TRENDING TOPICS JAN 06, 2026

Zestix Targets Credential-Driven Access to Corporate File-Sharing Data

Hudson Rock reports that a threat actor known as Zestix has been advertising stolen corporate data tied to dozens of organizations, with activity pointing to compromised ShareFile, Nextcloud, and ownCloud environments. The likely entry point was employee usernames and passwords harvested by infostealer infections on endpoints, including RedLine, Lumma, and Vidar. These infections typically collect saved credentials from browsers and other common applications; the attacker then replays those credentials against corporate cloud services, which succeeds wherever MFA is not enforced. Hudson Rock noted that some of the exposed credentials had been circulating in criminal ecosystems for years, which points to weak password rotation and to long-lived sessions that were never terminated after the exposure.
Zestix appears to operate as an initial access broker, selling access or datasets across a wide range of sectors, including aviation, defense, healthcare, utilities, telecom, legal, real estate, mass transit, and government. In at least 15 cases, Hudson Rock tied employee credentials directly to the targeted cloud file-sharing services through its infostealer log analysis, corroborated by open-source indicators, though most affected organizations have not publicly confirmed a breach. The actor’s listings claim data volumes ranging from tens of gigabytes to multiple terabytes, spanning operational files, customer data, engineering materials, internal system documentation, and contract-related records; exposure of this material could harm privacy and competitive position and, in some sectors, raise national security concerns. Hudson Rock also identified an additional group of victims marketed under the alias “Sentap,” though those were not validated to the same standard.
The broader takeaway is that this is not a single-actor problem: Hudson Rock reports widespread endpoint infections and credential exposure across many large enterprises, reinforcing that credential theft remains a common path into high-value cloud platforms.
The pattern is straightforward: endpoint infection leads to credential capture, credential reuse enables cloud access, and weak identity controls allow data extraction at scale. Organizations should enforce MFA on all external-facing cloud services immediately, rotate passwords for any accounts tied to these platforms, and revoke active sessions along with any app-specific passwords or API tokens, since a password reset alone does not always cut off access that is already established. Add continuous credential exposure monitoring, tighten conditional access for cloud logins, and prioritize endpoint hardening and user awareness to reduce the risk of infostealer and ClickFix-style infections.
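To make the credential-exposure monitoring and session-revocation steps concrete, here is an added example (not Hudson Rock’s tooling and not code from the page) that correlates a constructed infostealer exposure list with file-sharing login and download events and decides which accounts need their sessions revoked. The JSON-lines log schema, the exposure list, the known-IP baseline and the 1 GiB bulk-download threshold are all assumptions; real ShareFile, Nextcloud and ownCloud logs use their own formats, so the parse step is the part to adapt.

```python
"""Correlate infostealer-exposed accounts with file-sharing auth activity.

Added example, not Hudson Rock's tooling or code from the page. The JSON-lines
schema, exposure list, known-IP baseline and thresholds are assumptions.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed export from credential-exposure monitoring: account -> date the
# credential was first seen in an infostealer log dump.
EXPOSED_ACCOUNTS = {
    "j.smith@example.com": "2022-03-14",   # circulating for years
    "a.lee@example.com": "2025-12-29",
}

# Constructed baseline of source IPs each account used in the last 90 days.
KNOWN_IPS = {
    "j.smith@example.com": {"198.51.100.7"},
    "m.jones@example.com": {"198.51.100.7"},
    "a.lee@example.com": {"198.51.100.7"},
}

# Constructed auth/activity events (simplified schema; real product logs differ).
SAMPLE_LOG = """\
{"ts": "2026-01-04T02:11:08Z", "event": "login", "user": "j.smith@example.com", "ip": "203.0.113.45", "mfa": false, "result": "success"}
{"ts": "2026-01-04T02:13:40Z", "event": "download", "user": "j.smith@example.com", "ip": "203.0.113.45", "bytes": 734003200}
{"ts": "2026-01-04T02:19:02Z", "event": "download", "user": "j.smith@example.com", "ip": "203.0.113.45", "bytes": 1288490188}
{"ts": "2026-01-04T09:02:15Z", "event": "login", "user": "m.jones@example.com", "ip": "198.51.100.7", "mfa": true, "result": "success"}
{"ts": "2026-01-04T09:05:00Z", "event": "download", "user": "m.jones@example.com", "ip": "198.51.100.7", "bytes": 2048000}
{"ts": "2026-01-05T22:40:31Z", "event": "login", "user": "a.lee@example.com", "ip": "203.0.113.99", "mfa": false, "result": "failure"}
"""

BULK_THRESHOLD_BYTES = 1024 ** 3        # 1 GiB pulled in one session window (assumption)
SESSION_WINDOW = timedelta(hours=1)


def parse_events(text):
    """Parse JSON lines into dicts with a timezone-aware datetime, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def triage(events, exposed=EXPOSED_ACCOUNTS, known_ips=KNOWN_IPS):
    """Return {account: finding} for successful logins that warrant revoking sessions."""
    downloads = defaultdict(list)          # user -> [(ts, bytes)]
    for e in events:
        if e["event"] == "download":
            downloads[e["user"]].append((e["ts"], e["bytes"]))

    findings = {}
    for e in events:
        if e["event"] != "login" or e["result"] != "success":
            continue
        user, reasons = e["user"], []
        if user in exposed:
            reasons.append(f"credentials in infostealer logs since {exposed[user]}")
        if not e["mfa"]:
            reasons.append("login without MFA")
        if e["ip"] not in known_ips.get(user, set()):
            reasons.append(f"new source IP {e['ip']}")
        # Volume pulled within SESSION_WINDOW of this login: the extraction-at-scale signal.
        pulled = sum(b for ts, b in downloads[user] if e["ts"] <= ts <= e["ts"] + SESSION_WINDOW)
        if pulled >= BULK_THRESHOLD_BYTES:
            reasons.append(f"bulk download of {pulled / 1024 ** 3:.1f} GiB within {SESSION_WINDOW}")

        # Exposed credentials plus an MFA-less success is enough to act on by itself;
        # a new IP or a bulk pull on top of that makes it critical.
        if user in exposed and not e["mfa"]:
            severity = "critical" if len(reasons) >= 3 else "high"
        elif len(reasons) >= 2:
            severity = "medium"
        else:
            continue
        prior = findings.get(user)
        if prior is None or len(reasons) > len(prior["reasons"]):
            findings[user] = {
                "severity": severity,
                "reasons": reasons,
                "actions": ["revoke all sessions and app tokens", "force password reset",
                            "require MFA enrollment before next login"],
            }
    return findings


if __name__ == "__main__":
    for user, f in triage(parse_events(SAMPLE_LOG)).items():
        print(f"[{f['severity'].upper()}] {user}")
        for r in f["reasons"]:
            print("   -", r)
        print("   actions:", "; ".join(f["actions"]))
```

On the constructed input only j.smith is reported: exposed credentials, no MFA, a never-seen source IP and roughly 1.9 GiB pulled within the hour after login. The MFA-protected login from a known IP produces nothing, and the failed login for a.lee is skipped, though a run of such failures would belong in a separate spraying or brute-force rule.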

Update: AI Is Shifting the Balance in Active Directory Password Attacks

Active Directory remains the backbone of identity in most organizations, keeping it at the center of attacker playbooks. What has changed is speed: generative AI is making password attacks cheaper, faster, and more accessible than they were even a few years ago. Machine-learning cracking approaches such as PassGAN learn real-world password habits and generate high-probability guesses rather than relying solely on fixed wordlists and random guessing. Research cited in the source indicates PassGAN could crack 51% of common passwords in under a minute and 81% within a month, showing how quickly weak patterns fall. When these models are tuned using breach data tied to an organization and public information from the company’s own footprint, attackers can produce highly targeted password candidates that mirror employee behavior. At the same time, powerful GPU capacity has become easier to rent, increasing the number of guesses attackers can run and shortening the time needed to break weak-to-moderate passwords.
Many Active Directory password controls were built for a different threat landscape, and complexity rules often produce predictable formats (a capitalized word, a few digits, a trailing symbol) that AI models handle well. Forced rotation every 60–90 days can also backfire, as users tend to respond with small, repeated changes that attackers can anticipate and test quickly. MFA remains important, but it is not a cure-all if attackers can capture sessions, pressure users into approving prompts, or exploit weak enrollment and recovery processes. The defensive shift should be toward longer passwords or passphrases, plus continuous checks for passwords already exposed in breach datasets, because a “known” password does not need to be cracked at all. Blocking organization-specific terms and common internal wording also reduces the value of attacker reconnaissance when building targeted guesses.
Defenses that address this shift include moving to long passphrases with a minimum length that drives real unpredictability, blocking known-compromised passwords at creation and reset, reducing routine rotation in favor of risk-based resets, deploying phishing-resistant MFA for privileged access, and tightening monitoring and rate-limiting to catch password spraying and abnormal login behavior early.
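An added example (not the page’s code and not any vendor’s product) that turns the password-side recommendations above into checks a reset workflow could run: a passphrase-length floor, a breached-password lookup using the SHA-1 prefix k-anonymity scheme of the Have I Been Pwned Pwned Passwords API, an organization-term blocklist that undoes common leetspeak, a predictable-format check for the Word+digits+symbol shape that complexity rules produce, and detection of the incremental rotations (Welcome2024! to Welcome2025!) the article warns about. The organization terms, the 15-character minimum and the breach “range response” (built inline so the example runs offline) are assumptions.

```python
"""Password-policy checks for the recommendations above.

Added example, not the page's code and not a vendor product. Org terms, the
15-character minimum and the breach 'range response' are constructed assumptions.
"""
import hashlib
import re

MIN_LENGTH = 15                                            # passphrase-length floor (assumption)
ORG_TERMS = {"acme", "acmecorp", "widgets", "springfield"}  # constructed company/recon terms
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})
PREDICTABLE = re.compile(r"^[A-Z][a-z]+\d{1,4}[!@#$%^&*]?$")  # "Word2025!" shapes complexity rules produce


def sha1_hex(pw):
    return hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()


def constructed_range_response(prefix):
    """Stand-in for GET https://api.pwnedpasswords.com/range/<prefix>.

    The real endpoint returns 'SUFFIX:COUNT' lines for every leaked hash sharing the
    5-hex-char prefix, so the full password hash never leaves the client. Here the
    leaked set is constructed inline so the example runs offline.
    """
    leaked = {"Welcome2024!": 1274, "P@ssw0rd": 99000, "Summer2025": 8100}
    response = {}
    for pw, count in leaked.items():
        h = sha1_hex(pw)
        if h[:5] == prefix:
            response[h[5:]] = count
    return response


def is_breached(pw, range_lookup=constructed_range_response):
    """k-anonymity check: send only the prefix, compare suffixes locally."""
    h = sha1_hex(pw)
    return range_lookup(h[:5]).get(h[5:], 0) > 0


def stem(pw):
    """Reduce a password to the word an attacker's model would guess it from:
    strip leading/trailing digits and symbols, lowercase, undo common leetspeak."""
    core = re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", pw).lower().translate(LEET)
    return re.sub(r"[^a-z]", "", core)


def contains_org_term(pw, terms=ORG_TERMS):
    s = stem(pw)
    return any(t in s for t in terms)


def is_incremental_change(new, old):
    """Welcome2024! -> Welcome2025!: same stem, only the suffix bumped."""
    return new != old and stem(new) == stem(old) and stem(new) != ""


def evaluate(candidate, previous=None, range_lookup=constructed_range_response):
    """Return the list of policy violations for a proposed password (empty = accept)."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if is_breached(candidate, range_lookup):
        problems.append("present in breach dataset; no cracking needed")
    if contains_org_term(candidate):
        problems.append("contains an organization-specific term")
    if PREDICTABLE.match(candidate):
        problems.append("predictable Word+digits+symbol format")
    if previous is not None and is_incremental_change(candidate, previous):
        problems.append("incremental change of the previous password")
    return problems


if __name__ == "__main__":
    for new, old in [("Welcome2025!", "Welcome2024!"), ("P@ssw0rd", None),
                     ("Acme-Widgets-2026", None), ("correct horse battery staple", None)]:
        print(f"{new!r}: {evaluate(new, old) or 'accepted'}")
```

In production, `constructed_range_response` is replaced by the HTTPS call to the range endpoint, and the previous-password comparison runs inside the reset flow while the old secret is still available; once only hashes remain, the stem comparison is no longer possible, which is one reason to do the check at reset time rather than afterwards.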

Shared Loader Campaign Targets Manufacturing and Government in Europe and the Middle East

Cyble Research and Intelligence Labs (CRIL) reports a sophisticated, multi-stage phishing campaign in which multiple threat actor groups use the same “commodity loader,” indicating a shared service or a coordinated ecosystem. The activity is considered a serious risk to manufacturing and government organizations, with observed targeting in Italy, Finland, and Saudi Arabia. Initial access is delivered through Purchase Order-themed lures in several attachment formats, including weaponized Office documents, malicious SVG files, and ZIP archives carrying shortcut (.lnk) files. Regardless of the entry method, victims are funneled into a common loader designed to reduce the chance of detection. From there, the attackers deploy a mix of remote access and credential-stealing malware, including PureLog Stealer, Katz Stealer, DCRat, AsyncRAT, and Remcos. The outcome is not a one-off infection but a pathway to sustained access and broad data theft.
CRIL describes a layered evasion chain built to frustrate investigation and reduce forensic traces. Early stages rely heavily on obfuscated scripts, then pull hidden payloads from image files hosted on trusted public platforms, so the download traffic blends into normal browsing. Later stages tamper with an open-source Task Scheduler library, adding malicious functions while preserving the library’s expected behavior, which makes simple detection rules less likely to fire. The final step runs the malicious code under the cover of a legitimate Windows process through process injection, with additional encryption protecting the payload until the last moment. The campaign appears focused on stealing sensitive industrial information and high-value credentials; PureLog Stealer is reported to collect browser logins, wallet data, 2FA secrets, VPN credentials, and detailed host information.
Recommendations include tightening email filtering for Purchase Order themes and attachment-based delivery, blocking or quarantining shortcut files and risky archives from email, restricting Office attachment execution paths, monitoring endpoints for suspicious script activity and unusual downloads from public file hosts, enforcing least privilege to limit credential impact, and ensuring EDR plus incident response playbooks are ready for rapid containment.
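An added example (not CRIL’s code and not anything from the page) of the attachment-side checks recommended above: it inspects ZIP members for shortcut files and double extensions (by header as well as by name, since a shell link keeps its header whatever it is called), SVGs for script and event-handler content, and PNG images for data appended after the IEND chunk, which is one simple way a payload can ride inside an otherwise valid image file. The report does not say how the campaign’s payloads are hidden in images, so that check is an illustrative choice, not a description of the campaign. All sample attachments are constructed inline; the extension and pattern lists are assumptions to tune.

```python
"""Attachment triage for the delivery paths described above.

Added example, not CRIL's code or anything from the page. Sample attachments
are constructed inline; the extension and pattern lists are assumptions to tune.
"""
import io
import re
import struct
import zipfile
import zlib

RISKY_EXT = (".lnk", ".exe", ".js", ".jse", ".vbs", ".hta", ".bat", ".cmd", ".scr", ".wsf")
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?|jpe?g|png|txt)\.[a-z0-9]{1,4}$", re.I)
# Shell Link header: HeaderSize 0x4C followed by the first bytes of the ShellLink CLSID.
LNK_MAGIC = b"\x4c\x00\x00\x00\x01\x14\x02\x00"
# Constructs an SVG needs only if it is meant to run code or load remote content.
SVG_ACTIVE = re.compile(r"<script\b|\bon[a-z]+\s*=|javascript:|<foreignObject\b|<iframe\b|<embed\b", re.I)
PNG_SIG = b"\x89PNG\r\n\x1a\n"


def triage_zip(data):
    """Inspect each member by name and by content (a renamed .lnk still has its header)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            if name.lower().endswith(RISKY_EXT):
                findings.append(f"risky extension: {name}")
            if DOUBLE_EXT.search(name):
                findings.append(f"double extension: {name}")
            with zf.open(info) as fh:
                if fh.read(len(LNK_MAGIC)) == LNK_MAGIC:
                    findings.append(f"shell link (.lnk) header in member: {name}")
    return findings


def triage_svg(text):
    return [f"active content in SVG: {m.group(0).strip()}" for m in SVG_ACTIVE.finditer(text)]


def triage_png(data):
    """Walk the chunk list; anything after IEND is not image data and is a hiding spot."""
    if not data.startswith(PNG_SIG):
        return ["not a PNG despite the extension"]
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        chunk_end = pos + 12 + length            # length + type + data + CRC
        if ctype == b"IEND":
            trailing = len(data) - chunk_end
            return [f"{trailing} bytes appended after IEND"] if trailing > 0 else []
        pos = chunk_end
    return ["truncated PNG: no IEND chunk"]


def triage_attachment(filename, data):
    """Dispatch on extension; unknown types get no finding here (hand them to AV/sandbox)."""
    low = filename.lower()
    if low.endswith(".zip"):
        return triage_zip(data)
    if low.endswith(".svg"):
        return triage_svg(data.decode("utf-8", errors="replace"))
    if low.endswith(".png"):
        return triage_png(data)
    return []


def _png_chunk(ctype, body):
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_samples():
    """Constructed attachments: a PO-themed ZIP with a shortcut, an SVG with script, a PNG with a tail."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Purchase_Order_4471.pdf.lnk", LNK_MAGIC + b"\x00" * 68)   # stub, not a real shortcut
        zf.writestr("PO_terms.txt", b"Please see attached.\n")
    svg = ('<svg xmlns="http://www.w3.org/2000/svg" onload="location=\'https://example.invalid/\'">'
           '<script>/* constructed */</script></svg>')
    png = (PNG_SIG
           + _png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0))   # 1x1 RGB header, no IDAT
           + _png_chunk(b"IEND", b"")
           + b"MZ" + b"\x90" * 100)                                            # constructed "payload" tail
    return {"PO_4471.zip": buf.getvalue(), "diagram.svg": svg.encode(), "logo.png": png}


if __name__ == "__main__":
    for name, data in build_samples().items():
        print(name, "->", triage_attachment(name, data) or "clean")
```

The header check is the one worth keeping even if the extension lists are relaxed: quarantining on `.lnk` alone misses a shortcut renamed inside the archive, while the 0x4C HeaderSize and CLSID bytes are what Windows itself uses to recognize a shell link. The PNG walk is deliberately tolerant of missing IDAT data because the point is the tail, not image validity.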

💡
Hunter Strategy encourages our readers to look for updates in our daily Trending Topics and on Twitter.