group. The only actor name used in the source reporting is Diesel Vortex; GlobalProfit and MC Profit Always are names of its phishing platform, not aliases of the group.
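The Cyrillic-homoglyph and lookalike-domain tradecraft described above is the part of this profile a mail-security or SOC team can check for directly. The following Python routine is an added example, not code from Mallory or from the researchers who reported on Diesel Vortex: it runs over the sender headers and body links of an inbound message and flags labels that mix Latin and Cyrillic script, punycode (xn--) labels, and registrable domains that read as a monitored logistics brand once look-alike characters are folded back to Latin. The brand list is taken from the platforms named in the profile; the confusable-character table, the allow-list, the sample message, and every domain in it are constructed for the example and are not the campaign's real indicators.

```python
"""Homoglyph and brand-lookalike triage for inbound phishing mail.

Added example, not Mallory's or the original researchers' code.
"""
from __future__ import annotations

import email
import email.utils
import re
import unicodedata

# Brands from the platforms named in the profile, used as lookalike seeds.
BRANDS = ("truckstop", "penske", "timocom", "teleroute", "centraldispatch", "girteka")

# Characters that read as Latin letters (assumption: a hand-picked subset of the
# Unicode confusables table, UTS #39; extend it for production use).
CONFUSABLES = str.maketrans({
    "а": "a", "е": "e", "о": "o", "р": "p", "с": "c", "х": "x", "у": "y",
    "і": "i", "ј": "j", "ѕ": "s", "һ": "h", "ԁ": "d", "ԛ": "q", "ԝ": "w",
    "0": "o", "1": "l", "3": "e", "5": "s",
})

URL_HOST = re.compile(r"https?://([^\s/?#<>\"']+)")


def decode_labels(domain: str) -> list[str]:
    """Lower-cased labels of a domain, with A-labels (xn--) turned back into Unicode."""
    labels = []
    for label in domain.lower().split("."):
        if label.startswith("xn--"):
            try:
                label = label.encode("ascii").decode("idna")
            except UnicodeError:
                pass  # malformed punycode: keep the raw label, it is still reported
        labels.append(label)
    return labels


def scripts_in(label: str) -> set[str]:
    """Unicode scripts of the letters in a label, e.g. {'LATIN', 'CYRILLIC'}."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def skeleton(label: str) -> str:
    """Fold a label to the Latin string a human would read it as."""
    return unicodedata.normalize("NFKC", label).translate(CONFUSABLES)


def registrable(domain: str) -> str:
    """Registrable domain (assumption: last two labels; no public-suffix list)."""
    return ".".join(decode_labels(domain)[-2:])


def triage_domain(domain: str, allow: frozenset[str] = frozenset()) -> list[str]:
    """Findings for one domain; an empty list means nothing suspicious."""
    if not domain or registrable(domain) in allow:
        return []
    labels = decode_labels(domain)
    findings = []
    if any(l.startswith("xn--") for l in domain.lower().split(".")):
        findings.append("punycode")
    for label in labels:
        scripts = scripts_in(label)
        if len(scripts) > 1:
            findings.append(f"mixed-script:{label}")
        elif scripts and "LATIN" not in scripts:
            findings.append(f"non-latin:{label}")
    folded = skeleton(labels[-2] if len(labels) > 1 else labels[0])
    findings += [f"brand-lookalike:{b}" for b in BRANDS if b in folded]
    return findings


def triage_message(raw: str, allow: frozenset[str] = frozenset()) -> dict[str, list[str]]:
    """Run triage_domain over the sender headers and body URLs of one RFC 5322 message."""
    msg = email.message_from_string(raw)
    report: dict[str, list[str]] = {}
    for header in ("From", "Reply-To", "Return-Path"):
        value = msg.get(header)
        if not value:
            continue
        display, addr = email.utils.parseaddr(value)
        domain = addr.rpartition("@")[2]
        findings = triage_domain(domain, allow)
        if header == "From" and registrable(domain) not in allow:
            # Display name claims a brand the sending domain is not allow-listed for.
            findings += [f"display-name-brand:{b}" for b in BRANDS if b in display.lower()]
        report[header] = findings
    for host in URL_HOST.findall(msg.get_payload()):
        report[f"url:{host}"] = triage_domain(host, allow)
    return report


# Constructed sample: "\u043e" is Cyrillic small o. All domains are invented.
LOOKALIKE_ALABEL = "truckst\u043ep.com".encode("idna").decode("ascii")  # xn--... form
SAMPLE_MESSAGE = (
    'From: "DAT Truckstop Support" <support@truckst\u043ep-loads.com>\n'
    f"Reply-To: <noreply@{LOOKALIKE_ALABEL}>\n"
    "Return-Path: <bounce@example-smtp-relay.net>\n"
    "Subject: Load 48211 needs a rate confirmation\n"
    "\n"
    "Confirm here: https://login.penske-fleet-portal.net/auth\n"
    "or https://truckst\u043ep.com/verify\n"
)

if __name__ == "__main__":
    for observable, findings in triage_message(SAMPLE_MESSAGE).items():
        print(f"{observable:45} {', '.join(findings) or 'clean'}")
```

For production use, replace the confusable subset with the full UTS #39 table, the two-label registrable heuristic with a public-suffix list, and seed the allow-list with the legitimate domains of the brands you monitor. A display-name-brand hit together with a mixed-script or punycode hit on the same message is the combination that makes these lures convincing to a dispatcher reading mail on a phone, so it deserves the highest triage priority.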

OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Who they target

Sectors the actor has been observed targeting.

  • Transportation

Where they target

Geographies tied to known operations.

  • 🇺🇸 United States
  • 🇩🇪 Germany
  • 🇫🇷 France
  • 🇱🇹 Lithuania

Where they're from

Attributed origin per open-source reporting.

  • RU
MITRE ATT&CK

Tradecraft

Techniques observed across reporting, grouped by tactic. 11 of the 15 ATT&CK tactics are covered, with 36 technique entries in total; a technique that ATT&CK places under several tactics (for example T1078 Valid Accounts) is listed under each. ×N marks the number of intelligence reports citing that technique.

TA0043 Reconnaissance (2 techniques)

  • T1589 Gather Victim Identity Information
  • T1598 Phishing for Information
    • T1598.003 Spearphishing Link
    • T1598.004 Spearphishing Voice

TA0042 Resource Development (2 techniques)

  • T1583 Acquire Infrastructure
    • T1583.001 Domains ×2
  • T1586 Compromise Accounts

TA0001 Initial Access (2 techniques)

  • T1078 Valid Accounts ×2
  • T1566 Phishing ×2
    • T1566.001 Spearphishing Attachment
    • T1566.002 Spearphishing Link ×2
    • T1566.003 Spearphishing via Service
    • T1566.004 Spearphishing Voice

TA0002 Execution (1 technique)

  • T1059 Command and Scripting Interpreter
    • T1059.007 JavaScript

TA0003 Persistence (2 techniques)

  • T1078 Valid Accounts ×2
  • T1205 Traffic Signaling

TA0004 Privilege Escalation (1 technique)

  • T1078 Valid Accounts ×2

TA0005 Defense Evasion (5 techniques)

  • T1036 Masquerading
  • T1078 Valid Accounts ×2
  • T1205 Traffic Signaling
  • T1497 Virtualization/Sandbox Evasion
    • T1497.001 System Checks
  • T1622 Debugger Evasion

TA0006 Credential Access (2 techniques)

  • T1056 Input Capture
    • T1056.001 Keylogging
  • T1111 Multi-Factor Authentication Interception

TA0007 Discovery (2 techniques)

  • T1497 Virtualization/Sandbox Evasion
    • T1497.001 System Checks
  • T1622 Debugger Evasion

TA0009 Collection (1 technique)

  • T1056 Input Capture
    • T1056.001 Keylogging

TA0011 Command and Control (3 techniques)

  • T1071 Application Layer Protocol
    • T1071.001 Web Protocols ×2
  • T1205 Traffic Signaling
  • T1568 Dynamic Resolution
IOCS

Observables

51 indicators (domains, IPs, hashes, and other artifacts) are attributed to this actor in reporting.

The indicator values are not shown on this public page; they are available in Mallory, including export to a SIEM.

ACTIVITY FEED

Recent activity

5 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
