
Threat Actor Characterization

BQT OSINT


ID: e7989a1b480a1ac465a3e99715c18df365519
Crimeware
Threat types:
Iran
Updated: 2026-04-15
Created: 2026-01-26
Progress: 66% Completeness: 52% Freshness: 100%
Operation zone:
Aliases:
BQTosint
MITRE ATT&CK®

BQT OSINT (also exposed as BQT Bot OSINT via Telegram bot @BQTosintBot) is a paid OSINT and data-enrichment service operated by the Zerodayx1 / Liwaa Muhammad cluster behind BQTLock ransomware, BQTscanner and associated RaaS offerings. The service uses a point-based model purchased in Monero (XMR) and redeemed through vouchers sent by ZeroDayX1. It is promoted inside the BQTLock RaaS ecosystem and by allied channels (e.g., Cyber Fattah team) as an OSINT backend for members, suggesting that it provides domain- and organisation-centric intelligence to support targeting, extortion and reconnaissance. External reporting also describes BQT Bot OSINT as a recruitment and influence instrument that leverages emotional-intelligence tactics to attract and retain affiliates within the Zerodayx1 group. Ref: WatchGuard BQTLock tracker; Alma Research special report on BQTLock and Karim Fayad; Orange Cyberdefense Zerodayx1 Group profile; Telemetr mirrors of BQTLock RaaS and Cyber Fattah posts.


Technique Technique name Tactics Evidence
T1591 Gather Victim Org Information TA0043
  • 2025-10-01 — INFERENCE based on OSINT collection window — Gather Victim Org Information – BQT OSINT is advertised as an OSINT system for members of the BQTLock ecosystem, accessed via the @BQTosintBot Telegram bot and sold on a point-based model, implying it returns structured information about organisations (for example, whether a given company/domain appears in leaked databases, credential dumps or other OSINT sources) to support targeting and extortion planning. · ref
  • 2025-10-15 — INFERENCE based on publication timeframe — INFERENCE – Orange Cyberdefense describes the Zerodayx1 Group as using “BQT Bot OSINT on Telegram” as part of an emotional-intelligence driven recruitment and engagement funnel. This suggests that the bot does not only return raw technical data but also contextual organisational information (identity, alignment, perceived enemies) that can guide which institutions are prioritised as victims or political targets. · ref
T1590.001 Domain Properties TA0043
  • 2025-11-01 — INFERENCE based on tweet capture date — Gather Victim Network Information: Domain Properties – A TwStalker/X snapshot of the @zerodayx1 account includes the message “BQT osint usage domain fbi[.]gov”, indicating that BQT OSINT is used against specific domains to retrieve information. This strongly suggests that the bot and its backend are designed to query domain-related properties (such as domain ownership, associated emails, and potentially breach presence) for victim organisations. · ref
  • 2025-09-20 — INFERENCE based on Telemetr crawl timestamp — INFERENCE – The BQTLock RaaS channel and allied channels (e.g., Cyber Fattah) forward BQT OSINT announcements framed around organisational membership (“Dear BQT OSINT Members”) and access via @BQTosintBot. Combined with the domain-centric teaser, this supports the assessment that a core function is to look up domain properties and related contact/details for target organisations. · ref
T1593 Search Open Websites/Domains TA0043
  • 2025-10-10 — INFERENCE based on OSINT observation window — Search Open Websites/Domains – By branding itself explicitly as an OSINT system and exposing a domain-based usage example (e.g., fbi[.]gov), BQT OSINT almost certainly aggregates information from multiple open web sources (victim-owned websites, public breach indexes, news, and other online resources) to answer queries about a given organisation or domain, thereby enabling adversaries to search open websites/domains during reconnaissance. · ref
T1596 Search Open Technical Databases TA0043
  • 2025-10-20 — INFERENCE based on Alma and Orange reporting timeframe — Search Open Technical Databases – The Alma Research special report notes that BQTLock’s underground platforms provide access to stolen databases and make cybercrime infrastructure broadly accessible. Coupled with the BQT OSINT point-based model, it is reasonable to assess that BQT OSINT queries technical and breach databases (e.g., collections of scanned network data, credential dumps, or other structured stores) as part of its lookups, effectively acting as a broker for open and semi-open technical datasets. · ref
Strategic Intelligence
Last updated: 2026-01-27T00:03:05+00:00

BQT OSINT / BQT Bot OSINT

Classification: TLP:WHITE – Tooling profile

Author: iQBlack Team


Executive Summary

BQT OSINT (also branded as BQT Bot OSINT, accessed via Telegram bot @BQTosintBot) is a paid OSINT / data-enrichment service operated by the same ecosystem behind BaqiyatLock/BQTLock and the tools BQTScanner and BQTLock RaaS, led by ZeroDayX1 / Liwaa Muhammad.

The service is exposed as a point-based search system: users buy “points” with Monero (XMR), receive a voucher via ZeroDayX1, and redeem it inside the bot to perform lookups. Promotional posts from Cyber Fattah team and the BQTLock RaaS channel frame it as part of the broader Baqiyat toolset and even bundle “unlimited search points on the BQT OSINT tool” with BQTLock subscription offers.

External research on the Zerodayx1 Group describes BQT Bot OSINT not only as a technical data-access tool, but also as a recruitment and influence instrument that leverages “emotional intelligence” to draw sympathisers into the RaaS ecosystem and cultivate loyalty.

Social Media & Communication
SOCMINT integrated: 0/2

Address Verification SOCMINT
t.me/BQT***** Restricted Not integrated
t.me/BQT******** Restricted Not integrated
Notes: preview mode hides sensitive social/contact details.