Threat Actor Characterization

ZeroDayX1

ID: b22082f01937a09ecda662b7f056772074331
Categories: Cybercrime, Cybercriminal, Defacement Operator, Malware Dev
Threat types: Hacktivist, Defacement, DDoS Attack, pro-Palestina, Hezbollah-aligned
Lebanon ISR, USA
Updated: 2026-04-12
Created: 2026-01-26
Operation zone: Israel, United States
Aliases: ZeroDayX
MITRE ATT&CK®

ZeroDayX (a.k.a. ZeroDayX1) is assessed as the lead developer/operator behind the BQTLock ransomware ecosystem (including BQTLock, BQTScanner, and BQT OSINT). Public reporting by Alma Center and DOS-OP, echoed by Israel24, links the BQTLock operation to Lebanese student Karim Fayad and to Hezbollah-aligned cyber activity, framing the RaaS platform as both a profit engine and an ideological tool. Technical analyses from 2025 describe BQTLock as a Windows-focused RaaS with AES-256/RSA-4096 encryption, double-extortion behavior, credential theft, anti-analysis, and Discord/Telegram-based C2, delivered via affiliates who gain access through exposed services and social-engineering lures.


Technique (tactics), each followed by its supporting evidence:

T1566.001 Spearphishing Attachment (TA0001)
  • 2025-09-25 — GBHackers reports that BQTLock is distributed by affiliates via Telegram channels and dark-web forums using ZIP archives that contain a malicious Update.exe payload, consistent with file-based spearphishing or similar social-engineering lures tied to ZeroDayX’s RaaS program.
T1190 Exploit Public-Facing Application (TA0001)
  • 2025-10-02 — INFERENCE (medium confidence): SOCRadar’s BQTLock profile notes that affiliates frequently exploit unpatched software and exposed services to gain initial footholds before deploying the ransomware, which aligns with Exploit Public-Facing Application for organizations exposing vulnerable panels or web apps.
  • 2025-12-02 — The Alma/DOS-OP research summarized by Israel24 describes BQTLock as compromising hundreds of servers worldwide via a broad attack campaign, implying systematic abuse of externally reachable infrastructure as an entry point for the ZeroDayX-led operation.
T1078 Valid Accounts (TA0001, TA0003, TA0004, TA0005)
  • 2025-10-02 — SOCRadar notes that BQTLock operators and affiliates leverage stolen credentials and access-broker marketplaces to obtain entry into victim environments before deploying the ransomware, indicating systematic abuse of valid accounts rather than only direct exploitation.
  • 2025-09-25 — GBHackers details that BQTLock creates a new local administrator account ("BQTLockAdmin" with a hard-coded password) via the NetUserAdd API after execution, demonstrating explicit manipulation of account credentials to maintain privileged access.
T1053.005 Scheduled Task (TA0002, TA0003, TA0004)
  • 2025-09-25 — GBHackers describes BQTLock registering a scheduled task under Microsoft\Windows\Maintenance\SystemHealthCheck to ensure persistence across reboots, which is a direct use of scheduled tasks for logon/boot persistence under the ZeroDayX-operated family.
T1055.012 Process Hollowing (TA0004, TA0005)
  • 2025-09-25 — Technical analysis shows that BQTLock injects its code into explorer.exe using process hollowing after gaining elevated rights, a stealth execution pattern documented as part of the ZeroDayX toolchain.
T1497.001 System Checks (TA0005, TA0007)
  • 2025-09-25 — GBHackers notes that BQTLock incorporates debugger checks (IsDebuggerPresent, CheckRemoteDebuggerPresent) and virtual-machine evasion stubs to hinder dynamic analysis, showing conscious sandbox/VM evasion in builds linked to ZeroDayX.
  • 2025-10-02 — SOCRadar’s whitepaper describes advanced anti-analysis and stealth options in later BQTLock builders, including expanded anti-debug and anti-VM features exposed as configurable flags to affiliates.
T1555.003 Credentials from Web Browsers (TA0006)
  • 2025-09-25 — GBHackers reports that version 4 of the BQTLock builder added credential-stealing modules that target stored passwords in Chrome, Firefox, Edge, Opera, and Brave, enabling affiliates to harvest browser-stored credentials during or prior to impact.
  • 2025-08-22 — A technical summary of BQTLock (referencing Sudhan/Telychko research) notes integration of credential theft as part of the RaaS capabilities, indicating a deliberate shift by ZeroDayX toward multi-function infostealer+ransomware tooling.
T1071.001 Web Protocols (TA0011)
  • 2025-09-25 — GBHackers notes that BQTLock exfiltrates host information via a Discord webhook and communicates using standard web protocols (HTTP/HTTPS) as part of its beaconing and reporting, placing core C2 over web channels.
  • 2025-10-02 — SOCRadar’s analysis highlights BQTLock’s use of multiple application-layer protocols, including HTTP/HTTPS and QUIC, to communicate with its infrastructure, as well as Telegram-based coordination for RaaS operations.
T1041 Exfiltration Over C2 Channel (TA0010)
  • 2025-09-25 — GBHackers states that BQTLock collects system information (hostname, username, hardware ID, public IP) and sends it via Discord webhooks before or during encryption, demonstrating exfiltration of victim data over its C2 channel.
  • 2025-10-02 — SOCRadar describes BQTLock as a double-extortion platform where affiliates exfiltrate sensitive victim data before encryption, then leverage that data for ransom negotiations, implying regular use of C2 channels or auxiliary services for bulk data exfiltration.
T1486 Data Encrypted for Impact (TA0040)
  • 2025-09-25 — GBHackers documents BQTLock encrypting files under 50 MB using AES-256 and protecting keys with RSA-4096, appending a .bqtlock extension and dropping ransom notes in every directory, which is a textbook case of Data Encrypted for Impact.
  • 2025-12-02 — The Alma/DOS-OP study, summarized by Israel24, describes BQTLock as having compromised more than 540 servers globally and using ransomware to steal funds and extort victims, reinforcing encryption for impact as the central effect mechanism of the ZeroDayX operation.
T1490 Inhibit System Recovery (TA0040)
  • 2025-09-25 — GBHackers notes that BQTLock deletes system backups, including shadow copies and volume snapshots, to prevent recovery after encryption, indicating explicit attempts to inhibit system recovery.
  • 2025-10-02 — SOCRadar’s technical overview mentions that later BQTLock versions expand their anti-recovery logic, extending backup tampering and cleanup routines as part of the builder’s configurable options.
T1590 Gather Victim Network Information (TA0043)
  • 2025-09-25 — GBHackers reports that BQTLock gathers system and network information (hardware details, hostname, username, public IP via icanhazip.com) before or during impact, providing reconnaissance on victim network characteristics for ZeroDayX and affiliates.
  • 2025-10-02 — SOCRadar notes that the BQTLock ecosystem includes integrated reconnaissance and reporting functionality, feeding victim metadata back to operators as part of the RaaS service.
  • 2025-07-21 — INFERENCE (medium confidence): Internal analysis of BQTScanner and the associated BQT OSINT platform shows ZeroDayX providing affiliates with tooling to probe externally exposed services and search leaked-data indexes, extending reconnaissance beyond the core ransomware implant.
T1587.001 Malware (TA0042)
  • 2025-10-02 — SOCRadar attributes authorship and ongoing development of BQTLock (including a multi-version builder with anti-analysis and credential-theft features) to the ZeroDayX persona, indicating continuous in-house malware capability development.
  • 2025-12-02 — The Alma/DOS-OP research cited by Israel24 identifies Karim Fayad as the operator behind BQTLock and describes a multi-year campaign using custom ransomware and tool sales, consistent with long-term development and refinement of bespoke malware capabilities.
  • 2025-10-02 — INFERENCE (medium-high confidence): A PGP-signed statement and public key associated with the ZeroDayX handle, asserting ownership of Liwaa Mohammad and BQTLock, supports the assessment that ZeroDayX is the primary developer and capability owner, rather than merely an affiliate.
T1588.002 Tool (TA0042)
  • 2025-09-25 — GBHackers describes BQTLock as a RaaS platform where affiliates obtain fully configurable payloads and decryption tools from a builder interface without writing code, reflecting deliberate provision of attack tools to third parties.
  • 2025-10-02 — SOCRadar details BQTLock’s subscription tiers and builder UI, enabling customers to generate customized ransomware samples and manage campaigns, underscoring ZeroDayX’s role in distributing offensive tools as a service.
T1583.006 Web Services (TA0042)
  • 2025-09-25 — GBHackers notes that BQTLock operators coordinate through Telegram channels and use Discord webhooks for telemetry and victim communication, showing deliberate use of third-party web services as operational infrastructure.
  • 2025-10-02 — SOCRadar reports that BQTLock maintains a presence on Telegram, uses dark-web forums to advertise the RaaS, and operates a BAQIYAT.osint search platform as part of its broader web-services infrastructure.
  • 2025-09-15 — The RansomLook entry for BQTLock lists a dedicated data leak site and Tor/onion presence for publishing stolen data, indicating additional web-service and onion-service infrastructure under ZeroDayX’s control.
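A defender's triage of the host-side indicators listed in the evidence above, as an added example that is not part of this profile or of any vendor's tooling: it runs a handful of constructed Windows Security / Sysmon style events through checks derived from the reported BQTLockAdmin account, the SystemHealthCheck task path, the .bqtlock extension and the icanhazip.com / Discord lookups, and tags each hit with the matching ATT&CK technique. The sample events and the shadow-copy command pattern are assumptions (the profile only says backups and shadow copies are deleted), not observations taken from the page.

```python
import re
from typing import Dict, List, Optional, Tuple

# Indicators as stated in the profile's ATT&CK evidence for BQTLock (lower-cased for matching).
ROGUE_ACCOUNT = "bqtlockadmin"
TASK_PATH = r"\microsoft\windows\maintenance\systemhealthcheck"
ENCRYPTED_EXT = ".bqtlock"
BEACON_HOSTS = {"icanhazip.com", "discord.com"}
# Assumed shadow-copy deletion pattern; the profile does not quote the exact command.
SHADOW_DELETE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.IGNORECASE)

# Constructed sample events (not real telemetry). Field names follow Windows Security
# (4720 account created, 4698 task created) and Sysmon (1 process, 11 file create, 22 DNS).
SAMPLE_EVENTS: List[Dict] = [
    {"event_id": 4720, "TargetUserName": "BQTLockAdmin", "SubjectUserName": "alice"},
    {"event_id": 4698, "TaskName": "\\Microsoft\\Windows\\Maintenance\\SystemHealthCheck"},
    {"event_id": 4698, "TaskName": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag"},  # benign
    {"event_id": 22, "QueryName": "icanhazip.com", "Image": "C:\\Temp\\Update.exe"},
    {"event_id": 11, "TargetFilename": "C:\\Users\\alice\\Documents\\q3.xlsx.bqtlock"},
    {"event_id": 1, "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
]

def classify(ev: Dict) -> Optional[Tuple[str, str]]:
    """Map one event to (ATT&CK technique, detail), or None if it matches no indicator."""
    eid = ev.get("event_id")
    if eid == 4720 and ev.get("TargetUserName", "").lower() == ROGUE_ACCOUNT:
        return ("T1078", f"local account {ev['TargetUserName']} created by {ev.get('SubjectUserName')}")
    if eid == 4698 and ev.get("TaskName", "").lower() == TASK_PATH:
        return ("T1053.005", f"persistence task registered: {ev['TaskName']}")
    if eid == 22 and ev.get("QueryName", "").lower() in BEACON_HOSTS:
        return ("T1071.001", f"{ev.get('Image')} resolved {ev['QueryName']}")
    if eid == 11 and ev.get("TargetFilename", "").lower().endswith(ENCRYPTED_EXT):
        return ("T1486", f"encrypted file written: {ev['TargetFilename']}")
    if eid == 1 and SHADOW_DELETE.search(ev.get("CommandLine", "")):
        return ("T1490", f"shadow copies deleted: {ev['CommandLine']}")
    return None

def hunt(events: List[Dict]) -> List[Tuple[str, str]]:
    """Return every (technique, detail) hit in order; an empty list means no indicator seen."""
    return [hit for hit in map(classify, events) if hit is not None]

if __name__ == "__main__":
    for technique, detail in hunt(SAMPLE_EVENTS):
        print(f"{technique:<10} {detail}")
```

Feed real exported events in the same field layout to `hunt()`; the benign Defrag task shows that exact-path matching on the task name is what keeps the T1053.005 check from firing on ordinary scheduled tasks.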
Strategic Intelligence
Last updated: 2026-01-27T02:13:42+00:00

ZeroDayX actor profile

Classification: TLP:WHITE

Author: iQBlack



Executive Summary

ZeroDayX is a Lebanese-origin hacktivist–cybercriminal persona assessed as the primary operator and public face of the BQTLock (BaqiyatLock) ransomware ecosystem and the pro-Palestinian / Hezbollah-aligned collective commonly branded Liwaa Mohammad / Mohamed Brigade.

Initially active around 2023 with DDoS, defacement and data-leak operations, ZeroDayX pivoted in 2024–2025 to a structured Ransomware-as-a-Service (RaaS) platform (BQTLock), plus associated tools (BQTScanner, BQT OSINT), offering affiliates encryption, extortion and OSINT/recon capabilities under a Monero-based subscription model.

Open sources (Alma Research, Dos-Op, other CTI vendors) strongly link ZeroDayX1 to Karim Fayad, a Lebanese computer-engineering student alleged to be a Hezbollah cyber operative; some earlier reporting framed this as a dox by opponents that he publicly denied, but more recent OSINT (tattoos, overlapping accounts, biographical traces) now treats the link as highly probable.
