Mallory
🇮🇶 IQ
1 malware family

Liwaa Mohammad

Also known as liwaa_mohammad

Liwaa Mohammad is a pro-Palestinian, pro-Iran-aligned hacktivist group operating under the broader Cyber Islamic Resistance umbrella and within the wider Islamic Cyber Resistance / Cyber Isnaad Front ecosystem. Reporting places the group among Iraqi-linked cyber proxy and hacktivist networks that appear to coordinate from Iraqi territory as part of the Iraq-Iran cyber corridor. The group is explicitly identified alongside the 313 Team, Fatimion Cyber Team, FAD Team, AL Toufan, AL_Safwa313, Al Safwa, Unit 313, and Gaza313 in that ecosystem. Liwaa Mohammad is led by Karim Fayad, also known as ZeroDayX and ZeroDayX1.

The group has been linked to the development and launch of the Baqiyat 313 Locker ransomware, also referred to as BQTlock and Baqiyatlock313. BQTlock is described as an ideologically driven Ransomware-as-a-Service platform used by pro-Palestinian and pro-Iranian regime-affiliated operators. It combines political messaging with double extortion and, since July 2025, has primarily targeted organizations in the UAE, the United States, and Israel. Reporting states that BQTlock has published stolen data from hospitality and education entities on its leak site.

Liwaa Mohammad-related activity is tied to Telegram-based operations under the Cyber Islamic Resistance umbrella. Forwarded posts attributed to the group claimed leaks of an Israeli military database and a list of Israeli Mossad agents. Related communications also showed interest in targeting critical infrastructure and military entities. The Cyber Fattah Team is described as collaborating on Liwaa Mohammad Telegram channels, and reporting states Cyber Fattah Team claimed exploitation of React2Shell (CVE-2025-55182) to deploy BQTlock against an Israeli-based victim on 20 December 2025.

Known aliases directly reflected in the content are Liwaa Mohammad and liwaa_mohammad.


OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Where they're from

Attributed origin per open-source reporting.

  • IQ

ARSENAL

Associated malware families

1 malware family attributed to this actor across reporting.
