Dozens of global enterprises across critical sectors have fallen victim to a sophisticated cyberattack campaign leveraging leaked cloud credentials sourced from infostealer malware. A threat actor known as “Zestix,” operating under the alias “Sentap,” has systematically gained unauthorized access to cloud storage platforms like ShareFile, Nextcloud, and OwnCloud, compromising approximately 50 international organizations. The breaches have exposed terabytes of sensitive data from industries including aviation, defense robotics, healthcare, finance, and government infrastructure, highlighting a significant vulnerability in current cybersecurity practices.
The attack’s success stems from a surprisingly common vector: employees inadvertently downloading malicious files that execute infostealers such as RedLine, Lumma, and Vidar. These malware variants silently harvest saved credentials and browser history from infected devices. The extracted logs are then compiled into large databases on the dark web, where Zestix meticulously searches for corporate cloud URLs and employs the stolen credentials to breach enterprise systems. This method underscores the persistent threat of infostealer infections.
The Devastating Impact of Leaked Cloud Credentials
The alarming scale of these compromises has led to the exposure of highly sensitive information. For instance, Pickett and Associates, an engineering firm serving U.S. utility companies, lost 139.1 gigabytes of data, including classified LiDAR files and transmission line maps. Intecro Robotics exposed 11.5 gigabytes of ITAR-controlled defense blueprints for military aircraft components. Iberia Airlines suffered a leak of 77 gigabytes containing aircraft maintenance programs and critical flight safety documentation.
Further compounding the issue, Maida Health, a healthcare provider for Brazilian military police, had 2.3 terabytes of health records exposed, encompassing personal identification and medical information for active-duty personnel and their families. These instances demonstrate the far-reaching consequences of unchecked access to corporate cloud environments through compromised credentials.
Deep Analysis: The Credential Harvesting Mechanism
The infection cycle employed by threat actors like Zestix is a methodical five-stage process. It begins with an employee downloading a seemingly legitimate file, often delivered by email or disguised as ordinary software. The infostealer then executes in the device’s memory, frequently evading detection by security tools because it runs inside legitimate processes. Next, the malware enumerates browser storage, password managers, and cached credentials from applications such as Outlook and Teams.
Following data enumeration, all harvested information is encrypted and transmitted to command-and-control servers. Ultimately, threat actors meticulously parse through vast troves of stolen credential databases, specifically filtering for entries linked to corporate infrastructure, including cloud file shares and enterprise resource planning (ERP) systems. This systematic approach allows for the broad acquisition of user credentials.
The Critical Vulnerability: Lack of Multi-Factor Authentication
Industry analysts have identified that the most significant vulnerability enabling these widespread breaches is not a novel zero-day exploit, but rather the fundamental absence of Multi-Factor Authentication (MFA). Many organizations have failed to implement this essential security control, allowing attackers to gain access using only a valid username and password. The report indicates that some compromised credentials had languished in infostealer logs for years, providing attackers with a prolonged window of opportunity that was overlooked by the affected entities.
The dangerous effectiveness of this approach lies in its immense scale and relatively low cost. Zestix operates as an Initial Access Broker, profiting by selling corporate access credentials for Bitcoin or Monero on underground cybercriminal forums. This business model allows for the widespread dissemination and monetization of stolen access information.
Organizations often fail not due to a lack of security awareness programs, but because they have not enforced mandatory multi-factor authentication across all critical systems. The straightforward remedy involves the immediate deployment of MFA combined with robust monitoring for compromised credentials within infostealer logs. Proactive detection and mitigation are key to preventing attackers from fully exploiting these vulnerabilities.
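The monitoring half of that remedy, and the filtering step described in the harvesting mechanism above seen from the defender's side, as an added example that is not from the original article: a small Python checker that reads credential-log lines, keeps only entries whose host belongs to the organization's own cloud domains, and flags accounts that have no MFA enforced. The log layout ("URL USER:PASS"), the example-corp.com domains and the MFA inventory are all constructed assumptions; real dumps vary by malware family.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample lines in an assumed "URL USER:PASS" layout; the last line
# repeats the first to show de-duplication.
SAMPLE_LOG = """\
https://files.example-corp.com/sharefile/login alice@example-corp.com:Winter2021!
https://cloud.example-corp.com/nextcloud/index.php/login bob@example-corp.com:hunter2
https://mail.unrelated.test/login carol@unrelated.test:pass
https://owncloud.example-corp.com/ dave@example-corp.com:Passw0rd
https://files.example-corp.com/sharefile/login alice@example-corp.com:Winter2021!
"""

# Constructed inventory of corporate accounts and whether MFA is enforced.
MFA_ENROLLED = {"alice@example-corp.com": True,
                "bob@example-corp.com": False,
                "dave@example-corp.com": False}
CORP_DOMAINS = {"example-corp.com"}   # assumed: the organization's cloud domains

@dataclass(frozen=True)
class Exposure:
    host: str
    user: str
    mfa_enforced: bool

LINE_RE = re.compile(r"^(\S+)\s+(\S+?):(\S*)$")

def parse_line(line):
    """Return (host, user) for a well-formed line, None otherwise. The secret is discarded."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    url, user, _secret = m.groups()
    host = urlsplit(url).hostname
    return (host, user) if host else None

def is_corporate(host, domains=CORP_DOMAINS):
    """Exact or subdomain match only, so look-alike hosts are not counted."""
    return any(host == d or host.endswith("." + d) for d in domains)

def find_exposures(log_text, mfa_inventory=MFA_ENROLLED, domains=CORP_DOMAINS):
    seen, out = set(), []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if not parsed or not is_corporate(parsed[0], domains):
            continue
        if parsed in seen:
            continue
        seen.add(parsed)
        out.append(Exposure(parsed[0], parsed[1], mfa_inventory.get(parsed[1], False)))
    return out

def needs_immediate_action(exposures):
    """Exposed accounts with no MFA: a password alone still grants access."""
    return [e for e in exposures if not e.mfa_enforced]
```

Accounts returned by needs_immediate_action are the ones where a password reset and MFA enrollment cannot wait; accounts with MFA enforced still warrant a reset, but the stolen password alone does not open the door.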
The ongoing exploitation of infostealer-derived credentials by actors like Zestix suggests a continued threat to organizations that have not fully adopted MFA. The expectation is that more breaches will be uncovered as security teams continue to investigate and analyze the data within these compromised logs.