Inside Hezbollah’s expanding cyber empire

Hezbollah and Iran’s growing cyber operations mark a new phase of regional warfare driven by coordinated digital attacks and intelligence activity.

By Ziad Bitar | December 11, 2025
Reading time: 8 min
Source: Nidaa Al Watan

The war in the region has begun to take on new dimensions in terms of the weapons and tools available to its players, used at times to score points and at other times to strike an opponent directly. As conventional military capabilities have advanced, the operational capacities of the groups leading cyberattacks in the region and worldwide have advanced alongside them, to the point where these groups now maintain organizational cadres in most countries, including Israel and Iran.

A report prepared by Dos-Op revealed details about the cyberattack group BQT.Lock (BaqiyatLock), confirming the existence of a direct and systematic connection between the group and Hezbollah, in addition to its cooperation with the Iranian cyber apparatus. The BQT.Lock team operates as a cyber offensive arm driven by clear ideological and religious goals, combining military activities, including ransomware attacks and the sale of its tools, with the reinforcement of Hezbollah’s security, economic, and psychological objectives.

The group runs a Ransomware-as-a-Service platform under the name Baqiyat, and claims that it has succeeded in encrypting hundreds of accounts around the world and stealing sensitive data. The report notes that the main attacks targeted Israel (Ben Gurion Airport, telecom companies Bezeq and Partner, and possibly the defense companies Rafael and Elbit), the United States (websites linked to the 2024 presidential elections), as well as targets in Saudi Arabia, India, the UAE, and Lebanon.

Hezbollah members often exploit legitimate civilian jobs, allowing them to access sensitive systems to support the organization’s goals, a well-known and internationally documented operational pattern. The name BaqiyatLock reflects the fusion between Shiite ideology and Iranian offensive cyber activity, embodying what can be described as “digital religious work.”

The research, prepared by Dos-Op, a company specializing in digital investigations, data leak detection, and automated threat hunting, in cooperation with the Alma Center for Security Research in Israel, exposes the scope of the group’s operations and its strategic objectives.

The report also indicates that many Hezbollah members rely on what is known as a “dual life,” in which they occupy legitimate civilian positions while benefiting from their education, professional experience, and access to sensitive systems and resources to support Hezbollah’s civilian and military goals. This operational model allows Hezbollah to fully utilize its members’ competencies in both civilian and military fields, reflecting an advanced strategy of concealment and influential deployment within society.

What is known as the “Resistance Society Model” forms the framework that enables Hezbollah to merge civilian activity with military and field operations. This model allows the organization to expand its capabilities, blur the line between civilian and military activity, and benefit from civilian cover to facilitate covert operations and strengthen deniability.

In this context, many of the officials responsible for the BQT.Lock cyberattack group are a clear example of this strategy. It is believed that these individuals exploited their civilian jobs and technological expertise to support Hezbollah’s operational needs, using digital infrastructure, data repositories, and corporate systems. Reports indicate that most officials affiliated with this group received their education at leading Lebanese universities, and their presence on social media is marked by the publication of propaganda and messages supporting Hezbollah, reflecting a deep ideological connection that goes beyond military use.

The report reveals that the name BaqiyatLock carries religious–ideological dimensions connected to Hezbollah. In Shiite interpretation, the phrase “Baqiyat Allah” refers to the enduring divine presence or to a figure considered God’s representative on earth. By choosing the name BaqiyatLock, the group combines the ideological meaning (Baqiyat) with the technological element (Lock), giving the name a symbolism expressing “God’s remainder who locks the enemies of God,” an embodiment of the fusion between Mahdist ideology and offensive cyber activity.

The report indicates that the group’s name, activities, goals, and ideological position are all clear indicators of Hezbollah’s direct involvement in these attacks. Some of BQT.Lock’s operations, carried out in cooperation with Iranian cyber groups, also serve Hezbollah’s economic interests by generating additional income through ransomware attacks to support its activities.

The report adds that Hezbollah is not viewed solely as a military organization but also as an entity expanding its illegal revenue streams, especially following the impact of the war with Israel and the collapse of the Syrian regime, which harmed the Iranian logistical–economic corridor into Lebanon.

