NMCV Business LLC
January 6, 2026
•[ information-stealer malware, initial access broker, credential harvesting ]
SecurityWeek summarized Hudson Rock findings that dozens of major breaches were tied to a single initial access broker using credentials harvested by information-stealer malware (RedLine, Lumma, Vidar). The actor (Zestix/Sentap) was described as using stolen employee credentials to access enterprise file-transfer or file-sharing instances (ShareFile, OwnCloud, Nextcloud), with the lack of MFA being the key enabling control failure. The reporting characterized the actor as both stealing data and monetizing it by selling datasets and/or selling access on closed Russian-language forums, with victim organizations spanning aerospace, government infrastructure, legal, robotics, healthcare and other sectors.
UrbanX.io
January 6, 2026
•[ data leak, initial access broker, information-stealer malware ]
SecurityWeek reported that Hudson Rock linked dozens of major breaches to a single initial access broker operating under the aliases Zestix and Sentap. The actor is described as using credentials harvested via information-stealer malware (including RedLine, Lumma, and Vidar) from infected employee devices to log into enterprise file-transfer/file-sharing environments such as ShareFile, OwnCloud, and Nextcloud when MFA was missing. After gaining access, the actor allegedly exfiltrated sensitive corporate data and monetized it by selling datasets or access on closed Russian-language forums, with victim organizations spanning sectors such as aerospace, government infrastructure, legal services, and robotics.
Undisclosed European telecommunications company
July 15, 2025
•[ espionage, vulnerability exploitation, malware ]
China-nexus operators breached a telecom by exploiting an exposed edge service (e.g., NetScaler or SharePoint), then established persistence with SnappyBee-family tooling, harvested credentials, and moved laterally to support systems for intelligence collection. No service interruption was reported; the primary effect is covert access and data staging.
Undisclosed Ukrainian business services organization
June 27, 2025
•[ webshell, credential harvesting, data leak ]
A Symantec-reported intrusion beginning June 27, 2025 used the LocalOlive webshell and living-off-the-land (LOTL) techniques to harvest credentials and system data; activity persisted through mid-2025; no disruption was reported.
At least one individual in Ukraine
January 6, 2024
•[ phishing, credential harvesting, state-sponsored attack ]
The article reports researchers observed a months-long phishing/credential-harvesting operation targeting users of UKR.NET, a popular Ukrainian webmail and news service. The campaign ran from June 2024 through April 2025 and was attributed to Russian state-backed BlueDelta (APT28/Fancy Bear/Forest Blizzard). Researchers said the actors created multiple fake UKR.NET login pages and sent phishing emails with PDF attachments containing embedded links to the fraudulent portals, with more than 20 linked PDF lure files identified. The purpose was assessed as harvesting credentials and gathering intelligence supporting broader Russian objectives; the reporting did not quantify how many users were successfully compromised.