Several large organizations worldwide have been breached after attackers reused stolen login details collected by infostealer malware.
How the Attacks Unfolded: Zestix Infostealer
Researchers link the activity to a threat actor known as Zestix, also operating under the alias Sentap. The actor accessed cloud storage platforms such as ShareFile, Nextcloud, and OwnCloud, affecting around 50 organizations.
The impacted companies span sectors including aviation, healthcare, finance, defense, and government services. In several cases, attackers were able to access and extract large volumes of sensitive data.
The attacks typically start when employees unknowingly download malicious files that install infostealer malware such as RedLine, Lumma, or Vidar. These programs silently collect saved credentials and browser data from infected systems.
The stolen information is later aggregated into underground databases. The attacker then searches these datasets for corporate cloud credentials and uses them to gain unauthorized access to enterprise environments.
Researchers found that the main weakness was not an advanced exploit, but the lack of multi-factor authentication. Without MFA in place, attackers were able to access systems using only stolen usernames and passwords, some of which had been exposed in infostealer logs for years.
The impact of the breaches is significant. An engineering firm supporting U.S. utilities lost sensitive infrastructure data, while a robotics company exposed defense-related design files.
An airline also saw internal maintenance and safety documents leaked. In another case, health records and personal data tied to Brazilian military personnel were exposed, totaling several terabytes of sensitive information.
How Credentials Are Stolen and Abused
The attacks follow a simple but effective flow that makes them hard to stop if basic controls are missing.
- An employee downloads what looks like a normal file or software update from email or the web.
- An infostealer runs quietly in the background, often blending into legitimate system activity.
- The malware collects saved passwords and session data from browsers, password managers, and apps like email or collaboration tools.
- The stolen data is encrypted and sent to attacker-controlled servers.
- Attackers search through large credential dumps to find logins tied to corporate systems such as cloud storage and business platforms.
This method is dangerous because it is cheap, scalable, and easy to repeat. Access to corporate accounts is then sold on underground forums, allowing multiple attackers to reuse the same stolen credentials.
Many organizations were compromised not due to a lack of training, but because multi-factor authentication was not enforced across critical systems.
The fix is simple but urgent: enable MFA everywhere it matters and actively monitor for exposed credentials before they are used by attackers.
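The two controls the article ends on, enforcing MFA and acting on exposed credentials before they are reused, can be turned into a simple triage. The following is an added example, not code from the article or from the researchers it cites; the account list, exposure feed and login events are constructed sample data, and the field names are assumptions about what an identity provider export and a credential-exposure feed would contain.

```python
from datetime import datetime

# Constructed sample data. ACCOUNTS mimics an identity-provider export that
# records whether MFA is enforced; EXPOSED mimics a credential-exposure feed
# (user, service the saved password belonged to, date first seen in
# infostealer logs); LOGINS mimics successful sign-ins to a cloud storage app.
ACCOUNTS = {
    "alice@example.com": {"mfa": True},
    "bob@example.com": {"mfa": False},
    "carol@example.com": {"mfa": False},
    "dave@example.com": {"mfa": True},
}
EXPOSED = [
    ("bob@example.com", "files.example.com", "2023-02-11"),  # exposed years ago, never rotated
    ("dave@example.com", "files.example.com", "2025-01-05"),
    ("eve@example.com", "files.example.com", "2025-03-01"),  # account no longer exists
]
LOGINS = [
    {"user": "bob@example.com", "time": "2025-04-02T09:14:00", "mfa_used": False},
    {"user": "dave@example.com", "time": "2025-04-02T10:02:00", "mfa_used": True},
    {"user": "carol@example.com", "time": "2025-04-02T11:30:00", "mfa_used": False},
]


def accounts_without_mfa(accounts):
    """Accounts where MFA is not enforced: the gap the article identifies."""
    return sorted(u for u, a in accounts.items() if not a["mfa"])


def triage(accounts, exposed, logins):
    """Map each exposed user to a risk tier so resets can be prioritised.

    critical: no MFA and a password-only login occurred after the exposure date
    high:     no MFA, no post-exposure login seen yet (rotate before it happens)
    medium:   MFA enforced; the password alone is not enough, but still rotate it
    stale:    credential belongs to an account that no longer exists
    """
    result = {}
    for user, _service, first_seen in exposed:
        acct = accounts.get(user)
        if acct is None:
            result[user] = "stale"
            continue
        if acct["mfa"]:
            result[user] = "medium"
            continue
        seen = datetime.fromisoformat(first_seen)
        used_after = any(
            ev["user"] == user and not ev["mfa_used"]
            and datetime.fromisoformat(ev["time"]) > seen
            for ev in logins
        )
        result[user] = "critical" if used_after else "high"
    return result
```

Run against real exports, the `critical` tier is the set of accounts to reset and investigate first, while `accounts_without_mfa` is the enforcement backlog.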