{
	"id": "1d7a8a01-cd65-4797-bb42-745ac79a57c7",
	"created_at": "2026-04-06T01:31:01.04538Z",
	"updated_at": "2026-04-10T03:36:48.154146Z",
	"deleted_at": null,
	"sha1_hash": "934f0730434b2d986320c4beb8480ac4a039c1a4",
	"title": "Examining the tactics of BQTLOCK Ransomware \u0026 its variants",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1455728,
	"plain_text": "Examining the tactics of BQTLOCK Ransomware \u0026 its variants\r\nPublished: 2025-08-22 · Archived: 2026-04-06 00:09:35 UTC\r\nRansomware-as-a-Service (RaaS), marketed on dark web forums or Telegram channels, is a growing model in the cybercrime ecosystem in which ransomware developers offer their malicious tools and infrastructure to affiliates under a subscription or profit-sharing arrangement. Affiliates, who are responsible for distribution, need not have any coding experience. They can simply purchase or subscribe to a RaaS, which handles payload generation, encryption mechanisms, victim communication portals, and even automated payment collection via cryptocurrency.\r\nA newly identified ransomware strain named Bqtlock, operating under a Ransomware-as-a-Service (RaaS) model, has surfaced in the threat landscape since mid-July, as reported on Twitter. It is associated with ‘ZerodayX’, the alleged leader of the pro-Palestinian hacktivist group Liwaa Mohammed, who is also linked to the Saudi Games data breach.\r\nFigure 1: Tweet\r\nBqtlock leverages a range of anti-analysis techniques, including string obfuscation, debugger detection, and virtual machine evasion, to avoid detection and analysis. The ransomware is distributed in a ZIP archive containing a file called Update.exe, which encrypts local files of all types, appends a custom extension (.bqtlock), and drops a ransom note with instructions. This emerging malware follows the usual double extortion playbook. The ransom note gives the victim 48 hours to make contact via Telegram or X and demands a payment of 13 to 40 XMR ($3600 to $10000) depending on the wave. Suppose the victim doesn’t contact within the given 48 hours. 
In that case, the ransom is doubled, and after 7 days the decryption keys will be deleted permanently and the attackers will sell the collected user data on their website (Figure 5), the standard double extortion technique. Transactions are conducted exclusively in Monero.\r\nThe sample we analyzed is a ZIP archive that contains two executables and 20 DLLs.\r\nhttps://labs.k7computing.com/index.php/examining-the-tactics-of-bqtlock-ransomware-its-variants/\r\nPage 1 of 12\n\nFigure 2: Archive Contents\r\nFigure 3: Infected Files\r\nFigure 4: Ransom note\r\nFigure 5: Listings of infected companies\r\nTheir website offers three subscription tiers for their RaaS: Starter, Professional, and Enterprise. These subscriptions offer customization of the ransom note and its file name, wallpaper, icon, C2s and file extensions, plus opt-in toggles for functionality such as anti-debug, anti-VM and self-delete.\r\nFigure 6: Subscription Models\r\nIt uses the IsDebuggerPresent() API to detect active debugging environments. While the code contains a stub for anti-virtual machine (VM) detection, it currently returns false unconditionally, suggesting that the anti-VM functionality is either still under development, intentionally disabled for now, or simply not selected by the buyer of this build.\r\nFigure 7: Anti-Analysis \u0026 Mutex Checks\r\nBqtlock checks for the presence of a mutex. If the mutex already exists, the process exits immediately. Otherwise, it creates a new mutex named Global\\\\{00A0B0C0-D0E0-F000-1000-200030004000}.\r\nFollowing the mutex check, Bqtlock attempts privilege escalation by enabling SeDebugPrivilege using OpenProcessToken and AdjustTokenPrivileges. This elevated privilege is necessary for the malware to inject code into system-level processes.\r\nFigure 8: Privilege Escalation\r\nIt then proceeds to process hollowing via a function named Perform_hollowing, targeting explorer.exe.\r\nFigure 9: Process Hollowing\r\nBqtlock performs system reconnaissance by collecting host information, including the computer name, hostname, username, local IP address, and public IP (retrieved via www[.]icanhazip[.]com). It also harvests the hardware ID and calculates both total and available disk space across all drives.\r\nFigure 10: Collects User Details\r\nPost-recon, the ransomware attempts to establish persistent administrative access by creating a new local user “BQTLockAdmin” with the password “Password123!” through the NetUserAdd API, and elevating its privileges by adding it to the Administrators group using NetLocalGroupAddMembers.\r\nFigure 11: Adding User to Administrators\r\nBqtlock exfiltrates collected system data through a Discord webhook, transmitting the information in JSON format. A Discord webhook is a legitimate feature that lets apps send automated messages to a channel via a unique URL; malware abuses it as a free command-and-control channel and as a path for exfiltrating stolen data. It includes a function to capture a screenshot of the victim’s desktop, saving it locally as C:\\Windows\\Temp\\bqt_screenshot.png using the BitBlt and GdipCreateBitmapFromHBITMAP APIs. The malware also records its logs and sends them.