Infostealer Malware Compromises Cloud Portals At 50 Global Companies

Keerthana S | January 31, 2025 | 12:39 PM | Technology

A large-scale cybercrime campaign has compromised cloud file storage portals at more than 50 major organizations worldwide, exposing vast amounts of sensitive data after attackers used credentials stolen by infostealer malware.

According to a report by Hudson Rock, a threat actor known as “Zestix,” also operating as “Sentap,” has been selling access to compromised Citrix ShareFile, Nextcloud, and OwnCloud environments on underground forums. The activity was uncovered through analysis conducted for Infostealers.com.

Figure 1. Infostealer Malware.

The campaign traces back to logs generated by widely used infostealer malware families such as RedLine, Lumma, and Vidar. These strains infect employee devices, often personal machines or poorly secured work systems, and harvest browser-saved passwords and session cookies. In many cases the stolen credentials remained valid for months or even years because passwords were never rotated and existing sessions were never invalidated. The primary weakness was not a flaw in the platforms themselves but the absence of multi-factor authentication (MFA), which lets a stolen password alone grant access.

Attackers accessed corporate cloud portals simply by logging in with valid credentials taken from infostealer logs; no exploit was required. Zestix has emerged as a well-known initial access broker on Russian-language cybercrime forums, selling entry into compromised cloud systems for prices reaching tens of thousands of dollars in cryptocurrency. Figure 1 illustrates the infostealer malware behind these logs.

The targets were enterprise file synchronization and sharing platforms. No vulnerability in the platforms is reported in this campaign; their security depends on how they are configured, and without MFA and basic credential hygiene they became easy targets. Affected organizations span multiple industries and regions, including engineering, defense, healthcare, aviation, transportation, and telecommunications.

Exposed data ranged from infrastructure blueprints and defense-related design files to medical records, aircraft maintenance documentation, and industrial control system data [1]. Additional victims included law firms, software providers, ISPs, and healthcare companies handling highly sensitive information.

Hudson Rock noted that the findings do not confirm breaches at all named organizations, as many have not issued public disclosures. However, the intelligence also shows that thousands of companies—including major enterprises and even government-related entities—have cloud access credentials currently circulating in infostealer logs, placing them at high risk.

To mitigate these threats, security experts recommend enforcing MFA across all cloud services, rotating credentials and invalidating existing sessions whenever exposure is suspected, auditing for password reuse across services, and closely monitoring employee endpoints for infostealer infections. Organizations should also check whether their own portal domains appear in circulating stealer logs, since those credentials are already in attackers' hands regardless of whether a breach has been confirmed.
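The recommendations above become concrete once an organization gets hold of a stealer log that mentions its portals. The script below is an added example, not part of the original article and not tooling from Hudson Rock or Infostealers.com. It parses a credential dump in the URL/Username/Password block layout that stealer "Passwords.txt" files commonly use, keeps only entries that point at a Citrix ShareFile, Nextcloud, or ownCloud portal and belong to a corporate account, and flags password reuse and overdue rotation. The sample log, the domain `acme.example`, the rotation dates, and the 90-day policy are all constructed for illustration.

```python
"""Triage infostealer-log credentials against an organization's cloud portals.

Added example. The log format is modeled on the common URL/Username/Password
block layout of stealer 'Passwords.txt' dumps; the sample lines, domains,
and rotation dates below are constructed for illustration.
"""
import re
from datetime import date
from urllib.parse import urlparse

# Constructed sample: three credential blocks as a stealer log might dump them.
SAMPLE_LOG = """\
URL: https://acme.sharefile.com/Authentication/Login
Username: j.doe@acme.example
Password: Summer2023!
Application: Google_[Chrome]_Default

URL: https://cloud.acme.example/nextcloud/index.php/login
Username: j.doe@acme.example
Password: Summer2023!
Application: Mozilla_Firefox

URL: https://www.example-shop.com/account/login
Username: jdoe_private
Password: hunter2
Application: Google_[Chrome]_Default
"""

# Host and path markers for the portal products named in the article.
PLATFORM_PATTERNS = {
    "Citrix ShareFile": re.compile(r"\.sharefile\.com(/|$)", re.I),
    "Nextcloud": re.compile(r"nextcloud", re.I),
    "ownCloud": re.compile(r"owncloud", re.I),
}

# Constructed rotation records: when each corporate account last changed its password.
LAST_ROTATED = {"j.doe@acme.example": date(2023, 6, 1)}
MAX_PASSWORD_AGE_DAYS = 90  # assumed rotation policy


def parse_stealer_log(text):
    """Split a Passwords.txt-style dump into one dict per blank-line-separated block."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")  # split at first colon only; URLs contain ':'
            if sep:
                fields[key.strip().lower()] = value.strip()
        if "url" in fields and "username" in fields:
            records.append(fields)
    return records


def classify_platform(url):
    """Return the portal product a URL belongs to, or None for unrelated sites."""
    parsed = urlparse(url)
    host_and_path = parsed.netloc + parsed.path
    for name, pattern in PLATFORM_PATTERNS.items():
        if pattern.search(host_and_path):
            return name
    return None


def triage(records, corporate_domains, last_rotated, today):
    """Return one finding per corporate portal credential found in the dump."""
    # Count each (user, password) pair across every site in the dump: reuse check.
    pair_counts = {}
    for rec in records:
        key = (rec["username"].lower(), rec.get("password", ""))
        pair_counts[key] = pair_counts.get(key, 0) + 1

    findings = []
    for rec in records:
        platform = classify_platform(rec["url"])
        user = rec["username"].lower()
        if platform is None or user.rpartition("@")[2] not in corporate_domains:
            continue  # consumer site, or an account from another organization
        rotated = last_rotated.get(user)
        age_days = (today - rotated).days if rotated else None
        findings.append({
            "platform": platform,
            "user": user,
            "url": rec["url"],
            "password_reused": pair_counts[(user, rec.get("password", ""))] > 1,
            "rotation_overdue": age_days is None or age_days > MAX_PASSWORD_AGE_DAYS,
            # Any credential present in a stealer log is burned: reset it, kill
            # live sessions, and make sure a password alone is no longer enough.
            "actions": ["force password reset", "revoke active sessions", "enforce MFA on portal"],
        })
    return findings


if __name__ == "__main__":
    hits = triage(parse_stealer_log(SAMPLE_LOG), {"acme.example"}, LAST_ROTATED, date(2025, 1, 31))
    for hit in hits:
        print(f"{hit['platform']}: {hit['user']} reused={hit['password_reused']} "
              f"overdue={hit['rotation_overdue']} -> {', '.join(hit['actions'])}")
```

On the constructed sample the shop login is dropped, and the two corporate portal entries are both flagged: the same password serves ShareFile and Nextcloud, and it was last rotated well past the 90-day policy, which is exactly the long-lived exposure the campaign relied on. The third flag a real triage would add, whether the portal enforces MFA, has to come from the identity provider or the portal's admin API rather than from the log.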

References
  1. https://cyberinsider.com/cloud-portals-at-50-global-firms-breached-by-infostealer-malware/
Cite this article:

Keerthana S (2026), Infostealer Malware Compromises Cloud Portals At 50 Global Companies, AnaTechMaz, pp.185