Although BQT.Lock presents itself as a group of “activist hackers” motivated by political or social causes, reports confirm that the group is directly connected to Hezbollah and its military activities. It is not an ordinary activist collective; it is a digital branch of Hezbollah, operating under a clear religious–political ideology and carrying out attacks as an extension of Hezbollah’s ideological and operational conflict, not under the mandate of a third party.

The report reveals that Hezbollah adopts a cyber model similar to Iran’s doctrine of “cyber nationalism,” which relies on recruiting technically skilled civilians to advance national and security interests. Inside Lebanon, Hezbollah recruits technically qualified civilians, trains them, and deploys them as a cyber force within its own apparatus. They work within legitimate civilian frameworks, leveraging their technical expertise to achieve Hezbollah’s goals. This pattern enables the organization to expand its digital capabilities, obscure the boundaries between civilian and military activity, and strengthen plausible deniability, consistent with Iran’s doctrine of digital proxy deployment.

These individuals operate in coordination with Hezbollah’s cyber unit, indicating their role as active or supporting operatives within this apparatus. Their technical skills provide Hezbollah with intelligence and operational advantages, including carrying out cyberattacks, targeting civilian or governmental entities, achieving psychological impact, and launching financially motivated attacks. Their professional expertise has contributed to developing Hezbollah’s cyber capabilities, creating new tools, upgrading digital infrastructure, offering technical consultation, and enhancing information-gathering operations through system infiltration, vulnerability detection, and extraction of sensitive data.

Hezbollah’s Unit 900, which functions as a covert security unit resembling a “secret police,” plays a parallel role. Its duties include countering espionage within Lebanon, securing the organization’s operational activity, monitoring political, civil, military, and foreign entities, including sensitive sites inside the Lebanese state, opposition parties, diplomats, journalists, and some UNIFIL personnel. This surveillance aims to protect Hezbollah’s interests from Israeli intelligence threats inside Lebanon. The unit uses technical and digital tools, including SIGINT, WEBINT, and OSINT, as well as cyber capabilities, to monitor any entity it considers a security, operational, or social threat.

It is likely that BQT.Lock operatives are digitally integrated into this unit, using their technical skills for monitoring and gathering information online, identifying targets, tracking social-media activity, hacking devices and servers, and collecting data about individuals or groups connected to Hezbollah’s security or interests. Reports indicate that these skills are used to identify targets, monitor social-media activity, infiltrate systems, and gather data on entities that Hezbollah perceives as religious, social, or security threats.


Iran as the Central Player

The Israeli cyber domain has recently witnessed several advanced cyberattacks attributed to Iran’s MuddyWater threat group. In one notable wave of activity, the attackers compromised legitimate email accounts and used them to distribute phishing emails to large recipient lists, lending their messages high credibility. The campaign aimed to give the attackers initial access to users’ devices through a custom backdoor developed by the group, BlackBeard, enabling lateral movement inside institutional networks and further propagation.

The activity reflects MuddyWater’s usual operational patterns in the region while showing tactical adaptation: emails are written in the local language of the target country with nearly correct syntax, phishing content is customized to fit the targeted institution, and seemingly legitimate documents bearing signatures and institutional logos are attached.

MuddyWater is an Iranian threat group operating under Iran’s Ministry of Intelligence and Security (MOIS), also tracked as Static Kitten, Zagros, or Mango Sandstorm. Since 2017, the group has focused on cyber-espionage (computer network exploitation, CNE), relying primarily on social-engineering techniques to gain initial access to institutional networks and then maintaining a long-term presence to collect intelligence. Its activity spans Israel, Turkey, Afghanistan, Pakistan, the UAE, Iraq, the UK, Azerbaijan, the U.S., Egypt, and Nigeria, targeting government, telecommunications, healthcare, academia, IT services, and small and medium enterprises.

BlackBeard, a malware program written in Rust, functions as a backdoor and downloader. It is used mainly during initial access to provide a foothold within targeted networks, offering capabilities such as system reconnaissance, security bypassing, and loading additional malicious software to deepen the attacker’s persistence.

Separately, a massive leak exposed the identities, infrastructure, tools, and operations of the Iranian Revolutionary Guard’s elite cyber-espionage unit Charming Kitten, revealing its sustained efforts to infiltrate the Israeli military, defense industries, and critical infrastructure, according to analysis published by Haaretz.

