Cybersecurity Alert: Threat Actor Zestix/Sentap Exploits Stolen Credentials in Major Data Breaches
A threat actor known as Zestix, also linked to the online persona Sentap, has been identified as an initial access broker (IAB) behind multiple high-profile data breaches, according to cybersecurity firm Hudson Rock. Zestix has been active since late 2024 to early 2025, but the operation traces back to Sentap’s activities dating to 2021; both personas rely on stolen credentials to infiltrate enterprise networks.
Attack Method & Victim Profile
Zestix/Sentap targets organizations across aerospace, government infrastructure, legal, robotics, and defense sectors, exploiting credentials harvested from information stealers like RedLine, Lumma, and Vidar. These credentials—some freshly stolen, others lingering in logs for years—were used to breach file-transfer services such as ShareFile, OwnCloud, and Nextcloud, often due to missing multi-factor authentication (MFA). The actor has successfully compromised systems roughly 50 times, exfiltrating data for sale on Russian-language hacker forums or auctioning access to the networks themselves.
Notable Breaches & Financial Impact
Zestix has claimed responsibility for large-scale breaches, including:
- Iberia (Spanish flag carrier) – 77 GB of data, listed for $150,000
- Pickett & Associates (engineering firm for energy orgs)
- Intecro Robotics (aerospace/defense equipment)
- Maida Health (Brazilian military police contractor)
- CRRC MA (rolling stock manufacturer)
- Pan-Pacific Mechanical (1.04 TB), Bradley R. Tyer & Associates (1.02 TB), and The Providence Group (1 TB)
Under the Sentap alias, the actor’s victim list expands further, though Hudson Rock could not confirm all breaches stemmed from infostealer infections.
Broader Infostealer Threat
The incident underscores the persistent risk of information stealers, which Hudson Rock warns have exposed credentials for thousands of organizations using ShareFile, OwnCloud, and Nextcloud, including Deloitte, Honeywell, KPMG, Samsung, and Walmart. These attacks thrive on malware-as-a-service (MaaS), enabling even unskilled actors to deploy stealers that exfiltrate data in minutes before self-deleting, leaving minimal forensic traces.
The commodification of cybercrime—where stolen credentials fuel credential stuffing, identity theft, and fraud—continues to drive large-scale breaches, with no immediate solution in sight.
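As an added defender-side example (not part of the SecurityWeek or Hudson Rock reporting), the script below shows the kind of exposure audit the incident calls for: it cross-references a stealer-log export against the organisation's own account directory and ranks each exposed account by the two conditions the campaign relied on, a password that has not been rotated since the credential was captured and no MFA on the file-transfer service. The export format (date|url|user|password), the hostnames, and the account records are all constructed assumptions; real stealer-log exports differ, and the password column is never stored.

```python
"""Triage of exposed credentials against an account directory.

Added example, not code from the reporting this page summarises. It assumes
a simplified stealer-log export of the form 'date|url|user|password' and an
identity-team export of MFA status and last password rotation per account.
"""
from dataclasses import dataclass
from datetime import date
from urllib.parse import urlparse

# Constructed sample export (assumed format). The password column is
# deliberately never retained by the parser.
SAMPLE_STEALER_LOG = """\
2021-03-14|https://files.example.com/login|alice@example.com|<redacted>
2024-11-02|https://cloud.example.com/index.php/login|bob@example.com|<redacted>
2025-01-20|https://files.example.com/login|carol@example.com|<redacted>
2025-02-01|https://mail.unrelated.test/login|alice@example.com|<redacted>
2021-03-14|https://files.example.com/login|alice@example.com|<redacted>
garbage line without separators
"""

# Constructed account directory: MFA status and last password rotation.
SAMPLE_ACCOUNTS = {
    "alice@example.com": {"mfa": False, "last_rotated": date(2020, 6, 1)},
    "bob@example.com": {"mfa": True, "last_rotated": date(2025, 3, 1)},
    "carol@example.com": {"mfa": False, "last_rotated": date(2025, 6, 15)},
}

# Hostnames of the file-transfer services the organisation runs (assumed).
MONITORED_HOSTS = {"files.example.com", "cloud.example.com"}


@dataclass(frozen=True)
class Exposure:
    captured: date
    host: str
    user: str


def parse_stealer_log(text: str) -> list[Exposure]:
    """Parse 'date|url|user|password' lines, dropping the password field.
    Malformed lines are skipped and duplicate records collapse to one."""
    seen: set = set()
    out: list = []
    for line in text.splitlines():
        parts = line.split("|")
        if len(parts) != 4:
            continue
        captured_s, url, user, _password = parts
        try:
            captured = date.fromisoformat(captured_s)
        except ValueError:
            continue
        host = urlparse(url).hostname
        if not host:
            continue
        rec = Exposure(captured, host.lower(), user.strip().lower())
        if rec not in seen:
            seen.add(rec)
            out.append(rec)
    return out


def triage(exposures, accounts, monitored_hosts):
    """Return {user: (priority, reasons)} for exposures of monitored hosts.
    The credential is still live if the password was last rotated on or
    before the capture date; missing MFA removes the last barrier to reuse."""
    order = {"critical": 0, "high": 1, "info": 2}
    findings: dict = {}
    for e in exposures:
        if e.host not in monitored_hosts or e.user not in accounts:
            continue
        acct = accounts[e.user]
        reasons = []
        if acct["last_rotated"] <= e.captured:
            reasons.append("password not rotated since capture")
        if not acct["mfa"]:
            reasons.append("no MFA on " + e.host)
        priority = {2: "critical", 1: "high", 0: "info"}[len(reasons)]
        # Keep the worst priority seen for a user across multiple records.
        prev = findings.get(e.user)
        if prev is None or order[priority] < order[prev[0]]:
            findings[e.user] = (priority, reasons)
    return findings


if __name__ == "__main__":
    results = triage(parse_stealer_log(SAMPLE_STEALER_LOG),
                     SAMPLE_ACCOUNTS, MONITORED_HOSTS)
    for user, (prio, why) in results.items():
        print(f"{prio:8} {user}: {'; '.join(why) or 'rotated and MFA enforced'}")
```

On the constructed data, alice is reported as critical (2021 credential, password unchanged since 2020, no MFA), carol as high (rotated after capture but no MFA on the service), and bob as informational (rotated and MFA enforced); the record for an unrelated host is ignored because only the organisation's own services are in scope.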
Source: https://www.securityweek.com/dozens-of-major-data-breaches-linked-to-single-threat-actor/
CRRC Corporation Ltd. cybersecurity rating report: https://www.rankiteo.com/company/crrc-corporation-ltd
Tesseract Intelligence cybersecurity rating report: https://www.rankiteo.com/company/tesseract-intelligence
Australian Information Security Association (AISA) cybersecurity rating report: https://www.rankiteo.com/company/australian-information-security-association
"id": "CRRTESAUS1767704662",
"linkid": "crrc-corporation-ltd, tesseract-intelligence, australian-information-security-association",
"type": "Breach",
"date": "1/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'industry': 'Aerospace/Transportation',
'location': 'Spain',
'name': 'Iberia',
'type': 'Airline'},
{'industry': 'Energy',
'name': 'Pickett & Associates',
'type': 'Engineering Firm'},
{'industry': 'Aerospace/Defense',
'name': 'Intecro Robotics',
'type': 'Manufacturer'},
{'industry': 'Military/Public Safety',
'location': 'Brazil',
'name': 'Maida Health',
'type': 'Healthcare/Defense Contractor'},
{'industry': 'Railway/Rolling Stock',
'name': 'CRRC MA',
'type': 'Manufacturer'},
{'industry': 'Telecommunications',
'location': 'Brazil',
'name': 'K3G',
'type': 'Internet Service Provider'},
{'industry': 'Healthcare',
'location': 'United States',
'name': 'NMCV Business LLC',
'type': 'Data Management'},
{'name': 'Pan-Pacific Mechanical',
'type': 'Engineering/Construction'},
{'name': 'Bradley R. Tyer & Associates',
'type': 'Consulting/Professional Services'},
{'name': 'The Providence Group'},
{'industry': 'Infrastructure',
'location': 'Australia',
'name': 'Australian NBN',
'type': 'Telecommunications'},
{'name': 'UrbanX.io'},
{'industry': 'Finance/Accounting',
'name': 'Deloitte',
'type': 'Consulting/Professional Services'},
{'industry': 'Aerospace/Industrial',
'name': 'Honeywell',
'type': 'Conglomerate'},
{'industry': 'Finance/Accounting',
'name': 'KPMG',
'type': 'Consulting/Professional Services'},
{'industry': 'Electronics',
'name': 'Samsung',
'type': 'Technology/Conglomerate'},
{'industry': 'Consumer Goods',
'name': 'Walmart',
'type': 'Retail'}],
'attack_vector': 'Stolen credentials via information stealers (RedLine, '
'Lumma, Vidar)',
'data_breach': {'data_exfiltration': True,
'personally_identifiable_information': True,
'sensitivity_of_data': 'High (corporate, military, '
'healthcare, and infrastructure data)',
'type_of_data_compromised': ['Credentials',
'Sensitive files',
'Personally Identifiable '
'Information (PII)']},
'description': 'Several major data breaches linked to a threat actor using '
'stolen credentials to compromise enterprise networks. The '
"actor, operating as 'Zestix' and 'Sentap', exfiltrates and "
'sells victim data on hacker forums. Credentials were '
'harvested via information stealers like RedLine, Lumma, and '
'Vidar, often lacking MFA protections.',
'impact': {'brand_reputation_impact': 'High (public disclosure of breaches, '
'data sales on dark web)',
'data_compromised': '77 GB (Iberia), 1.04 TB (Pan-Pacific '
'Mechanical), 1.02 TB (Bradley R. Tyer & '
'Associates), 1 TB (The Providence Group), 306 '
'GB (Australian NBN), 275 GB (UrbanX.io), and '
'others',
'identity_theft_risk': 'High (PII exposure)',
'operational_impact': 'Unauthorized access to sensitive file '
'repositories, data exfiltration, and '
'potential ransomware deployment',
'systems_affected': ['ShareFile',
'OwnCloud',
'Nextcloud',
'Enterprise networks']},
'initial_access_broker': {'data_sold_on_dark_web': True,
'entry_point': 'Stolen credentials from infostealer '
'logs (RedLine, Lumma, Vidar)',
'high_value_targets': ['Aerospace',
'Government infrastructure',
'Legal',
'Robotics',
'Healthcare',
'Telecommunications'],
'reconnaissance_period': 'Credentials harvested '
'from 2021 onwards, '
'exploited in 2024-2025'},
'investigation_status': 'Ongoing',
'lessons_learned': 'Lack of MFA on critical services (e.g., ShareFile, '
'OwnCloud, Nextcloud) enables credential-based attacks. '
'Information stealers remain a persistent threat, with '
'stolen credentials circulating for years before '
'exploitation.',
'motivation': ['Financial gain',
'Data exfiltration and sale',
'Initial access brokerage'],
'post_incident_analysis': {'corrective_actions': ['Implement MFA across all '
'services',
'Deploy endpoint detection '
'for infostealers',
'Regularly audit and rotate '
'credentials'],
'root_causes': ['Lack of MFA on critical services',
'Infostealer infections on '
'employee devices',
'Prolonged exposure of credentials '
'in logs']},
'ransomware': {'data_exfiltration': True,
'ransom_demanded': '$150,000 (Iberia case)'},
'recommendations': ['Enforce multi-factor authentication (MFA) on all '
'critical services and accounts.',
'Monitor for infostealer infections on employee devices '
'(personal and work).',
'Implement network segmentation to limit lateral '
'movement.',
'Enhance monitoring for unauthorized access to file '
'repositories.',
'Conduct regular audits of credential hygiene and dark '
'web exposure.'],
'references': [{'source': 'Hudson Rock'}, {'source': 'SecurityWeek'}],
'threat_actor': 'Zestix (aka Sentap)',
'title': 'Zestix/Sentap Initial Access Broker Campaign',
'type': ['Data Breach', 'Initial Access Broker (IAB) Activity', 'Ransomware'],
'vulnerability_exploited': 'Lack of multi-factor authentication (MFA) on '
'file-transfer services (ShareFile, OwnCloud, '
'Nextcloud)'}