Infostealer infections compounded by a lack of multi-factor authentication (MFA) have resulted in dozens of breaches at major global companies and calls for greater MFA use.
The issue came to light in a Hudson Rock post that detailed the activity of a threat actor operating under the aliases “Zestix” and “Sentap.” The threat actor has auctioned data stolen from the corporate file-sharing portals of roughly 50 major global enterprises, targeting ShareFile, OwnCloud, and Nextcloud instances “belonging to critical entities across the aviation, robotics, housing, and government infrastructure sectors,” the report said, taking pains to note that lack of MFA was the primary cause.
“… these catastrophic security failures were not the result of zero-day exploits in the platform architecture, but rather the downstream effect of malware infections on employee devices combined with a critical failure to enforce Multi-Factor Authentication (MFA),” the report said.
Cyble’s threat intelligence database contains 56 dark web reports and client advisories on Zestix and Sentap going back to mid-2024, and the threat actor appears be connected to a significantly older X/Twitter account, according to a May 2025 Cyble profile. DarkSignal recently did an extensive profile of the threat actor.
Infostealers and No MFA Make Attacks Easy
The Hudson Rock report looked at 15 data breaches claimed by Zestix/Sentap and noted a common attack flow:
- Infection: “An employee inadvertently downloads a malicious file. The infostealer executes and harvests all saved credentials and browser history.”
- Aggregation: “These logs are aggregated in massive databases on the dark web. Zestix parses these logs specifically looking for corporate cloud URLs (ShareFile, Nextcloud).”
- Access: “Zestix simply uses the valid username and password extracted from the logs. Because the organizations listed below did not enforce MFA, the attacker walks right in through the front door. No exploits, no cookies – just a password.”
“The era where brute-force attacks reigned supreme is waning,” the report said. “In its place, the Infostealer ecosystem has risen to become the primary engine of modern cybercrime.
“Contrary to attacks involving sophisticated cookie hijacking or session bypasses, the Zestix campaign highlights a far more pedestrian – yet equally devastating – oversight: The absence of Multi-Factor Authentication (2FA).”
Zestix relies on Infostealer malware such as RedLine, Lumma, or Vidar to infect personal or professional devices – and sometimes the gap between malware infection and exploitation is a long one, as old infostealer logs have led to new cyberattacks in some cases.
“A critical finding in this investigation is the latency of the threat,” Hudson Rock said. “While some credentials were harvested from recently infected machines, others had been sitting in logs for years, waiting for an actor like Zestix to exploit them. This highlights a pervasive failure in credential hygiene; passwords were not rotated, and sessions were never invalidated, turning a years-old infection into a present-day catastrophe.”
ownCloud Calls for Greater MFA Use
ownCloud responded to the report with a call for greater MFA use by clients.
In a security advisory, the company said, “The ownCloud platform was not hacked or breached. The Hudson Rock report explicitly confirms that no zero-day exploits or platform vulnerabilities were involved.”
Stolen credentials from infostealer logs were “used to log in to ownCloud accounts that did not have Multi-Factor Authentication (MFA) enabled. As the report notes: ‘No exploits, no cookies—just a password.’”
ownCloud said clients should immediately enable MFA on their ownCloud instances if they haven’t done so already. “MFA adds a critical second layer of verification that prevents unauthorized access even when credentials are compromised,” the company said.
Recommended steps include:
- Enabling MFA on all user accounts using ownCloud’s two-factor authentication apps
- Resetting passwords for all users and requiring “strong, unique credentials”
- Reviewing access logs for suspicious activity
- Invalidating active sessions to force re-authentication with MFA