BQT.Lock cyberattack group
From Wikipedia, the free encyclopedia
The BQT.Lock cyberattack group, also known as the BaqiyatLock cyberattack group, is a ransomware group that became publicly known in mid-2025. The group operates from the Middle East and is led by Karim Fayad; it runs a ransomware-as-a-service (RaaS) platform that provides ransomware tools to other attackers. According to sources, the group blends financial extortion with ideological motives linked to Hezbollah and to Iranian state-linked cyber activities.[1][2]
History and emergence
First reports about BQT.Lock in underground forums and Telegram channels emerged around July 2025. Early attacks mainly targeted U.S. companies, including eFunda, Inc. In late 2025, cybersecurity companies reported that BQT.Lock was using a ransomware-as-a-service (RaaS) model, which offers different subscription levels and shares profits with its partners. The group operates through Tor-based leak websites, Telegram bots, and dark web accounts. It asks for ransom payments in Monero (XMR), usually between 13 and 40 XMR for each attack wave; the ransom increases if victims want faster file recovery.[3][4][5]
According to analyses, variants evolved through 2025, incorporating data exfiltration via Discord webhooks and credential theft from browsers. OSINT reports highlight the group's rapid growth, with claims of hundreds of encryptions across the US, India, Saudi Arabia, the UAE, and Israel.[6][2][1]
Affiliations
Reports from cybersecurity sources and Israeli research groups claim that BQT.Lock may be connected to Hezbollah's online operations. They describe the group as a mixed actor that raises money for militant activities by using ransomware. Karim Fayad is identified as the leader behind the group. He is said to have links to Hezbollah's Imam al-Mahdi Scouts and has previously been involved in pro-Palestinian hacking activities. Online channels such as t.me/BQTlock and x.com/zerodayx1 share technical information along with political messages that reflect Hezbollah's views.[7][3]
Unlike purely criminal RaaS operations such as LockBit, BQT.Lock prioritizes targets aligned with geopolitical foes, including Israeli infrastructure (Ben Gurion Airport, Bezeq, Partner, Rafael, Elbit) and Gulf states. This fusion of cybercrime and militancy distinguishes it within the ransomware ecosystem.[8][2]
Technical profile
Malware tactics
BQT.Lock ransomware targets Windows systems, using hybrid AES-256/RSA-4096 encryption and appending ".bqtlock" to files. It employs process hollowing via File Explorer, creates backdoor accounts like "BQTLockAdmin," and disables defenses (shadow copies, security tools) through API calls and boot manipulation.[9][10]
Before encrypting files, the attackers first study the network to see what is there. They then move through the system using tools like SMB and PsExec. During this stage, they steal data from browsers such as Chrome, Firefox, Edge, and others. The malware also creates log files, such as bqt_log.txt, which record what actions were taken. These logs help analyze the attack after it happens.[9][11]
Infrastructure
Response and detection
Firms like K7 Labs, SOCPrime, and Cynet provide IOCs, YARA rules, and behavioral detections for BQT.Lock variants. No public decryptor exists, so mitigation relies on backups and EDR tools. Law enforcement scrutiny focuses on its militant ties amid 2025's heightened Middle East cyber tensions.[12][11]
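Behavioral detection of the kind described here, as an added example rather than any vendor's rule set: a small Python scanner that flags the indicators named in the technical profile above (the ".bqtlock" extension, the "BQTLockAdmin" account, and the bqt_log.txt artifact) in constructed telemetry lines. The line format, the host names, and the mass-rename threshold are assumptions, not from the article.

```python
import re

# Indicators named in the article's technical profile.
BQTLOCK_EXT = ".bqtlock"
BACKDOOR_ACCOUNT = "BQTLockAdmin"
LOG_ARTIFACT = "bqt_log.txt"
MASS_RENAME_THRESHOLD = 5  # assumed tuning: renames per host before a mass-rename alert

# Assumed, constructed telemetry line format (not any vendor's): "<host> <EVENT> <detail>"
LINE_RE = re.compile(r"^(?P<host>\S+)\s+(?P<event>\w+)\s+(?P<detail>.*)$")


def scan(lines):
    """Return (host, rule, detail) alerts for BQT.Lock-style activity in telemetry lines."""
    alerts = []
    renames = {}  # per-host count of renames to the ransomware extension
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the scan
        host, event, detail = m.group("host"), m.group("event"), m.group("detail")
        if event == "FILE_RENAME" and detail.lower().endswith(BQTLOCK_EXT):
            renames[host] = renames.get(host, 0) + 1
            if renames[host] == MASS_RENAME_THRESHOLD:  # fire once per host, not per file
                alerts.append((host, "mass_rename_bqtlock", f"{renames[host]} files renamed to {BQTLOCK_EXT}"))
        elif event == "USER_CREATE" and (detail.split() or [""])[0].lower() == BACKDOOR_ACCOUNT.lower():
            alerts.append((host, "backdoor_account", detail))
        elif event == "FILE_CREATE" and detail.lower().endswith(LOG_ARTIFACT):
            alerts.append((host, "bqt_log_artifact", detail))
    return alerts


# Constructed sample telemetry: ws01 is being encrypted, ws02 is mostly benign noise.
SAMPLE_TELEMETRY = (
    [rf"ws01 FILE_RENAME C:\Docs\f{i}.xlsx -> C:\Docs\f{i}.xlsx.bqtlock" for i in range(6)]
    + [
        r"ws01 USER_CREATE BQTLockAdmin added to Administrators",
        r"ws01 FILE_CREATE C:\Windows\Temp\bqt_log.txt",
        r"ws02 FILE_RENAME C:\x.docx -> C:\x.docx.bqtlock",  # one rename: below threshold
        r"ws02 FILE_CREATE C:\Temp\report.txt",
    ]
)


def scan_sample():
    return scan(SAMPLE_TELEMETRY)


if __name__ == "__main__":
    for host, rule, detail in scan_sample():
        print(f"{host}: {rule}: {detail}")
```

The single rename on ws02 stays below the threshold on purpose: a per-host count is what separates a user renaming one file from a host being encrypted.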