Zestix
Zestix, also known as Sentap, is a financially motivated threat actor described as an initial access broker (IAB) operating on dark web and Russian-language cybercrime forums. Reporting links Zestix/Sentap activity to at least 2021, with the persona emerging prominently in late 2024 or early 2025. The actor has been observed auctioning and selling stolen corporate data and access from approximately 50 organizations.

The activity is consistently described as credential-driven rather than exploit-driven. Zestix used credentials harvested by infostealer malware including RedLine, Lumma, and Vidar, often from infected employee devices, and then accessed enterprise file-sharing and collaboration platforms such as ShareFile, ownCloud, and Nextcloud using valid accounts. Multiple sources state the intrusions did not rely on software vulnerabilities or zero-days; lack of multi-factor authentication, poor credential hygiene, long-lived passwords, and failure to invalidate sessions were key enablers. Some credentials had reportedly been present in infostealer logs for years before use.

Zestix has targeted organizations across multiple sectors, including aviation, defense, healthcare, utilities, mass transit, telecommunications, legal, real estate, government, aerospace, engineering, robotics, and finance. Mentioned victims include Iberia, Pickett & Associates, Intecro Robotics, Maida Health, CRRC MA, K3G, NMCV Business LLC, CiberC, Sekisui House, Burris & Macomber, Pan-Pacific Mechanical, Bradley R. Tyer & Associates, The Providence Group, Australian NBN, and UrbanX.io. Reported stolen data includes health records, government contracts, engineering blueprints, defense project files, legal documents, financial archives, aircraft maintenance and safety documentation, utility maps, transit schematics, and other sensitive corporate files.
The actor is described as exfiltrating victim data and selling both the data and access to compromised systems, sometimes with proof-of-access screenshots. Hudson Rock is the primary reporting source among the sources collected here. Several of those sources state the actor is believed to be an Iranian national, and some reporting notes claimed links to the FunkSec group, but both points are presented as reported attribution rather than established fact.
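The enablers named above (credentials sitting in stealer logs for years, no MFA, long-lived passwords, sessions that outlive a password reset) can be turned into a review check over successful valid-account logins to a file-sharing portal. The following Python routine is an added example, not code from Hudson Rock, Mallory, or any of the platforms named; the JSON-lines event format, the exposure feed, and the reset dates are all constructed for illustration.

```python
import json
from datetime import date

# Constructed sample data, not real ShareFile/ownCloud/Nextcloud output.
# Accounts whose credentials appeared in infostealer logs, with first-seen date.
EXPOSED = {"alice": date(2022, 3, 14), "dave": date(2024, 11, 2)}
# Date of each account's last password reset (assumed to come from the identity system).
LAST_RESET = {"alice": date(2022, 1, 10), "bob": date(2025, 1, 5), "dave": date(2025, 2, 20)}
MAX_PASSWORD_AGE_DAYS = 365

SAMPLE_LOG = """\
{"time":"2025-03-03T08:01:00Z","user":"alice","outcome":"success","ip":"203.0.113.5","mfa":false,"session_start":"2025-03-03T08:01:00Z"}
{"time":"2025-03-03T08:05:00Z","user":"bob","outcome":"success","ip":"198.51.100.7","mfa":true,"session_start":"2025-03-03T08:05:00Z"}
{"time":"2025-03-03T09:00:00Z","user":"dave","outcome":"success","ip":"192.0.2.9","mfa":false,"session_start":"2025-01-15T10:00:00Z"}
{"time":"2025-03-03T09:10:00Z","user":"carol","outcome":"failure","ip":"192.0.2.9","mfa":false,"session_start":null}
"""

def assess(event: dict, today: date) -> list[str]:
    """Reasons a successful valid-account login deserves review (empty = none)."""
    if event["outcome"] != "success":
        return []  # failed attempts are not the valid-account pattern described; review separately
    user, reasons = event["user"], []
    if user in EXPOSED:  # credential known to be in stealer logs, possibly for years
        reasons.append(f"credential in stealer logs for {(today - EXPOSED[user]).days} days")
    if not event["mfa"]:
        reasons.append("no MFA")
    reset = LAST_RESET.get(user)
    if reset and (today - reset).days > MAX_PASSWORD_AGE_DAYS:
        reasons.append("password older than policy")
    start = event.get("session_start")
    # A session that began before the last reset means the reset did not invalidate it.
    if reset and start and date.fromisoformat(start[:10]) < reset:
        reasons.append("session survived password reset")
    return reasons

def flag_logins(log_text: str, today_iso: str) -> dict[str, list[str]]:
    """Parse JSON-lines auth events and map each flagged user to its reasons."""
    today, flagged = date.fromisoformat(today_iso), {}
    for line in log_text.splitlines():
        if line.strip():
            event = json.loads(line)
            if reasons := assess(event, today):
                flagged[event["user"]] = reasons
    return flagged

if __name__ == "__main__":
    for user, reasons in flag_logins(SAMPLE_LOG, "2025-03-03").items():
        print(user, "->", "; ".join(reasons))
```

Each reason maps to a mitigation the reporting calls out: force a reset and revoke sessions for exposed accounts, require MFA on the portal, and verify that a password change actually terminates existing sessions.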
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- aviation
- construction
- legal
- robotics
- critical-infrastructure
Tradecraft
1 distinct technique observed across reporting, grouped by tactic.
Associated malware families
3 malware families attributed to this actor across reporting.
Recent activity
11 sources tracked across advisories, community write-ups, and news.
Initial access broker of Iranian origin, selling access to compromised corporate file-sharing portals, motivated by financial gain and linked to ransomware group FunkSec.
Zestix is known for stealing and selling corporate data obtained by breaching file-sharing platforms such as ShareFile, Nextcloud, and ownCloud, using credentials harvested by infostealer malware.
Zestix is a lone hacker, believed to be an Iranian national, who used infostealer malware to obtain credentials and access sensitive data from approximately 50 major companies worldwide. The stolen data is being auctioned on dark web forums.
Zestix is conducting credential theft and subsequent breaches of enterprise file-sharing and collaboration platforms by leveraging infostealer malware to harvest credentials, then using those credentials to access systems lacking multi-factor authentication.