Threat Actor Profile
Alias: Zestix
First Observed: December 01, 2025
Motivation: Financial / Data Brokerage
Target Sector: Automotive, Legal Services, Supply Chain
Operational Model: Data Theft and Resale (Non-Ransomware)
Marketplace Activity: Dark Web Forums
Incident Overview: Mercedes-Benz USA
On December 01, 2025, Zestix claimed responsibility for a significant data breach targeting Mercedes-Benz USA (MBUSA). The actor posted an advertisement on a dark web forum offering 18.3 GB of exfiltrated data for a fixed price of $5,000 USD.
Exfiltrated Data Volume
- Total Size: 18.3 GB
- Scope: Legal department records, customer databases, and vendor workflows.
- Geographic Reach: Litigation files covering 48 U.S. states.
Tactics, Techniques, and Procedures (TTPs)
Initial Access Vector: Legal Supply Chain
Technical analysis of the leaked dataset indicates the breach likely originated outside the primary corporate infrastructure of Mercedes-Benz. The attack vector appears to be a third-party compromise targeting the legal supply chain.
- Targeting: External legal vendors and law firms processing warranty claims.
- Focus: Systems managing Magnuson-Moss Warranty Act and Song-Beverly Consumer Warranty Act cases.
- Method: Exploitation of shared document repositories or compromise of third-party legal practice management software.
Data Reconnaissance and Staging
The actor demonstrated specific interest in high-value corporate intelligence rather than bulk encryption.
- Data Selection: Prioritization of “defensive strategy” documents and “outside counsel billing rates.”
- File Types: Extraction of .docx (templates/forms), .pdf (executed contracts/court filings), and internal workflow logs.
Monetization Strategy
Unlike ransomware groups that demand extortion fees for non-disclosure, Zestix operates as a direct seller.
- Pricing Model: Low-entry fixed price ($5,000) suggests a volume-based sales strategy or an intent to quickly offload data.
- Distribution: Direct peer-to-peer sale via forum escrow services.
Technical Indicators
Data Artifacts & Keywords
The following specific document types and file headers have been identified within the exfiltrated cache:
- Document Headers: “New Vendor Questionnaire”
- Content Markers: Banking details, routing numbers, SWIFT codes associated with legal vendors.
- File Naming Conventions: Patterns related to case numbers (e.g., [CaseID]_Settlement_Policy.pdf, MBUSA_Defense_Strategy_[State].docx).
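As an added defender-side example (not part of this report), the Python hunt below turns the file naming conventions and the document header quoted above into rules, runs them over a constructed file-access log, and lists accounts that touched several flagged files, a signal of staging. Assumptions not in the report: [CaseID] is a case number of four or more letters, digits and dashes, [State] is a two-letter code or a state name, and the tab-separated log format is constructed for the example.

```python
import re
from collections import Counter

# Regexes derived from the naming conventions quoted in the report.
# Assumption (not in the report): [CaseID] is a 4+ character case number of
# letters, digits and dashes; [State] is a two-letter code or a state name.
NAMING_RULES = {
    "settlement_policy": re.compile(r"^[A-Za-z0-9-]{4,}_Settlement_Policy\.pdf$"),
    "defense_strategy": re.compile(
        r"^MBUSA_Defense_Strategy_(?:[A-Z]{2}|[A-Z][a-z]+(?:_[A-Z][a-z]+)*)\.docx$"),
}
DOCUMENT_HEADER = "new vendor questionnaire"  # header quoted in the report

def classify_filename(path):
    """Return the name of the matching naming rule, or None."""
    name = path.rsplit("/", 1)[-1]
    for rule, rx in NAMING_RULES.items():
        if rx.match(name):
            return rule
    return None

def scan_access_log(lines):
    """Flag access records whose file name or extracted title matches.
    Constructed record format: ts<TAB>user<TAB>action<TAB>path<TAB>title.
    Returns (user, action, path, rule) tuples."""
    hits = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        _ts, user, action, path, title = line.rstrip("\n").split("\t")
        rule = classify_filename(path)
        if rule is None and DOCUMENT_HEADER in title.lower():
            rule = "vendor_questionnaire_header"
        if rule:
            hits.append((user, action, path, rule))
    return hits

def staging_suspects(hits, threshold=3):
    """Accounts touching >= threshold flagged files: candidate staging activity."""
    counts = Counter(user for user, _a, _p, _r in hits)
    return sorted(u for u, n in counts.items() if n >= threshold)

# Constructed sample log (not real telemetry).
SAMPLE_LOG = [
    "2025-11-28T02:14:09Z\tsvc_backup\tREAD\t/legal/warranty/2024-CV-0192_Settlement_Policy.pdf\t",
    "2025-11-28T02:14:11Z\tsvc_backup\tREAD\t/legal/warranty/MBUSA_Defense_Strategy_CA.docx\t",
    "2025-11-28T02:14:12Z\tjdoe\tREAD\t/hr/handbook.pdf\t",
    "2025-11-28T02:14:15Z\tsvc_backup\tDOWNLOAD\t/procurement/forms/intake_v3.docx\tNew Vendor Questionnaire",
    "2025-11-28T02:14:20Z\tjdoe\tREAD\t/legal/warranty/MBUSA_Defense_Strategy_New_York.docx\t",
]
```

Running `scan_access_log(SAMPLE_LOG)` flags four records and `staging_suspects` returns the single service account that touched three of them.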
Behavioral Indicators
- Forum Activity: The actor utilizes the handle “zestix” exclusively on specific underground marketplaces.
- Communication: No public extortion site (leak site) is used; communication is confined to forum private messaging and encrypted chat protocols.
Impact Assessment
Litigation Exposure
The breach compromised sensitive legal work product, including:
- Settlement Policies: Internal thresholds for settling consumer warranty disputes.
- Defensive Strategies: Playbooks used by outside counsel for active litigation.
- Billing Data: Confidential rates and financial agreements with external law firms.
Secondary Attack Vectors
The exposure of “New Vendor Questionnaire” forms creates immediate downstream risks:
- Business Email Compromise (BEC): Threat actors may utilize exposed vendor banking details and internal templates to construct high-fidelity phishing campaigns targeting accounts payable departments.
- Vendor Fraud: Impersonation of established legal vendors using valid internal workflows and document formats.