CRRC MA
January 7, 2026
•[ credential theft, information-stealer malware, initial access broker ]
Reporting summarizing Hudson Rock research described an initial access broker believed to be an Iranian national operating under the aliases Zestix and Sentap who repeatedly accessed enterprise file repositories using credentials harvested by information-stealer malware (including RedLine, Lumma, and Vidar). Instead of exploiting a single company-specific vulnerability, the actor leveraged stolen usernames/passwords (some sitting in logs for years) to log into cloud/file-transfer environments lacking multi-factor authentication. The actor was described as exfiltrating large volumes of sensitive corporate data (examples referenced include aviation safety manuals, energy/utility mapping and infrastructure files, and medical/police-related records), then auctioning datasets or selling access on closed forums. Because the article describes a cross-victim pattern/campaign rather than one named-victim incident, this record is coded at the campaign level for a single-actor series of breaches.
NMCV Business LLC
January 6, 2026
•[ information-stealer malware, initial access broker, credential harvesting ]
SecurityWeek summarized Hudson Rock findings that dozens of major breaches were tied to a single initial access broker using credentials harvested by information-stealer malware (RedLine, Lumma, Vidar). The actor (Zestix/Sentap) was described as using stolen employee credentials to access enterprise file-transfer or file-sharing instances (ShareFile, OwnCloud, Nextcloud), with the lack of MFA being the key enabling control failure. The reporting characterized the actor as both stealing data and monetizing it by selling datasets and/or selling access on closed Russian-language forums, with victim organizations spanning aerospace, government infrastructure, legal, robotics, healthcare and other sectors.
Australian NBN
January 6, 2026
•[ Initial Access Broker, Information-stealer malware, RedLine ]
SecurityWeek summarized Hudson Rock findings that dozens of major breaches were tied to a single initial access broker using credentials harvested by information-stealer malware (RedLine, Lumma, Vidar). The actor (Zestix/Sentap) was described as using stolen employee credentials to access enterprise file-transfer or file-sharing instances (ShareFile, OwnCloud, Nextcloud), with the lack of MFA being the key enabling control failure. The reporting characterized the actor as both stealing data and monetizing it by selling datasets and/or selling access on closed Russian-language forums, with victim organizations spanning aerospace, government infrastructure, legal, robotics, healthcare and other sectors. Because the report is multi-victim and campaign-focused rather than a single victims disclosure, this record is captured as a single-actor campaign entry.
UrbanX.io
January 6, 2026
•[ data leak, initial access broker, information-stealer malware ]
SecurityWeek reported that Hudson Rock linked dozens of major breaches to a single initial access broker operating under the aliases Zestix and Sentap. The actor is described as using credentials harvested via information-stealer malware (including RedLine, Lumma, and Vidar) from infected employee devices to log into enterprise file-transfer/file-sharing environments such as ShareFile, OwnCloud, and Nextcloud when MFA was missing. After gaining access, the actor allegedly exfiltrated sensitive corporate data and monetized it by selling datasets or access on closed Russian-language forums, with victim organizations spanning sectors such as aerospace, government infrastructure, legal services, and robotics.
