One Threat Actor Breached 50 Companies Through Their Cloud File-Sharing Portals. No Exploits Required.
A campaign tracked as 'Zestix' used stolen infostealer credentials to walk into the ShareFile, Nextcloud, and OwnCloud instances of roughly 50 global enterprises in early 2026. No software vulnerabilities were needed. Only uploaded files and absent MFA.
VaultTools · March 20, 2026
Photo by Shahadat Rahman on Unsplash
Table of Contents
- What happened
- How the attack worked
- Who was affected
- Why uploaded files are the target
- What this means for file privacy
- Sources
What Happened
In January 2026, researchers at Hudson Rock published findings on a threat actor tracked as “Zestix” (also identified as “Sentap”) who had systematically breached the cloud file-sharing infrastructure of approximately 50 major global enterprises. The stolen data, including engineering blueprints, defense project files, healthcare records, and financial archives, was subsequently auctioned on cybercrime forums.
The campaign had been active since at least late 2024. Public evidence, victim notifications, and active dark-web auctions surfaced together in January 2026, drawing coverage from BleepingComputer, The Register, SecurityWeek, and others. Attribution research by DarkSignal links the actor to an Iranian national with ties to the Funksec cybercriminal group.
How the Attack Worked
No software vulnerability was exploited. The attacker obtained valid employee credentials from infostealer malware logs. Stealers including RedLine, Lumma, and Vidar harvest saved passwords from browsers and applications. Those credentials were then used to log directly into corporate ShareFile, Nextcloud, and OwnCloud portals.
The majority of affected organizations had not enforced multi-factor authentication on their file-sharing portals. With valid credentials and no second factor, access was immediate. Once inside, the attacker downloaded available files and listed the data for sale.
The attack surface was not a software flaw. It was the files themselves, sitting on accessible servers, waiting to be retrieved by anyone holding the right password.
Who Was Affected
Confirmed victims span aviation, defense, healthcare, utilities, infrastructure, and government contracting across roughly 50 enterprises globally. Hudson Rock identified Iberia Airlines, from which 77 GB of technical safety and fleet data was taken, and Intecro Robotics, from which 11.5 GB including military intellectual property was stolen. The full victim list spans organizations in Europe, the Middle East, and the Americas.
Why Uploaded Files Are the Target
Cloud file-sharing platforms hold documents because that is their function. A user uploads a sensitive contract, a design file, or a medical record to collaborate or convert it, and that file remains on the platform’s infrastructure until it is explicitly removed. It is accessible through the platform’s authentication layer for as long as it persists.
This creates a durable, centralized repository of sensitive documents. Attackers who obtain valid credentials, through phishing, infostealer infections, or data broker purchases, gain access to everything stored there. The breach does not require a sophisticated exploit. It requires a password.
Online file processing tools create the same exposure. A PDF uploaded to a cloud-based compressor or converter travels to a remote server, where it is processed and held temporarily or indefinitely depending on the service’s retention policy. The file exists outside the user’s control from the moment it is uploaded.
What This Means for File Privacy
The Zestix campaign demonstrates that the risk in cloud file handling is not hypothetical. Files entrusted to third-party servers are only as secure as the credentials protecting those servers, and credential theft through infostealer malware is industrialized and widespread.
File processing tools that run entirely inside the browser using WebAssembly eliminate this exposure by design. The document is read from the user’s disk, processed locally in the browser tab, and returned to disk. No server receives the file. There is no credential to steal, no retention policy to inspect, and no server to breach.
The Zestix campaign targeted cloud file storage because that is where files accumulate. Browser-based processing means files never accumulate anywhere outside the device.
Sources
- Cloud file-sharing sites targeted for corporate data theft attacks (BleepingComputer)
- One criminal stole info from 50 orgs thanks to no MFA (The Register)
- Dozens of Major Data Breaches Linked to Single Threat Actor (SecurityWeek)
- MFA Failure Enables Infostealer Breach At 50 Enterprises (Infosecurity Magazine)
- Stolen passwords led to 50 major breaches (Cybernews)
- Zestix/Sentap Cybercrime Campaign Targets ShareFile, Nextcloud, and OwnCloud (Rescana)