Threat Intelligence firm Kela suggests that two new threat groups may be at least related if not the same actors.
Belsen is a new cybercrime group that emerged in early January 2025. It first became visible by leaking 1.6 GB of sensitive data (including IP addresses, configurations, and VPN credentials) from 15,000 FortiGate devices. The data is genuine and was probably stolen by Belsen actors in 2022 by exploiting CVE-2022-40684.
Threat intelligence firm Kela reports there may be connections to another group, known as ZeroSevenGroup and visible since July 2024. At that time ZeroSevenGroup claimed to have stolen 240 GB of data from Toyota (probably a US dealership) containing details of Toyota employees, customers, contracts, and financial information.
According to Kela’s analysis, ZeroSevenGroup specialized in leaking and selling stolen data from targets in Poland, Israel, the USA, UAE, Russia, and Brazil. It adds, “Since January 2025, they have been active exclusively on the Exploit Forum, where they re-emerged with a post offering C2 and VPN access to an Italian government entity, as well as companies in the US and Japan.”
Kela admits that its evidence for a connection between Belsen and ZeroSevenGroup is largely circumstantial, primarily based on styles. They are the only two groups using the same title format in their postings: “[ Access ] To…”. Furthermore, the structure of the posts is almost identical between the groups. This suggests the two groups, but only these two groups, are sharing or using the same posting template.
There are other hints, if not clues, found by Kela linking the groups. “Both groups appear to originate from Yemen, share an interest in network access sales, exhibit a similar writing style with recurring templates, and identify as part of a ‘group’, as reflected in their usernames.”
Kela acknowledges that it cannot definitively confirm a direct connection between the groups, but adds that the overlap it has found “strongly suggests some level of affiliation or coordinated activity between the two groups.”