Threat Summary
Category: Enterprise Cloud Security Breach
Features: Credential compromise, infostealer-driven access, large-scale data exfiltration, initial access brokerage
Delivery Method: Stolen credentials harvested from infostealer malware; exploitation of cloud platforms lacking multi-factor authentication
Threat Actor: Zestix (also operating as “Sentap”) — financially motivated initial access broker
A wave of recent breaches affecting dozens of major global organizations has been traced to a single, recurring failure: cloud platforms secured only by passwords. Threat researchers warn that stolen credentials—some harvested years earlier through infostealer malware—are now being weaponized at scale, enabling attackers to access sensitive corporate cloud storage without exploiting software vulnerabilities or deploying advanced intrusion techniques.
The breaches illustrate a systemic weakness in enterprise cloud security, where large volumes of proprietary, regulated, or mission-critical data remain accessible through password-only authentication. Once credentials are obtained, attackers are effectively “walking through the front door.”
Core Narrative
Threat researchers tracking infostealer ecosystems have identified a financially motivated actor operating under the aliases “Zestix” and “Sentap” as a central figure in a broad campaign targeting corporate cloud file-sharing environments. The actor systematically mines infostealer logs—repositories of stolen credentials generated when employee endpoints are infected with malware—and tests those credentials against popular enterprise cloud platforms.
The process is neither complex nor technically novel. Old passwords are replayed against services such as ShareFile, OwnCloud, and Nextcloud. Most attempts fail due to password changes or account deactivation. Some succeed. When they do, attackers gain immediate access to entire cloud repositories containing engineering plans, legal records, medical data, financial archives, and government-linked infrastructure files.
Researchers described the campaign as a “global epidemic of cloud exposure,” noting that the decisive factor in each confirmed breach was the absence of multi-factor authentication. No zero-day exploits were required. No session hijacking. No token theft. Only a valid password.
Attack Chain Breakdown
- Initial Credential Harvesting: Employee devices are infected with infostealer malware families such as RedLine, Lumma, or Vidar. These tools silently extract saved passwords, browser sessions, and application credentials.
- Credential Dormancy: Stolen passwords are stored in underground logs, sometimes remaining unused for months or years.
- Credential Replay: Zestix systematically tests these credentials against enterprise cloud file-sharing portals.
- Access and Exfiltration: When authentication succeeds, attackers download entire cloud directories—often hundreds of gigabytes per victim.
- Monetization: Exfiltrated data is auctioned on closed cybercrime forums for cryptocurrency, positioning the actor as a reliable initial access broker.
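The replay stage of that chain has a recognizable shape in a cloud portal's authentication log: one source address fails against many different usernames inside a short window, then a single attempt succeeds, and the successful login completes without any MFA step. The Python below is an added example, not code from this report or from ShareFile, ownCloud or Nextcloud; it parses constructed log lines in a simplified, made-up key=value layout (real product logs differ and would need their own parser) and flags both password-only successes and the replay-then-success pattern per source address.

```python
"""Flag credential-replay patterns and password-only logins in cloud portal auth logs.

Added example: the log format below is a simplified, constructed key=value layout,
not the native format of ShareFile, ownCloud or Nextcloud.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import re

# Constructed sample events: one source tries four different usernames and then
# lands a password-only success; the rest are ordinary logins and one typo retry.
SAMPLE_LOG = """\
2025-01-14T02:01:03Z auth src=198.51.100.7 user=a.jones result=FAIL mfa=no
2025-01-14T02:01:05Z auth src=198.51.100.7 user=b.smith result=FAIL mfa=no
2025-01-14T02:01:07Z auth src=198.51.100.7 user=c.wu result=FAIL mfa=no
2025-01-14T02:01:09Z auth src=198.51.100.7 user=d.lee result=FAIL mfa=no
2025-01-14T02:01:12Z auth src=198.51.100.7 user=e.park result=SUCCESS mfa=no
2025-01-14T08:15:00Z auth src=203.0.113.4 user=a.jones result=SUCCESS mfa=yes
2025-01-14T08:16:30Z auth src=203.0.113.9 user=f.garcia result=FAIL mfa=no
2025-01-14T08:16:45Z auth src=203.0.113.9 user=f.garcia result=SUCCESS mfa=no
2025-01-14T08:20:00Z auth src=192.0.2.10 user=b.smith result=SUCCESS mfa=no
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth src=(?P<src>\S+) user=(?P<user>\S+) "
    r"result=(?P<result>SUCCESS|FAIL) mfa=(?P<mfa>yes|no)$"
)


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    src: str
    user: str
    success: bool
    mfa: bool


def parse_line(line):
    """Parse one log line into an AuthEvent; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return AuthEvent(ts, m["src"], m["user"], m["result"] == "SUCCESS", m["mfa"] == "yes")


def detect(lines, window=timedelta(minutes=10), min_failures=3, min_users=3):
    """Return (finding, src, user) tuples.

    password_only_success: a successful login that completed without an MFA step.
    credential_replay: a success from a source that, within `window`, failed at least
    `min_failures` times across at least `min_users` distinct usernames.
    Lines are expected in chronological order, as they appear in a log file.
    """
    recent_failures = defaultdict(deque)  # src -> deque of (ts, user) inside the window
    findings = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        q = recent_failures[ev.src]
        while q and ev.ts - q[0][0] > window:  # drop failures older than the window
            q.popleft()
        if not ev.success:
            q.append((ev.ts, ev.user))
            continue
        if not ev.mfa:
            findings.append(("password_only_success", ev.src, ev.user))
        if len(q) >= min_failures and len({u for _, u in q}) >= min_users:
            findings.append(("credential_replay", ev.src, ev.user))
    return findings


if __name__ == "__main__":
    for kind, src, user in detect(SAMPLE_LOG.splitlines()):
        print(f"{kind:22} src={src} user={user}")
```

The two thresholds separate the replay signature from ordinary behaviour: a user who mistypes a password once and then succeeds (203.0.113.9 above) never reaches `min_users`, while a source walking through a stolen log touches many distinct accounts and, as the report notes, fails most of the time before one succeeds. The `password_only_success` finding is the more important of the two, because it shows exactly which accounts the portal accepts on a password alone.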
Infrastructure at Risk
Corporate cloud file-sharing platforms represent a high-value convergence point. They often store:
- Engineering and CAD files
- Legal strategies and contracts
- Healthcare records and protected health information
- Aviation, transportation, and SCADA documentation
- Financial archives and internal operational data
Because these platforms are designed for accessibility and collaboration, security controls are frequently misaligned with the sensitivity of the data they host. In many of the documented cases, MFA was either not enforced or not enabled at all.
Confirmed Exposure Scope
Researchers identified data allegedly exfiltrated and auctioned from organizations across aviation, defense manufacturing, healthcare, housing, energy, telecommunications, transportation, and legal services. Individual breaches ranged from tens of gigabytes to multiple terabytes per organization.
Sectors impacted include:
- Aviation and Aerospace: aircraft maintenance systems, UAV and fighter jet designs
- Healthcare: medical records, PHI, insurance and billing data
- Transportation Infrastructure: signaling systems, SCADA configurations, rail schematics
- Energy and Engineering: CAD designs, ERP source code, industrial documentation
- Legal and Financial Services: litigation strategies, immigration files, corporate records
In several cases, attackers obtained complete cloud environments rather than selective datasets.
Threat Actor Profile
Zestix emerged publicly in late 2024 but is believed to have been active significantly earlier. The actor operates within Russian-language cybercrime ecosystems and has built a reputation for reliability among buyers. Data is sold for cryptocurrency, and access is often resold to downstream criminal groups.
Additional research has linked related personas to Iranian-origin infrastructure and affiliations with emerging ransomware operations. Analysts also noted overlap with FunkSec, a newer ransomware group known for leveraging generative AI to accelerate code development and operational tooling.
The actor’s effectiveness stems not from technical innovation, but from discipline, patience, and a focus on exploiting basic security failures at scale.
Sector-Level Implications
This campaign highlights a structural shift in cybercrime economics. Infostealer malware is rapidly replacing brute-force attacks and exploit-heavy intrusion methods as the primary engine of large-scale compromise. Once credentials are harvested, time works in the attacker’s favor.
Organizations often rotate passwords inconsistently, fail to audit cloud access logs, or assume that older credentials no longer pose a threat. In reality, dormant credentials remain valid far longer than security teams expect.
The result is delayed compromise, where breaches occur months or years after the initial infection—often without clear indicators of intrusion until data appears for sale.
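Closing the window on delayed compromise means joining two records most organizations keep separately: the cloud portal's account inventory (MFA enrolment, password age, last login) and the endpoint team's history of infostealer detections. Any password that was set on or before the date a user's device was found infected has to be treated as already in a stealer log, however long ago that was. The audit below is an added example, not a tool from the report or from any vendor; the account fields, the five accounts and the infection dates are all constructed, and the field names are assumptions rather than a real export format.

```python
"""Audit a cloud-portal account inventory for dormant or already-stolen credentials.

Added example. Account records and infection dates are constructed; the field
names are assumptions, not the export format of any specific product.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Account:
    user: str
    enabled: bool
    mfa_enrolled: bool
    password_set: date          # when the current password was last changed
    last_login: Optional[date]  # None if the account has never logged in


# Constructed inventory of five portal accounts.
ACCOUNTS = [
    Account("a.jones", True, True, date(2024, 11, 1), date(2025, 1, 13)),
    Account("b.smith", True, False, date(2023, 6, 15), date(2024, 9, 30)),
    Account("c.wu", True, False, date(2024, 12, 1), date(2025, 1, 10)),
    Account("d.lee", False, False, date(2022, 2, 2), date(2022, 3, 3)),
    Account("e.park", True, True, date(2024, 3, 1), None),
]

# Constructed endpoint records: the date an infostealer detection was raised on
# the user's device. A password set on or before that date is assumed stolen.
INFECTIONS = {"b.smith": date(2023, 11, 2), "c.wu": date(2024, 10, 20)}

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2}


def severity(reasons):
    """Rank a finding: a known-stolen password outranks everything, then missing MFA."""
    if "password_predates_infection" in reasons:
        return "critical"
    if "no_mfa" in reasons:
        return "high"
    return "medium" if reasons else "none"


def audit(accounts, infections, today,
          max_password_age=timedelta(days=180), dormant_after=timedelta(days=90)):
    """Return (user, reasons, severity) for each enabled account with a finding,
    ordered from most to least severe."""
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue  # a disabled account cannot be replayed against
        reasons = []
        if not acct.mfa_enrolled:
            reasons.append("no_mfa")
        if today - acct.password_set > max_password_age:
            reasons.append("stale_password")
        infected_on = infections.get(acct.user)
        if infected_on is not None and acct.password_set <= infected_on:
            reasons.append("password_predates_infection")
        if acct.last_login is None or today - acct.last_login > dormant_after:
            reasons.append("dormant_account")
        if reasons:
            findings.append((acct.user, reasons, severity(reasons)))
    findings.sort(key=lambda f: SEVERITY_ORDER[f[2]])
    return findings


if __name__ == "__main__":
    for user, reasons, sev in audit(ACCOUNTS, INFECTIONS, date(2025, 1, 14)):
        print(f"{sev:8} {user:10} {', '.join(reasons)}")
```

In the constructed data, b.smith is the case the report describes: no MFA, a password older than the infection on that user's device, and no login for months, so the account sits idle with a valid credential until someone replays it. c.wu was infected too, but the password was rotated after the detection, so only the missing MFA remains to fix. The disabled account d.lee is skipped entirely, which is the point of deactivating accounts promptly rather than merely letting them go unused.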
Forecast — 30 Days
- Continued credential replay attacks against cloud platforms without enforced MFA
- Increased targeting of healthcare, infrastructure, and engineering firms
- Expansion of initial access brokerage tied to infostealer ecosystems
- Secondary extortion or ransomware activity following data exposure
- Regulatory scrutiny following delayed breach discovery
TRJ Verdict
These breaches were not the result of advanced hacking. They were the result of preventable security neglect.
When organizations allow cloud platforms holding critical data to rely on passwords alone, they are effectively betting their entire digital estate on the behavior of a single employee endpoint. Infostealers make that bet unwinnable.
This is not a failure of technology. It is a failure of enforcement. Until multi-factor authentication is treated as non-negotiable for cloud access, credential theft will remain the simplest, cheapest, and most effective path into the world’s most sensitive systems.

“Researchers described the campaign as a “global epidemic of cloud exposure,” noting that the decisive factor in each confirmed breach was the absence of multi-factor authentication.”
Before I got to the ‘TRJ Verdict’ where it states:
“These breaches were not the result of advanced hacking. They were the result of preventable security neglect.”
this post already made this pretty clear.
I hope these organizations are able to close the loopholes and secure the things that need to be protected.
Thank you for this report.
You’re welcome, Chris. You’re right—the pattern becomes clear well before the verdict because the failures are consistent across cases. The absence of multi-factor authentication is the common thread, not technical sophistication.
That’s what makes these breaches especially frustrating. The exposure is preventable, and closing those gaps would eliminate a large percentage of this activity outright. Awareness is the first step toward that change, which is exactly why cases like this are worth documenting.
Thank you, Chris. I hope all is well and that you have a great night. 😎
You’re welcome, John, and thank you for your thoughtful reply. I can see why these cases are so frustrating. Multi-factor authentication isn’t that difficult to install as I have it on a few accounts that I have. I see no reason to neglect this easy step to protect information and assets.
Thank you for this article, John. All is well here and I wish the same for you! 🙂