In December 2025, a previously unknown ransomware-as-a-service operation named Sicarii emerged across underground platforms, introducing itself as an Israeli or Jewish affiliated group.
The operation stands apart from typical financially motivated ransomware due to its explicit use of Hebrew language, Israeli symbols, and references to historical Jewish groups in its branding.
Unlike established ransomware operations that maintain operational secrecy, Sicarii openly incorporates the Haganah symbol alongside Hebrew text in its visual identity, creating an unusual presence in the cybercriminal landscape.
The group claims to focus on targeting organizations in Arab and Muslim countries while explicitly avoiding Israeli systems.
The malware employs a geo-fencing mechanism that prevents execution on systems identified as Israeli, checking time zones, keyboard layouts, and network adapter IP addresses to identify local targets.
.webp "New Sicarii RaaS Operation Attacks Exposed RDP Services and Attempts to Exploit Fortinet Devices 2")
This selective targeting approach, combined with ideological messaging, distinguishes Sicarii from conventional ransomware groups operating from Eastern Europe or Russia.
Check Point analysts identified a sophisticated technical infrastructure underlying the Sicarii operation.
The ransomware begins execution through an anti-virtualization phase that detects sandbox environments and displays a deceptive error message to avoid analysis.
.webp "New Sicarii RaaS Operation Attacks Exposed RDP Services and Attempts to Exploit Fortinet Devices 4")
It then copies itself to the temporary directory as svchost_{random}.exe and tests internet connectivity by contacting google.com/generate_204 multiple times to ensure operational readiness.
Lateral Movement Through Network Reconnaissance
After establishing execution context, the malware performs aggressive network reconnaissance to map the victim’s environment.
The malware enumerates local network configurations through ARP requests and scans for exposed RDP services across discovered systems.
More significantly, it actively attempts to exploit Fortinet devices using CVE-2025-64446, a vulnerability that provides lateral movement pathways within compromised networks.
This reconnaissance phase supports both network penetration and data collection objectives, making it particularly dangerous for organizations with mixed security infrastructure.
The malware collects extensive data including system credentials, browser information, and application data from platforms like Discord, Slack, Telegram, and cryptocurrency wallets.
.webp "New Sicarii RaaS Operation Attacks Exposed RDP Services and Attempts to Exploit Fortinet Devices 5")
All harvested data gets packaged into a ZIP archive named collected_data.zip and exfiltrated through file.io. Following data exfiltration, the ransomware establishes persistence through multiple mechanisms including registry modifications, service creation, and new user accounts with hardcoded credentials.
The encryption phase uses AES-GCM with 256-bit keys, appending the .sicarii extension to encrypted files.
The operation concludes with a destructive component that deploys a batch script at startup, corrupting bootloader files and forcing immediate system shutdown.
Organizations should prioritize patching Fortinet devices and implementing network segmentation to contain this emerging threat.
Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.
