# Full Report
The Halcyon Ransomware Research Center observed a call to action for pro-Palestinian and pro-Iranian regime operators to move ransomware activity from Sicarii ransomware to Baqiyat 313 Locker, also known as BQTLock ransomware. The Sicarii administrator stated they were unable to keep up with the influx of affiliate requests. Sicarii plans to focus on expanding its hacktivism influence and is redirecting ransomware operators to the BQTLock Ransomware-as-a-Service (RaaS). BQTLock emphasizes political messaging and fosters pro-Palestinian ideological motives. Since its inception in July 2025, the ransomware has primarily targeted organizations based in the United Arab Emirates, the United States, and Israel.
# Analysis Summary
# Threat Actor: Cyber Islamic Resistance (BQTLock / Sicarii)
## Attribution & Identity
* **Actor Identification:** A pro-Palestinian and pro-Iranian hacktivist collective operating under the banner "Cyber Islamic Resistance."
* **Key Individuals:**
  * **Liwaa Mohammad:** Developer and operator.
  * **Karim Fayad:** (Aliases: **ZeroDayX**, **ZeroDayX1**) Lead of the Liwaa Mohammad group.
  * **Уке Б3:** (Alias: **Uke**) Administrator of the Sicarii RaaS.
* **Associated Groups:**
  * **Liwaa Mohammad Hacktivist Group** (Core unit)
  * **Cyber Fattah Team** (Collaborators focused on initial access)
  * **Sicarii Ransomware:** A separate but allied RaaS platform now serving as a funnel for BQTLock.
## Activity Summary
In early 2026, a strategic consolidation was observed as the Sicarii administrator (Uke) directed all affiliates to migrate to the **BQTLock** (Baqiyat 313 Locker) RaaS due to scaling issues. BQTLock has transitioned from a standard RaaS model to offering "Free RaaS" to any hacktivists capable of targeting Israeli entities. Since late 2025, the group has moved beyond financial extortion to leaking sensitive military databases and intelligence personnel lists.
## Tactics, Techniques & Procedures
* **Exploitation of N-Day Vulnerabilities:** Weaponization of **CVE-2025-55182 (React2Shell)**, a critical unauthenticated RCE in React Server Components.
* **Double Extortion:** Encrypting data while simultaneously threatening to publish sensitive information on a dedicated leak site (DLS).
* **Ideological Recruitment:** Using Telegram channels to recruit "volunteer" affiliates by waiving standard RaaS fees in exchange for specific national targeting.
* **Information Operations:** Leaking military databases and "Mossad agent lists" to garner media attention and political influence.
* **MITRE ATT&CK Mapping:**
  * T1190: Exploit Public-Facing Application (React2Shell)
  * T1486: Data Encrypted for Impact
  * T1659: Content Dissemination (Hacktivism/Telegram)
## Targeting
* **Sectors:** Hospitality, Education, Critical Infrastructure, Military, and Government.
* **Geography:** Primarily Israel, United Arab Emirates (UAE), and the United States.
* **Victims:** Israeli military personnel and Mossad (alleged database leaks); unnamed Israeli-based organizations; various hospitality/education entities in the UAE and US.
## Tools & Infrastructure
* **Malware Families:**
  * **BQTLock** (Baqiyat 313 Locker)
  * **Sicarii Ransomware**
* **Infrastructure:**
  * Dedicated Telegram channels: `Cyber Islamic Resistance`, `liwaamohammad`.
  * Data Leak Site: `https[:]//www[.]ransomware[.]live/group/bqtlock` (defanged).
  * Vulnerability: CVE-2025-55182 (React2Shell).
## Implications
The shift from Sicarii to BQTLock represents a professionalization of pro-Iranian hacktivism. Because the group offers free RaaS to ideologically aligned actors, the threat landscape faces an "inflation" of attacks against Israeli and Western interests. The group's successful weaponization of critical RCE vulnerabilities like React2Shell indicates a high level of technical sophistication compared to traditional "defacement" hacktivists.
## Mitigations
* **Patch Management:** Immediately prioritize patching **CVE-2025-55182** in all React-based web applications, especially those utilizing React Server Components (RSC).
* **Vulnerability Scanning:** Audit external-facing assets for use of the RSC Flight protocol, which may be susceptible to the React2Shell flaw.
* **Monitor Telegram Channels:** Security teams should monitor the "Cyber Islamic Resistance" and "Liwaa Mohammad" channels for mentions of corporate domains or leaked credentials.
* **Ransomware Defense:** Deploy endpoint detection and response (EDR) solutions configured to block known BQTLock and Sicarii file signatures (refer to SHA256 hashes in technical logs).