\r\nTo prevent victims from restoring their system or recovering encrypted files, it executes a series of system commands designed to disable Windows recovery mechanisms.\r\nFigure 12: Anti-Recovery Commands\r\nAs part of its pre-encryption routine, Bqtlock scans running processes to identify and terminate specific applications that may prevent it from encrypting files effectively. This is done using the CreateToolhelp32Snapshot API, which allows the ransomware to capture a snapshot of the current process list. It then iterates through the list using the standard Windows APIs Process32First and Process32Next. For each enumerated process, it compares the process name against a hardcoded list. If a match is found, the malware attempts to open a handle to the process using OpenProcess and then forcibly terminates it via TerminateProcess.\r\nFigure 13: List of Processes to check \u0026 terminate\r\nBqtlock ransomware sets up persistence via Windows Scheduled Tasks. Once it has its executable path, Bqtlock constructs a command to register a scheduled task using schtasks.exe. What’s particularly notable is the task name it chooses: Microsoft\\Windows\\Maintenance\\SystemHealthCheck\r\nFigure 14: Creation of a Scheduled Task\r\nThe wallpaper is embedded as a base64-encoded image string; the malware decodes it, writes the binary image data as bqt_wallpaper.bmp into the C:\\Windows\\Temp directory, and sets it as the desktop wallpaper using the SystemParametersInfoA API with the SPI_SETDESKWALLPAPER flag. Bqtlock also modifies file type icons in Windows Explorer by dropping a custom file (bqt_icon.ico) in the same Temp directory. It then enumerates a list of common file extensions (Figure 16) and updates their DefaultIcon registry keys under HKEY_CLASSES_ROOT, effectively changing the default icons for the associated files. This is done through repeated use of RegCreateKeyExA and RegSetValueExA. Once the changes are made, the malware calls SHChangeNotify to refresh the icon cache.\r\nFigure 15: Wallpaper\r\nFigure 16: List of extensions\r\nThe malware recursively scans folders from a given root path but skips hardcoded directories like Windows, Program Files, ProgramData, AppData, and Recycle.Bin to maintain system stability.\r\nFigure 17: Folder Exclusions\r\nIf a subdirectory is valid and not blacklisted, each file in it is checked: its size must be under a specific threshold (50MB in this case), and its extension must not already be the targeted encrypted format (decoded from base64, which is .bqtlock). If the file qualifies, its path is added to an encryption queue, and a ransom note is dropped once per directory.\r\nThe ransomware embeds all key elements, such as the ransom note, the encrypted file extension, the wallpaper image, the RSA public key, and the Discord C2 URL, in Base64 format.\r\nFigure 18: Base64 encoded extension and ransom note file name\r\nFigure 19: Base64 encoded Webhook URL\r\nFigure 20: Base64 encoded ransom note\r\nIt uses the usual hybrid encryption approach, AES-256 combined with RSA-4096, beginning by decoding the Base64-encoded file extension used to rename encrypted files. Upon successful file access, the ransomware generates a 32-byte random AES key and a 16-byte IV using RAND_bytes. These symmetric encryption parameters are then encrypted using RSA public-key encryption with OpenSSL’s EVP_PKEY_encrypt. The encrypted AES key and IV are written to the output file.\r\nFor post-execution cleanup, a delete command is executed via ShellExecuteA.\r\nFigure 21: Self-Deletion\r\nUpdated Variant\r\nWhile analyzing, we obtained an updated BQTLock sample on August 5, 2025. It still contains the earlier checks and routines, but now includes additional anti-analysis checks, UAC bypasses, and heavier code obfuscation; overall, a clear step-up in most techniques, making analysis more challenging.\r\nFor anti-debugging, it uses IsDebuggerPresent(), CheckRemoteDebuggerPresent(), OutputDebugString(), and GetTickCount(). Each check targets a different debugger behavior, including timing anomalies.\r\nFigure 22: New debug checks\r\nPrivilege escalation is achieved via UAC bypass using multiple methods:\r\nBy using CMSTP: it executes a crafted ‘.inf’ file with ‘/s’ to abuse CMSTP’s auto-elevation and run payloads without a UAC prompt.\r\nFigure 23: UAC bypass using cmstp\r\nBy using fodhelper.exe \u0026 eventvwr.exe: attackers modify registry keys under HKCU\\Software\\Classes\\ms-settings\\Shell\\Open\\command to point to their payload. When fodhelper.exe or eventvwr.exe runs, it executes the payload with elevated privileges without triggering a UAC prompt, since these binaries are auto-elevated.\r\nFigure 24: UAC bypass by fodhelper.exe\r\nFigure 25: UAC bypass by eventvwr.exe\r\nAll hardware-related information is gathered via Windows Management Instrumentation (WMI), which queries the system for details such as motherboard serial numbers, hardware configurations, and other identifiers.\r\nFor self-deletion, it uses a batch script to remove its executable after execution and attempts to clear event logs to erase forensic evidence.