The RaaS Pivot: Pro-Iranian Hacktivists Abandon Sicarii for the BQTLock Extortion Engine
Pro-Iranian ransomware groups are making a strategic change of tooling. Abandoning the Sicarii platform, these factions have begun a mass migration to the BQTLock infrastructure. The move is accompanied by a call to sympathizers of pro-Palestinian and pro-Iranian hacktivist campaigns, urging them to step up the infection of target systems.
Researchers at the Halcyon Ransomware Research Center were the first to formally report this transition. The administrator of Sicarii, operating under the handle Uke B3 (Uke), conceded that the team could no longer cope with the influx of requests from affiliates. Consequently, the Sicarii leadership has chosen to focus exclusively on ideologically driven hacktivism, redirecting its ransomware affiliates to BQTLock, a platform operating on the Ransomware-as-a-Service (RaaS) model.
Shortly afterwards, the BQTLock group announced via Telegram that its services would be provided entirely free of charge to active hacktivists. The message was addressed explicitly to any operative willing to strike against the “Zionist entity.” Subject to a few conditions, these attackers may use the platform without paying anything.
The BQTLock ransomware first came to the attention of the cybersecurity community in the summer of 2025. Its origin is linked to the pro-Palestinian hacktivists Liwaa Mohammad and Karim Fayad. The Liwaa Mohammad group, led by Karim Fayad (also known by the aliases ZeroDayX and ZeroDayX1), is a constituent faction of the Cyber Islamic Resistance coalition. BQTLock and Sicarii are two independent Ransomware-as-a-Service platforms, heavily used by operatives championing pro-Palestinian and pro-Iranian geopolitical narratives.
BQTLock practices double extortion. The attackers do not merely encrypt the victim’s data; they also hold the stolen data hostage under the threat of public release. The underground leak site of BQTLock already lists data exfiltrated from educational institutions and hospitality businesses in the United Arab Emirates, the United States, and Israel. Within the encrypted channels of the Cyber Islamic Resistance, discussion frequently turns to strikes against critical infrastructure and military systems. Via Telegram, they have published highly sensitive material, such as an allegedly stolen Israeli military database and a list of purported operatives of the Israeli intelligence agency, Mossad.
Meanwhile, the hacktivist group known as the Cyber Fattah Team, working together with Liwaa Mohammad, takes an active part in these attacks. Members of the Cyber Fattah Team claim to have weaponized a fully functional React2Shell exploit. In late December 2025, the group announced a successful attack against an Israeli company, using the React2Shell vulnerability to deploy the BQTLock payload. To back up the claim, they published a screenshot showing the execution of a known proof-of-concept exploit. Curiously, the name of the targeted organization has yet to appear on the BQTLock extortion portal. It is entirely plausible that the company gave in and paid the ransom before its data was published, or alternatively that the attackers simply chose to keep the information secret.