Baqiyat 313 Locker
Baqiyat 313 Locker, also referred to as BQTlock, is a ransomware-as-a-service (RaaS) platform publicly disclosed in July 2025 and described as a separate platform used by pro-Palestinian and pro-Iranian regime-affiliated operators. According to cited reporting, Sicarii operators were redirected to BQTlock after Sicarii’s administrator said it could not handle a surge in affiliate requests. BQTlock is characterized as ideologically driven, emphasizing pro-Palestinian political messaging while conducting ransomware operations.
The malware uses double-extortion tactics. According to the cited reporting, BQTlock has primarily targeted organizations in the United Arab Emirates, the United States, and Israel since July 2025. Its leak site has published data from hospitality and education entities, including victims in the UAE, the US, and Israel. Related Telegram messaging advertised free RaaS access for hacktivists able to target the “Zionist entity,” and associated channels showed interest in critical infrastructure and military targets.
According to the cited reporting, BQTlock was purportedly developed by pro-Palestinian hacktivists Liwaa Mohammad and Karim Fayad, with Liwaa Mohammad operating under the broader Cyber Islamic Resistance umbrella. The reporting also notes collaboration or association in related channels with the Cyber Fattah Team. On 20 December 2025, the Cyber Fattah Team reportedly claimed successful exploitation of React2Shell (CVE-2025-55182), a critical unauthenticated remote code execution vulnerability affecting React Server Components and the RSC Flight protocol, to deploy BQTlock against an Israel-based victim. The victim was reportedly not listed on the BQTlock leak site, suggesting payment or a decision not to publish.
High-confidence aliases in the cited reporting are Baqiyat 313 Locker and BQTlock.
Vulnerabilities exploited
1 CVE Mallory has correlated with this family across public research and vendor advisories.
React2Shell: CVE-2025-55182, also known as "React2Shell," is a critical unauthenticated remote code execution vulnerability affecting React Server Components (RSC) and the RSC Flight protocol.
Groups observed using it
3 distinct threat actors attributed by public researchers.
"...move ransomware activity from Sicarii ransomware to Baqiyat 313 Locker also known as BQTlock ransomware..."
Recent activity
2 sources tracked across advisories, community write-ups, and news.
Pro-Palestinian ransomware used by pro-Iranian operators, targeting organizations in the U.A.E., the U.S., and Israel.
Ransomware-as-a-Service platform used by pro-Palestinian/pro-Iranian-aligned operators; uses double-extortion (encryption plus data theft/leak) and emphasizes political messaging. Reported deployments include exploitation of React2Shell (CVE-2025-55182) for initial access.