Skip to main content
Mallory
Back to threat actors

Belsen Group

Also known asBelsen Group

Belsen Group is a cybercriminal initial access broker and leak actor associated with large-scale compromise of Fortinet FortiGate devices. The group gained notoriety for leaking configurations from over 15,000 compromised FortiGate firewalls, with reporting stating that a 2022 zero-day was used to dump the configurations and that the data was published later in 2025. Reporting also states the group offered remote code execution/network access to victims, including advertised access to the “largest energy company in North Africa,” and that it transitioned from publishing exposed data to directly monetizing corporate network access for thousands of dollars. In the provided content, Belsen Group is specifically linked to FortiGate configuration leaks, resale of high-value access, and broader access-broker activity. No additional aliases or sub-groups are identified beyond the name Belsen Group.

Share:
Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial
MITRE ATT&CK

Tradecraft

2 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

4 of 15 tactics5 techniques×N= number of intelligence reports citing this technique
MITRE ATT&CK
TA0001
Initial Access
2 techniques
T1078
Valid Accounts
T1190
Exploit Public-Facing Application
TA0003
Persistence
1 technique
T1078
Valid Accounts
TA0004
Privilege Escalation
1 technique
T1078
Valid Accounts
TA0005
Stealth
1 technique
T1078
Valid Accounts
ACTIVITY FEED

Recent activity

4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

4 SOURCESView more in app
thecybersecguruNews
Jun 17, 2026
FortiBleed: How 75,000 Fortinet Firewalls Were Silently Compromised in 2026 | The CyberSec Guru

Referenced as a group that published a prior batch of leaked Fortinet credentials tied to a 2022 zero-day, providing historical credential material later reused in the FortiBleed campaign.

Read more
doublepulsarNews
Jun 17, 2026
FortiBleed - 75k Fortinet firewalls have admin passwords cracked | by Kevin Beaumont | Jun, 2026 | DoublePulsar

Associated with a prior incident in which a 2022 zero-day was used to dump Fortigate firewall configurations, later published in 2025.

Read more
outpost24 blogNews
Jan 6, 2026
KrakenLabs Research Highlights 2025: The Shifts That Redefined the Threat Landscape

Initial Access Broker (IAB) specializing in monetizing access to corporate networks by compromising edge devices, notably Fortinet FortiGate appliances.

Read more
resecurity blogNews
Apr 15, 2025
Resecurity | Cyber Threats Against Energy Sector Surge as Global Tensions Mount

Illicit access broker/data broker group selling network access (including claimed RCE) to energy-sector targets; associated with large-scale FortiGate configuration leaks.

Read more
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Start free trial
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping2

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.