A new ransomware-as-a-service (RaaS) operation named Sicarii, purportedly with Israeli or Jewish affiliations, has surfaced on underground forums. This newcomer distinguishes itself with explicit use of Hebrew and Israeli symbols, including the Haganah emblem, in its branding, alongside a stated focus on targeting organizations in Arab and Muslim countries while actively avoiding Israeli systems. This ideological framing and geopolitical focus set Sicarii apart from typical financially motivated cybercriminal groups.
The operation, identified in December 2025, employs a unique geo-fencing mechanism to prevent its malware from executing on systems it identifies as Israeli. This is achieved by analyzing time zones, keyboard layouts, and network adapter IP addresses. Analysts at Check Point Research have shed light on Sicarii’s sophisticated technical infrastructure and operational methods, revealing a multi-stage attack process designed for stealth and effectiveness.
Sicarii RaaS Operation: Technical Sophistication and Lateral Movement
The Sicarii ransomware initiates its execution with an anti-virtualization phase, designed to detect and evade sandbox analysis environments. Upon successful bypass, it presents a deceptive error message to the user, masking its malicious activity. The malware then proceeds to copy itself to the temporary directory, renaming its executable to ‘svchost_{random}.exe’ to blend in with legitimate system processes.
Before proceeding with encryption, Sicarii performs thorough network reconnaissance. It meticulously maps the victim’s environment by performing ARP requests to discover local network configurations and actively scans for exposed RDP services across all identified systems. This phase is crucial for identifying potential lateral movement pathways.
A particularly concerning aspect of Sicarii’s operation is its active attempt to exploit vulnerabilities in Fortinet devices. Specifically, it targets CVE-2025-64446, a vulnerability that can provide cybercriminals with significant access for lateral movement within a compromised network. This targeted exploitation highlights a strategic approach, aiming to gain deep access and control over victim networks. The dual objective of network penetration and data collection makes this phase exceptionally dangerous for organizations with mixed security infrastructures.
During its reconnaissance and initial compromise phases, the malware diligently collects a wide array of sensitive data. This includes system credentials, browser information, and data from various communication and financial platforms such as Discord, Slack, Telegram, and cryptocurrency wallets. All harvested information is meticulously packaged into a ZIP archive named ‘collected_data.zip’ before being exfiltrated, often using services like file.io to mask the final destination.
To ensure persistence, Sicarii employs multiple methods, including modifications to system registries, the creation of new services, and the addition of new user accounts with hardcoded credentials. This multi-pronged persistence strategy makes it challenging to fully remove the threat from an infected system.
The encryption stage of the Sicarii operation utilizes AES-GCM with 256-bit keys, a robust encryption standard. Encrypted files are identifiable by the appended ‘.sicarii’ extension. As a final blow, the operation also includes a destructive component: a batch script that runs at startup, designed to corrupt bootloader files and force an immediate system shutdown, potentially rendering the system unrecoverable without significant forensic intervention.
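As an added defensive example (not code from Check Point Research or from the article), the following Python script turns the host-level indicators described above into simple detection logic: the svchost_{random}.exe copy in the temp directory, the ‘.sicarii’ extension, the ‘collected_data.zip’ staging archive, and the creation of new local accounts for persistence. The Sysmon-style event layout and all file paths and user names are constructed assumptions.

```python
import re
from pathlib import PureWindowsPath

# Constructed, Sysmon-like sample events (hypothetical telemetry, not from a real host).
SAMPLE_EVENTS = [
    {"type": "process_create", "image": r"C:\Windows\System32\svchost.exe"},
    {"type": "process_create", "image": r"C:\Users\alice\AppData\Local\Temp\svchost_8f3a1c.exe"},
    {"type": "file_create", "path": r"C:\Users\alice\Documents\Q4-report.xlsx.sicarii"},
    {"type": "file_create", "path": r"C:\Users\alice\AppData\Local\Temp\collected_data.zip"},
    {"type": "file_create", "path": r"C:\Users\alice\Documents\notes.txt"},
    {"type": "user_create", "user": "svc_backup"},
]

# svchost_{random}.exe: the real service host has no suffix and lives in System32.
SVCHOST_LOOKALIKE = re.compile(r"^svchost_[^\\/]+\.exe$", re.IGNORECASE)
TEMP_MARKERS = ("\\temp\\", "\\tmp\\")
SYSTEM32 = "c:\\windows\\system32\\"


def detect(event):
    """Return finding strings for one event; an empty list means nothing matched."""
    findings = []
    if event["type"] == "process_create":
        image = event["image"]
        name = PureWindowsPath(image).name
        in_temp = any(m in image.lower() for m in TEMP_MARKERS)
        if SVCHOST_LOOKALIKE.match(name) and in_temp:
            findings.append(f"svchost lookalike in temp dir: {image}")
        elif name.lower() == "svchost.exe" and not image.lower().startswith(SYSTEM32):
            findings.append(f"svchost.exe outside System32: {image}")
    elif event["type"] == "file_create":
        path = event["path"]
        name = PureWindowsPath(path).name.lower()
        if name.endswith(".sicarii"):
            findings.append(f"ransomware extension written: {path}")
        if name == "collected_data.zip":
            findings.append(f"staging archive for exfiltration: {path}")
    elif event["type"] == "user_create":
        # Any new local account created during an incident window deserves review (persistence).
        findings.append(f"new local account created: {event['user']}")
    return findings


def scan(events):
    """Run every event through detect() and return all findings in order."""
    return [f for e in events for f in detect(e)]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Name-based matches like these are brittle on their own; in production they belong alongside behavioural signals such as mass file renames and service or account creation from an unusual parent process.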
Given the capabilities and targeting strategy of the Sicarii RaaS operation, organizations are strongly advised to prioritize patching their Fortinet devices to mitigate the risk associated with CVE-2025-64446. Furthermore, implementing robust network segmentation can help contain the lateral spread of the ransomware should an initial compromise occur. The ongoing evolution of RaaS operations like Sicarii underscores the persistent and adaptive nature of cyber threats in the current landscape.