A single criminal operating under the aliases Zestix and Sentap has quietly breached dozens of major global enterprises not by exploiting advanced zero‑day vulnerabilities, but by doing something far simpler: logging in with valid usernames and passwords stolen from employees’ own devices. This campaign exposes a fundamental weakness in modern corporate security strategies—an overreliance on perimeter defenses and patching, while basic credential hygiene and endpoint protection remain dangerously underdeveloped.
—
A Broker at the Center of Dozens of Enterprise Breaches
By late 2024 and into 2025, security researchers began to see the same alias—Zestix, also known as Sentap—appearing across multiple dark‑web markets and closed criminal forums. Investigations linked this single actor to breaches of around 50 major global enterprises, with thousands more organizations exposed and at risk due to the same underlying weaknesses.
Instead of compromising corporate networks directly, Zestix operates as an initial access broker (IAB)—a criminal specialist whose business model is to obtain reliable footholds inside enterprises and then sell that access or the exfiltrated data to other threat actors, including ransomware groups and criminals planning supply‑chain attacks.
According to technical analyses, Zestix/Sentap has:
– Targeted cloud file‑sharing platforms such as ShareFile, Nextcloud, and OwnCloud as primary entry points.
– Compromised organizations in aviation, robotics, housing, government infrastructure, defense, healthcare, legal, and financial sectors.
– Impacted enterprises across Germany, France, the UK, the Netherlands, Italy, Spain, Poland, Sweden, and other countries, with particular concern in Europe due to regulatory exposure under GDPR.
For many victim organizations, the first indication of compromise was not an internal detection, but their data being advertised for sale on criminal forums.
—
The Attack: No Exploits, No Zero‑Days—“Just a Password”
The Zestix/Sentap campaign is a case study in how credential theft has become the path of least resistance for sophisticated threat actors.
Security reports describe a three‑step attack flow built around information‑stealer malware (“infostealers”) deployed on employee endpoints:
1. Infection on the Endpoint
An employee is infected—often after downloading a malicious attachment or cracked software. Infostealers such as RedLine, Lumma, and Vidar execute on the machine and harvest:
– Saved browser credentials
– Authentication cookies and autofill data
– Sometimes keystrokes and browser history
2. Aggregation and Sale of Logs
The stolen data is aggregated into massive infostealer log databases and traded on dark‑web markets. These logs frequently include:
– Corporate cloud portal URLs (e.g., ShareFile or Nextcloud tenant addresses)
– Associated usernames and passwords
– VPN or SSO credentials in some cases
3. Abuse of Valid Credentials
Zestix parses these logs specifically to identify corporate cloud file‑sharing accounts. Where organizations have not deployed multi‑factor authentication (MFA), the attacker simply:
– Enters the username and password
– Logs into the cloud portal as a legitimate user
– Browses, downloads, and exfiltrates sensitive data—often over an extended period
As one security vendor summarized, because many victim organizations did not enforce MFA, “the attacker walks right in through the front door. No exploits, no cookies – just a password.”
This method has two critical characteristics:
– It does not rely on software vulnerabilities or zero‑day exploits, which means patch management alone cannot stop it.
– It abuses legitimate access paths (valid credentials, standard web portals), making it far harder to distinguish the attacker’s activity from normal user behavior.
—
The Paradox: Heavy Perimeter Spend, Low‑Tech Failure
The Zestix/Sentap campaign highlights a stark paradox in enterprise security strategy:
– Organizations invest heavily in firewalls, intrusion prevention systems, VPN gateways, and vulnerability scanners, all designed to detect or block intrusive or anomalous network activity.
– Yet breaches here turned on a far simpler factor: compromised credentials on inadequately protected endpoints, and cloud portals left without MFA.
From a risk‑management perspective, this is deeply problematic:
– Credentials remain valid for years. Investigators found that Zestix successfully used passwords exfiltrated from infostealer infections that were several years old, because organizations had never rotated them or enforced stronger authentication controls.
– “Medium” technical severity, high business impact. Because the campaign did not leverage zero‑day exploits or sophisticated malware post‑access, some frameworks classify the technical severity as medium. However, the real‑world impact—flight maintenance records, engineering blueprints, health records, legal files, and critical infrastructure documentation being exfiltrated and auctioned—is anything but moderate.
This disconnect between technical severity scoring and operational impact can lead to dangerous underestimation of similar threats. A campaign that relies on “only” stolen credentials may not trigger the same urgency as an advanced exploit chain—until the resulting data leak forces a public disclosure, reputational damage, and regulatory scrutiny.
—
Endpoint Failures That Become Enterprise Crises
To understand how Zestix could repeatedly succeed against large, well‑funded enterprises, it is necessary to trace the problem back to the endpoint—the employee device where infostealer infections begin.
Key systemic failures include:
– Weak endpoint protection and monitoring
Many infostealer infections occur on:
– Poorly managed endpoints
– Devices lacking robust EDR (Endpoint Detection and Response) tooling
– Unmanaged personal systems used for remote work that nevertheless store corporate credentials in browsers
– Browser‑stored credentials and autofill
Infostealers specifically target browser‑stored usernames and passwords, cookies, and autofill data because they can be extracted in bulk with minimal effort. When employees habitually save corporate credentials in their browser, a single infostealer infection can expose:
– Cloud storage logins
– Email and collaboration tools
– VPN or SSO credentials
– Lack of visibility into infostealer logs
Even when organizations are aware that infostealers exist, few have mature processes to:
– Continuously monitor dark‑web markets for their domains and credential leaks
– Rapidly force password resets and invalidate exposed credentials
– No enforced MFA on critical cloud services
The single most consistent enabler in this campaign was the absence of MFA on cloud file‑sharing portals. Even where MFA was used on VPNs or SSO, many secondary systems remained accessible via password alone.
The result is that what begins as a seemingly “local” endpoint issue—a single user infected by a commodity infostealer—scales rapidly into an organizational breach once those credentials are aggregated and sold to a broker like Zestix.
—
Data at Stake: From Flight Records to Defense Designs
The Zestix/Sentap campaign has not been limited to low‑value accounts or minor file shares. Investigations into the exposed datasets and dark‑web auctions show that the actor has obtained and sold access to:
– Engineering blueprints and utility schematics
– Military UAV and aerospace maintenance files
– Healthcare and patient records
– Legal case files and litigation documents
– ERP source code and financial archives
These datasets are not only valuable for immediate monetization; they also present substantial long‑term strategic and national‑security risks, including:
– Industrial espionage and competitive intelligence against engineering and robotics firms
– Targeting of critical infrastructure, where stolen designs or configuration files could assist follow‑on sabotage or disruption
– Privacy and compliance failures, particularly in Europe where breach impacts intersect directly with GDPR obligations
In multiple cases, researchers observed that organizations had not publicly acknowledged breaches despite clear evidence of data exposure, raising questions about both detection capabilities and regulatory compliance.
—
Cascading Risk Across Supply Chains
Because the affected organizations span aviation, housing, government infrastructure, healthcare, and finance, the Zestix campaign demonstrates how an initial credential‑driven breach can generate cascading risk across interconnected ecosystems.
Two dimensions of this cascading risk are especially significant:
– Supply‑chain exposure
Stolen documents can include:
– Third‑party contracts
– Vendor integration documentation
– Credentials or access tokens embedded in configuration files
This creates opportunities for secondary compromise of partners and suppliers, even if those entities were never directly targeted by the infostealer infection.
– Ransomware and further monetization
As an initial access broker, Zestix’s role is often to sell either:
– Direct access into cloud portals or internal systems
– Curated data packages to other criminals
These buyers may then deploy:
– Ransomware against the compromised environment
– Double‑extortion schemes based on the exfiltrated data
– Targeted business email compromise or fraud leveraging internal documents
This multi‑actor criminal ecosystem means the true impact of a single set of stolen credentials can unfold over months or years, with multiple phases of exploitation by different groups.
—
Why Traditional Security Failed
The Zestix/Sentap campaign underscores several structural weaknesses in prevailing security architectures:
1. Perimeter‑centric thinking
Many organizations still model threats around the assumption that attacks originate outside, and that once a user is authenticated through a “front door” (VPN, SSO, or cloud portal), they can be largely trusted. Credential‑based intrusions fundamentally break this assumption.
2. Incomplete MFA coverage
Even where MFA is widely deployed, it often does not cover all critical cloud services, especially older or department‑managed platforms like on‑prem or self‑hosted file‑sharing systems.
3. Underinvestment in identity and access governance
While high‑profile zero‑day vulnerabilities command budget and board‑level attention, mundane but critical practices—such as regular password rotation, disabling legacy accounts, and enforcing least‑privilege access—are inconsistently implemented.
4. Weak signal correlation around logins
Because the attacker is using valid credentials from legitimate locations, many SIEM and SOAR deployments fail to flag these logins as malicious absent clear signatures like brute‑force attempts or known malicious IPs.
Without continuous anomalous login monitoring—for example, unusual access patterns, large file transfers, or access at abnormal times—these intrusions blend into normal noise.
5. Insufficient focus on endpoint compromise as a credential problem
Endpoint security is often framed in terms of malware removal and device clean‑up. The Zestix campaign illustrates that what matters most is what the malware stole while it was active—particularly credentials that may persist long after the device is remediated.
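The weak-signal problem described in point 4 is concrete enough to show in code. The following is an added example, not code from the article or from any vendor it mentions: it runs a handful of identity-aware checks over access logs from a cloud file-sharing portal, flagging exactly the patterns a valid-credential intrusion leaves behind (a new country for that account, off-hours activity, a dormant account waking up, and bulk downloads) rather than looking for exploit signatures or known-bad IPs. The log format, the field names, the thresholds and the per-account baseline are assumptions, and every log line is constructed sample data.

```python
"""Identity-aware anomaly checks over cloud file-share access logs.

Added example, not code from the original article or from any vendor it
mentions. The log format, field names, thresholds and the per-account
baseline are assumptions; every log line below is constructed sample data.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Constructed per-account baseline, as a detection pipeline would learn it
# from weeks of history: countries normally seen and last successful login.
BASELINE = {
    "a.lee@example.com":  {"countries": {"DE"}, "last_seen": "2025-02-28T09:00:00Z"},
    "b.kim@example.com":  {"countries": {"FR"}, "last_seen": "2024-01-10T11:30:00Z"},
    "c.ruiz@example.com": {"countries": {"ES"}, "last_seen": "2025-03-03T16:45:00Z"},
}

# Constructed access-log lines in a generic key=value shape (not a real product format).
SAMPLE_LOG = """\
2025-03-04T08:05:10Z user=a.lee@example.com country=DE action=download bytes=2048000 path=/hr/handbook.pdf
2025-03-04T02:13:55Z user=b.kim@example.com country=DE action=login bytes=0 path=-
2025-03-04T02:14:20Z user=b.kim@example.com country=DE action=download bytes=734003200 path=/eng/blueprints.zip
2025-03-04T02:15:02Z user=b.kim@example.com country=DE action=download bytes=512000000 path=/eng/maint/uav.tar
2025-03-04T10:20:00Z user=c.ruiz@example.com country=ES action=download bytes=1024000 path=/legal/nda.docx
"""

BUSINESS_HOURS = range(7, 20)             # 07:00-19:59 UTC is "normal" (assumption)
DORMANT_DAYS = 90                         # silent this long, then active: suspicious
DAILY_DOWNLOAD_LIMIT = 500 * 1024 * 1024  # bytes per account per day (assumption)


def parse_line(line):
    """Turn one log line into a dict with a typed timestamp and byte count."""
    ts, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["ts"] = parse_ts(ts)
    event["bytes"] = int(event["bytes"])
    return event


def detect_anomalies(log_text, baseline):
    """Return sorted (account, reason) pairs.

    A valid login looks normal to a firewall or IPS; these checks look at
    who is acting and how, which is the signal a credential-driven
    intrusion actually leaves behind.
    """
    findings = set()
    daily_bytes = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        user = ev["user"]
        base = baseline.get(user)
        if base is None:                       # account the directory does not know
            findings.add((user, "unknown-account"))
            continue
        if ev["country"] not in base["countries"]:
            findings.add((user, "new-country"))
        if ev["ts"].hour not in BUSINESS_HOURS:
            findings.add((user, "off-hours"))
        if ev["ts"] - parse_ts(base["last_seen"]) > timedelta(days=DORMANT_DAYS):
            findings.add((user, "dormant-account-active"))
        if ev["action"] == "download":
            key = (user, ev["ts"].date())
            daily_bytes[key] += ev["bytes"]
            if daily_bytes[key] > DAILY_DOWNLOAD_LIMIT:
                findings.add((user, "bulk-download"))
    return sorted(findings)


if __name__ == "__main__":
    for account, reason in detect_anomalies(SAMPLE_LOG, BASELINE):
        print(f"{reason:24} {account}")
```

Run stand-alone, the script flags only the dormant account that logs in from a country it has never used, at 02:00, and pulls over half a gigabyte of engineering files within two minutes; the two accounts behaving as they always do produce nothing. Each check on its own is noisy in production, which is why a real deployment would score them together and tune the thresholds per tenant, but the point stands: none of these signals is visible to a control that only inspects packets at the perimeter.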
—
Rethinking Defenses: From Perimeter to Identity and Endpoint
The Zestix/Sentap case offers a clear blueprint for how organizations need to adapt their security strategies to the reality of credential‑driven attacks.
Key defensive priorities include:
– Universal, enforced multi‑factor authentication
– Apply MFA to all external‑facing cloud portals, including legacy file‑sharing and collaboration systems.
– Avoid exceptions for “trusted” user groups or service accounts where possible, and use strong phishing‑resistant methods where supported.
– Credential hygiene and lifecycle management
– Enforce regular password rotation for privileged and externally exposed accounts.
– Prohibit storage of corporate credentials in consumer browsers where feasible, and promote or enforce the use of vetted enterprise password managers.
– Immediately invalidate credentials identified in infostealer logs or other breach data.
– Endpoint‑centric infostealer detection and response
– Deploy robust EDR solutions capable of detecting common infostealer families like RedLine, Lumma, and Vidar.
– Treat any confirmed infostealer infection as an identity compromise, not just a malware incident—triggering processes to audit and reset all credentials that may have been stored or used on the device.
– Continuous dark‑web and credential‑leak monitoring
– Use threat‑intelligence services to monitor infostealer databases and underground markets for corporate domains, URLs, and user identities.
– Integrate these feeds into incident‑response workflows to automate or accelerate credential revocation.
– Identity‑aware detection and least‑privilege access
– Implement least‑privilege access models, ensuring that a single compromised cloud account cannot access entire datasets by default.
– Monitor for anomalous login behavior, including:
– Sudden access to large volumes of files
– Access from unusual locations or at atypical times
– Previously inactive accounts suddenly becoming heavily active
– Regulatory readiness and transparency
– Especially for organizations operating in the EU, align incident‑response processes with GDPR’s requirements for breach detection, reporting, and documentation.
– Ensure executive and legal teams understand that credential‑driven file‑sharing breaches may constitute reportable data protection failures, even if no “hack” in the traditional sense occurred.
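The credential-hygiene and leak-monitoring priorities above (immediate invalidation of exposed credentials, feeds integrated into incident response) reduce to a small triage routine. The following is an added example, not the article's or any vendor's code: it reads a credential-leak feed, keeps only records that touch the organization's own portals or email identities, joins them against a directory snapshot, and emits a prioritized revocation list in which an account with no MFA ranks above one that has it, and older leaks rank first because, as the investigation found, a password stolen years ago stays valid until someone rotates it. The feed shape (one JSON object per line), the directory fields, the priorities and the host and domain lists are assumptions; all records are constructed, and the feed carries no password values, only the fact of exposure.

```python
"""Turn a credential-leak feed into a revocation work list.

Added example, not the article's or any vendor's code. The feed shape (one
JSON object per line), the directory snapshot, the priorities and the
host/domain lists are assumptions; every record below is constructed sample
data, and the feed carries no password values at all, only the fact of exposure.
"""
import json
from datetime import date
from urllib.parse import urlparse

ORG_EMAIL_DOMAINS = {"example.com"}
ORG_PORTAL_HOSTS = {"files.example.com", "share.example.com"}   # our file-sharing tenants

# Constructed directory snapshot: is the account live, is MFA enforced on it?
DIRECTORY = {
    "j.doe@example.com":          {"active": True,  "mfa": False},
    "m.chen@example.com":         {"active": True,  "mfa": True},
    "old.contractor@example.com": {"active": False, "mfa": False},
}

# Constructed leak-feed records: where the credential was captured, which
# account it belongs to, which stealer family, and when the infection happened.
LEAK_FEED = """\
{"url": "https://files.example.com/login", "user": "j.doe@example.com", "stealer": "RedLine", "seen": "2022-06-14"}
{"url": "https://mail.other-corp.test/", "user": "m.chen@example.com", "stealer": "Lumma", "seen": "2025-01-20"}
{"url": "https://files.example.com/", "user": "old.contractor@example.com", "stealer": "Vidar", "seen": "2024-11-02"}
{"url": "https://shop.unrelated.test/", "user": "someone@unrelated.test", "stealer": "RedLine", "seen": "2025-02-01"}
"""

PRIORITY_RANK = {"critical": 0, "high": 1, "low": 2}


def concerns_us(record):
    """A record matters if it was captured on one of our portals or names one
    of our email identities, even on a third-party site (password reuse)."""
    host = urlparse(record["url"]).hostname or ""
    domain = record["user"].rsplit("@", 1)[-1].lower()
    return host in ORG_PORTAL_HOSTS or domain in ORG_EMAIL_DOMAINS


def triage(feed_text, directory, today):
    """Return work items sorted by priority, then by age (oldest first: a
    credential leaked years ago and never rotated is still a working key)."""
    items = []
    for line in feed_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if not concerns_us(rec):
            continue
        user = rec["user"]
        entry = directory.get(user, {"active": False, "mfa": False})
        age = (today - date.fromisoformat(rec["seen"])).days
        if not entry["active"]:
            priority, action = "low", "confirm-disabled"
        elif not entry["mfa"]:
            priority, action = "critical", "reset-and-enforce-mfa"
        else:
            priority, action = "high", "reset-password"
        items.append({"user": user, "priority": priority, "action": action,
                      "age_days": age, "stealer": rec["stealer"]})
    return sorted(items, key=lambda i: (PRIORITY_RANK[i["priority"]], -i["age_days"]))


def triage_sample():
    """Run the triage over the constructed feed with a fixed 'today'."""
    return triage(LEAK_FEED, DIRECTORY, date(2025, 3, 4))


if __name__ == "__main__":
    for item in triage_sample():
        print(f"{item['priority']:8} {item['action']:22} {item['user']} "
              f"(leaked {item['age_days']} days ago via {item['stealer']})")
```

On the sample feed the unrelated record is dropped, the portal login captured in 2022 lands at the top as critical because the account is still live with no MFA, the corporate identity reused on a third-party site becomes a password reset, and the departed contractor becomes a check that the account really is disabled. Feeding the output straight into the identity provider's reset and MFA-enrollment actions is what turns leak monitoring from a report into a control.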
—
The Path of Least Resistance for Modern Threat Actors
The rise of Zestix/Sentap illustrates a broader trend: today’s most effective attacks increasingly combine commodity malware, credential theft, and cloud misconfiguration rather than bespoke exploits.
When an attacker can:
– Use a three‑year‑old password pulled from an infostealer log
– Log in to a critical cloud portal with no MFA
– Exfiltrate gigabytes of sensitive operational and customer data
– Then sell either that access or the data itself to other criminals
—there is little incentive to invest in developing expensive zero‑day capabilities.
For defenders, this reality demands a shift in mindset. The perimeter will not disappear, but identity, endpoint security, and operational discipline around credentials must move to the center of security strategy. Otherwise, sophisticated adversaries will continue to take the easiest route in: a stolen password, an unprotected portal, and a quiet login that looks exactly like a legitimate user.
—
