belsen group

ransomware group

aka Belesn Group. <br/>Belsen Group emerged in January 2025 as a data broker and leak-focused threat actor, not engaging in ransomware encryption. Their first major action involved publishing sensitive configuration files, VPN credentials, and IP addresses for over 15,000 Fortinet FortiGate firewalls—data likely stolen through exploitation of CVE‑2022‑40684. The group began by sharing the data freely to establish credibility, before shifting to monetized access and offering sales of network access to high-value targets such as major banks and an East African airline. Their activities place them firmly in initial access brokerage, targeting confidential infrastructure details for sale.