A threat actor known as ‘Zestix’ is offering for sale large volumes of corporate data allegedly stolen from dozens of organizations after compromising ShareFile, Nextcloud, and ownCloud environments, according to a report from cybercrime intelligence firm Hudson Rock.
Hudson Rock says initial access was likely obtained using credentials harvested by information-stealing malware such as RedLine, Lumma, and Vidar, which were deployed on employee devices. The infostealers are commonly spread via malvertising campaigns or so-called ClickFix attacks and typically target browser-stored credentials, financial data, messaging apps, and cryptocurrency wallets.
With valid usernames and passwords, and in cases where multi-factor authentication (MFA) was not enabled, attackers could gain unauthorized access to corporate file-sharing platforms. Hudson Rock noted that some of the compromised credentials had been circulating in criminal databases for years, suggesting organizations failed to rotate passwords or invalidate active sessions over long periods.
The company assesses that Zestix operates as an initial access broker (IAB), selling access to high-value corporate cloud platforms on underground forums. The affected organizations reportedly span multiple sectors, including aviation, defense, healthcare, utilities, mass transit, telecommunications, legal services, real estate, and government.
Hudson Rock said it identified likely breach points by correlating infostealer logs with publicly available images, metadata, and open-source information. In at least 15 cases, employee credentials for cloud file-sharing services were confirmed to have been collected by infostealers.
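The two defender-side steps the report describes, correlating infostealer logs with an organization's own accounts and then checking whether the exposed passwords were ever rotated or protected by MFA, can be scripted as a triage pass. The following is an added example written for this article, not Hudson Rock's tooling or any vendor's product; the log line format, host names, accounts, dates and MFA flags are all constructed, and the risk ranking is the author's own.

```python
"""Triage infostealer-log exposures against a corporate directory export.

Added illustration for this article, not Hudson Rock's tooling. The log line
format, host names, accounts and dates below are all constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Iterable

# Constructed feed: one record per harvested credential, in a hypothetical
# pipe-separated format: capture_date|stealer_family|target_host|username|password
STEALER_LOG_LINES = [
    "2022-03-14|RedLine|files.example-corp.com|alice@example-corp.com|Spring2021!",
    "2024-11-02|Lumma|cloud.example-corp.com|bob@example-corp.com|hunter2",
    "2025-01-20|Vidar|share.example-corp.com|carol@example-corp.com|Qw3rty!!",
    "2021-06-01|RedLine|login.unrelated.example|dave@example-corp.com|pw",
    "malformed line with no separators",
]

# Constructed directory export: when each account last changed its password
# and whether MFA is enforced on it.
DIRECTORY = {
    "alice@example-corp.com": {"last_password_change": date(2021, 9, 1), "mfa": False},
    "bob@example-corp.com": {"last_password_change": date(2024, 12, 15), "mfa": True},
    "carol@example-corp.com": {"last_password_change": date(2024, 8, 3), "mfa": True},
    "dave@example-corp.com": {"last_password_change": date(2023, 1, 1), "mfa": False},
}

# Hosts that front the organisation's file-sharing platforms (constructed).
FILE_SHARING_HOSTS = {"files.example-corp.com", "cloud.example-corp.com", "share.example-corp.com"}


@dataclass(frozen=True)
class Exposure:
    account: str
    stealer: str
    host: str
    captured: date
    rotated_since_capture: bool
    mfa_enabled: bool

    @property
    def risk(self) -> str:
        """Rank by whether the stolen password still works and whether a
        second factor stands between it and the file store."""
        if not self.rotated_since_capture:
            return "critical" if not self.mfa_enabled else "high"
        return "medium" if not self.mfa_enabled else "low"

    def actions(self) -> list[str]:
        # Stealers also lift session cookies, so sessions are revoked in every case.
        steps = ["revoke active sessions and refresh tokens"]
        if not self.rotated_since_capture:
            steps.append("force password reset")
        if not self.mfa_enabled:
            steps.append("enforce MFA")
        return steps


def parse_stealer_log(lines: Iterable[str], hosts: set[str]) -> list[tuple[date, str, str, str]]:
    """Keep (date, stealer, host, account) for records against the given hosts.
    The plaintext password field is dropped deliberately: triage never needs it
    and retaining it only creates a second copy of the secret."""
    records = []
    for line in lines:
        parts = line.strip().split("|")
        if len(parts) != 5:
            continue  # skip malformed feed entries instead of crashing
        captured, stealer, host, account, _password = parts
        if host not in hosts:
            continue
        records.append((date.fromisoformat(captured), stealer, host, account.lower()))
    return records


def triage(lines: Iterable[str], directory: dict, hosts: set[str]) -> list[Exposure]:
    """Correlate each harvested credential with the directory and rank it."""
    order = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    exposures = []
    for captured, stealer, host, account in parse_stealer_log(lines, hosts):
        entry = directory.get(account)
        if entry is None:
            continue  # credential for an account we do not manage
        exposures.append(Exposure(
            account=account, stealer=stealer, host=host, captured=captured,
            rotated_since_capture=entry["last_password_change"] > captured,
            mfa_enabled=entry["mfa"],
        ))
    return sorted(exposures, key=lambda e: (order[e.risk], e.captured))


if __name__ == "__main__":
    for e in triage(STEALER_LOG_LINES, DIRECTORY, FILE_SHARING_HOSTS):
        print(f"{e.risk:8} {e.account:28} {e.stealer:8} captured {e.captured}  -> {', '.join(e.actions())}")
```

On the constructed data, alice's 2022 RedLine capture ranks critical because her password predates the leak and the account has no MFA, carol's ranks high because MFA is on but the password was never rotated, and bob's ranks low because his password was changed after the capture. Sessions are revoked in every case because infostealers take cookies as well as passwords, so a rotated password alone does not close a still-valid session, which is the long-lived exposure the report describes.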
Zestix has advertised data sets ranging from tens of gigabytes to several terabytes, claiming they include aircraft maintenance manuals, defense and engineering files, customer databases, health records, mass-transit schematics, utility LiDAR maps, ISP network configurations, satellite project data, ERP source code, government contracts, and legal documents.
Hudson Rock says it identified thousands of infected machines, including some associated with major organizations such as Deloitte, KPMG, Samsung, Honeywell, and Walmart.
“These organizations have employees or partners who have been infected, leaving valid sessions or credentials to sensitive file repositories exposed to actors like Zestix,” the company notes.
