
Dozens of Major Data Breaches Linked to Single Threat Actor

The initial access broker (IAB) relies on credentials exfiltrated using information stealers to hack organizations. The post Dozens of Major Data Breaches Linked to Single Threat Actor appeared first on SecurityWeek.

File transfer attack

Several major data breaches are linked to a threat actor who relies on stolen credentials to compromise enterprise networks, Hudson Rock reports.

Operating under the moniker ‘Zestix’ but also linked to the online persona ‘Sentap’, the threat actor is an initial access broker (IAB) who was also seen exfiltrating victim data and selling it on hacker forums.

According to Hudson Rock, Zestix emerged as a distinct entity between late 2024 and early 2025, but its activities can be linked to Sentap operations that have been ongoing since 2021.

Both personas can be linked to information-stealer infections resulting in the compromise of global enterprises operating in the aerospace, government infrastructure, legal, and robotics sectors.

The credentials, Hudson Rock says, were harvested from the personal or work devices of employees at the victim organizations using information stealers such as RedLine, Lumma, and Vidar.

“While some credentials were harvested from recently infected machines, others had been sitting in logs for years, waiting for an actor like Zestix to exploit them,” Hudson Rock notes.

The lack of multi-factor authentication (MFA) protections on accounts with access to file-transfer instances such as ShareFile, OwnCloud, and Nextcloud has allowed Zestix/Sentap to use the compromised credentials successfully on roughly 50 occasions.

The exfiltrated data is then offered for sale on closed Russian-language forums, but Zestix was also seen selling access to the compromised systems.

Zestix/Sentap victims

According to Hudson Rock, Zestix has established a reputation for reliability. This explains why they were asking $150,000 for the 77 GB of data allegedly stolen from Iberia, the Spanish flag carrier.

Other victims include Pickett & Associates (an engineering firm serving energy organizations), Intecro Robotics (aerospace and defense equipment maker), Maida Health (serves the Brazilian military police), CRRC MA (rolling stock maker subsidiary), K3G (Brazilian ISP), NMCV Business LLC (manages data for US healthcare facilities), and over a dozen others.

Under the Sentap moniker, the threat actor built a wider list of victims, but Hudson Rock says it could not link these breaches to file-sharing services or infostealer infections.

“It is possible that they still stem from similar Infostealer credentials based on the high number of victims we did identify to have infostealer credentials to those services, but we do not rule out access via another initial access,” Hudson Rock says.

The threat actor has claimed massive breaches at Pan-Pacific Mechanical (1.04 TB), Bradley R. Tyer & Associates (1.02 TB), The Providence Group (1 TB), Australian NBN (306 GB), UrbanX.io (275 GB), and dozens of others.

The infostealer problem

According to Hudson Rock, credentials pertaining to thousands of organizations that use ShareFile, OwnCloud, and Nextcloud are circulating in infostealer logs, including those of prominent names such as Deloitte, Honeywell, KPMG, Samsung, and Walmart.

“These organizations have employees or partners who have been infected, leaving valid sessions or credentials to sensitive file repositories exposed to actors like Zestix,” the cybersecurity firm notes.

The issue, however, has been around for a long time and is unlikely to be easily resolved. The information stealer industry is fueling modern cybercrime, acting as the starting point for data breaches, identity theft, and fraud.

“Stealers are an example of the commodification of cybercrime delivered through malware-as-a-service (MaaS),” SpyCloud Labs SVP of security research Trevor Hilligoss said in a discussion with SecurityWeek.

“You no longer need to be a skilled developer or hacker to gain access to tools that are incredibly effective when deployed at scale. Anyone can just buy or hire readymade malware from the MaaS marketplace,” Hilligoss added.

The success of information stealers builds on speed and stealth. They exfiltrate sensitive information in minutes and are often removed from the infected devices immediately after, leaving minimal traces of wrongdoing.

And for over a decade, stolen credentials have fueled massive attack campaigns, including credential stuffing attacks, which continue to be a problem.
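The two patterns the article describes, a stolen password reused against a file-transfer instance that has no MFA, and the credential-stuffing campaigns that have run on leaked credentials for years, both leave a recognisable shape in the service's authentication log. The detector below is an added example written for this article; it is not code from SecurityWeek, Hudson Rock or any of the products named. The sample log lines are constructed in the JSON-per-line shape of a Nextcloud `nextcloud.log`, but the exact "Login failed" / "Login successful" message wording, the `EXPOSED_USERS` set (standing in for an infostealer-log intelligence feed) and the `MFA_ENROLLED` map are assumptions you would replace with your own instance's output and data.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: field names follow nextcloud.log, message wording is assumed.
# 203.0.113.5 fails against three different accounts and then succeeds as 'dave'.
SAMPLE_LOG = """\
{"time":"2025-01-10T08:00:01+00:00","remoteAddr":"203.0.113.5","user":"--","app":"core","message":"Login failed: 'alice' (Remote IP: '203.0.113.5')"}
{"time":"2025-01-10T08:00:03+00:00","remoteAddr":"203.0.113.5","user":"--","app":"core","message":"Login failed: 'bob' (Remote IP: '203.0.113.5')"}
{"time":"2025-01-10T08:00:05+00:00","remoteAddr":"203.0.113.5","user":"--","app":"core","message":"Login failed: 'carol' (Remote IP: '203.0.113.5')"}
{"time":"2025-01-10T08:00:09+00:00","remoteAddr":"203.0.113.5","user":"dave","app":"admin_audit","message":"Login successful: 'dave'"}
{"time":"2025-01-10T09:15:00+00:00","remoteAddr":"198.51.100.7","user":"erin","app":"admin_audit","message":"Login successful: 'erin'"}
{"time":"2025-01-10T10:02:00+00:00","remoteAddr":"192.0.2.44","user":"frank","app":"admin_audit","message":"Login successful: 'frank'"}
"""

# Hypothetical feed of usernames whose credentials were seen in infostealer logs.
EXPOSED_USERS = {"dave", "erin"}
# Hypothetical MFA enrollment state pulled from the file-transfer service.
MFA_ENROLLED = {"dave": False, "erin": False, "frank": True}

FAIL_RE = re.compile(r"Login failed: '([^']+)'")
OK_RE = re.compile(r"Login successful: '([^']+)'")


def parse_events(text):
    """Turn JSON log lines into (time, ip, user, kind) login events; skip everything else."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        msg = rec.get("message", "")
        m = FAIL_RE.search(msg)
        if m:
            kind, user = "fail", m.group(1)
        else:
            m = OK_RE.search(msg)
            if not m:
                continue
            kind, user = "success", m.group(1)
        events.append({
            "time": datetime.fromisoformat(rec["time"]),
            "ip": rec["remoteAddr"],
            "user": user,
            "kind": kind,
        })
    return events


def detect(events, exposed_users, mfa_enrolled,
           window=timedelta(minutes=10), spray_threshold=3):
    """Flag successful logins that follow a spray from the same IP or use an exposed credential."""
    alerts = []
    fails_by_ip = defaultdict(list)  # ip -> [(time, username tried)]
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["kind"] == "fail":
            fails_by_ip[ev["ip"]].append((ev["time"], ev["user"]))
            continue
        reasons = []
        # Rule 1: the source IP tried several distinct usernames shortly before succeeding.
        tried = {u for t, u in fails_by_ip[ev["ip"]] if ev["time"] - t <= window}
        if len(tried) >= spray_threshold:
            reasons.append("credential_stuffing_pattern")
        # Rule 2: the account's credential is already known to sit in infostealer logs.
        if ev["user"] in exposed_users:
            reasons.append("exposed_credential_used")
        if not reasons:
            continue
        # Without a second factor the stolen password alone was sufficient, so rank it higher.
        severity = "medium" if mfa_enrolled.get(ev["user"], False) else "high"
        alerts.append({
            "user": ev["user"],
            "ip": ev["ip"],
            "time": ev["time"].isoformat(),
            "reasons": reasons,
            "severity": severity,
        })
    return alerts


def run_sample():
    """Run the detector over the constructed log and inputs above."""
    return detect(parse_events(SAMPLE_LOG), EXPOSED_USERS, MFA_ENROLLED)


if __name__ == "__main__":
    for alert in run_sample():
        print(json.dumps(alert))
```

On the constructed input this reports `dave` (spray pattern plus an exposed credential, high severity because no MFA) and `erin` (exposed credential, no MFA), and stays silent on `frank`, who is MFA-enrolled and not in the feed. The useful design point is that rule 2 needs no attacker activity at all: once a username turns up in an infostealer log, every later successful login for that account is worth a session revocation, a password reset and MFA enrollment, regardless of how quiet the login looked.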
