Stolen Passwords, Sold Secrets: ‘Zestix’ Breach Exposes Government Contracts and Health Records in Massive Cloud Data Heist

Executive Summary

A threat actor operating under the alias Zestix (also observed using the name “Sentap”) conducted a large-scale credential abuse campaign targeting enterprise cloud file-sharing platforms, primarily ShareFile and Nextcloud environments used by corporate and government entities.

The attacker did not exploit a zero-day vulnerability in the platforms themselves. Instead, the breach was enabled through:

  • Stolen employee credentials harvested by info-stealer malware
  • Lack of enforced multi-factor authentication (MFA)
  • Password reuse across services
  • Poor credential hygiene and token lifecycle management

Once authenticated with valid credentials, the attacker accessed sensitive repositories and exfiltrated regulated corporate data, which was later advertised for sale on underground forums.


What Happened

Zestix obtained login credentials belonging to employees of multiple organizations. These credentials were valid and, in many cases, several years old but still active.

Using those credentials, the actor:

  1. Logged into corporate ShareFile and Nextcloud environments.
  2. Enumerated accessible folders and repositories.
  3. Downloaded bulk data sets.
  4. In some cases, created persistence through additional accounts or API tokens.
  5. Advertised the stolen datasets for sale on dark web forums.

The stolen data reportedly included:

  • Government contract documents
  • Healthcare records and patient information
  • Aerospace engineering documentation
  • Infrastructure diagrams
  • Legal case files
  • Financial and procurement records
  • Internal network maps
  • Utility grid documentation

Over 50 organizations across aviation, defense, healthcare, telecom, manufacturing, and government sectors were reportedly impacted.


How It Happened

Initial Vector: Info-Stealer Malware Infection

The campaign began with endpoint compromise, not cloud exploitation.

Employees at victim organizations were infected with info-stealer malware. These malware families are typically delivered via:

  • Malvertising
  • Fake software installers (cracked software, browser extensions)
  • Phishing emails with malicious attachments
  • Trojanized updates
  • Drive-by downloads

Once executed, info-stealers extract:

  • Browser-stored credentials
  • Session cookies
  • Autofill data
  • Password manager databases
  • Cryptocurrency wallet data
  • System fingerprinting information

The harvested credentials are uploaded to attacker-controlled infrastructure and often resold in credential marketplaces.


Malware Families Involved

While exact payload attribution varies per victim, commonly observed info-stealers in similar breaches include:

  • RedLine Stealer
  • Lumma Stealer
  • Vidar
  • Raccoon Stealer
  • Meta Stealer

What These Payloads Do

  • Target Chromium and Firefox-based browsers
  • Extract saved credentials from:
    • Chrome Login Data (SQLite)
    • Firefox key4.db
  • Dump session cookies, which can bypass MFA where the stolen session can be replayed
  • Capture system information:
    • IP address
    • OS version
    • Installed software
    • AV products
  • Upload data via HTTPS POST to C2

Was a Vulnerability Exploited?

There is no evidence of a software vulnerability exploit in ShareFile or Nextcloud.

This was a credential abuse campaign, meaning:

  • The attacker logged in legitimately.
  • Authentication logs show successful login events.
  • The breach bypassed security because the credentials were valid.

This makes detection harder because:

  • No exploit signature is triggered.
  • No vulnerability scanning alerts fire.
  • Activity appears as legitimate user login.

Why MFA Failed

The most common weaknesses observed:

  1. MFA not enabled.
  2. MFA enabled but bypassed using:
    • Session cookies stolen from infected endpoints.
    • Legacy authentication protocols.
  3. Conditional access policies misconfigured.
  4. Service accounts without MFA.
  5. Token lifetime too long (no short session expiry).

What the Attacker Did Inside

Once inside:

1. Enumeration

  • Queried directory structure.
  • Used built-in search functions to locate:
    • “contract”
    • “confidential”
    • “invoice”
    • “network”
    • “patient”
    • “bid”
    • “RFP”
    • “export”

2. Data Exfiltration

Methods included:

  • Manual download via web UI.
  • Use of WebDAV (Nextcloud).
  • API-based bulk download.
  • Sync clients.
  • Scripted downloads via curl or Python requests.

3. Persistence

  • Created new user accounts.
  • Generated API tokens.
  • Enabled backup syncs.
  • Registered new OAuth applications.

What Was Impacted

Data Types

  • PII (Personally Identifiable Information)
  • PHI (Protected Health Information)
  • Government contract pricing
  • Defense schematics
  • Aircraft maintenance manuals
  • Engineering blueprints
  • Utility grid layouts
  • Network topology maps
  • Financial statements

Business Impact

  • Regulatory exposure (HIPAA, GDPR, government compliance)
  • Legal liability
  • Intellectual property theft
  • Competitive disadvantage
  • National security implications (infrastructure data exposure)

Indicators of Compromise (IOCs)

Since this was credential-based abuse, IOCs are more behavioral than static.

Endpoint-Level IOCs

Look for signs of info-stealer infection:

Suspicious Processes

  • Randomized executable names in:
    • %AppData%
    • %LocalAppData%
    • %Temp%
  • Execution of unsigned binaries
  • Unexpected PowerShell launching encoded commands

File Artifacts

  • Access to:
    • Chrome “Login Data”
    • “Cookies” SQLite DB
    • key4.db
  • Archive creation (ZIP/RAR) shortly before outbound HTTPS traffic

Registry

  • Run keys persistence:
    • HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Network-Level IOCs

  • Outbound HTTPS to newly registered domains
  • Traffic to bulletproof hosting providers
  • POST requests with base64 blobs
  • TLS connections to suspicious ASN ranges

Common C2 URL path patterns:

  • /gate.php
  • /api/v1/submit
  • /panel/upload

Cloud Audit Log Indicators

ShareFile / Nextcloud Logs

Look for:

  • Login from unusual geolocation
  • Impossible travel events
  • Login from residential IP ranges
  • Access during non-business hours
  • Bulk download events
  • Spike in API calls
  • WebDAV bulk transfer
  • Creation of new API tokens
  • Creation of new admin users

Suspicious Behavior Patterns

  • Multiple folder downloads in rapid sequence
  • Searches for sensitive keywords
  • Downloading full repository structures
  • Large outbound transfer volumes

Detection Strategy

1. Endpoint Detection Rule (EDR)

Detect credential harvesting behavior:

IF process accesses:
  Chrome Login Data OR
  Firefox key4.db OR
  Browser Cookies DB
AND process NOT in approved list
THEN alert "Possible Credential Harvester"

2. Cloud Detection Rule

IF login_success
AND geo_location != user_baseline
AND MFA not present
THEN alert "Suspicious Valid Login"

3. Bulk Download Detection

IF user_download_volume > 3x 30-day baseline
OR > 5GB within 2 hours
THEN alert "Potential Data Exfiltration"

4. Impossible Travel Detection

IF login from Country_A
AND login from Country_B within < 4 hours
THEN flag account
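The three cloud-side rules above (suspicious valid login, bulk download, impossible travel), as an added example that is not part of the original post, run over constructed ShareFile/Nextcloud-style audit events. The event field names, the user names and the per-user baselines are assumptions; the thresholds are the ones stated in the rules.

```python
from datetime import datetime, timedelta

# Constructed ShareFile/Nextcloud-style audit events (sample data, not from any real tenant).
EVENTS = [
    {"ts": "2024-03-01T01:00:00", "user": "alice", "event": "login_success", "country": "US", "mfa": False},
    {"ts": "2024-03-01T02:30:00", "user": "alice", "event": "login_success", "country": "NL", "mfa": False},
    {"ts": "2024-03-01T02:40:00", "user": "alice", "event": "download", "bytes": 3_500_000_000},
    {"ts": "2024-03-01T03:10:00", "user": "alice", "event": "download", "bytes": 2_000_000_000},
    {"ts": "2024-03-01T09:00:00", "user": "bob", "event": "login_success", "country": "US", "mfa": True},
    {"ts": "2024-03-01T09:05:00", "user": "bob", "event": "download", "bytes": 40_000_000},
    {"ts": "2024-03-01T10:00:00", "user": "carol", "event": "download", "bytes": 40_000_000},
]
# Assumed per-user baselines, normally derived from 30 days of history.
HOME_COUNTRY = {"alice": "US", "bob": "US", "carol": "US"}
BASELINE_BYTES_30D = {"alice": 200_000_000, "bob": 150_000_000, "carol": 10_000_000}
GB = 1_000_000_000

def _t(e):
    return datetime.fromisoformat(e["ts"])

def suspicious_valid_logins(events, home=HOME_COUNTRY):
    """Rule 2: successful login from outside the user's baseline geo with no MFA."""
    return [(e["user"], e["country"]) for e in events
            if e["event"] == "login_success" and e["country"] != home.get(e["user"]) and not e["mfa"]]

def bulk_downloads(events, baseline=BASELINE_BYTES_30D, window=timedelta(hours=2)):
    """Rule 3: more than 3x the 30-day baseline in total, or > 5 GB inside any 2-hour window."""
    alerts = set()
    for user in {e["user"] for e in events}:
        dl = sorted((e for e in events if e["user"] == user and e["event"] == "download"), key=_t)
        if sum(e["bytes"] for e in dl) > 3 * baseline.get(user, 0):
            alerts.add(user)
        for i, first in enumerate(dl):  # sliding window anchored on each download
            if sum(e["bytes"] for e in dl[i:] if _t(e) - _t(first) <= window) > 5 * GB:
                alerts.add(user)
    return sorted(alerts)

def impossible_travel(events, max_gap=timedelta(hours=4)):
    """Rule 4: consecutive successful logins from different countries less than 4 hours apart."""
    flagged, last = set(), {}
    for e in sorted(events, key=_t):
        if e["event"] != "login_success":
            continue
        prev = last.get(e["user"])
        if prev and prev["country"] != e["country"] and _t(e) - _t(prev) < max_gap:
            flagged.add(e["user"])
        last[e["user"]] = e
    return sorted(flagged)
```

On the sample data alice trips all three rules, while carol is caught only by the baseline comparison, which is the branch that surfaces a quiet account suddenly pulling far more than usual.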

Threat Hunting Guidance

Hunt 1: Credential Stuffing / Reuse

  • Cross-reference employee emails against dark web dumps.
  • Check if exposed passwords match current passwords.
  • Review login logs for old accounts not recently active.

Hunt 2: Token Abuse

Search for:

  • API tokens created without change request.
  • Tokens with long lifetimes.
  • OAuth apps registered recently.

Hunt 3: Info-Stealer Infection

On endpoints:

  • Review proxy logs for stealer C2 patterns.
  • Identify machines that contacted known stealer infrastructure.
  • Check for archive creation followed by HTTPS upload.
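Hunt 3 combined with the C2 URL path patterns from the Network-Level IOCs section, as an added example that is not code from the original post: proxy log lines are parsed, POSTs to stealer-panel style paths with a sizeable body are picked out, and each is correlated with an archive created on the same host shortly before. The log line format, hostnames, domains and EDR event shape are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

C2_PATHS = ("/gate.php", "/api/v1/submit", "/panel/upload")  # paths named in the IOC section

# Constructed sample telemetry (not from a real environment): EDR archive-creation events
# as (timestamp, host, file) and proxy lines as "ts host method url bytes_out".
ARCHIVE_EVENTS = [
    ("2024-03-01T02:03:50", "host-17", r"C:\Users\j.doe\AppData\Local\Temp\a8f3.zip"),
    ("2024-03-01T01:15:00", "host-22", r"C:\Users\m.lee\Documents\photos.zip"),
]
PROXY_LOG = """\
2024-03-01T02:05:13 host-17 POST https://panel.example-bad.top/gate.php 184320
2024-03-01T02:06:00 host-22 GET https://updates.example-legit.net/index.html 512
2024-03-01T02:07:45 host-31 POST https://files.example-bad.top/panel/upload 95000
2024-03-01T02:08:10 host-22 POST https://intranet.example-legit.net/api/v1/submit 2048
"""
LINE = re.compile(r"^(\S+) (\S+) (\S+) https?://[^/]+(/\S*) (\d+)$")

def parse_proxy(log):
    """Turn proxy lines into dicts; lines that do not match the assumed format are skipped."""
    rows = []
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            ts, host, method, path, size = m.groups()
            rows.append({"ts": datetime.fromisoformat(ts), "host": host,
                         "method": method, "path": path, "bytes": int(size)})
    return rows

def c2_style_posts(rows, min_bytes=50_000):
    """HTTPS POSTs to stealer-panel style paths that carry a sizeable outbound body."""
    return [r for r in rows if r["method"] == "POST" and r["path"] in C2_PATHS and r["bytes"] >= min_bytes]

def archive_then_upload(posts, archives, window=timedelta(minutes=10)):
    """Hunt 3 correlation: an archive written on the same host within `window` before the upload."""
    hits = []
    for p in posts:
        for ts, host, path in archives:
            if host == p["host"] and timedelta(0) <= p["ts"] - datetime.fromisoformat(ts) <= window:
                hits.append((host, path, p["path"]))
    return hits
```

The small intranet POST on host-22 is kept out by the body-size floor, and the host-31 upload is reported as a C2-style POST but has no preceding archive, so only host-17 yields the full archive-then-upload sequence.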

Hunt 4: Dormant Account Activity

  • Identify accounts inactive >90 days.
  • Check if they logged in recently.
  • Investigate bulk download events tied to them.

Why This Campaign Worked

This was not a sophisticated exploit campaign.

It succeeded because:

  • Employees reused passwords.
  • MFA was not mandatory.
  • Old credentials were never rotated.
  • Session tokens were not revoked.
  • Endpoint protection did not detect info-stealers.
  • Organizations did not monitor cloud download anomalies.

In short: the attacker used valid keys to walk through the front door.


Defensive Recommendations

Immediate

  • Force password reset across impacted users.
  • Invalidate all active session tokens.
  • Enforce MFA everywhere.
  • Review cloud audit logs for 6–12 months.

Medium Term

  • Implement conditional access (device trust + geo restrictions).
  • Deploy EDR capable of detecting browser credential scraping.
  • Reduce token lifetime.
  • Monitor for mass download behavior.

Long Term

  • Implement zero trust access.
  • Use hardware-backed MFA.
  • Conduct regular credential exposure monitoring.
  • Train employees on stealer delivery methods.

Final Takeaway

The Zestix campaign highlights a critical reality in modern breaches:

Attackers do not always need exploits.

If credentials are stolen and MFA is weak or absent, cloud platforms become soft targets — even when fully patched.

The breach was not about breaking encryption.
It was about abusing trust.


Aegiron

Backed by 11+ years in cybersecurity and incident response, we decode the latest threats shaping today’s digital battlefield. This blog cuts through the noise with clear insights on vulnerabilities, emerging exploits, and the cyber news defenders can’t afford to miss.