Infostealer malware attacks enabled a single Iranian hacker to access sensitive data at roughly 50 companies, based on our analysis of Hudson Rock’s research. Using passwords stolen from infected endpoints, the actor authenticated to enterprise file-sharing services without friction. Weak or missing multi-factor authentication (MFA) turned valid logins into full data access.
Victims span airlines, robotics, healthcare, and transport suppliers, with stolen data advertised on dark web forums.
The attacker, operating as “Zestix” and “Sentap,” relied on RedLine, Lumma, and Vidar to exfiltrate browser-saved credentials and session cookies.
Infostealer Malware Attacks: What You Need to Know
- One operator reused stealer-harvested passwords against MFA-free accounts to raid 50 firms’ files.
- Bitdefender — Block infostealers and stop malware before credentials are stolen.
- 1Password — Replace browser-saved passwords with an MFA-enabled password manager.
- IDrive — Immutable backups to mitigate data-loss and extortion risks.
- Tenable — Identify exposed assets and close misconfigurations fueling credential attacks.
How the Breach Unfolded
The campaign did not use advanced exploits. Instead, infostealer malware attacks captured browser-stored passwords from users lured by fake downloads, cracked software, and malvertising. With valid credentials, the hacker authenticated to ShareFile, Nextcloud, and OwnCloud instances and pulled data at scale.
Most targeted accounts had no MFA. This was not a multi-factor authentication bypass. The second factor was simply missing, allowing straightforward logins with stolen secrets. As our guide to infostealers explains, reducing password exposure materially limits post-infection impact.
RedLine, Lumma, and Vidar remain pervasive via deceptive downloads and ad-based lures. They quietly lift saved passwords and session tokens, enabling rapid pivoting into cloud collaboration platforms.
For related tradecraft, see our coverage of malvertising-driven malware delivery and how AI accelerates password cracking.
Who Was Hit and What Was Stolen
The impact crossed sectors and regions. Iberia Airlines reportedly lost 77 GB of data, including aircraft safety manuals.
U.S.-based Pickett & Associates lost 139 GB, including maps of power lines and utility infrastructure. Turkey’s Intecro Robotics had designs for military drones and fighter jets listed for sale.
High-impact examples
Brazil’s Maida Health exposed 2.3 TB of medical records tied to military police via a Nextcloud instance. Through CRRC MA, internal plans for train brakes and signaling used by LA Metro were revealed.
Credentials linked to staff at Samsung, Walmart, and Deloitte also appear in stealer logs, suggesting wider risk wherever those credentials are reused or remain active.
Iberia Airlines also suffered a separate, earlier breach attributed to the Everest ransomware group in November 2025, which leaked 596 GB of internal and customer data—underscoring compounding operational and reputational damage from repeated incidents.
The Role of Stolen Passwords and MFA Gaps
At their core, these were stolen password attacks. Many credentials were years old yet remained valid.
Without enforced MFA, they functioned as master keys across modern SaaS and storage systems. Password aging, reuse, and browser-based storage sustained exposure long after initial infection.
Why old credentials still work
Once infostealer malware attacks capture passwords, those secrets circulate in criminal markets for years. Without rotation or universal MFA, adversaries continually replay “old” data against new targets.
Threat actors blend stealer logs with social engineering; reducing initial infection risk requires better phishing defenses. Review our guidance on avoiding phishing attacks and consider vetted managers in our 1Password review.
What would have stopped it
Enforcing MFA would have blocked most logins immediately. There was no multi-factor authentication bypass; MFA was not required on many external accounts.
Regular password rotation, removal of stale identities, and access audits for ShareFile, Nextcloud, and OwnCloud would have narrowed exposure. Limiting browser-saved credentials on managed endpoints is equally important.
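To show the rotation and MFA audit described above in working form, here is an added example written for this article (not code from Hudson Rock, Infostealers.com, or any of the platforms named): it takes a constructed stealer-log excerpt and a constructed identity inventory, and classifies each logged credential by whether the password was changed after the capture date and whether MFA is enforced, so the "old but still valid" accounts surface first. The log format, inventory fields, and example.com hosts are assumptions.

```python
from dataclasses import dataclass
from datetime import date

# Constructed stealer-log lines (format is an assumption; passwords omitted).
STEALER_LOG = """\
url=https://cloud.example.com/login user=alice@example.com captured=2022-03-14
url=https://files.example.com/ user=bob@example.com captured=2024-11-02
url=https://share.example.com/ user=carol@example.com captured=2023-06-30
url=https://cloud.example.com/login user=dave@example.com captured=2021-01-09
"""

# Constructed identity inventory: email -> (active, mfa_enforced, password_changed).
INVENTORY = {
    "alice@example.com": (True, False, date(2021, 5, 1)),   # old password, no MFA
    "bob@example.com":   (True, True,  date(2024, 6, 1)),   # password predates log, MFA on
    "carol@example.com": (True, False, date(2024, 1, 15)),  # rotated, but no MFA
    "dave@example.com":  (False, False, date(2019, 2, 2)),  # disabled account
}

@dataclass
class Finding:
    user: str
    url: str
    verdict: str
    action: str

def parse_log(text):
    """Yield (url, user, captured) from key=value lines of the constructed log."""
    for line in text.splitlines():
        kv = dict(tok.split("=", 1) for tok in line.split())
        yield kv["url"], kv["user"], date.fromisoformat(kv["captured"])

def triage(log_text, inventory):
    """Classify each logged credential by whether it is still replayable."""
    order = ["critical", "needs_mfa", "rotate", "mitigated", "stale"]
    out = []
    for url, user, captured in parse_log(log_text):
        rec = inventory.get(user.lower())
        if rec is None or not rec[0]:
            out.append(Finding(user, url, "stale", "confirm account removed; no live risk"))
            continue
        _, mfa, changed = rec
        rotated = changed > captured          # password changed after the stealer grabbed it?
        if rotated and mfa:
            verdict, action = "mitigated", "none; keep monitoring"
        elif rotated:
            verdict, action = "needs_mfa", "enforce MFA; password already rotated"
        elif mfa:
            verdict, action = "rotate", "rotate password; MFA currently blocks replay"
        else:
            verdict, action = "critical", "rotate now and enforce MFA; credential is replayable"
        out.append(Finding(user, url, verdict, action))
    return sorted(out, key=lambda f: order.index(f.verdict))
```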
For context on the criminal economy monetizing these logs, see our overview of dark web risks.
Tracing the Attacker
The operator, believed to be an Iranian national using the handles “Zestix” and “Sentap,” is auctioning stolen corporate data on Russian-language forums, according to Hudson Rock.
This resale pattern mirrors a larger marketplace where infostealer malware attacks are weaponized at scale and combined with opportunistic credential replay.
Operational Implications for Enterprises and the Public
Comprehensive MFA across external and privileged services, coupled with strict password policies and limited browser credential storage, neutralizes the majority of stealer-enabled incursions.
Security training focused on fake downloads, cracked software, and ad-based lures directly reduces infection rates and downstream account takeover.
Adoption can be challenging. Legacy systems may complicate strong authentication rollouts, and employees often resist new login steps.
Yet the cost of inaction (data theft, business disruption, legal exposure, and reputational loss) far outweighs the friction of modern identity controls.
- Tresorit — End-to-end encrypted file sharing to replace risky browser-stored credentials.
- EasyDMARC — Stop spoofed email that seeds stealer infections and account takeovers.
- Auvik — Network visibility to detect suspicious access and lateral movement.
- Optery — Remove exposed personal data that aids credential phishing and targeting.
Conclusion
This campaign shows how little it takes to breach global brands. Infostealer malware attacks paired with unenforced MFA and unrotated passwords enable quiet data theft at scale.
Organizations should audit every external-facing service for MFA coverage, revoke stale accounts, and ban browser-saved credentials. Validate that any passwords seen in stealer logs are rotated and protected with MFA.
Individuals should avoid pirated software, verify download sources, and use a password manager with MFA. When basic controls lapse, stolen password attacks quickly escalate into major breaches.
Questions Worth Answering
How did the hacker gain access without advanced exploits?
– They used browser-stolen passwords and logged in where MFA was not enabled.
Was this a multi-factor authentication bypass?
– No. MFA was largely absent, so no bypass technique was needed.
Which companies were affected?
– Iberia Airlines, Pickett & Associates, Intecro Robotics, Maida Health, and CRRC MA, among others.
What data was exposed?
– Aircraft safety manuals, utility infrastructure maps, medical records, and transport signaling documentation.
Which infostealers were used?
– RedLine, Lumma, and Vidar were cited as the primary malware families.
How can organizations prevent similar incidents?
– Enforce MFA, rotate passwords, limit browser-stored credentials, and harden access to collaboration platforms.
Why do attackers value old passwords?
– Many remain valid; without rotation and MFA, replayed credentials still unlock services.
About Hudson Rock
Hudson Rock is an Israeli cybersecurity firm focused on cybercrime intelligence and credential-theft research.
The company analyzes infostealer logs and criminal marketplaces to help organizations reduce identity-driven risk.
Findings in this case were published via its sister site, Infostealers.com, to accelerate remediation and awareness.