Request a Demo
English 日本語 Français Español Deutsch
Get a Demo
English 日本語 Français Español Deutsch
Zestix Threat Actor Profile | TTPs, Victims, and Breach Activity
Zestix
  • Table of contents

The author

user_image
Gemma Goldstein
Marketing Manager
Share on LinkedIn

I love to get stuck in and let the creative juices flow. My strengths lie in idea generation, development and execution. Over 5 years experience in B2B cybersecurity. I reign supreme when my imagination and creativity can run wild.

Table of contents

Related Articles

Copilot Leaks
Dark Web

CoPilotLeaks: A Look at the Threat Actor’s TTPs, History and More

CopilotLeaks - Nov 25 - DarkForums CopilotLeaks Christmas 2025 - Telegram
Dec 29, 2025
Learn more
Scattered Spider
Dark Web

Meet Scattered Spider: The Group Currently Scattering UK Retail Organizations

Scattered Spider, is a threat actor group motivated by financial gains and has been actively...
Oct 5, 2025
Learn more
Dark Web

Zestix Threat Actor Profile | TTPs, Victims, and Breach Activity

Dec 29, 2025

Introduction

Zestix is identified as a criminal threat actor primarily motivated by personal gain. The actor first emerged in September 2025 and operates at an intermediate resource level, functioning as an individual. Zestix has been involved in significant data breaches, notably targeting organizations in the transportation and government sectors.

Victimology

Zestix has targeted various industries, including:

  • Transportation: The actor claimed a breach of a major Spanish airline, resulting in the theft of 77GB of sensitive data.
  • Government: The Brazilian military police were compromised through a third-party vendor, a healthcare company, leading to the theft of over 2TB of data, including sensitive medical records.

Regions affected by Zestix’s activities include:

  • Spain: Specifically, the breach of a spanish airline.
  • Brazil: Targeting the Brazilian military police and associated healthcare data.

TTPs (Tactics, Techniques, and Procedures)

Key attack patterns associated with Zestix include:

  • Data Exfiltration: The actor has demonstrated capabilities in extracting large volumes of sensitive data from compromised systems.
  • Third-Party Vendor Compromise: Zestix exploited vulnerabilities in third-party services, as seen in the breach involving Maida Health.
  • Accessing Internal Systems: The actor successfully gained access to internal servers of targeted organizations, indicating a sophisticated understanding of network security.

Community Presence

Zestix is active on forums, particularly on forum.exploit.in, where the actor engages in discussions related to cybersecurity techniques and data leaks. The actor has shared insights on bypassing security measures and has posted details about data leaks from various organizations, including a major Spanish Airline and a health company. Communication appears to be facilitated through platforms like qTox, where Zestix has shared user IDs for contact.

Recently Zestix has also been very active on Breach Forums

Zestix on forum.exploit.in
Zestix on BreachedForums
Zestix on Breached Forums

About Check Point External Risk Management (formerly Cyberint)

Check Point’s External Risk Management solution is built to uncover threats before they cause damage. By continuously monitoring forums, credential abuse, and chatter across the open, deep and dark web, the team can detect campaigns in their earliest stages. The platform’s ability to correlate indicators across multiple clusters—ads, domains, Telegram activity, and more—helps link disparate attacks to a single network. That’s how we move fast, disrupt infrastructure, and protect organizations.

Schedule Your Demo Now

Solutions Home

Resources

Company

YOU DESERVE THE BEST SECURITY™

©1994–2026 Check Point Software Technologies Ltd. All rights reserved.

Copyright | Privacy Policy | Cookie Settings | Get the Latest News

Follow Us

Uncover your compromised credentials from the deep and dark web

Fill in your business email to start