A sophisticated new ransomware strain named BQTLOCK has been active since mid-July 2025, operating under a comprehensive Ransomware-as-a-Service (RaaS) model that gives cybercriminals ready access to advanced encryption capabilities.
The malware, associated with ‘ZerodayX’, the alleged leader of the pro-Palestinian hacktivist group Liwaa Mohammed, represents a concerning evolution in ransomware distribution and monetization strategies.
BQTLOCK employs a tiered subscription model offering three service levels: Starter, Professional, and Enterprise packages, each providing customizable features including ransom note personalization, wallpaper modification, file extensions, and configurable anti-analysis options.
The ransomware demands between 13 and 40 Monero (XMR), equivalent to $3,600 to $10,000, with a payment deadline scheme that doubles the ransom after 48 hours and threatens permanent data deletion after seven days.
K7 Security Labs analysts identified the malware’s sophisticated architecture, which combines traditional double extortion tactics with modern evasion techniques.
The ransomware encrypts files using a hybrid AES-256 and RSA-4096 encryption scheme, appending the .bqtlock extension to compromised files while simultaneously exfiltrating sensitive data through Discord webhooks for command-and-control communications.
The malware’s distribution mechanism involves ZIP archives containing the primary executable Update.exe alongside 20 supporting DLL files.
Upon execution, BQTLOCK performs comprehensive system reconnaissance, collecting computer names, IP addresses, hardware identifiers, and disk space information before establishing persistence and initiating its encryption routine.
An updated variant discovered on August 5, 2025, demonstrates the threat actors’ commitment to continuous development, incorporating enhanced credential theft capabilities targeting popular browsers including Chrome, Firefox, Edge, Opera, and Brave.
This evolution significantly expands the malware’s data harvesting potential beyond file encryption.
Advanced Evasion and Persistence Mechanisms
BQTLOCK implements a multi-layered approach to detection evasion and system persistence that sets it apart from conventional ransomware families.
The malware begins its evasion sequence by employing the IsDebuggerPresent() API to detect active debugging environments, immediately terminating execution if analysis tools are detected.
Additionally, it creates a global mutex named “Global{00A0B0C0-D0E0-F000-1000-200030004000}” to prevent multiple instances from running simultaneously.
The ransomware achieves privilege escalation through SeDebugPrivilege enablement using OpenProcessToken and AdjustTokenPrivileges APIs, followed by sophisticated process hollowing techniques targeting explorer.exe.
This approach allows BQTLOCK to inject malicious code into legitimate system processes, effectively masking its presence from security monitoring tools.
For persistent access, the malware establishes a scheduled task masquerading as “MicrosoftWindowsMaintenanceSystemHealthCheck”, leveraging legitimate Windows maintenance nomenclature to avoid suspicion.
It simultaneously creates a backdoor administrator account named “BQTLockAdmin” with the password “Password123!”, ensuring continued access even after initial compromise detection.
The updated variant introduces multiple UAC bypass techniques, including abuse of CMSTP.exe with crafted .inf files and registry manipulation targeting fodhelper.exe and eventvwr.exe auto-elevation features.
These methods enable the malware to execute with elevated privileges without triggering User Account Control prompts, significantly reducing the likelihood of user intervention during the attack sequence.
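The host artifacts described in this section (the masquerading scheduled-task name, the backdoor account, the .bqtlock extension and the auto-elevating binaries abused for UAC bypass) translate directly into hunting logic. The following is an added example, not code from K7 Security Labs or from the malware: it runs simple rules over constructed Windows Security and Sysmon-style event records; the event dictionary shape, the event IDs chosen and the "expected parent" baseline are assumptions for the example.

```python
# Indicators quoted from the report. Backslashes are stripped from the task
# name before comparing so a path-style form would match too (my assumption).
TASK_NAME = "MicrosoftWindowsMaintenanceSystemHealthCheck"
BACKDOOR_ACCOUNT = "BQTLockAdmin"
ENCRYPTED_EXT = ".bqtlock"
# Auto-elevating binaries the updated variant abuses for UAC bypass, and the
# parents they are normally launched from (assumed baseline, tune per estate).
UAC_BYPASS_BINARIES = {"cmstp.exe", "fodhelper.exe", "eventvwr.exe"}
EXPECTED_PARENTS = {"explorer.exe", "svchost.exe"}

def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def classify_event(ev):
    """Return (rule, detail) tuples for one event dict carrying 'event_id'
    (Security 4698/4720 or Sysmon 1/11) plus that id's fields (assumed shape)."""
    hits = []
    eid = ev.get("event_id")
    # Security 4698: scheduled task created with the masquerading name.
    if eid == 4698 and ev.get("task_name", "").replace("\\", "") == TASK_NAME:
        hits.append(("bqtlock_persistence_task", ev["task_name"]))
    # Security 4720: the backdoor local account is created.
    if eid == 4720 and ev.get("target_user") == BACKDOOR_ACCOUNT:
        hits.append(("bqtlock_backdoor_account", ev["target_user"]))
    # Sysmon 11: encrypted files gain the .bqtlock extension.
    if eid == 11 and ev.get("target_filename", "").lower().endswith(ENCRYPTED_EXT):
        hits.append(("bqtlock_encrypted_file", ev["target_filename"]))
    # Sysmon 1: UAC auto-elevating binary spawned from an unexpected parent.
    if eid == 1:
        image, parent = _basename(ev.get("image", "")), _basename(ev.get("parent_image", ""))
        if image in UAC_BYPASS_BINARIES and parent not in EXPECTED_PARENTS:
            hits.append(("bqtlock_uac_bypass_candidate", f"{parent} -> {image}"))
    return hits

def hunt(events):
    """Aggregate classify_event findings per rule over an event stream."""
    summary = {}
    for ev in events:
        for rule, detail in classify_event(ev):
            summary.setdefault(rule, []).append(detail)
    return summary

# Constructed sample events (not real telemetry); the last is a benign launch that must not fire.
SAMPLE_EVENTS = [
    {"event_id": 1, "image": r"C:\Windows\System32\cmstp.exe", "parent_image": r"C:\Users\u\Downloads\Update.exe"},
    {"event_id": 4720, "target_user": "BQTLockAdmin"},
    {"event_id": 4698, "task_name": "MicrosoftWindowsMaintenanceSystemHealthCheck"},
    {"event_id": 11, "target_filename": r"C:\Users\u\Documents\report.docx.bqtlock"},
    {"event_id": 1, "image": r"C:\Windows\System32\eventvwr.exe", "parent_image": r"C:\Windows\explorer.exe"},
]
```

Running `hunt(SAMPLE_EVENTS)` yields one finding per rule and none for the benign eventvwr.exe launch; the parent-process rule is a triage signal rather than proof of compromise, so pair it with the account and task rules when escalating.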
