Discovering the BQTLock Ransomware

Discovering the BQTLock Operators

Today’s investigation uncovers the individuals and operations behind the ransomware group BQT.Lock (also known as BaqiyatLock).

This group, active in ransomware-as-a-service (RaaS) operations, claims responsibility for compromising and encrypting over 540 servers across the United States and beyond. In addition to ransomware deployment, BQT.Lock is heavily involved in selling hacking tools and developing underground platforms that sustain the broader cybercriminal ecosystem.

One of the key figures tied to BQT.Lock, operating under the alias ZeroDayx1, has been linked to multiple high-impact breaches. These include the exposure of 12,000 Indian medical records connected to Hygeia, a breach of Kalad Mining & Logistics (kalad.com.sa), a Saudi-based contractor, and the encryption of servers belonging to EPS FUJ Private School and Adore UAE on June 25, 2025, for which he demanded 116 XMR in ransom. On October 4, he unveiled BQTLock V5, a new iteration of the ransomware-as-a-service platform.

Intelligence sources and social-media evidence further suggest that ZeroDayx1 is a supporter of and officer within Hezbollah, specifically affiliated with the Imam al-Mahdi Scouts, the youth organization known to operate under the group’s influence. This connection indicates potential ideological motives beyond financial gain and raises questions about the intersection of cybercrime and political extremism.

Behind these operations lies a growing number of victims, from medical institutions and schools to private corporations, with vast amounts of sensitive and personal data now exposed. The activities of BQT.Lock therefore represent not only a significant operational threat to global cybersecurity but also a concerning overlap between hacktivism, cyber-warfare, and organized crime.

The administrator of BQT, who operates under the alias ZeroDayX1 on Twitter (X), openly takes pride in these activities. By analyzing his profile and social presence, we began to identify his agenda, target preferences, and ideological motivations.

Further exploration of his Telegram networks revealed that “Baqiyat” is not only the name of the ransomware but also the brand of a wider platform ZeroDayX1 is attempting to build. This ecosystem extends into the dark web, where multiple channels are dedicated to hacking tool sales, coordination, and propaganda.

Many of these channels display a clear ideological alignment, with content supporting jihadist narratives and Hezbollah leaders. They also include multiple claims of cyberattacks against Israeli organizations. While mainstream media reports have not highlighted significant incidents, our monitoring suggests these attacks may be minor or localized.

Globally, however, we observe that ZeroDayX1 and his affiliates are developing and deploying automated tools for cyberattacks. These tools may be used directly by the group or sold to third parties willing to pay in Monero (XMR), creating a dual model of ransomware operations and cybercrime-as-a-service.

I saw a post about a new ransomware that security researchers were starting to write about, like the one below.


When the ransomware operator realized the attention his activities were receiving, he reacted in a way that is highly unusual compared to other ransomware groups.
Instead of remaining silent or issuing a standard threat, his response carried a tone of frustration, as if he felt mocked or disrespected. The community ridiculed him for leaving behind extensive evidence on infected machines, which exposed his operations.

Ironically, those same logs, left behind unintentionally or through poor operational security, became a valuable resource for security researchers. They not only documented the sequence of actions taken on compromised systems but also provided opportunities to better understand the attack chain. In some cases, analysts were even able to attempt reconstructing or extracting encryption keys from the traces he left behind.

This behavior highlights a critical weakness: while the actor has ambitions to appear sophisticated, his mistakes have created openings for defenders to investigate and potentially mitigate the impact of his ransomware.

At this stage, it became clear that the profile in question may be directly connected to the ransomware campaign.
We therefore began to investigate the Twitter (X) account operated under the alias “ZeroDayX1.” The name may sound impressive, but the real question is: who is behind it?

By analyzing recent posts, it appears that the operator is actively promoting his platform on Twitter, not only sharing propaganda but also exposing fragments of information that could serve as potential leads. Some of these posts even contained data points that, if carefully cross-referenced, may assist in tracking the true identity of the operator.

By going through the posts, we learned a great deal about the target and collected sources across multiple channels: usernames, photos, and more. We then began investigating the actor's Telegram activity, which extends far beyond Twitter. We identified multiple channels directly promoting RaaS (Ransomware-as-a-Service) offerings, dark web portals granting access to searchable datasets from stealer logs, and various marketplaces for hacking tools. These resources collectively support the execution of cyberattacks and lower the barrier to entry for other criminals.

Alongside the cybercrime infrastructure, the channels also host a significant amount of propaganda content, particularly glorifying Hezbollah leaders and the Iranian regime. The admiration and respect expressed toward these terrorist entities appear genuine and consistent, rather than opportunistic.

