A single threat actor has leveraged stolen credentials and missing MFA protections to breach dozens of major global organizations. According to a research by Infostealers, the lone cybercriminal, known as Zestix or Sentap, used infostealer malware to harvest credentials, then simply logged in.
Infosetealers, Not Zero Days, Drove Breaches
Rather than relying on novel exploits, Zestix abused credentials stolen by widely known infostealers such as RedLine, Lumma, and Vidar. These malware strains extract saved passwords, browser data, and session information from infected employee devices.
Michael Bell, Founder & CEO at Suzu Labs, offers insight into Zestix’s process:
“The attack method is straightforward. Parse credential logs for enterprise file-sharing URLs, test the passwords, walk through any door where MFA is absent. Forum intelligence suggests this actor operates at multiple capability tiers, with documented EDR evasion techniques and deepfake infrastructure available for higher-value targets,” he said.
While some of the stolen credentials were relatively fresh, others had been sitting in dark web logs for years, waiting for someone to use them. This highlights a massive failure in enterprise password hygiene practices – reusing passwords across personal and corporate systems, storing credentials in browsers, and failing to rotate access credentials over long periods of time.
Missing MFA Turned Weak Passwords into Full Breaches
However, poor password hygiene alone didn’t guarantee a breach. A systemic lack of MFA on critical enterprise services is what turned stolen credentials into a catastrophic failure.
In many of the affected organizations, credentials harvested by infostealers were sufficient to grant immediate access to cloud file transfer platforms. There was no secondary verification step, no device-based challenge, and no conditional access policy to stop logins originating from unfamiliar locations or systems. A valid username or password was all Zestix needed.
John Carberry, a Solution Sleuth at Xcape, Inc, argues that it’s “alarming that numerous multi-billion-dollar companies still haven’t implemented Multi-Factor Authentication (MFA) on crucial cloud gateways like ShareFile and Nextcloud, a critical failing in today’s threat environment.”
“For many victims, the breach wasn’t a perimeter security failure, but a complete failure of their identity security,” he continued. “It takes persistent use of security principles rather than new technology to prevent these threats. Tighter controls on cloud collaboration tools, conditional access, rotating credentials, rotating credentials, and strong MFA would have significantly limited the attacker’s reach.”
Critical Infrastructure and Sensitive Sectors Hit
The victim list spans aviation, aerospace, defense robotics, healthcare, energy, finance, government infrastructure, and telecommunications. Confirmed victims include Pickett & Associates, Intecro Robotics, Maida Health, CRRC MA, K3G, and NMCV Business LLC, along with dozens of others.
In one documented case, Pickett & Associates lost 139.1GB of sensitive data, including LiDAR imagery and transmission line maps tied to US utility infrastructure. Such exposures pose not only financial and regulatory risks, but also national security concerns.
Josh is a Content writer at Bora. He graduated with a degree in Journalism in 2021 and has a background in cybersecurity PR. He's written on a wide range of topics, from AI to Zero Trust, and is particularly interested in the impacts of cybersecurity on the wider economy.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.