A single criminal campaign has exposed a structural weakness at the heart of modern enterprise security: organizations are spending heavily on advanced tools while still allowing three‑year‑old stolen passwords to unlock terabytes of their most sensitive data.
Over roughly a year, a threat actor known as Zestix (aka Sentap) quietly breached about 50 global enterprises by doing nothing more technically complex than logging into cloud file‑sharing portals with credentials previously harvested by infostealer malware. No zero‑days, no MFA fatigue tricks, no cookie theft—just username and password, accepted on the first try because multi‑factor authentication (MFA) was not enforced.
The campaign, documented in detail by Hudson Rock and subsequent industry reporting, is a case study in what might be called security theater at scale: Fortune‑level organizations funding sophisticated defenses while leaving basic authentication controls and credential hygiene dangerously neglected.
—
How Zestix Turned Old Malware Logs into New Mega‑Breaches
The core attack chain is brutally simple and largely indirect: the attacker never touches the victim's environment until the final step, when the stolen credential is simply presented to the portal.
1. Initial Infection (Years Earlier in Many Cases)
Employees in dozens of organizations originally became infected with infostealer malware such as RedLine, Lumma, and Vidar after opening malicious attachments or downloading trojanized software.
These infostealers specialize in harvesting browser‑stored credentials, cookies, and autofill data, then exfiltrating them to command‑and‑control servers.
2. Aggregation and Sale on the Dark Web
Over time, the stolen data was bundled into enormous infostealer log databases and sold, traded, or otherwise circulated on dark web markets.
These logs contained not only personal accounts, but also corporate cloud URLs and credentials for platforms such as ShareFile, Nextcloud, and OwnCloud.
3. Targeted Credential Mining by Zestix
Operating as an Initial Access Broker (IAB), Zestix systematically parsed these databases looking specifically for:
– Enterprise file‑sharing portal URLs
– Associated usernames and passwords
Unlike targeted spear‑phishing, this is opportunistic at scale: any organization with exposed credentials and no MFA became a candidate victim.
4. Direct Login to Enterprise Portals
With a valid username and password in hand, Zestix simply logged into:
– Progress ShareFile
– Nextcloud
– OwnCloud
instances owned by major enterprises.
Crucially, these portals did not enforce MFA. According to Hudson Rock, the attacker effectively “walks right in through the front door. No exploits, no cookies – just a password.”
The campaign did not rely on software vulnerabilities or protocol weaknesses: any instance without MFA whose credentials had previously been captured by an infostealer was at risk.
5. Data Discovery, Exfiltration, and Monetization
Once inside, Zestix browsed internal folder structures, collected archives, and exfiltrated data in bulk—often tens to hundreds of gigabytes per target, and up to multiple terabytes.
The stolen data was then:
– Auctioned or sold on Russian‑language cybercrime forums
– Advertised with proof‑of‑access screenshots and sample file listings
– Offered for cryptocurrency, primarily Bitcoin or Monero
This operating model is optimized for volume, low cost, and low technical complexity, and it proved devastating.
—
The Scale and Sensitivity of the Stolen Data
Across the roughly 50 known victims, the datasets named in the reporting ranged from about 11 GB to 2.3 TB of highly sensitive information. The breadth of impacted sectors underscores how universal the underlying weaknesses have become:
– Aviation
  – Iberia Airlines: ~77 GB of technical safety and fleet data was exposed.
  – Potential impact: aircraft maintenance procedures, safety documentation, and operational details of large commercial fleets.
– Defense and Robotics
  – Intecro Robotics: ~11 GB of military intellectual property tied to robotics technologies.
  – Other defense‑adjacent entities had signaling drawings and security information compromised.
  – This raises clear national security and industrial espionage concerns.
– Healthcare and Public Safety
  – Maida Health: approximately 2.3 TB of health records from the Brazilian Military Police.
  – Exposed data includes sensitive medical and potentially law‑enforcement‑related health information, with regulatory, privacy, and physical safety implications.
– Engineering and Manufacturing
  – Pickett and Associates: around 139 GB of engineering data was taken.
  – CRRC MA: signaling drawings and security information tied to rail infrastructure were compromised.
  – Such materials can reveal design specifications, system weaknesses, and intellectual property across critical infrastructure.
– Legal and Professional Services
  – Burris & Macomber law firm: ~18 GB of customer data and litigation strategy was stolen.
  – This included materials affecting major automotive manufacturers and other high‑profile clients, extending the effective blast radius well beyond the firm itself.
– Real Estate and Housing
  – Sekisui House, a major Japanese housing and real estate company, also appears among the affected organizations, with housing and property‑related data exposed.
Taken together, this is not a “credential leak” problem in the abstract; it is the mass exfiltration of operational, legal, medical, and military data from organizations that often sit at critical points of national and global supply chains.
—
The Hidden Latency of Credential Risk
One of the most striking findings is how old many of the abused credentials were.
Hudson Rock’s investigation notes that while some credentials were harvested from recent infostealer infections, others had been sitting in dark web logs for years before Zestix finally weaponized them. In effect:
– A single malware infection in 2022
– yields credentials that remain valid and unchallenged in 2024–2026
– because passwords were not rotated and
– MFA was still not enabled on critical cloud services.
This latency reveals a “pervasive failure in credential hygiene” across the victim pool:
– Passwords remained unchanged long after compromise.
– Sessions were not invalidated following known malware infections.
– Compromised corporate accounts persisted in exactly the state attackers needed them.
The logic of the threat is therefore inverted from the usual narrative:
– The moment of malware infection is often treated as the crisis, followed by cleanup and a return to business as usual.
– In reality, for these organizations, the infection was just the starting point of a multi‑year risk window, culminating in massive breaches long after the initial incident had been forgotten.
This fundamentally challenges how organizations think about time, risk, and credential exposure. A password stolen today may not be exploited for years—but remains just as dangerous if nothing is done.
—
MFA as the Missing Line of Defense
Across all reported victims, the most consistent and critical factor was the absence of enforced MFA on cloud file‑sharing portals.
Investigators and subsequent analyses emphasized:
– Zestix’s intrusions did not require MFA bypass, SIM‑swapping, token theft, or push bombing.
– The threat actor never needed to tamper with identity infrastructure; the platforms simply accepted the stolen credentials as sufficient proof of identity.
– Hudson Rock explicitly concluded that *“catastrophic security failures were not the result of zero-day exploits in the platform architecture, but rather the downstream effect of malware infections on employee devices combined with a critical failure to enforce Multi-Factor Authentication.”*
This presents a sharp contrast with the focus of many enterprise security programs:
– Substantial spending on EDR, XDR, threat hunting, and zero‑day research.
– Underinvestment or delayed implementation of baseline identity controls, including:
  – Universal MFA enforcement on external‑facing services.
  – Conditional access policies that treat risky logins with heightened scrutiny.
  – Mandatory password rotation following any confirmed endpoint compromise.
In effect, enterprises built sophisticated detection systems around their infrastructure—but left the front door unlocked for anyone holding a three‑year‑old key.
—
The Broader Implications: From Security Theater to Credential‑First Risk
The Zestix campaign exposes several uncomfortable realities about current enterprise security posture.
1. Credential‑Based Attacks Now Rival “Advanced” Threats
The operation illustrates that credential‑driven intrusions, powered by commodity infostealers, are fully capable of causing damage on par with advanced nation‑state campaigns.
Attackers no longer need exotic exploits if they can cheaply buy or mine large credential dumps and target services without MFA.
2. Industry‑Wide Complacency on MFA
Despite years of regulatory guidance and law‑enforcement advisories, MFA is still not uniformly enforced, even on high‑value cloud systems.
The fact that aviation, defense, healthcare, legal, and critical infrastructure organizations all failed in similar ways indicates a sector‑agnostic cultural problem, not isolated misconfigurations.
3. Supply Chain and Downstream Exposure
Law firms, engineering houses, and integrators often hold data on many more organizations than appear in any incident list.
When these service providers are compromised, their clients’ IP, legal strategy, and designs become collateral damage, extending the real victim set far beyond the ~50 named enterprises.
4. Long‑Tail Risk from Infostealers
Infostealer infections are sometimes treated as lower‑tier malware compared to ransomware or destructive campaigns. The Zestix case demonstrates that:
– Infostealers are front‑end loaders for future breaches.
– Their outputs—credential logs—are durable, re‑monetizable assets that can be exploited by many different actors over time.
5. Regulatory, Financial, and Reputational Fallout
Given the sectors involved, impacted organizations face:
– Potential violations of data protection and privacy laws.
– Exposure to regulatory fines, especially where health data and EU/UK citizens’ data are involved.
– Litigation risk, particularly for law firms and healthcare entities holding third‑party information.
– Long‑term reputational damage as clients and partners reassess the security of shared file repositories.
—
Lessons for Enterprises: Where Security Theater Ends and Real Defense Begins
The Zestix campaign does not introduce a new class of exploit. Instead, it forces organizations to confront longstanding gaps that are often sidelined because they are operationally inconvenient or perceived as “solved problems.”
From a strategic standpoint, several priorities emerge:
– Enforce MFA on All External‑Facing Cloud Services
  – Make MFA non‑optional for ShareFile, Nextcloud, OwnCloud, and any similar enterprise file sync‑and‑share (EFSS) or SaaS portal.
  – Tie MFA policies into identity providers rather than treating each service as a one‑off configuration issue.
– Treat Infostealer Infections as Identity Breaches
  – Any endpoint compromised by an infostealer should trigger:
    – Immediate password resets for corporate accounts.
    – Session invalidation and token revocation for SSO and cloud services.
    – Retrospective checks for abnormal access from that account, starting from the infection date rather than the detection date.
– Continuously Monitor for Exposed Credentials
  – Make dark web and infostealer log monitoring an ongoing function, not a periodic exercise.
  – When credentials surface, assume compromise and remediate, even if no suspicious activity is yet observed.
– Shorten Credential Lifetimes
  – Implement rotation policies that render harvested credentials obsolete on realistic timeframes; rotation bounds the exposure window, it does not close it.
  – Combine password policies with device posture and conditional access, so that even fresh credentials are insufficient from anomalous locations or untrusted devices.
– Rebalance Investment Toward Identity Fundamentals
  – Maintain advanced detection and response capabilities, but not at the expense of basic controls.
  – Security programs should explicitly measure and track:
    – Percentage of systems protected by enforced MFA.
    – Time‑to‑reset after confirmed infection.
    – Number of external services still password‑only.
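The triage routine below is an added example, not code from Hudson Rock, Progress, Nextcloud or ownCloud. It does defensively what the article describes Zestix doing offensively: it parses infostealer-style "URL:USER:PASS" lines, keeps only those pointing at the organisation's own file-sharing portals, then cross-references portal authentication logs and an MFA inventory to decide which accounts need an immediate reset and which logins must be investigated, and reports the age of each leaked credential and the MFA coverage metrics listed above. Every hostname, user, password, date and log line is constructed for the example, and both log formats are simplified assumptions rather than any product's real format.

```python
"""Credential-exposure triage: stealer logs x portal auth logs x MFA inventory.

Added example; all data below is constructed and the log formats are assumed.
"""
from dataclasses import dataclass
from datetime import date, datetime
from urllib.parse import urlparse

# Constructed inventory: the portals we own and whether MFA is enforced on them.
PORTALS = {
    "share.example.com": {"product": "ShareFile", "mfa_enforced": False},
    "cloud.example.com": {"product": "Nextcloud", "mfa_enforced": True},
}

# Constructed stealer-log entries: (date the log first circulated, "URL:USER:PASS").
STEALER_LOG = [
    ("2022-03-14", "https://share.example.com/login:alice@example.com:Spring2022!"),
    ("2022-03-14", "https://mail.google.com/:alice@gmail.com:hunter2"),  # personal, out of scope
    ("2025-01-09", "https://cloud.example.com/index.php/login:bob@example.com:B0bPass"),
    ("2024-11-02", "https://share.example.com/login:carol@example.com:Winter24"),
]

# Constructed portal auth log (assumed format): "<ISO ts> <host> key=value ...".
AUTH_LOG = [
    "2022-01-05T09:00:00Z share.example.com user=alice@example.com result=success method=password ip=198.51.100.4",
    "2025-02-01T08:12:44Z share.example.com user=alice@example.com result=success method=password ip=203.0.113.7",
    "2025-02-03T10:00:00Z cloud.example.com user=bob@example.com result=success method=password+totp ip=198.51.100.9",
    "2025-02-10T11:00:00Z share.example.com user=carol@example.com result=failure method=password ip=203.0.113.8",
]


@dataclass
class Exposure:
    host: str
    user: str
    first_seen: date


def parse_stealer_line(line):
    """Split 'URL:USER:PASS'. Splitting from the right keeps the scheme and any
    port inside the URL; it assumes the password has no colon, which is the
    usual (lossy) convention of these dumps."""
    url, user, password = line.rsplit(":", 2)
    return urlparse(url).hostname, user, password


def exposed_accounts(stealer_log, portals=PORTALS):
    """Keep only credentials whose URL points at a portal we own."""
    found = []
    for seen, line in stealer_log:
        host, user, _ = parse_stealer_line(line)
        if host in portals:
            found.append(Exposure(host, user, date.fromisoformat(seen)))
    return found


def parse_auth_line(line):
    ts, host, *kv = line.split()
    event = dict(item.split("=", 1) for item in kv)
    event["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    event["host"] = host
    return event


def triage(exposures, auth_log, portals=PORTALS, today=None):
    """For each exposed account: age of the leak, MFA state, and any successful
    password-only login on or after the day the credential started circulating."""
    today = date.fromisoformat(today) if isinstance(today, str) else (today or date.today())
    events = [parse_auth_line(line) for line in auth_log]
    report = {}
    for e in exposures:
        mfa = portals[e.host]["mfa_enforced"]
        hits = [ev for ev in events
                if ev["host"] == e.host and ev["user"] == e.user
                and ev["result"] == "success" and ev["method"] == "password"
                and ev["ts"].date() >= e.first_seen]
        if hits:
            action = "reset_and_investigate"   # the leaked secret was used
        elif not mfa:
            action = "reset_now"               # usable by anyone holding the log
        else:
            action = "reset"                   # MFA held, but the secret is still known
        report[(e.host, e.user)] = {
            "product": portals[e.host]["product"],
            "age_days": (today - e.first_seen).days,
            "mfa_enforced": mfa,
            "password_only_logins_since_exposure": [(ev["ts"].isoformat(), ev["ip"]) for ev in hits],
            "action": action,
        }
    return report


def mfa_coverage(portals=PORTALS):
    """Two of the programme metrics above: (enforced, total, password-only hosts)."""
    password_only = sorted(h for h, p in portals.items() if not p["mfa_enforced"])
    return len(portals) - len(password_only), len(portals), password_only


if __name__ == "__main__":
    for key, r in triage(exposed_accounts(STEALER_LOG), AUTH_LOG, today="2025-03-01").items():
        print(key, r["action"], f"leaked {r['age_days']} days ago", r["password_only_logins_since_exposure"])
    enforced, total, missing = mfa_coverage()
    print(f"MFA enforced on {enforced}/{total} portals; password-only: {missing}")
```

With the constructed data, alice's ShareFile credential is over a thousand days old and was used for a successful password-only login in 2025, so it is flagged for reset and investigation; carol's password-only portal account is reset immediately even though only a failed login is visible; bob's Nextcloud account still gets a reset because the secret is known, even though enforced MFA held. The lookback starts at the date the log first circulated, not at the date the exposure was noticed, which is the point the article makes about latency.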
The central paradox of the Zestix operation is that none of its core techniques would have looked advanced in a tabletop exercise—yet they were sufficient to compromise some of the world’s most heavily defended organizations. In many cases, the breach was not a failure of cutting‑edge defenses; it was the absence of basic doors and locks.
As long as enterprises continue to tolerate password‑only access to high‑value cloud systems and fail to systematically invalidate credentials after malware incidents, campaigns like Zestix’s will remain low‑cost, low‑risk, and massively profitable for attackers.
—