While connections between criminal groups and terrorist organizations are not unusual, they are often pragmatic and transactional, focused on financial or operational benefit. Here, however, we observe something different: a deep ideological alignment, with rhetoric suggesting possible affiliation with, or direct influence from, units or individuals operating at a higher level of coordination.

Who is "ZeroDayX1"?

Our first hint comes from the history of old names that ZeroDayX1 changed on Telegram: the first name, set on October 31, was "Karim Fayad". Remember this name. We started mapping a list of people who could be our target. We now had a name, but how many people named Karim Fayad exist in the world? We had to keep exploring.

Known details:

Known as: ZeroDayX1, BQT.Lock, theelulzsec, lulzsec_fr, zerodayx_
Name: Karim Fayad
OS: iOS / Windows with WSL
Location: Beirut, Lebanon / France
Hint email: k*******4@gmail.com

We then found another account called "kariimFayad". This account, which shares followers with ZeroDayX1, claims to be a professional red team operator. It shows clear support for Hezbollah, the name matches the name in the Telegram history, and the two accounts follow each other. Is it a coincidence? I don't think so.

We then found another match, which gives us what we consider definite confirmation: several photos of his upper body reveal tattoos, including a tattoo of the former Hezbollah leader on his right arm. This photo was taken from the personal account of "Karim Fayad".

Not surprisingly, given his poor OpSec, he uploaded photos to social media that reveal his tattoos, an identifying detail that is difficult to replace or change. Even that was not necessary, because the photos are exactly the same as those on the personal profile and the censored versions uploaded to the channels. The following photos were seen on the Telegram channel and Twitter account of ZeroDayX1 and, at the same time, on the personal account of "Karim Fayad".

And bingo: the same tattoo, and the same watch. The deeper we delve into the profile, the more matches we find linking ZeroDayX1's identity to the real identity of the operator of a new ransomware group that is attacking a number of small organizations across Europe and the US.

If that is not enough, a photo posted online reveals a lot, from the ideology to the true identity of ZeroDayX1.

Another partner of Karim, "Fuch0u", was revealed to be "Miriam Lebanon", and the C2 server was hosted at 92[.]113[.]146[.]56.

From what we were able to establish, ZeroDayX1's name is Karim Fayyad; he lives in southern Lebanon, loves to ride horses, is a Hezbollah activist and a member of the resistance, and appears to be part of a coordinated operation to build a cybercrime empire, similar to the drug empire Hezbollah built in South America. In addition, we identified another partner from Lebanon, identified as Miriam, and other associates appear as martyrs on Karim's profile, with pictures of them hugging and visiting the graves of Hezbollah activists.

Karim Fayyad is leading a double life. He proudly boasts about attacking American organizations through his account zerodayx1, promoting terror and serving as an officer in the Hezbollah Scouts (Imam al-Mahdi Scouts), educating the next generation in hate and violence.

Meanwhile, on LinkedIn, he claims to have studied computer engineering at the American University of Beirut and to work for CME, a technology partner with over 40 years of experience modernizing systems, scaling AI, and powering Fortune 500 brands for 80M+ daily users worldwide, with 90%+ client retention. No one knows what level of data access he has while working there.

The American University of Beirut subsidizes education and has been reported to have ties with Hezbollah (as noted in a 2017 Times of Israel article).

Here Karim Fayad is shown in the picture below at a Google Developer Groups event at the American University of Beirut, "Build with AI 2025". He also liked this post: "don’t spit in the well you’re drinking from".

Device: iPhone (iOS)
OS: Windows with WSL
Names: Karim Fayad/Karim B. Fayyad Al-Ali/كريم ب. فياض العلي
Phone: +96170099464,(Marima Parnter:+9613045411)
Facebook:
https://www.facebook.com/mirza313K - (ID: 100048199904896)
linkedin:
https://www.linkedin.com/in/karim-fayad-a79450346/
instagram:
https://www.instagram.com/karimf01
https://www.instagram.com/kariimfayad
https://www.instagram.com/zerodayx_
https://www.instagram.com/rootusser
Twitter (X):
https://x.com/zerodayx1
https://x.com/anonlb_
BreachForums:
https://breachforums.is/User-zerodayx1
Telegram:
https://t.me/liwaamohammad
https://t.me/ZeroDayX1
https://t.me/Fuch0u
https://t.me/BQTlock_raas

For the full research with Alma, click the link below.

Special Report: One Year Since the Ceasefire in Lebanon – The Israeli Thwarting Effort Against Hezbollah’s Reconstruction Effort

As promised, we will continue to deliver in-depth research dedicated to uncovering the truth.