Overview:
Recent reporting by HudsonRock highlights a growing and relatively underappreciated cyber risk to the aerospace and satellite industries: the exploitation of corporate file transfer and collaboration platforms using credentials harvested by infostealer malware. These incidents demonstrate how financially motivated threat actors can translate seemingly low-level credential theft into high-impact compromises involving sensitive satellite and defense-related data. The campaign attributed to the Sentap-affiliated actor “Zestix” illustrates how weaknesses in identity security, rather than advanced exploitation, continue to enable serious operational exposure.
About the Threat:
On January 5, 2026, cybersecurity firm HudsonRock reported that dozens of global organizations had been compromised through cloud credentials originating from infostealer infections. These compromises were attributed to a threat actor tracked as Zestix, assessed to be affiliated with the financially motivated cybercriminal group Sentap, which operates as an initial access broker (IAB). Open-source reporting links Sentap to approximately 50 high-profile data breaches spanning late 2024 through 2026.
HudsonRock specializes in tracking infostealer malware ecosystems and has previously documented widespread infections affecting high-security environments, including the U.S. Government and the Defense Industrial Base (DIB). In a February 2025 publication, HudsonRock characterized infostealers as a “cybersecurity disaster in the making,” particularly for defense contractors and space-sector organizations that rely heavily on cloud-based collaboration platforms. The January 2026 reporting builds on this assessment by demonstrating how stolen credentials are operationalized in real-world attacks.
Campaign Overview:
According to HudsonRock, Zestix was observed selling data exfiltrated from corporate file sharing portals belonging to approximately 50 major global organizations. Notably, victims included a Turkish aerospace manufacturer and an Indonesian satellite operator. The compromised data sets reportedly contained sensitive military intellectual property and confidential satellite program documentation, including technical materials associated with prominent defense primes.
The intrusions did not rely on zero-day vulnerabilities or advanced exploitation techniques. Instead, attackers used valid credentials obtained from infostealer malware infections to authenticate directly to corporate file sharing platforms such as ShareFile, ownCloud and Nextcloud. These platforms are widely adopted across the aerospace, satellite and defense supply chain because they support large file transfers, external partner access and distributed engineering workflows.
Once authenticated, threat actors were able to enumerate repositories, download sensitive documentation and package the data for resale. In effect, trusted enterprise infrastructure was turned into an exfiltration channel without triggering many traditional security controls, because every action was performed by an account that had authenticated successfully.
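Because the login itself succeeds with a stolen-but-valid password, detection of this pattern has to key on session behaviour rather than on authentication failures. The following script is an added example written for this brief; it is not from the HudsonRock reporting and does not use any named platform's real audit format. It reads constructed, simplified JSON-lines audit events and flags a login from outside the corporate address space that is followed, within a short window, by many downloads spread across several programme folders. The field names, corporate IP range, threshold and window are all assumptions.

```python
"""Behavioural detection for credential abuse of a file-sharing portal.

The attacker holds a valid password, so the login succeeds; what stands out
is the shape of the session: a login from outside the corporate address
space, then many downloads spanning several programme folders in a short
window. Log shape and field names are assumptions for this example.
"""
import json
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample audit events (simplified JSON lines, not a vendor format).
SAMPLE_LOG = """\
{"ts": "2026-01-05T08:02:11Z", "user": "eng.alice", "ip": "10.20.0.14", "action": "login"}
{"ts": "2026-01-05T08:05:40Z", "user": "eng.alice", "ip": "10.20.0.14", "action": "download", "path": "/Projects/SAT-7/ICD-rev3.pdf"}
{"ts": "2026-01-05T09:30:00Z", "user": "eng.bob", "ip": "198.51.100.9", "action": "login"}
{"ts": "2026-01-05T09:31:00Z", "user": "eng.bob", "ip": "198.51.100.9", "action": "download", "path": "/Projects/SAT-7/meeting-notes.docx"}
{"ts": "2026-01-05T22:14:03Z", "user": "eng.alice", "ip": "203.0.113.77", "action": "login"}
{"ts": "2026-01-05T22:14:20Z", "user": "eng.alice", "ip": "203.0.113.77", "action": "list", "path": "/Projects"}
{"ts": "2026-01-05T22:15:01Z", "user": "eng.alice", "ip": "203.0.113.77", "action": "download", "path": "/Projects/SAT-7/bus-architecture.pdf"}
{"ts": "2026-01-05T22:15:09Z", "user": "eng.alice", "ip": "203.0.113.77", "action": "download", "path": "/Projects/SAT-7/thermal-test-plan.xlsx"}
{"ts": "2026-01-05T22:15:30Z", "user": "eng.alice", "ip": "203.0.113.77", "action": "download", "path": "/Projects/GS-Upgrade/antenna-config.zip"}
{"ts": "2026-01-05T22:16:02Z", "user": "eng.alice", "ip": "203.0.113.77", "action": "download", "path": "/Projects/GS-Upgrade/rf-link-budget.pdf"}
{"ts": "2026-01-05T22:16:45Z", "user": "eng.alice", "ip": "203.0.113.77", "action": "download", "path": "/Suppliers/Acme-Optics/deliverable-3.pdf"}
{"ts": "2026-01-05T22:17:10Z", "user": "eng.alice", "ip": "203.0.113.77", "action": "download", "path": "/Suppliers/Acme-Optics/deliverable-4.pdf"}
"""

# Assumed corporate/VPN egress ranges; anything else is treated as external.
CORPORATE_NETS = [ip_network("10.20.0.0/16")]


def parse_events(text):
    """Parse JSON-lines events and return them sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def is_corporate(ip, nets):
    """True if the address falls inside one of the assumed corporate ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in nets)


def program_folder(path):
    """Reduce '/Projects/SAT-7/file.pdf' to 'Projects/SAT-7'."""
    parts = [p for p in path.split("/") if p]
    return "/".join(parts[:2])


def detect_bulk_download(text, nets=CORPORATE_NETS, threshold=5,
                         window=timedelta(minutes=30)):
    """Return one alert per external login followed by >= threshold downloads.

    Downloads are attributed to a login when they come from the same user and
    address within `window`. The alert lists the distinct programme folders
    touched, since breadth across programmes is a stronger sign of wholesale
    collection than the raw download count.
    """
    events = parse_events(text)
    alerts = []
    for i, login in enumerate(events):
        if login["action"] != "login" or is_corporate(login["ip"], nets):
            continue
        deadline = login["ts"] + window
        downloads = [
            e for e in events[i + 1:]
            if e["user"] == login["user"] and e["ip"] == login["ip"]
            and e["action"] == "download" and e["ts"] <= deadline
        ]
        if len(downloads) >= threshold:
            alerts.append({
                "user": login["user"],
                "ip": login["ip"],
                "login_at": login["ts"].isoformat(),
                "downloads": len(downloads),
                "folders": sorted({program_folder(d["path"]) for d in downloads}),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_bulk_download(SAMPLE_LOG):
        print(alert)
```

On the constructed sample, only the evening session from 203.0.113.77 is reported: six downloads across three programme folders within three minutes. The daytime session from the corporate range and the single download by the second user are ignored. In production the corporate ranges, window and threshold would be tuned to the organisation's own usage, and the same logic can be run as a scheduled query against the portal's audit export.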
Infostealers as an Enabling Capability:
Infostealers are a class of malware designed specifically to harvest credentials, browser session tokens, cookies and stored authentication data from infected systems. Common families such as RedLine, Lumma and Vidar infect both personal and corporate devices, often through phishing, malicious downloads or trojanized software.
The scale of this threat is significant. According to Flashpoint’s 2025 Global Threat Intelligence Report, infostealer malware infected more than 23 million devices and facilitated the theft of over 2.1 billion credentials in 2024 alone. These credentials are frequently aggregated into underground marketplaces and data dumps, where they may remain unused for extended periods. In 2025 so far, Infostealers.com reports over 17,000 compromised machines and 4,000 compromised users.
A key finding from the HudsonRock investigation is the temporal persistence of risk: while some credentials used by Zestix originated from recent infections, others had been exposed years earlier and were only later weaponized. This highlights that credential compromise is not a point-in-time event but a long-lived vulnerability that can be exploited opportunistically whenever an actor needs access.
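The practical consequence of that persistence is that an exposure record is only as old as the password behind it. The following check is an added example for this brief, not part of the HudsonRock reporting or of any vendor's tooling: it compares each constructed infostealer-exposure record with the account's password-last-set date from a constructed directory export, treats the stolen password as still valid when it was set on or before the exposure date, and prioritises accounts accordingly. Because infostealers also take session cookies and tokens (which a password change does not revoke), every exposed account gets a session-revocation action. All usernames, dates, malware-family labels and record shapes are made up for the example.

```python
"""Triage infostealer-exposure records against the identity directory.

An exposed password is only dangerous while it is still the password. The
check below compares each exposure date with the date the account's password
was last set; if the password predates the exposure, the stolen secret is
still valid today, however old the infection is. Stolen session cookies are
not invalidated by a password change, so session revocation is recommended
for every exposed account. Names, dates and record shapes are constructed.
"""
from datetime import date

# Constructed exposure feed (user, date of the infostealer log, malware family).
EXPOSURES = [
    {"user": "eng.alice", "exposed_on": date(2023, 3, 14), "source": "redline"},
    {"user": "eng.bob", "exposed_on": date(2025, 12, 28), "source": "lumma"},
    {"user": "pm.carol", "exposed_on": date(2022, 7, 2), "source": "vidar"},
    {"user": "eng.bob", "exposed_on": date(2024, 5, 9), "source": "redline"},
    {"user": "former.dan", "exposed_on": date(2024, 1, 1), "source": "lumma"},
]

# Constructed identity-directory export (password age and MFA state per user).
DIRECTORY = {
    "eng.alice": {"password_last_set": date(2022, 11, 1), "mfa": False},
    "eng.bob": {"password_last_set": date(2025, 6, 15), "mfa": True},
    "pm.carol": {"password_last_set": date(2023, 1, 20), "mfa": False},
}

TODAY = date(2026, 1, 5)  # fixed so the example is reproducible


def triage(exposures, directory, today):
    """Aggregate exposures per account and return prioritised findings."""
    findings = {}
    for x in exposures:
        acct = directory.get(x["user"])
        if acct is None:
            continue  # unknown or deleted account: reconcile separately
        # The stolen password is still valid if it was not changed after the
        # infection, i.e. it was set on or before the exposure date.
        still_valid = acct["password_last_set"] <= x["exposed_on"]
        f = findings.setdefault(x["user"], {
            "user": x["user"],
            "exposures": 0,
            "oldest_exposure_days": 0,
            "credential_still_valid": False,
            "mfa": acct["mfa"],
        })
        f["exposures"] += 1
        age_days = (today - x["exposed_on"]).days
        f["oldest_exposure_days"] = max(f["oldest_exposure_days"], age_days)
        f["credential_still_valid"] = f["credential_still_valid"] or still_valid

    for f in findings.values():
        actions = ["revoke_sessions"]  # stolen cookies/tokens outlive the password
        if f["credential_still_valid"]:
            actions.append("rotate_password")
        if not f["mfa"]:
            actions.append("enforce_mfa")
        f["actions"] = actions
        if f["credential_still_valid"] and not f["mfa"]:
            f["priority"] = "P1"  # usable password and nothing else in the way
        elif f["credential_still_valid"]:
            f["priority"] = "P2"  # usable password, MFA still a barrier
        else:
            f["priority"] = "P3"  # already rotated; sessions and MFA hygiene only
    return sorted(findings.values(), key=lambda f: (f["priority"], f["user"]))


def run_triage():
    """Run the triage over the constructed sample data."""
    return triage(EXPOSURES, DIRECTORY, TODAY)


if __name__ == "__main__":
    for f in run_triage():
        print(f["priority"], f["user"], f["exposures"],
              f["oldest_exposure_days"], f["actions"])
```

On the sample data the oldest exposure (an infection from nearly three years earlier) is the highest priority, because that account's password was never changed afterwards and it has no MFA; the account with two exposures but a more recent password and MFA ranks second; the account that rotated after its exposure only needs session revocation and MFA enforcement. Exposures for users absent from the directory are skipped here and would be reconciled separately (leaver accounts, renamed accounts, personal devices logged in with corporate identities).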
Operational and Sector-Specific Impact:
For the satellite industry, these incidents demonstrate how cyber risks extend beyond traditional IT concerns into operational, programmatic and strategic domains. File transfer platforms are often used to host satellite design documentation, system architecture descriptions, ground segment configurations, interface specifications, supplier and partner deliverables, and test data and planning artifacts.
Unauthorized access to this information can enable intellectual property theft, competitive intelligence collection or downstream targeting of satellite networks and supply chains. Importantly, these risks are not confined to nation-state actors, as financially motivated groups have increasingly demonstrated both the capability and the intent to monetize sensitive aerospace data.