In a groundbreaking analysis, cybersecurity firm KELA reveals striking parallels in operational style, target selection, and online presence that suggest a possible connection between two Yemen-linked threat actors: the recently surfaced Belsen Group and the long-standing ZeroSevenGroup.
Who Is the Belsen Group?
The Belsen Group made its debut in early January 2025 via a post on BreachForums under the handle Belsen_Group, announcing the leak of 1.6 GB of sensitive data harvested from over 15,000 vulnerable Fortinet FortiGate firewalls.
The exposed information included IP addresses, device configurations, and VPN credentials, all obtained by exploiting the critical CVE-2022-406841 authentication bypass flaw.
By initially offering the dataset for free, the group rapidly established credibility within the cybercrime underground. Shortly thereafter, Belsen_Group launched a dedicated TOR-based blog and began selling network access to victims across Africa, North America, and Asia.
From the outset, Belsen_Group has maintained a diversified set of contact channels—Tox, XMPP, Telegram, and X—while mirroring victim listings across BreachForums, Twitter, and its onion site.
The group’s Twitter account, created January 10, 2025, replicates the breach announcements and lists a partially redacted Gmail address for registration.
Only once, in a BreachForums post and on Twitter, did they share a Telegram contact: @BelsenAdmin (ID 6161097506). OSINT links this user, registered in 2023 under the name “K Y,” to former handles @m_kyan0 and @mmmkkk000000.
Analysis of the account’s subscriptions reveals ties to cybersecurity certification channels, adult-themed groups, regional Arabic forums in Yemen, and even an anime discussion page.
A recent @BelsenAdmin message on Telegram also solicited information about the eWPTX certification course, underscoring the actor’s breadth of interests.
Who Is the ZeroSevenGroup?
ZeroSevenGroup has been active since July 2024, initially posting on NulledTo before expanding to BreachForums, CrackedTo, and Leakbase.
The group specialized in leaking stolen databases and network accesses, focusing on companies in Poland, Israel, the USA, UAE, Russia, and Brazil.
Early leaks were free, but by late 2024 they monetized their operations by selling larger datasets via Terabox and Mega.
In August 2024, ZeroSevenGroup claimed responsibility for breaching Toyota’s US branch and leaking 240 GB of data—an incident Toyota briefly downplayed before acknowledging a third-party compromise.
By November 2024, ZeroSevenGroup faced allegations of defrauding the Medusa Ransomware collective by peddling obsolete or counterfeit network credentials.
After a brief lull, the group re-emerged in January 2025 on Exploit Forum, offering C2 and VPN access to an Italian government entity as well as targets in the US and Japan.
KELA’s investigation traced their earliest July 2024 activity to a unique password used to lock leaked files, which linked back to an email address and an infostealer-infected host—both tied to Yemen and to a member of the Yemen Shield hacking group.

Additional evidence traced the group’s origins to RaidForums, where they operated as “ZeroXGroup” under the username zerox296.
Evidence of Possible Connection
KELA analysts identified several compelling overlaps between Belsen_Group and ZeroSevenGroup.
Both entities employ the identical post-title format “[ Access ]” with square brackets and spaces, and their announcements feature near-verbatim phrasing and structural templates.
A targeted search for a distinct combination of keywords on KELA’s platform surfaced results exclusively tied to these two actors. Moreover, a review of their Twitter activity revealed a consistent pattern of #hack hashtag usage.
Geolocation indicators also point to Yemen as a shared base, with both groups demonstrating expertise in network access sales and leveraging similar communication infrastructures. The consistent use of the term “Group” in their handles further underscores a possible branding strategy.
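The stylistic overlap described above (identical "[ Access ]" title tag plus near-verbatim body phrasing) can be checked mechanically across a post corpus. The following is an added example, not KELA's tooling or method; the actor names, post texts and thresholds are constructed for illustration.

```python
import re
from itertools import combinations

# Constructed sample posts (not real forum content). The bracket tag with
# inner spaces, "[ Access ]", is the title convention the analysis points to.
POSTS = [
    {"actor": "Belsen_Group",
     "title": "[ Access ] Network access to a bank in Africa",
     "body": "selling full network access vpn and domain admin revenue 200m contact tox"},
    {"actor": "ZeroSevenGroup",
     "title": "[ Access ] Network access to a company in Poland",
     "body": "selling full network access vpn and domain admin revenue 150m contact telegram"},
    {"actor": "OtherActor",
     "title": "[ACCESS] Fresh RDP for sale",
     "body": "cheap rdp list bulk discount escrow accepted"},
]

TAG_RE = re.compile(r"^\[(.*?)\]")


def title_template(title: str) -> str:
    """Return the leading bracket tag exactly as written, e.g. '[ Access ]'.
    Case and inner whitespace are kept on purpose: they are the signal."""
    m = TAG_RE.match(title)
    return m.group(0) if m else ""


def jaccard(a: str, b: str) -> float:
    """Token-set Jaccard similarity of two post bodies (0.0 .. 1.0)."""
    sa, sb = set(a.split()), set(b.split())
    return len(sa & sb) / len(sa | sb) if sa | sb else 0.0


def overlap_pairs(posts, min_sim=0.5):
    """Actor pairs whose posts share the same title tag AND a body similarity
    at or above min_sim. Same-actor pairs are skipped; pairs are de-duplicated."""
    found = set()
    for p, q in combinations(posts, 2):
        if p["actor"] == q["actor"]:
            continue
        tag = title_template(p["title"])
        if tag and tag == title_template(q["title"]) \
                and jaccard(p["body"], q["body"]) >= min_sim:
            found.add(tuple(sorted((p["actor"], q["actor"]))))
    return sorted(found)
```

A match is only a lead for further pivoting (shared contacts, infrastructure, timing), not attribution on its own.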
While these findings fall short of irrefutable proof, the convergence of stylistic, technical, and infrastructural markers suggests at least some degree of affiliation or shared resources between the Belsen Group and ZeroSevenGroup.
Cybersecurity professionals should monitor both entities for coordinated campaigns and assess whether the exploitation of long-dormant vulnerabilities like CVE-2022-406841 signals deeper, more persistent access capabilities.
Understanding this potential collaboration could prove critical in anticipating future attacks and strengthening defensive postures against Yemen-linked cybercriminal networks.