Zestix Emerges as Key Cloud Access Broker Selling Stolen Corporate Data Across Underground Markets

By Ash K

Cybersecurity researchers are warning of a growing threat actor known as Zestix, who has emerged as a prolific broker of stolen corporate data obtained from compromised cloud environments. The actor is believed to be monetising unauthorised access to dozens of organisations worldwide, primarily by abusing credentials harvested through widespread infostealer malware infections.

According to threat intelligence findings, Zestix operates as an initial access broker, offering direct access to corporate cloud storage and collaboration platforms rather than deploying ransomware or destructive malware.

How Zestix operates

Zestix advertises stolen datasets and access packages on underground forums, claiming access to enterprise cloud services such as ShareFile, Nextcloud, and OwnCloud. These platforms are commonly used to store sensitive internal documents, customer records, and operational data.

Rather than breaching these platforms directly, the actor relies on valid credentials obtained from infected endpoints, allowing access to appear legitimate and evade many security controls.

Role of infostealer malware

Investigations indicate that a significant proportion of Zestix’s access originates from infostealer malware families including RedLine, Lumma, and Vidar. These malware strains are among the most prevalent credential stealers globally, with security researchers estimating millions of infected systems each year.

Infostealers typically harvest browser-stored credentials, session cookies, cloud tokens, and saved passwords, which are then sold or reused by actors like Zestix to access corporate systems.

Scale and scope of the exposure

Threat intelligence assessments suggest Zestix has offered access or data linked to dozens of organisations across multiple sectors. Impacted industries reportedly include defence contractors, healthcare providers, technology firms, and government-adjacent entities.

In several cases, access listings reportedly contained thousands of internal files per organisation, including contracts, financial records, and sensitive internal communications.

Why cloud platforms are a prime target

Cloud storage and collaboration platforms have become central repositories for enterprise data. A single compromised account can provide access to years of accumulated documents, often without triggering alerts if logins appear normal.

Security teams note that cloud account compromise now rivals ransomware as a leading cause of large-scale data exposure, particularly where multi-factor authentication is absent.

Authentication gaps exploited

Many of the breaches linked to Zestix reportedly involve accounts protected only by passwords. In several observed cases, compromised credentials remained valid for months due to a lack of credential rotation or anomaly detection.

Industry studies consistently show that enabling multi-factor authentication can prevent more than 90 percent of credential-based attacks, underscoring how basic security gaps can have outsized consequences.

Initial access broker model

Zestix does not appear to carry out follow-on attacks directly. Instead, it sells stolen access and datasets to other criminals, including ransomware operators, fraud groups, and data resellers.

This division of labour reflects a broader trend in cybercrime, where specialised actors focus on a single stage of the attack chain to maximise efficiency and profit.

Underground market dynamics

Access listings attributed to Zestix are typically priced based on the perceived value of the target, with larger enterprises and regulated sectors commanding higher prices. Cloud access to organisations with sensitive intellectual property or regulated data can fetch significantly higher sums than small business accounts.

Once sold, access may be used for extortion, secondary data theft, or resale, multiplying the downstream risk.

Detection and response challenges

Because attackers use valid credentials, many intrusions linked to Zestix bypass traditional perimeter security tools. Logins often originate from residential IP addresses or cloud-hosted infrastructure that does not immediately appear suspicious.

This makes behavioural analytics, impossible travel detection, and continuous access monitoring critical for identifying compromise.
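The impossible-travel check named above, as an added example that is not from the article or from Hudson Rock: a small Python detector run over constructed cloud login events. Real pipelines resolve each source IP to coordinates with a GeoIP database; here the coordinates are embedded inline as constructed values.

```python
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Ground speed above which two successive logins cannot be one person travelling.
MAX_PLAUSIBLE_KMH = 900.0
# Ignore small moves (GeoIP jitter, same metro area) so office re-logins stay quiet.
MIN_DISTANCE_KM = 50.0


@dataclass
class Login:
    user: str
    ts: datetime   # login time, UTC
    ip: str        # source address (constructed sample value)
    lat: float     # coordinates a GeoIP lookup would resolve for ip (constructed)
    lon: float


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Flag each login that would need travel faster than max_kmh since the
    same account's previous login. Returns one dict per alert."""
    alerts, last = [], {}
    for ev in sorted(events, key=lambda e: (e.user, e.ts)):
        prev = last.get(ev.user)
        if prev is not None:
            km = haversine_km(prev.lat, prev.lon, ev.lat, ev.lon)
            # Floor the gap at one second so simultaneous logins give a huge, finite speed.
            hours = max((ev.ts - prev.ts).total_seconds(), 1.0) / 3600
            kmh = km / hours
            if km >= MIN_DISTANCE_KM and kmh > max_kmh:
                alerts.append({"user": ev.user, "from_ip": prev.ip, "to_ip": ev.ip,
                               "km": round(km), "kmh": round(kmh)})
        last[ev.user] = ev
    return alerts


# Constructed sample: alice logs in from the office, then the same account hits the
# file-share from a residential address on another continent 40 minutes later.
T = datetime.fromisoformat
SAMPLE = [
    Login("alice", T("2024-05-01T08:00:00"), "203.0.113.10", 51.50, -0.12),   # London
    Login("alice", T("2024-05-01T08:40:00"), "198.51.100.7", 40.70, -74.00),  # New York
    Login("bob", T("2024-05-01T09:00:00"), "203.0.113.10", 51.50, -0.12),     # London
    Login("bob", T("2024-05-01T17:30:00"), "192.0.2.44", 52.50, 13.40),       # Berlin
]
```

Running `impossible_travel(SAMPLE)` flags only alice (roughly 5,570 km in 40 minutes); bob's London-to-Berlin move over 8.5 hours stays under the threshold.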

Industry response and notifications

Threat intelligence firm Hudson Rock has been actively identifying and alerting affected cloud service providers and organisations whose credentials have surfaced in Zestix-linked listings. These notifications are intended to enable rapid credential resets and incident containment.

Such efforts highlight the growing role of intelligence sharing in mitigating credential-driven breaches.

What organisations should do now

Security experts recommend enforcing multi-factor authentication across all cloud services, rotating credentials exposed through infostealer infections, and monitoring for abnormal cloud access patterns.

Endpoint protection against infostealer malware, combined with user awareness training, remains a critical first line of defence.

Conclusion

The rise of Zestix illustrates how the economics of cybercrime are shifting toward credential abuse and cloud access brokerage. Rather than deploying noisy attacks, actors increasingly profit from quiet, persistent access to enterprise data.

For organisations, the message is clear: cloud security failures are no longer theoretical risks. Without strong authentication and continuous monitoring, a single compromised credential can expose an entire digital estate.

Ash K
Ashton is a seasoned Cybersecurity Professional with over 25 years of experience in Cybersecurity Research, Cybersecurity Incident response, Products and Security Solutions architecture.