


Perceptive Security
SOC/SIEM Consultancy

Cloud file-sharing sites targeted for corporate data theft attacks
Published: 5 January 2026 at 22:52:16
Alert date: 5 January 2026 at 23:02:21
Source: bleepingcomputer.com
Cloud & Virtualization, Data Breach & Exfiltration, Ransomware & Malware, Enterprise Applications
Threat actor Zestix has been targeting cloud file-sharing platforms, including ShareFile, Nextcloud, and OwnCloud, to steal corporate data from dozens of companies. The actor is offering the stolen corporate data for sale after successfully breaching these cloud storage instances. This is an active campaign against widely used enterprise file-sharing solutions.
Technical details
Threat actor Zestix operates as an initial access broker, selling corporate data stolen from ShareFile, Nextcloud, and OwnCloud instances. Initial access is obtained through credentials collected by info-stealing malware (RedLine, Lumma, Vidar) deployed on employee devices via malvertising or ClickFix attacks. The attackers parse infostealer logs for corporate cloud URLs, then use the valid credentials to access file-sharing services that lack MFA protection. The stolen credentials had been present in criminal databases for years, indicating a failure to rotate credentials or invalidate active sessions. Data volumes range from tens of gigabytes to several terabytes and include sensitive corporate, government, and infrastructure data.
Mitigation steps:
Implement multi-factor authentication (MFA) on cloud file-sharing platforms
Regularly rotate credentials for cloud services
Invalidate active sessions after extended periods
Monitor for infostealer infections on employee devices
Implement security awareness training regarding malvertising and ClickFix attacks
Review and audit access to corporate cloud platforms
Monitor for unauthorized access to file-sharing services
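The conditions described under Technical details (a credential that appears in infostealer logs, no MFA, no rotation, sessions never invalidated) can be checked together in an account audit. The following Python sketch is an added example, not code from Perceptive or the source article; the inventory columns, the sample rows and the severity ranking are assumptions made for illustration.

```python
import csv
import io
from datetime import date

# Constructed sample inventory. Column names are assumptions for this example,
# not an export format of ShareFile, Nextcloud or OwnCloud.
SAMPLE_INVENTORY = """\
user,mfa_enabled,password_changed,oldest_session_start,stealer_log_date
alice@example.com,yes,2025-11-20,2026-01-02,
bob@example.com,no,2022-03-14,2025-06-30,2023-08-01
carol@example.com,no,2025-12-01,2026-01-04,
dave@example.com,yes,2025-10-20,2025-09-15,2025-10-01
"""

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2}  # assumed ranking


def audit_accounts(inventory_csv):
    """Return (user, severity, issues) tuples, most severe first."""
    results = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        no_mfa = row["mfa_enabled"].strip().lower() != "yes"
        pw_changed = date.fromisoformat(row["password_changed"])
        session_start = date.fromisoformat(row["oldest_session_start"])
        exposed = date.fromisoformat(row["stealer_log_date"]) if row["stealer_log_date"] else None
        # A password set on or before the exposure date is the one that was stolen.
        stolen_pw_valid = exposed is not None and pw_changed <= exposed
        # A session opened on or before the exposure date was never invalidated.
        stale_session = exposed is not None and session_start <= exposed
        issues = []
        if stolen_pw_valid:
            issues.append("exposed password never rotated")
        if stale_session:
            issues.append("session predates exposure and is still active")
        if no_mfa:
            issues.append("no MFA")
        if not issues:
            continue
        if stolen_pw_valid and no_mfa:
            severity = "critical"  # valid stolen password and no second factor
        elif stolen_pw_valid or stale_session:
            severity = "high"
        else:
            severity = "medium"
        results.append((row["user"], severity, issues))
    return sorted(results, key=lambda r: SEVERITY_ORDER[r[1]])


if __name__ == "__main__":
    for user, severity, issues in audit_accounts(SAMPLE_INVENTORY):
        print(f"{severity:8} {user}: {', '.join(issues)}")
```

Accounts ranked critical need a password reset, session revocation and MFA enrolment first; high-ranked accounts still need the remaining rotation or revocation step.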
Affected products:
ShareFile
Nextcloud
OwnCloud
RedLine infostealer
Lumma infostealer
Vidar infostealer
Related links:
https://www.infostealers.com/article/dozens-of-global-companies-hacked-via-cloud-credentials-from-infostealer-infections-more-at-risk/
https://www.bleepingcomputer.com/news/security/iberia-discloses-customer-data-leak-after-vendor-security-breach/
This article was created with the assistance of AI technology by Perceptive.