\r\nFor lateral movement, the malware copies itself as bqtpayload.exe into the %TEMP% directory on the target system and executes it from there.\r\nFigure 26: Lateral movement path\r\nThe updated variant introduces a credential-stealing capability, specifically targeting stored login data from widely used browsers like Google Chrome, Mozilla Firefox, Microsoft Edge, Opera, and Brave. It harvests credentials by accessing the respective storage locations of each browser. For Chromium-based browsers, this includes paths such as ‘AppData\\Local\\\u003cBrowser\u003e\\User Data\\Default\\Login Data’. For Firefox, it extracts credentials from ‘AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\logins.json’ and retrieves the corresponding decryption key from ‘key4.db’ to unlock the stored login details.\r\nFigure 27: List of browsers to collect passwords\r\nThe updated variant retains its previous functionality, now under heavier obfuscation: wallpaper and icon manipulation, termination of security processes, privilege escalation, process hollowing for stealthy payload execution, scheduled tasks for persistence, the encryption routine, and other core malicious behaviors, while expanding its capabilities with new features such as credential theft, enhanced anti-analysis techniques, and privilege escalation via UAC bypass.\r\nA recent tweet showcases the BQTLock Ransomware Builder V4, highlighting numerous customizable options that allow threat actors to build ransomware according to their preferences.\r\nFigure 28: BQTLock Ransomware Builder\r\nQuestionable claims on BQTLock\r\nZeroDayX markets BQTLock as FUD (Fully Undetectable) ransomware, claiming it is undetected by all AVs. However, the sample distributed was a corrupted ISO file, which appears non-functional. Moreover, the file was submitted to VT only once, and that submission came from Lebanon, which strongly indicates it was uploaded by the developer or someone closely affiliated. This raises doubts about the legitimacy of the FUD claims and highlights the possibility that the promotion is exaggerated or deceptive.\r\nFigure 29: Misleading VT FUD\r\nFurther Updates\r\nFrom posts on X, it’s clear that the ransomware is still being actively promoted and updated. Recently, the RaaS developers announced that version 4 is live. However, they also stated that future updates have been discontinued. In less than a month, they claimed to have released four versions and then stopped the updates. This raises questions about whether this is a genuine halt, a rebranding attempt, or simply another ploy to create urgency among buyers. Recently, their Telegram channel got blocked, and as a gesture of goodwill, they offered their services free of cost for the next 3 days on their new Telegram channel. They also released a new tool called ‘BAQIYAT.osint’, which appears to be a platform for keyword searching of stolen information for a fee.\r\nFigure 30: Promotions on Telegram\r\nThis emphasizes how the group is treating the ransomware more like a commercial product than a long-term criminal operation.\r\nWith the increasing risk of ransomware attacks, it’s important to take steps to protect your data. Using a reliable security solution like K7 Total Security and keeping it updated is crucial to defend against these threats.\r\nIOCs\r\nHash | Detection Name\r\n4E7434AC13001FE55474573AA5E9379D | Ransomware (005a7a3d1)\r\n7170292337A894CE9A58F5B2176DFEFC | Ransomware (005a7a3d1)\r\nRansomware Site: hxxp[:]//yywhylvqeqynzik6ibocb53o2nat7lmzn5ynjpar3stndzcgmy6dkgid[.]onion\r\nX: hxxps[:]//x[.]com/Zerodayx1\r\nTelegram: hxxps[:]//t[.]me/BQTlock, hxxps[:]//t[.]me/Fuch0u, hxxps://t[.]me/BQTnet, hxxps://t[.]me/BQTlock_raas\r\nCrypto Wallet: 89RQN2EUmiX6vL7nTv3viqUAgbDpN4ab329zPCEgbceQJuS233uye4eXtYk3MXAtVoKNMmzgVrxXphLZbJPte\r\nMail: BQTlock@tutamail.com\r\nReferences\r\nhttps://x.com/fbgwls245/status/1945132598520328336\r\nhttps://x.com/zerodayx1/status/1947757513778024888\r\nhttps://x.com/zerodayx1/status/1945911541989085278\r\nhttps://x.com/Cyberknow20/status/1939969889466228984\r\nhttps://www.watchguard.com/wgrd-security-hub/ransomware-tracker/bqtlock\r\nhttps://cybershafarat[.]com/2025/07/11/launch-of-our-cyber-tool-baqiyatlock-bqtlock-ransomware/\r\nhttps://www.resecurity.com/blog/article/iran-linked-threat-actors-leak-visitors-and-athletes-data-from-saudi-games\r\nhttps://x.com/zerodayx1/status/1956124336630145260\r\nhttps://x.com/abdul__alamri/status/1949468133309178050\r\nSource: https://labs.k7computing.com/index.php/examining-the-tactics-of-bqtlock-ransomware-its-variants/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://labs.k7computing.com/index.php/examining-the-tactics-of-bqtlock-ransomware-its-variants/"
	],
	"report_names": [
		"examining-the-tactics-of-bqtlock-ransomware-its-variants"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775439061,
	"ts_updated_at": 1775792208,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/934f0730434b2d986320c4beb8480ac4a039c1a4.pdf",
		"text": "https://archive.orkl.eu/934f0730434b2d986320c4beb8480ac4a039c1a4.txt",
		"img": "https://archive.orkl.eu/934f0730434b2d986320c4beb8480ac4a039c1a4.jpg"
	}
}