- A single threat actor with the alias Zestix (also known as Sentap) is reported to be responsible.
What tools were used
- Infostealer malware such as RedLine, Lumma, and Vidar was central to this campaign. These commodity strains harvest:
- Stored browser credentials
- Session cookies
- Saved logins and tokens
- Local sensitive files such as documents and system info
- Infostealers are a leading cause of credential compromise in modern breaches, with billions of passwords already exposed by similar malware in prior campaigns.
How access was gained
- Rather than exploiting a software vulnerability, the attacker used legitimate stolen credentials to log into cloud file portals like ShareFile, OwnCloud, and Nextcloud.
- The root cause across victims was poor security hygiene: none of these cloud systems enforced multi-factor authentication (MFA), so a harvested username and password alone was enough to log in. MFA would have blocked this password replay, but it is not a complete answer to infostealer exposure: the same malware also steals live session cookies, which can be replayed without a password or second factor, so short session lifetimes and revoking active sessions after a compromise matter as well.
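Because the logins used valid credentials, there was no exploit to signature; what remains detectable is behaviour. The following is an added example (not code from the original article, from Hudson Rock, or from any of the portal vendors named above) that runs two simple rules over portal authentication logs: a successful login from an address the account has never used before, and one source address authenticating as several different accounts within a short window, which is what an attacker working through a batch of stolen credentials looks like. The log schema (one JSON object per line with `time`, `user`, `remoteAddr` and `message` fields) and the sample lines are constructed for the example and only loosely resemble a Nextcloud-style log; the field names, the per-user IP baseline, and the thresholds are assumptions to adapt to your own logs.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, one JSON object per line. Field names and the
# "Login successful" / "Login failed" message text are assumptions, not any
# vendor's exact format. Addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
{"time":"2024-05-01T08:02:11+00:00","user":"alice","remoteAddr":"203.0.113.10","message":"Login successful"}
{"time":"2024-05-01T08:10:40+00:00","user":"bob","remoteAddr":"203.0.113.11","message":"Login successful"}
{"time":"2024-05-01T09:00:05+00:00","user":"alice","remoteAddr":"198.51.100.77","message":"Login successful"}
{"time":"2024-05-01T09:03:19+00:00","user":"bob","remoteAddr":"198.51.100.77","message":"Login successful"}
{"time":"2024-05-01T09:04:02+00:00","user":"dave","remoteAddr":"198.51.100.77","message":"Login failed"}
{"time":"2024-05-01T09:05:48+00:00","user":"carol","remoteAddr":"198.51.100.77","message":"Login successful"}
{"time":"2024-05-01T13:00:00+00:00","user":"erin","remoteAddr":"192.0.2.5","message":"Login successful"}
"""

# Constructed per-user baseline: addresses each account used during a
# known-good period. In practice this is built from weeks of prior logs.
KNOWN_IPS = {
    "alice": {"203.0.113.10"},
    "bob": {"203.0.113.11"},
    "carol": {"203.0.113.12"},
    "erin": {"203.0.113.14"},
}


def parse_events(text):
    """Parse JSON-lines log text into dicts, converting 'time' to a datetime."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["time"] = datetime.fromisoformat(rec["time"])
        events.append(rec)
    return sorted(events, key=lambda r: r["time"])


def successful_logins(events):
    """Only successful authentications matter here: failures never yielded access."""
    return [e for e in events if e["message"] == "Login successful"]


def find_new_ip_logins(events, known_ips):
    """Rule 1: a valid password accepted from an address this user has never used.

    Returns (user, remoteAddr, ISO time) tuples. A user missing from the
    baseline is treated as having no known addresses, so every login is new.
    """
    hits = []
    for e in successful_logins(events):
        if e["remoteAddr"] not in known_ips.get(e["user"], set()):
            hits.append((e["user"], e["remoteAddr"], e["time"].isoformat()))
    return hits


def find_ip_fanout(events, min_users=3, window=timedelta(minutes=15)):
    """Rule 2: one source address logging in as >= min_users distinct accounts
    within `window`. Returns one (ip, sorted user list) finding per address.
    """
    by_ip = defaultdict(list)
    for e in successful_logins(events):
        by_ip[e["remoteAddr"]].append(e)  # already time-ordered by parse_events
    hits = []
    for ip, evs in by_ip.items():
        for i, start in enumerate(evs):
            users = {x["user"] for x in evs[i:] if x["time"] - start["time"] <= window}
            if len(users) >= min_users:
                hits.append((ip, sorted(users)))
                break  # report each address once
    return hits


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for hit in find_new_ip_logins(evs, KNOWN_IPS):
        print("NEW-IP  ", hit)
    for hit in find_ip_fanout(evs):
        print("FAN-OUT ", hit)
```

On the sample, rule 1 flags alice, bob and carol from 198.51.100.77 and erin from 192.0.2.5; rule 2 flags 198.51.100.77 alone, since three different accounts authenticated from it inside six minutes while dave's failed attempt is ignored. Shared VPN or NAT egress addresses will trip the fan-out rule on legitimate traffic, so allow-list known corporate egress before alerting; and treat a rule 1 hit as a prompt to check the account's device for an infostealer and reset the credential, not just to block the address.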
Scope & Impact
According to analysis from Hudson Rock and independent reporting:
Victims
- Over 50 global organizations across industries including engineering, defense, healthcare, transportation, aviation, and software.
Types of data stolen
Specific losses reported include:
- Engineering and military-related design data (e.g., LiDAR files used by utility and defense firms).
- Defense manufacturing design files (e.g., ITAR-regulated STEP files related to UAV and fighter components).
- Large volumes of healthcare records and police medical files from Brazilian health entities.
- Aviation maintenance and technical data for commercial aircraft.
- Train manufacturing and SCADA firmware data tied to critical infrastructure.
This indicates that both sensitive corporate data and potentially national-security–relevant materials were exposed.
Data Monetization
- Zestix reportedly auctioned access and stolen data on dark-web forums, where access to cloud storage systems can fetch thousands of dollars in cryptocurrency.
This reflects a broader trend in cybercrime where Initial Access Brokers (IABs) sell compromised logins to others who may then escalate to ransomware or further exploitation.
Threat Landscape Context
Infostealers and related credential theft are not isolated incidents—they’re part of a growing trend in cybercrime:
- Infostealer malware accounts for a large share of modern intrusions, often leading to secondary breaches or resale of credentials.
- Cybercriminal marketplaces routinely trade stolen corporate credentials, enabling access to cloud services and enterprise portals.
This case highlights how foundational security gaps—like missing MFA and poor password rotation—can turn common malware into devastating corporate breaches.
Summary Takeaways
- Infostealer malware remains a top enabler of large breaches through credential harvesting and reuse.
- The attack was not a sophisticated zero-day exploit but a credential abuse case made possible by lax defenses (especially missing MFA).
- The scale (50 companies) and sensitivity of data (engineering specs, medical records) underline how valuable stolen credentials have become on underground markets.
