3C-INT logo [Cyber]Crime Characterization for Intelligence FREE PREVIEW
You are exploring the Free preview. To unlock full read-only access to all public profiles and in-app notifications, create a free research account. For analyst / premium plans capabilities (editing, advanced tabs, exports), please contact us

Threat Actor Characterization

Back
You’re viewing the read-only version. Sign in for analyst tools (editors, promote draft, file/relations management, etc.)
Liwaa Muhammad

Liwaa Muhammad

ID: 7e4300d61387b4122e9dbde567aedccb43759
Cybercrime Cybercriminal DDoS-for-Hire Operator
Threat types: Intrusion, Pro-Palestine
Lebanon ISR, ARE, USA
Updated: 2026-04-16
Created: 2026-01-26
Progress: 92% Completeness: 88% Freshness: 100%
Operation zone: Israel, United Arab Emirates, United States
Aliases Limited alias preview
Liwa’ Muhammad ﷺ Liwaa Mohammad Li************ li**********
Mo************* Mu************** لو******* لو*********
Showing 2 of 8 aliases in free preview.
Actor Network Graph
Open Network Graph
Read-only preview for anonymous visitors. Sign in with a free Research account for full workspace.
MITRE ATT&CK®
confidence: medium
Actor Techniques page ATT&CK® Diagram

Liwaa Muhammad, also seen as Mohamed Brigade or Liwaa Mohammed, is assessed as a Cyber Islamic Resistance-aligned hacktivist brand closely tied to the actor zerodayx1 / Karim Fayad in public reporting. It mixes propaganda, cyber-claim amplification, service promotion and, by 2025–2026, clear overlap with BQTLock ransomware operations.


Technique Technique name Tactics Evidence
T1583.006 Web Services TA0042
  • 2024-07-24 — Public reporting shows use of Telegram, X, leak infrastructure and related channels to promote operations. · ref
T1587.001 Malware TA0042
  • 2024-07-24 — By 2025–2026 the group was publicly linked to development or operation of BQTLock ransomware. · ref
T1190 Exploit Public-Facing Application TA0001
  • 2024-07-24 — Halcyon reported a claimed React2Shell exploitation tied to Liwaa Mohammad-linked ransomware activity. · ref
T1486 Data Encrypted for Impact TA0040
  • 2024-07-24 — BQTLock overlap indicates use of ransomware for operational disruption and extortion. · ref
Strategic Intelligence
Limited preview
Last updated: 2026-04-16T03:15:48+00:00

Liwaa Muhammad

Classification: Unclassified / Open Source Intelligence (OSINT) — TLP:WHITE

Category: Hacktivism / CIR-aligned group - Origin: Likely Middle East / Lebanon-linked online milieu

Author: iQBlack CTI Team


Executive Summary

Liwaa Muhammad, also seen as Mohamed Brigade or Liwaa Mohammed, is assessed as a Cyber Islamic Resistance-aligned hacktivist brand closely tied to the actor zerodayx1 / Karim Fayad in public reporting. It mixes propaganda, cyber-claim amplification, service promotion and, by 2025–2026, clear overlap with BQTLock ransomware operations.

Public reporting indicates that this actor or brand matters less because of bespoke technical sophistication than because of its position inside a wider mobilization, propaganda, ransomware, or coalition ecosystem.


Full strategic intelligence is available in Analyst and Premium plans.
Executive Analyst Brief for CISO
Saved Limited preview

Executive Analyst Brief for CISO — Liwaa Muhammad

Classification: Unclassified / Open Source Intelligence (OSINT) — TLP:WHITE

Upgrade to access the full executive brief.
Tip: Hover the section title to learn what’s included in Analyst / Premium plans.
Executive brief now
Saved successfully.
Hunting Playbook
Saved Limited preview

Hunting Playbook — Liwaa Muhammad


Upgrade to access the full hunting playbook.
Tip: Hover the section title to learn what’s included in Analyst / Premium plans.
Hunting Playbook now
Saved successfully.
IOC Appendix
Saved Limited preview
Last updated: 2026-04-16T03:18:24+00:00

IOC Appendix — Liwaa Muhammad

Classification: Unclassified / Open Source Intelligence (OSINT) — TLP:WHITE

More IOC context for Research. Full appendix for Analyst and Premium plans.
IOC Appendix now
Saved successfully.
OSINT Library
Saved Limited preview
Last saved: 2026-04-16T03:18:38+00:00

OSINT Library — Liwaa Muhammad


2025-06-12 — Outpost24 — “zerodayx1: Hacktivist groups turning to ransomware operations”

Full OSINT references available for Research / Analyst.
OSINT Library now
Saved successfully.
Social Medial & Communication
SOCMINT integrated: 0/2
Address Verification SOCMINT
t.me/liw********** Restricted Not integrated
t.me/haj***** Restricted Not integrated
Notes: preview mode hides sensitive social/contact details.
Reference Images/Associated Evidence Limited
Showing 1–3 of 3 images
Hacked website Free Preview
Hacked website
Alliance with LulzSec Black Free Preview
Alliance with LulzSec Black
Logo Free Preview
Logo