Friday, February 27, 2026


Hackers exploit cloud file-sharing platforms to steal sensitive corporate data

Cybersecurity researchers have uncovered a growing wave of corporate data theft linked to cloud file-sharing platforms, with a threat actor known as Zestix allegedly selling stolen data from dozens of organizations.

According to a report by cybercrime intelligence firm Hudson Rock, the attacker is believed to have gained initial access using credentials harvested by information-stealing malware such as RedLine, Lumma, and Vidar. These infostealers are commonly spread through malvertising campaigns and ClickFix attacks, and are designed to extract data from infected employee devices.

The malware typically targets browser-stored information such as login credentials, credit card details, and personal data, along with information from messaging apps and cryptocurrency wallets. When valid credentials are obtained and multi-factor authentication (MFA) is not enabled, attackers can gain unauthorized access to corporate cloud services, including file-sharing platforms.

Hudson Rock said some of the stolen credentials analyzed in the investigation had been circulating in criminal databases for years. This suggests that affected organizations failed to rotate passwords or invalidate active sessions even after long periods of exposure.
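The exposure conditions the report describes (a credential seen in stealer logs, no password rotation or session invalidation afterwards, and no MFA) can be checked from the defender's side. The sketch below is an added example, not code from Hudson Rock or the article; the hostnames, users, dates and the field names `pw_changed`, `sessions_revoked` and `mfa` are all constructed assumptions standing in for an exposure feed and an identity-provider export.

```python
from datetime import date
from urllib.parse import urlsplit

# All hostnames, users and dates below are constructed for illustration.
FILE_SHARE_HOSTS = {"acme.sharefile.example", "cloud.acme.example"}

EXPOSURES = [  # (URL in the stealer-log entry, username, date the log surfaced)
    ("https://acme.sharefile.example/login", "j.doe", date(2022, 3, 14)),
    ("https://cloud.acme.example/index.php/login", "j.doe", date(2024, 9, 2)),
    ("https://cloud.acme.example/index.php/login", "a.khan", date(2023, 6, 1)),
    ("https://cloud.acme.example/index.php/login", "m.li", date(2023, 6, 1)),
    ("https://webmail.other.example/", "j.doe", date(2025, 1, 1)),  # not a file share
]

ACCOUNTS = {  # hypothetical identity-provider export
    "j.doe": {"pw_changed": date(2021, 11, 5), "sessions_revoked": None, "mfa": False},
    "a.khan": {"pw_changed": date(2024, 1, 10), "sessions_revoked": None, "mfa": True},
    "m.li": {"pw_changed": date(2024, 1, 10),
             "sessions_revoked": date(2024, 1, 10), "mfa": True},
}

def triage(exposures, accounts, hosts):
    """Return {user: (severity, [reasons])} for exposed accounts still at risk."""
    latest = {}  # most recent in-scope exposure date per known user
    for url, user, seen in exposures:
        host = (urlsplit(url).hostname or "").lower()
        if host in hosts and user in accounts:
            latest[user] = max(seen, latest.get(user, seen))
    findings = {}
    for user, seen in latest.items():
        acct, reasons = accounts[user], []
        pw_stale = acct["pw_changed"] <= seen
        revoked = acct["sessions_revoked"]
        sessions_stale = revoked is None or revoked <= seen
        if pw_stale:
            reasons.append(f"password not rotated since exposure on {seen}")
        if sessions_stale:
            reasons.append("sessions not invalidated since exposure")
        if not acct["mfa"]:
            reasons.append("MFA not enabled")
        if not reasons:
            continue  # rotated, revoked and MFA-protected after the exposure
        if pw_stale and not acct["mfa"]:
            severity = "critical"  # the exposed password alone still logs in
        else:
            severity = "high" if pw_stale or sessions_stale else "medium"
        findings[user] = (severity, reasons)
    return findings

if __name__ == "__main__":
    for user, (sev, why) in triage(EXPOSURES, ACCOUNTS, FILE_SHARE_HOSTS).items():
        print(f"{sev:8} {user}: " + "; ".join(why))
```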

The report describes Zestix as an initial access broker operating on underground forums, selling access to high-value corporate cloud environments. Researchers believe the actor targeted ShareFile, Nextcloud, and ownCloud systems used by organizations across sectors such as aviation, defense, healthcare, utilities, mass transit, telecommunications, legal services, real estate, and government.

After parsing infostealer logs “specifically looking for corporate cloud URLs (ShareFile, Nextcloud),” the attacker allegedly logged into these services using valid usernames and passwords where MFA was not enabled. Hudson Rock said it identified likely breach points by correlating infostealer data with public images, metadata, and open-source intelligence.

In at least 15 confirmed cases, employee credentials linked to cloud file-sharing platforms were found to have been collected by infostealers. However, the firm noted that this validation is unilateral and that there has been no public confirmation of breaches from the affected organizations. One possible exception could be Iberia, although its recent disclosure has not been directly linked to these findings.

Zestix has claimed to be selling stolen data ranging from tens of gigabytes to several terabytes. The data allegedly includes aircraft maintenance manuals, fleet data, defense and engineering files, customer databases, health records, mass-transit schematics, utility LiDAR maps, ISP network configurations, satellite project data, ERP source code, government contracts, and legal documents.

Hudson Rock warned that such exposure could lead to serious security, privacy, industrial espionage, and national security risks. The firm also identified an additional set of 30 alleged victims sold under the alias “Sentap,” though these were not validated in the same manner.

The researchers added that their broader threat intelligence points to a systemic cloud security issue, driven by poor security practices. They reported identifying thousands of infected systems, including some linked to Deloitte, KPMG, Samsung, Honeywell, and Walmart.
