A financially motivated threat actor known as Zestix, also operating under the alias Sentap, has been linked to the sale of stolen data from nearly 50 major organizations worldwide.
According to new research by threat intelligence firm Hudson Rock, the activity centers on compromised enterprise file-sharing platforms, including ShareFile, Nextcloud, and OwnCloud, widely used across aviation, healthcare, infrastructure, legal, and government-adjacent sectors.
The investigation found no evidence of zero-day vulnerabilities or platform exploits. Instead, attackers relied on valid usernames and passwords harvested by infostealer malware: commodity tools such as RedLine, Lumma, and Vidar that silently collect saved credentials from infected devices.
Hudson Rock identified victims ranging from Iberia Airlines and Sekisui House to regional healthcare providers and mass transit suppliers. In several cases, stolen credentials had been sitting in criminal databases for years, unused, before being monetized.
Why Infostealers Are Now a Primary Access Vector
Infostealers infect devices through phishing emails, malicious downloads, or cracked software. Once installed, they extract browser-stored passwords, cookies, and session data, which are later aggregated and sold on underground forums.
Zestix reportedly combed these databases for corporate cloud URLs and then logged in directly using valid credentials. Without multi-factor authentication (MFA), attackers encountered little resistance.
The affected platforms themselves support strong security controls, including MFA and conditional access. However, Hudson Rock noted that security posture varied widely among victims, particularly in regulated industries handling sensitive intellectual property, health data, and infrastructure schematics.
Dark web monitoring firm DarkSignal has separately linked the Sentap alias to an Iranian national active since at least 2021, operating as an initial access broker selling compromised access for cryptocurrency.
For security leaders, the campaign underscores a persistent risk: credentials stolen outside the corporate perimeter can still unlock critical systems.
“The Zestix campaign is a wake-up call for the corporate world. The enemies are no longer just at the gates; they are walking through them with stolen keys,” Hudson Rock wrote. “In the digital age, access is the only currency that matters. It is time for organizations to enforce MFA and monitor their employees’ compromised credentials.”
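As an added illustration of the monitoring the quote calls for (this is example code, not from Hudson Rock or any of the platforms named above), the script below cross-references constructed infostealer-dump records against constructed file-sharing audit events: it flags password-only logins by accounts whose saved credential for that exact host already sits in a dump, reports how long the leak was usable, and lists accounts that still log in without MFA. All accounts, hosts and dates are constructed.

```python
from dataclasses import dataclass
from datetime import date
from urllib.parse import urlparse
@dataclass(frozen=True)
class StealerRecord:      # one saved-login entry from a stealer log
    email: str
    target_url: str       # login URL the browser had the password saved for
    captured: date        # date the stealer log was produced
@dataclass(frozen=True)
class LoginEvent:         # one successful login from the platform audit log
    email: str
    host: str
    when: date
    mfa_used: bool        # False: the password alone was accepted

# Constructed sample data (added example): no real organizations or accounts.
STEALER_DUMP = [
    StealerRecord("a.lee@example-air.test", "https://files.example-air.test/login", date(2021, 3, 9)),
    StealerRecord("m.ortiz@example-air.test", "https://files.example-air.test/login", date(2023, 11, 2)),
    StealerRecord("j.park@example-air.test", "https://mail.other.test/", date(2024, 1, 5)),
]
LOGINS = [
    LoginEvent("a.lee@example-air.test", "files.example-air.test", date(2025, 6, 1), False),
    LoginEvent("m.ortiz@example-air.test", "files.example-air.test", date(2025, 6, 2), True),
    LoginEvent("j.park@example-air.test", "files.example-air.test", date(2025, 6, 3), False),
]
def exposed_accounts(dump):
    """Map (email, host) -> earliest capture date seen in the dump."""
    exposed = {}
    for rec in dump:
        key = (rec.email.lower(), urlparse(rec.target_url).hostname)
        if key not in exposed or rec.captured < exposed[key]:
            exposed[key] = rec.captured
    return exposed

def flag_logins(dump, logins):
    """Password-only logins by accounts whose credential for that host is leaked."""
    exposed = exposed_accounts(dump)
    alerts = []
    for ev in logins:
        captured = exposed.get((ev.email.lower(), ev.host.lower()))
        # Not leaked for this host, MFA challenged it, or the login predates the leak.
        if captured is None or ev.mfa_used or ev.when < captured:
            continue
        alerts.append((ev.email, (ev.when - captured).days))  # days the leak sat usable
    return alerts

def accounts_without_mfa(logins):
    """Accounts that logged in with a password alone: the enforcement gap to close."""
    return sorted({ev.email for ev in logins if not ev.mfa_used})
```

In the sample, only a.lee is flagged: the credential for the file-sharing host leaked years before the login, which mirrors the stale-credential pattern in the report; m.ortiz's leaked credential was blocked by MFA, and j.park's leak concerns a different service.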