Full Report
A threat actor known as Zestix has been offering to sell corporate data stolen from dozens of companies likely after breaching their ShareFile, Nextcloud, and OwnCloud instances. According to cybercrime intelligence company Hudson Rock, initial access may have been obtained through credentials collected by info-stealing malware such as RedLine, Lumma, and Vidar deployed on employee devices. The three…
Analysis Summary
# Threat Actor: Zestix
## Attribution & Identity
**Identification:** Threat actor known as Zestix.
**Aliases/Groups:** No known aliases or associated groups explicitly detailed in this snippet.
**Source:** Information derived from cybercrime intelligence company Hudson Rock.
## Activity Summary
Zestix has been observed offering for sale corporate data allegedly stolen from dozens of companies. The likely access vector was the victims' self-hosted file-sharing instances, specifically ShareFile, Nextcloud, and OwnCloud, which were breached using stolen credentials.
## Tactics, Techniques & Procedures
- **Initial Access:** Initial access was likely obtained with compromised credentials (valid accounts).
- **Credential Access (Implied):** The credentials were likely harvested by commodity information-stealing malware running on employee devices.
- **Collection/Exfiltration (Implied):** Data was accessed and exfiltrated from the file-sharing platforms (ShareFile, Nextcloud, OwnCloud).
## Targeting
- **Sectors:** Dozens of companies across various, unspecified sectors.
- **Geography:** Not specified in the provided text.
- **Victims:** Dozens of organizations whose credentials were stolen, leading to breaches of their file-sharing solutions.
## Tools & Infrastructure
- **Malware Families Used (for credential theft):**
  - RedLine (info-stealer)
  - Lumma (info-stealer)
  - Vidar (info-stealer)
- **Infrastructure:** No command-and-control infrastructure (C2 servers, domains, IPs) was mentioned; only the targeted platforms (ShareFile, Nextcloud, OwnCloud) were named.
## Implications
Zestix appears to be financially motivated, using widely deployed third-party and self-hosted file-sharing services as the pivot point for data theft. The reliance on commodity info-stealers indicates a low technical barrier to initial access: any organization whose employees' endpoints can be infected is at risk of having file-sharing credentials harvested and reused.
## Mitigations
- **Credential Security:** Reduce the value of harvested credentials by enforcing MFA on file-sharing platforms, rotating credentials promptly when an endpoint infection is confirmed, and backing this with endpoint detection and response to catch the stealer before credentials leave the device.
- **Platform Hardening:** Keep self-hosted file-sharing solutions, specifically **ShareFile, Nextcloud, and OwnCloud**, patched and securely configured, and review their access logs for logins from unexpected locations or devices.
- **Endpoint Defense:** Deploy endpoint protection capable of detecting and blocking activity associated with known information stealers such as RedLine, Lumma, and Vidar.