Between December 2025 and January 2026, a single threat actor posted 25 data sales listings on a Russian-language cybercrime forum. The victims spanned 15 countries and every major sector from aviation to critical infrastructure. Prices ranged from free to $150,000.
The actor goes by "Zestix." And despite the sophisticated pricing and global reach, the attack method is almost embarrassingly simple.
No zero-days. No advanced malware. No chained exploits. Zestix parses old infostealer logs for cloud credentials and tests each one until something works. When MFA is absent, they walk right in through the front door.
Infostealers like RedLine, Lumma, and Vidar have become commodity malware. An employee downloads a pirated game or clicks a malicious link. The malware quietly harvests every saved password from their browser. Those logs get sold in bulk on underground markets. Buyers like Zestix sift through them looking for corporate file-sharing URLs.
ShareFile. Nextcloud. OwnCloud. These platforms hold sensitive documents. They're often exposed to the internet. And they're frequently protected by nothing more than a username and password.
The barrier to entry is essentially zero. Parse the logs for corporate URLs, try the credentials, take whatever access you get.
The scale is remarkable. Public reports emerged in early 2026, yet the Zestix forum activity we have observed reaches back only to September 2025. The confirmed victims include:
The common thread across all 50+ confirmed breaches? Lack of MFA on externally accessible file-sharing platforms.
Forum intelligence reveals Zestix operates at multiple capability tiers. The credential harvesting is a volume play. But the actor has also shared detailed EDR evasion techniques for bypassing SentinelOne, provides operational support for investment fraud schemes, and claims to run real-time deepfake systems for video call social engineering.
The credential harvesting funds the operation. The higher-tier capabilities are available for high-value targets.
These companies weren't hacked by nation-state actors with unlimited resources. They weren't targeted by custom malware or sophisticated exploit chains. They were compromised because an employee's device got infected with commodity malware, and the organization never rotated the password or enabled a second factor.
Every single breach was preventable with basic security hygiene.
Enable MFA everywhere. Not SMS-based. FIDO2 keys or passkeys. Every externally accessible system, no exceptions.
Rotate passwords regularly. Some credentials in Zestix's portfolio sat in infostealer logs for years before exploitation. A malware infection from 2022 became a data breach in 2025.
Monitor for credential exposure. Services exist that scan dark web markets and infostealer dumps for your organization's credentials. When exposure is detected, reset the password and revoke active sessions immediately.
Assume breach. If you're running cloud file-sharing without MFA, operate under the assumption that someone already has the password.
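The exposure-monitoring and rotation steps above, as an added example that is not from the article or from any vendor's tooling: it takes constructed stealer-style feed lines, keeps only entries whose URL host is one of the organization's own file-sharing hosts, discards the password values, and compares each capture date against the account's last password change to decide whether the leaked credential is presumed still valid (the 2022-infection-to-2025-breach case). The hosts, accounts, dates and feed layout are all constructed assumptions.

```python
"""Triage of leaked credentials against an organization's file-sharing hosts.

Added example, not code from the article. Assumes a credential-exposure feed
delivered as "captured_date|url|username|password" lines and an internal
directory of last-password-change dates. Every value below is constructed.
"""
from dataclasses import dataclass
from datetime import date
from urllib.parse import urlparse

# Externally reachable file-sharing hosts the organization operates (constructed).
MONITORED_HOSTS = {"files.example.com", "share.example.com", "cloud.example.com"}

# Reference date for computing how long a credential has been exposed (constructed).
TODAY = date(2026, 1, 31)

# Constructed feed lines: captured_date|url|username|password
CONSTRUCTED_FEED = """\
2022-03-14|https://files.example.com/login|alice@example.com|Winter2022!
2025-11-02|https://cloud.example.com/index.php/login|bob@example.com|hunter2
2025-11-02|https://www.someothersite.example/login|bob@example.com|hunter2
2024-06-30|https://share.example.com/|carol@example.com|P@ssw0rd
2023-01-09|http://files.example.com:443/auth|ALICE@example.com|Winter2022!
"""

# Constructed directory data: when each account last changed its password.
LAST_ROTATED = {
    "alice@example.com": date(2021, 9, 1),    # unchanged since the 2022 capture
    "bob@example.com": date(2025, 12, 15),    # rotated after the capture
    "carol@example.com": date(2024, 1, 1),    # rotated before the 2024 capture
}


@dataclass(frozen=True)
class Exposure:
    account: str
    host: str
    captured: date


def parse_feed(text):
    """Return the set of exposures whose URL host is one we operate.

    The password field is dropped on the spot: triage only needs to know
    that a credential for this host leaked, never its value.
    """
    exposures = set()
    for line in text.splitlines():
        if not line.strip():
            continue
        captured, url, user, _password = line.split("|", 3)
        host = urlparse(url).hostname  # normalizes away scheme, port and path
        if host in MONITORED_HOSTS:
            exposures.add(Exposure(user.strip().lower(), host, date.fromisoformat(captured)))
    return exposures


def triage(exposures, last_rotated, today):
    """Assign one action per exposed account.

    'reset_and_revoke': the password was not changed after the capture date
    (or the rotation date is unknown), so the leaked credential is presumed
    valid. 'verify_sessions': rotated after the capture; still confirm that
    no session created with the old password survived.
    """
    report = {}
    # Oldest capture first, so the first entry seen per account is its oldest.
    for e in sorted(exposures, key=lambda x: x.captured):
        rotated = last_rotated.get(e.account)
        still_valid = rotated is None or rotated <= e.captured
        entry = report.setdefault(e.account, {
            "action": "verify_sessions",
            "oldest_capture": e.captured,
            "age_days": (today - e.captured).days,
            "hosts": set(),
        })
        entry["hosts"].add(e.host)
        if still_valid:
            entry["action"] = "reset_and_revoke"
    for entry in report.values():
        entry["hosts"] = sorted(entry["hosts"])
    return report


def run_example():
    """Run the triage over the constructed feed and directory data."""
    return triage(parse_feed(CONSTRUCTED_FEED), LAST_ROTATED, TODAY)


if __name__ == "__main__":
    for account, entry in sorted(run_example().items()):
        print(f"{account}: {entry['action']} (exposed {entry['age_days']} days, hosts={entry['hosts']})")
```

The comparison of capture date against last rotation is the part worth copying: an exposure that predates the current password is noise, while one that postdates it means the credential on sale is the one in use today. Hits against hosts you do not operate are discarded rather than stored, and the password column never leaves the parser.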
The infostealer economy has made credential theft scalable and cheap. The only defense is making those credentials worthless through proper authentication controls.
Mike Bell is Founder and CEO of Suzu Labs, building AI-powered platforms for meeting intelligence, business intelligence, and secure document processing. With over two decades in cybersecurity spanning penetration testing, incident response, security architecture, and AI security, he brings a security-first perspective to threat analysis.