Zestix/Sentap Cybercrime Campaign Targets ShareFile, Nextcloud, and OwnCloud via Stolen Credentials: Widespread Data Breaches in 2024-2026
- Rescana

Executive Summary
As of January 5, 2026, a coordinated cybercrime campaign attributed to the Zestix (also known as Sentap) group has resulted in significant data breaches across multiple sectors by targeting cloud file-sharing platforms. Attackers leveraged credentials stolen via info-stealer malware, such as RedLine, Lumma, and Vidar, to access corporate accounts on platforms including ShareFile, Nextcloud, and OwnCloud. The breaches were not the result of software vulnerabilities or zero-day exploits but stemmed from the use of compromised credentials and the widespread absence of multi-factor authentication (MFA). Sensitive data exfiltrated includes engineering blueprints, defense project files, healthcare records, legal documents, and financial archives. The campaign exposes systemic issues in credential management and endpoint security, with many organizations failing to detect or disclose breaches despite regulatory obligations. Immediate action is required to enforce MFA, improve credential hygiene, and strengthen endpoint defenses to mitigate ongoing risks.
Technical Information
The attack campaign orchestrated by the Zestix/Sentap group is characterized by the abuse of credentials harvested through info-stealer malware infections on employee endpoints. The primary malware families involved—RedLine, Lumma, and Vidar—are designed to extract browser-stored credentials, cookies, and autofill data, as well as to capture keystrokes in some cases. These credentials, once exfiltrated, are aggregated and sold or used directly by threat actors to access cloud file-sharing platforms.
The attackers did not exploit any zero-day vulnerabilities or inherent flaws in the targeted platforms. Instead, they relied on the absence of MFA and the persistence of valid credentials, some of which had been exposed for years due to poor password hygiene and lack of rotation. The attack chain typically began with an employee device infected by info-stealer malware, often through phishing or malicious downloads. The malware would then extract credentials for cloud file-sharing services, which were subsequently used by the attackers to log in and access sensitive corporate data.
Technical analysis of the campaign maps the attack methods to several MITRE ATT&CK techniques. Initial access was achieved through the use of valid accounts (T1078), with credentials obtained from password stores (T1555) and, in some cases, via input capture (T1056). Once inside the cloud platforms, attackers collected data from information repositories (T1213) and exfiltrated it over web services (T1567.002). The use of legitimate credentials allowed the attackers to evade many traditional security controls, maintain persistence, and avoid detection.
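The two behaviours mapped above, a valid-account login from an unfamiliar source and bulk collection followed by exfiltration, are both visible in a file-sharing platform's own audit log even when the credential itself is legitimate. The script below is an added example for this report (not Rescana's code or any vendor's feature): it learns each user's source IPs over a baseline period, flags later logins from addresses outside that baseline together with whether MFA was used (T1078), and flags a user/IP pair that downloads many files inside a short window (T1213, T1567.002). The JSON event schema (ts, user, ip, action, mfa, path) and the events themselves are constructed and simplified; map the field names to your platform's real audit export before use.

```python
"""Detect the two behaviours the report maps to ATT&CK on a file-sharing
platform's audit log: a valid-account login (T1078) from a source IP never
seen for that user, and bulk collection/exfiltration (T1213, T1567.002) by one
user/IP pair in a short window.

Added example for this report; not Rescana's code or any vendor's feature.
The JSON event schema (ts, user, ip, action, mfa, path) is assumed and
simplified; map it to your platform's real audit export before use.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample audit events (assumed schema), newline-delimited JSON.
SAMPLE_LOG = "\n".join([
    '{"ts": "2026-01-03T08:02:11Z", "user": "alice", "ip": "203.0.113.10", "action": "login", "mfa": true}',
    '{"ts": "2026-01-03T08:05:40Z", "user": "alice", "ip": "203.0.113.10", "action": "download", "path": "/Projects/site-plan.pdf"}',
    '{"ts": "2026-01-03T09:00:00Z", "user": "bob", "ip": "203.0.113.25", "action": "login", "mfa": true}',
    '{"ts": "2026-01-04T02:14:03Z", "user": "alice", "ip": "198.51.100.77", "action": "login", "mfa": false}',
    '{"ts": "2026-01-04T02:14:30Z", "user": "alice", "ip": "198.51.100.77", "action": "download", "path": "/Projects/a.dwg"}',
    '{"ts": "2026-01-04T02:14:41Z", "user": "alice", "ip": "198.51.100.77", "action": "download", "path": "/Projects/b.dwg"}',
    '{"ts": "2026-01-04T02:15:02Z", "user": "alice", "ip": "198.51.100.77", "action": "download", "path": "/Projects/c.dwg"}',
    '{"ts": "2026-01-04T02:15:19Z", "user": "alice", "ip": "198.51.100.77", "action": "download", "path": "/Projects/d.dwg"}',
    '{"ts": "2026-01-04T02:15:33Z", "user": "alice", "ip": "198.51.100.77", "action": "download", "path": "/Finance/ledger.xlsx"}',
    '{"ts": "2026-01-04T09:00:00Z", "user": "bob", "ip": "203.0.113.25", "action": "login", "mfa": true}',
    '{"ts": "2026-01-04T09:10:00Z", "user": "bob", "ip": "203.0.113.25", "action": "download", "path": "/HR/handbook.pdf"}',
])


def parse_ts(value):
    """Parse the log's UTC timestamp format into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_events(text):
    """Parse NDJSON audit lines into dicts, oldest first, with 'ts' as a datetime."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = parse_ts(ev["ts"])
        events.append(ev)
    events.sort(key=lambda e: e["ts"])
    return events


def build_ip_baseline(events, before):
    """Per-user set of source IPs used for logins before `before` (learning period)."""
    baseline = defaultdict(set)
    for ev in events:
        if ev["action"] == "login" and ev["ts"] < before:
            baseline[ev["user"]].add(ev["ip"])
    return baseline


def detect_new_ip_logins(events, baseline, since):
    """T1078: logins at or after `since` from an IP not in the user's baseline.
    The 'mfa' flag is carried along: a password-only login from a new address is
    exactly the pattern the report describes."""
    findings = []
    for ev in events:
        if ev["action"] != "login" or ev["ts"] < since:
            continue
        if ev["ip"] not in baseline.get(ev["user"], set()):
            findings.append({"user": ev["user"], "ip": ev["ip"],
                             "ts": ev["ts"].isoformat(), "mfa": bool(ev.get("mfa"))})
    return findings


def detect_bulk_downloads(events, window=timedelta(minutes=10), threshold=5):
    """T1213/T1567.002: a user/IP pair downloading >= threshold files inside `window`.
    Sliding window over each pair's (already sorted) download timestamps."""
    per_pair = defaultdict(list)
    for ev in events:
        if ev["action"] == "download":
            per_pair[(ev["user"], ev["ip"])].append(ev["ts"])
    findings = []
    for (user, ip), times in per_pair.items():
        start, peak = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            findings.append({"user": user, "ip": ip, "max_in_window": peak})
    return findings


def analyze(text, baseline_until):
    """Run both detections; the IP baseline is learned from events before `baseline_until`."""
    events = parse_events(text)
    cutoff = parse_ts(baseline_until)
    baseline = build_ip_baseline(events, cutoff)
    return {
        "new_ip_logins": detect_new_ip_logins(events, baseline, cutoff),
        "bulk_downloads": detect_bulk_downloads(events),
    }


if __name__ == "__main__":
    for kind, rows in analyze(SAMPLE_LOG, "2026-01-04T00:00:00Z").items():
        for row in rows:
            print(kind, row)
```

On the constructed data the first detection fires once (alice, password-only login from a never-seen address) and the second fires for the same user/IP pair, which together describe the report's attack chain end to end. The baseline period should be long enough to cover normal travel and home addresses, and the download threshold should be tuned per platform; the point of the example is the shape of the logic, not the specific numbers.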
Artifacts supporting these findings include malware logs containing credentials for specific cloud portals, screenshots of internal file structures, and evidence of data exfiltration. Dark web monitoring has revealed sales threads where access to compromised cloud accounts is offered, often accompanied by proof-of-access screenshots. The campaign is opportunistic, with no sector immune; targeting is determined by the availability of credentials in infostealer logs rather than by specific industry focus.
The Zestix/Sentap group operates as an Initial Access Broker (IAB), monetizing access to compromised accounts by selling them on Russian-language cybercrime forums. Attribution to the "Sentap" persona is supported by open-source intelligence (OSINT) and third-party research, with indications of an Iranian national behind the activity and affiliations with the Funksec cybercriminal group. However, while the technical evidence for the campaign is robust, attribution to specific individuals or groups is based on circumstantial evidence and OSINT rather than direct technical artifacts.
The campaign has resulted in the compromise of highly sensitive data across engineering, defense, healthcare, legal, aviation, and other sectors. Examples include utility blueprints, military UAV files, patient health records, litigation documents, and ERP source code. The data exfiltrated poses risks of industrial espionage, sabotage, privacy violations, regulatory non-compliance, and national security threats. Many affected organizations have not publicly acknowledged the breaches, despite regulatory requirements to do so.
Systemic issues identified include the lack of MFA on cloud file-sharing platforms, poor credential hygiene (with credentials remaining valid for years), and gaps in endpoint security that allow info-stealer malware to infect both managed and unmanaged devices. The campaign underscores the critical importance of enforcing MFA, monitoring for compromised credentials, rotating passwords regularly, and improving endpoint security to prevent malware infections.
All technical claims in this report are supported by primary sources, including malware log analysis, dark web monitoring, and direct evidence from breach data. The attack methods and threat actor activities are consistent with known patterns of infostealer-driven campaigns and IAB operations.
Affected Versions & Timeline
The cloud file-sharing platforms targeted in this campaign include ShareFile, Nextcloud, and OwnCloud. The attacks did not exploit specific software versions or vulnerabilities; rather, any instance of these platforms lacking MFA and protected by credentials exposed in infostealer logs was at risk. The campaign has been active since at least late 2024, with evidence of ongoing breaches into early 2026. Credentials used in the attacks were harvested from both recent and years-old malware infections, indicating that some organizations had not rotated passwords or implemented MFA for extended periods.
The timeline of the campaign is as follows: initial infections with info-stealer malware occurred over several years, with credentials subsequently aggregated and sold or used by the Zestix/Sentap group. The first public reports of coordinated breaches appeared in late 2025, with technical evidence and victim notifications surfacing through January 2026. The campaign remains active, with thousands of organizations identified as at risk due to exposed credentials.
Threat Activity
The threat activity observed in this campaign is characterized by the systematic abuse of stolen credentials to access cloud file-sharing platforms. The Zestix/Sentap group, operating as an Initial Access Broker, leveraged logs from info-stealer malware to identify valid credentials for corporate cloud accounts. These credentials were used to log in to platforms such as ShareFile, Nextcloud, and OwnCloud, where attackers browsed, collected, and exfiltrated sensitive data.
Victim organizations span a wide range of sectors, including engineering, utilities, defense, aerospace, healthcare, legal, government, aviation, and finance. Data exfiltrated includes utility blueprints, LiDAR data, telecom configurations, military UAV and CNC files, satellite project data, health records, patient PHI, medical and financial data, litigation files, government contracts, client PII, aircraft maintenance data, engineering plans, ERP source code, architectural plans, and financial archives.
The attackers demonstrated no preference for specific industries; targeting was opportunistic, based on the availability of credentials in infostealer logs. The use of legitimate credentials allowed the attackers to evade detection, maintain persistence, and repeatedly access compromised accounts. In many cases, organizations were unaware of the breaches until notified by third parties or through regulatory disclosures.
The campaign poses significant risks, including industrial espionage, sabotage, privacy violations, regulatory non-compliance, and threats to national security. The scale and impact of the breaches are amplified by the systemic lack of MFA and poor credential hygiene across affected organizations.
Mitigation & Workarounds
The following mitigation actions are prioritized by severity:
Critical: Enforce multi-factor authentication (MFA) on all cloud file-sharing accounts immediately. MFA is the most effective control to prevent unauthorized access using stolen credentials, as demonstrated by the absence of MFA in all confirmed breaches.
High: Monitor for compromised credentials by regularly scanning infostealer logs and dark web sources for references to organizational domains and cloud platform URLs. Rotate all passwords associated with cloud file-sharing accounts, especially those identified in breach data or infostealer logs.
High: Improve endpoint security by deploying advanced anti-malware solutions, conducting regular scans for info-stealer malware, and ensuring that both managed and unmanaged devices are protected. Monitor for signs of malware infections and respond promptly to any detections.
Medium: Conduct user awareness training to educate employees about the risks of phishing, malicious downloads, and credential reuse. Emphasize the importance of reporting suspicious activity and maintaining good password hygiene.
Medium: Notify cloud platform vendors and coordinate incident response efforts to ensure that all compromised accounts are identified, access is revoked, and affected data is secured.
Low: Review and update incident response plans to include scenarios involving credential theft and cloud platform breaches. Ensure that regulatory notification requirements are understood and followed in the event of a breach.
These mitigation steps are supported by technical evidence from the campaign and are aligned with best practices for securing cloud file-sharing platforms against credential-based attacks.
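The "High" step above, scanning exposure data for the organization's own domains and portal URLs and then rotating what is found, is a triage problem once the data is in hand, and the report's timeline (credentials harvested years ago and still valid) means exposure age matters as much as the match itself. The script below is an added example for this report, not Rescana's tooling: it takes credential-exposure records in a stealer-log style layout (site URL, username, password, capture date), keeps only those that touch one of the organization's file-sharing portals or one of its users, ranks them by priority and age, and marks where the same user reused one password across portals. The record layout, the domains, the portal hostnames and the records are all assumed or constructed; passwords are never echoed or stored, only a per-run keyed fingerprint is used to spot reuse.

```python
"""Triage credential-exposure records (stealer-log style: site URL, username,
password, capture date) against an organization's own domains and cloud
file-sharing portals, producing a prioritized rotation list.

Added example for this report; not Rescana's tooling. The record format is
assumed (real exports vary), and the domains, hosts and records below are
constructed. Passwords are never echoed or stored: a per-run keyed
fingerprint is used only to spot the same password reused across portals.
"""
import hashlib
import hmac
import secrets
from collections import defaultdict
from datetime import date
from urllib.parse import urlsplit

# Assumed inventory: the organization's mail domains and its file-sharing portals.
ORG_DOMAINS = {"example.com"}
PORTAL_HOSTS = {"files.example.com", "example.sharefile.com", "cloud.example.com"}

# Constructed sample records: (url, username, password, capture date).
# The passwords are placeholders, not real secrets.
RECORDS = [
    ("https://files.example.com/login", "alice@example.com", "pw-one", "2023-02-11"),
    ("https://example.sharefile.com/", "alice@example.com", "pw-one", "2025-11-30"),
    ("https://cloud.example.com/index.php/login", "bob@example.com", "pw-two", "2025-12-28"),
    ("https://shop.third-party.test/", "alice@example.com", "pw-three", "2025-10-01"),
    ("https://files.example.com/login", "contractor@partner.test", "pw-four", "2022-06-15"),
]

_RUN_KEY = secrets.token_bytes(32)  # dies with the process; fingerprints are never persisted


def fingerprint(password):
    """Keyed, truncated digest: enough to correlate reuse within one run, useless afterwards."""
    return hmac.new(_RUN_KEY, password.encode(), hashlib.sha256).hexdigest()[:12]


def triage(records, org_domains, portal_hosts, today):
    """Return the rows to act on, highest priority and oldest exposure first.

    kind 'portal': the URL is one of our file-sharing portals, whoever the user
      is (third parties holding accounts there count) -> critical.
    kind 'org_user_elsewhere': one of our users' credentials on another site
      -> medium, or high if that same password also appears on a portal.
    `today` may be a date or an ISO date string.
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    rows = []
    for url, user, password, captured in records:
        host = (urlsplit(url).hostname or "").lower()
        user = user.strip().lower()
        user_domain = user.rsplit("@", 1)[-1] if "@" in user else ""
        if host in portal_hosts:
            kind = "portal"
        elif user_domain in org_domains:
            kind = "org_user_elsewhere"
        else:
            continue  # unrelated to this organization
        rows.append({
            "user": user, "host": host, "kind": kind,
            "age_days": (today - date.fromisoformat(captured)).days,
            "fp": fingerprint(password),
        })

    # Same user + same password fingerprint on more than one host = reuse.
    hosts_per_secret = defaultdict(set)
    for r in rows:
        hosts_per_secret[(r["user"], r["fp"])].add(r["host"])
    for r in rows:
        r["reused"] = len(hosts_per_secret[(r["user"], r["fp"])]) > 1
        if r["kind"] == "portal":
            r["priority"] = "critical"
        else:
            r["priority"] = "high" if r["reused"] else "medium"
        del r["fp"]  # never carry the fingerprint out of the function

    rank = {"critical": 0, "high": 1, "medium": 2}
    rows.sort(key=lambda r: (rank[r["priority"]], -r["age_days"]))
    return rows


if __name__ == "__main__":
    for row in triage(RECORDS, ORG_DOMAINS, PORTAL_HOSTS, "2026-01-05"):
        print(f"{row['priority']:8} {row['user']:26} {row['host']:26} "
              f"age={row['age_days']}d reused={row['reused']}")
```

Two design points carry over to real use: a third-party account on your own portal (the contractor row) is just as critical as an employee account, because the portal is what the attacker logs in to; and a record captured years ago still goes to the top of the list, since the report's finding is precisely that such credentials were never rotated. Every row that comes out should end in a forced password change and an MFA enrolment check for that account.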
References
InfoStealers.com, "Dozens of Global Companies Hacked via Cloud Credentials from Infostealer Infections & More at Risk" (Jan 5, 2026) https://www.infostealers.com/article/dozens-of-global-companies-hacked-via-cloud-credentials-from-infostealer-infections-more-at-risk/
BleepingComputer, "Cloud file-sharing sites targeted for corporate data theft attacks" https://www.bleepingcomputer.com/news/security/cloud-file-sharing-sites-targeted-for-corporate-data-theft-attacks/
ITRC 2024 Data Breach Report
About Rescana
Rescana provides a Third-Party Risk Management (TPRM) platform that enables organizations to continuously monitor the security posture of their vendors and partners. Our platform offers actionable insights into exposed credentials, cloud service configurations, and endpoint security risks, supporting rapid identification and remediation of threats related to credential theft and cloud platform abuse. For questions or further information, contact us at ops@rescana.com.