TL;DR

A single cybercriminal using infostealer malware harvested cloud credentials from infected machines and accessed corporate file-sharing portals at roughly 50 organisations, many of which reportedly did not enforce multi-factor authentication. Stolen datasets — including engineering, health, legal and aviation files — have been listed for sale on the dark web; some appear to have already changed hands.

What happened

An operator using the names Zestix or Sentap has been selling sensitive datasets taken from enterprise file synchronization and sharing (EFSS) portals after obtaining valid cloud credentials from infostealer-infected endpoints. According to a Hudson Rock analysis, employees downloaded files carrying information-stealing malware (examples cited include RedLine, Lumma and Vidar), which captured stored credentials and browser data. The attacker then used those credentials to log into services such as Progress Software's ShareFile, Nextcloud and OwnCloud in environments where multi-factor authentication was reportedly not enforced. The Register says roughly 50 organisations worldwide appear on the criminal's list of victims, spanning utilities, aviation, robotics, housing and government-related entities. Reported examples include Pickett and Associates, Sekisui House, Iberia, Intecro Robotics, Maida Health, Burris & Macomber and CRRC MA. Progress told The Register the incidents are consistent with use of stolen credentials rather than platform vulnerabilities.

Why it matters

  • When credentials stolen by infostealers are not protected by MFA, attackers can access cloud file stores with minimal effort.
  • Files taken from EFSS portals can include highly sensitive engineering, health, legal and infrastructure data, raising risks to safety and privacy.
  • Infostealers are a growing avenue for ransomware groups and extortionists to acquire initial access and pivot to lucrative targets.
  • Stale or unrotated credentials captured in infostealer logs can remain exploitable for years, increasing corporate exposure over time.
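The exposure described above is visible in portal login records: an account that signs in with a password alone, then does so again from an address it has never used, is the pattern a defender would want to surface. The following detection logic is an added example, not code from the article or from any EFSS vendor; the log lines, field names ("user", "ip", "mfa", "result") and IP addresses are constructed for illustration.

```python
# Added example (not from the original article): flag password-only logins to an
# EFSS portal and, in particular, password-only logins from an IP address the
# account has never used before. Log lines and field names are constructed.
import json
from collections import defaultdict

# Constructed sample: one JSON event per line, as an EFSS audit log might emit.
SAMPLE_LOG = """\
{"ts": "2026-01-05T08:02:11Z", "user": "j.doe", "ip": "203.0.113.10", "mfa": true, "result": "success"}
{"ts": "2026-01-05T08:15:40Z", "user": "a.lee", "ip": "198.51.100.7", "mfa": false, "result": "success"}
{"ts": "2026-01-05T09:30:05Z", "user": "a.lee", "ip": "198.51.100.7", "mfa": false, "result": "success"}
{"ts": "2026-01-05T23:47:19Z", "user": "a.lee", "ip": "192.0.2.99", "mfa": false, "result": "success"}
{"ts": "2026-01-06T01:12:33Z", "user": "j.doe", "ip": "192.0.2.99", "mfa": false, "result": "failure"}
{"ts": "2026-01-06T01:13:02Z", "user": "j.doe", "ip": "192.0.2.99", "mfa": true, "result": "success"}
"""


def parse_events(text):
    """Parse newline-delimited JSON login events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def password_only_logins(events):
    """Every successful login that presented no second factor."""
    return [e for e in events if e["result"] == "success" and not e["mfa"]]


def new_ip_without_mfa(events):
    """Successful password-only logins from an IP not previously seen for that account.

    Events are replayed in timestamp order; an account's first login only seeds
    its baseline and is never alerted on by itself.
    """
    seen = defaultdict(set)
    alerts = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["result"] != "success":
            continue
        known = seen[e["user"]]
        if known and e["ip"] not in known and not e["mfa"]:
            alerts.append((e["user"], e["ip"], e["ts"]))
        known.add(e["ip"])
    return alerts


def accounts_without_mfa(events):
    """Accounts that never presented a second factor on any successful login."""
    used = defaultdict(bool)
    for e in events:
        if e["result"] == "success":
            used[e["user"]] = used[e["user"]] or e["mfa"]
    return sorted(u for u, mfa in used.items() if not mfa)
```

Run against the sample, `accounts_without_mfa` names the one account that would be fully exposed to a stolen password, and `new_ip_without_mfa` isolates the single login that most resembles credential reuse from a foreign machine.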

Key facts

  • The criminal operates under the monikers Zestix or Sentap and has acted as an initial access broker and extortionist since at least 2021, according to Hudson Rock.
  • About 50 global organisations are listed as victims in the campaign, per the Hudson Rock report cited by The Register.
  • Infostealer families named in the report include RedLine, Lumma and Vidar; these steal saved credentials and browser histories from infected devices.
  • Targets included EFSS platforms such as Progress Software's ShareFile, Nextcloud and OwnCloud.
  • Hudson Rock says the affected organisations did not enforce multi-factor authentication, allowing the attacker to reuse stolen credentials to log in.
  • Progress Software told The Register it believes the compromises resulted from use of valid stolen credentials rather than platform vulnerabilities, and reiterated the importance of MFA.
  • Pickett and Associates was reported to have 139 GB of engineering data posted for sale; the seller listed a price of 6.5 bitcoin, cited as about $585,000.
  • Reported datasets include a 2.3 TB Nextcloud cache allegedly containing Brazilian Military Police records, and a 77 GB Iberia Airlines dataset of technical safety and fleet information.
  • CRRC MA files were said to include signaling drawings, SCADA RTU lists and other operational and security-related engineering documents.

What to watch next

  • Additional responses and confirmations from the companies listed and EFSS vendors — The Register contacted multiple parties and only Progress had replied as of press time.
  • Whether more datasets linked to this actor are added to dark-web marketplaces or already sold — not confirmed in the source.
  • Any law enforcement or regulatory investigations and public disclosures tied to these incidents — not confirmed in the source.

Quick glossary

  • Infostealer: Malware designed to harvest sensitive data from a compromised device, commonly including saved passwords, browser history and authentication tokens.
  • Multi-factor authentication (MFA): An authentication method that requires users to present two or more independent credentials (e.g., password plus a second factor) to verify identity.
  • Enterprise file synchronization and sharing (EFSS): Cloud-based services and platforms that let organisations store, sync and share files among employees and external partners.
  • Initial access broker: A threat actor who specialises in acquiring and selling access to compromised networks or credentials to other criminals.

Reader FAQ

Who carried out the attacks?
The actor uses the names Zestix or Sentap and has been identified by Hudson Rock as an initial access broker and extortionist; the actor has been active since at least 2021.

How did the attacker gain access to corporate file stores?
Hudson Rock reports the attacker used credentials harvested by infostealer malware from infected endpoints, then logged into EFSS portals where MFA was not enforced.

Were software vulnerabilities blamed for the breaches?
Progress Software told The Register its investigations indicate the incidents are consistent with use of stolen credentials rather than platform vulnerabilities.

Have victims been confirmed?
The Register lists several organisations as apparent victims based on the criminal's postings, but not all companies had responded to inquiries at the time of reporting.

Sources

  • The Register, "One criminal, 50 hacked organizations, and all because MFA wasn't turned on" (Cyber-crime), Jessica Lyons, Tue 6 Jan 2026, 07:01 UTC.
