BQTLock
BQTLock is a ransomware/Ransomware-as-a-Service (RaaS) operation referenced as a new ransomware strain active in 2025 and reported to have multiple variants and names. The malware is associated with the pro-Palestinian hacktivist group zerodayx1, which launched BQTLock as a RaaS offering. Reporting explicitly describes this as a pivot combining ideological messaging with subscription-based extortion, reflecting a blend of hacktivism and financially motivated ransomware activity. Mentioned coverage includes research on BQTLOCK ransomware and its variants, and analysis comparing BQTLock with another new strain, GREENBLOOD. The available content does not provide technical details on encryption routines, specific infection vectors, targeted operating systems, victimology, or concrete indicators of compromise beyond the association with zerodayx1 and its positioning as a ransomware/RaaS operation.
Vulnerabilities exploited
One CVE that Mallory has correlated with this family across public research and vendor advisories. The row links to the full Mallory page for that vulnerability.
React2Shell: CVE-2025-55182, also known as "React2Shell," is a critical unauthenticated remote code execution vulnerability affecting React Server Components (RSC) and the RSC Flight protocol.
Techniques & procedures
Eight distinct techniques are documented for this family, organized by ATT&CK tactic:
Initial Access: 4 techniques
Execution: 1 technique
Lateral Movement: 1 technique
Command and Control: 1 technique
Impact: 1 technique
CTU researchers have also identified the BaqiyatLock (also known as BQTlock) ransomware-as-a-service (RaaS) group offering free affiliate memberships to any hacktivists who can "target the Zionist entity"... Organizations should also review their business continuity plans and restoration processes to address ransomware or wiper malware attacks.
IOCs tracked for this family
Eight indicators are attributed to this family across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
Five sources are tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
New ransomware strain mentioned as starting operations this year.
Ransomware-as-a-Service (RaaS) platform combining ideological messaging with subscription-based extortion, used by hacktivist and financially motivated actors.
Minimal-activity ransomware brand referenced as part of the long tail of operators.
Ransomware-as-a-Service operation launched by the hacktivist group zerodayx1, combining ideological and financially motivated attacks.