The leak, posted by an anonymous GitHub account named Kitten Busters, contains comprehensive information on hackers, commanders, activity logs, and repositories of malware, spyware, and internal communications. Haaretz reported that the unit is a full military branch inside the IRGC, not an independent proxy group, officially named Cyber Intelligence Group 1500, with a clear chain of command, military ranks, ID cards, and regular reporting structures.

The documents show infiltration attempts against the Israel Airports Authority, Rafael, and the Israeli Ministry of Transport. The unit also uses global infrastructure and deception tactics, including fake Israeli identities, local phone numbers, and virtual servers inside Israel, increasing credibility in phishing and social-engineering attacks.

Charming Kitten is also linked to other Iranian personas such as Moses Staff and Handala, used for propaganda, psychological operations, and disinformation.

The unit’s operations extend beyond Israel to entities in the Middle East and Europe, including Dubai Police, the Jordanian government, the Turkish Ministry of Foreign Affairs, and Greek shipping companies. Analysts say Charming Kitten is not merely state-backed but an integral military component of Iran’s broader cyber strategy.

The leak revealed advanced tools such as the mobile-spyware system BellaCiao, operational manuals, and detailed methodology for targeting industrial, commercial, and governmental systems. One internal memo from February 2024 described scanning around 256 Israeli VPN users, identifying 29 as vulnerable targets, and achieving two successful breaches, which the documents present as evidence of Iran’s ability to exploit software vulnerabilities.

The documents also show that the unit manages highly organized influence operations, coordinating media strategies for psychological impact, including CCTV hacks, document leaks, and sensitive-data dumps. The unit has attempted recruitment efforts inside Israel and conducted campaigns using multiple identities to conceal its origin.

This leak provides an unprecedented window into Iran’s cyberwarfare structure, revealing how a state-directed unit operates globally, targeting military, industrial, and governmental networks with precision. According to Haaretz, it represents one of the largest disclosures of Iranian offensive cyber activity to date.


Toward a New Phase of Warfare

The combined information from multiple reports and investigations reveals a profound shift in the region’s cyberwarfare landscape. Hezbollah’s cyber activity is no longer a scattered set of initiatives or limited logistical support; it has become a fully integrated operational arm guided by a clear strategic vision, backed by technical expertise and direct Iranian support.

The BQT.Lock group is one manifestation of this transformation: its working model, tactics, and organizational affiliation point to a distinct digital extension of Hezbollah’s military and security apparatus.

Hezbollah’s ability to recruit civilian IT specialists and embed them within civilian environments that provide legitimate cover enables the organization to build a cyber force that is difficult to detect or counter through traditional means. The “Resistance Society” model systematically merges civilian activity with military operations, giving Hezbollah unprecedented flexibility, concealment, and capability to spread influence within its operating environments.

The danger of Hezbollah’s cyber capabilities goes far beyond sabotage or ransomware platforms. They now form part of a comprehensive intelligence–security system that encompasses sensitive-data collection, monitoring of political and social activity, infrastructure targeting, psychological operations, and influence campaigns. This activity complements the work of Hezbollah’s security units, including Unit 900, forming a complex hidden front that is no less dangerous than its military arsenal.

Understanding this evolution requires recognizing Iran’s direct support, through training, knowledge transfer, offensive-tool development, and operational integration with units such as Charming Kitten and MuddyWater. The alignment of methods and operations indicates that Hezbollah is not simply a beneficiary of Iranian capabilities but an integral component of Iran’s regional cyber project, acting as a digital proxy executing missions aligned with Tehran’s strategic interests.

This synergy expands the threat landscape to regional and international arenas, positioning Hezbollah as a major actor in a cyberwar that merges ideological motivations, military objectives, and economic gains. Through this integration, Hezbollah can launch wide-scale operations, disrupting sensitive sectors, gathering high-value intelligence, or conducting psychological influence campaigns, making its digital capabilities one of the most significant and growing threats in the Middle East.

As Iran continues expanding its cyber influence via proxies, and as offensive tools evolve rapidly, Hezbollah’s cyber capabilities appear poised for further growth. The next phase is expected to see a higher level of digital confrontation, where cyberspace becomes a central battlefield, no less critical than traditional military arenas.
