Fortinet: New Sicarii RaaS Operation Attacks Exposed RDP Services and Attempts to Exploit Fortinet Devices

Sicarii Ransomware: A Geopolitically Motivated Threat Emerges with Israeli Affiliations

In December 2025, a new ransomware-as-a-service (RaaS) operation named Sicarii surfaced on underground platforms, distinguishing itself through its overt Israeli or Jewish affiliations. Unlike typical financially driven ransomware groups, Sicarii incorporates Hebrew text, the Haganah symbol, and references to historical Jewish militant groups in its branding, an unusual departure from the operational secrecy of most cybercriminal enterprises.

The group explicitly targets organizations in Arab and Muslim countries, employing a geo-fencing mechanism to avoid Israeli systems. The malware checks time zones, keyboard layouts, and IP addresses to confirm local targets before execution, reinforcing its ideological focus.

Technical Sophistication & Attack Chain

Sicarii’s infrastructure is highly advanced, beginning with an anti-virtualization phase that detects sandbox environments and displays fake error messages to evade analysis. Once active, the malware:

  • Copies itself to the temporary directory as svchost_{random}.exe.
  • Tests internet connectivity via google.com/generate_204 to ensure operational readiness.
  • Performs aggressive network reconnaissance, including ARP requests and RDP service scans.
  • Exploits Fortinet devices using CVE-2025-64446, a vulnerability enabling lateral movement within compromised networks.

Data Exfiltration & Destructive Payload

The ransomware harvests system credentials, browser data, and application information from platforms like Discord, Slack, Telegram, and cryptocurrency wallets, packaging it into collected_data.zip and exfiltrating via file.io. After data theft, it establishes persistence through:

  • Registry modifications
  • Service creation
  • New user accounts with hardcoded credentials

The encryption phase uses AES-GCM (256-bit keys), appending the .sicarii extension to locked files. A final destructive component corrupts bootloader files, forcing an immediate system shutdown and escalating the attack beyond typical ransomware tactics.
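As an added illustration (not code from the article, Fortinet or Rankiteo), the following Python detector turns the host-level behaviours listed in the attack chain and payload sections above (the svchost_{random}.exe copy in the Temp directory, the RDP service sweep, the collected_data.zip staging archive and the .sicarii file extension) into findings over endpoint telemetry. The pipe-separated event format, host names, IP addresses and file paths are constructed assumptions, not indicators from the report.

```python
import re

# Constructed sample telemetry (not from the page); one event per line in the
# form "<kind>|<host>|<subject>|<action>".
SAMPLE_EVENTS = """\
process|WS-07|C:\\Users\\a\\AppData\\Local\\Temp\\svchost_x7q9.exe|created
process|WS-07|C:\\Windows\\System32\\svchost.exe|created
netconn|WS-07|10.0.1.21:3389|syn
netconn|WS-07|10.0.1.22:3389|syn
netconn|WS-07|10.0.1.23:3389|syn
netconn|WS-07|10.0.1.24:3389|syn
netconn|WS-07|10.0.1.25:3389|syn
file|WS-07|C:\\Users\\a\\Documents\\q4.xlsx.sicarii|renamed
file|WS-07|C:\\Users\\a\\AppData\\Local\\Temp\\collected_data.zip|created
file|WS-12|C:\\Users\\b\\notes.txt|modified
"""

# The real svchost.exe lives under System32/SysWOW64; a svchost_<suffix>.exe
# dropped into a Temp folder matches the copy step described in the article.
TEMP_SVCHOST = re.compile(r"\\Temp\\svchost_[^\\]+\.exe$", re.IGNORECASE)
RDP_SWEEP_THRESHOLD = 5  # distinct hosts probed on 3389 by one source


def detect(lines: list[str]) -> list[tuple[str, str]]:
    """Return (host, finding) pairs for events matching the indicators above."""
    findings: list[tuple[str, str]] = []
    rdp_targets: dict[str, set[str]] = {}
    for line in lines:
        parts = line.strip().split("|")
        if len(parts) != 4:
            continue  # malformed line: skip rather than crash the pipeline
        kind, host, subj, _action = parts
        if kind == "process" and TEMP_SVCHOST.search(subj):
            findings.append((host, f"svchost lookalike in Temp: {subj}"))
        elif kind == "netconn" and subj.endswith(":3389"):
            rdp_targets.setdefault(host, set()).add(subj.rsplit(":", 1)[0])
        elif kind == "file" and subj.lower().endswith(".sicarii"):
            findings.append((host, f"ransomware extension written: {subj}"))
        elif kind == "file" and subj.lower().endswith("\\collected_data.zip"):
            findings.append((host, f"exfiltration staging archive: {subj}"))
    # Aggregate 3389 probes per source so a sweep surfaces even though each
    # single connection attempt looks benign on its own.
    for host, targets in rdp_targets.items():
        if len(targets) >= RDP_SWEEP_THRESHOLD:
            findings.append((host, f"RDP sweep of {len(targets)} hosts"))
    return findings


def sample_findings() -> list[tuple[str, str]]:
    return detect(SAMPLE_EVENTS.splitlines())
```

Feed real EDR or Sysmon events through the same shape of loop and the per-source RDP aggregation is the part worth keeping: the individual indicators above are trivially renamed by the operator, the scanning behaviour is not.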

Sicarii’s blend of ideological targeting, technical sophistication, and destructive capabilities marks a concerning evolution in ransomware operations, particularly for organizations in its crosshairs.

Source: https://cybersecuritynews.com/new-sicarii-raas-operation-attacks-exposed-rdp-services/

Fortinet cybersecurity rating report: https://www.rankiteo.com/company/fortinet

{
  "id": "FOR1769045821",
  "linkid": "fortinet",
  "type": "Vulnerability",
  "date": "12/2025",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}
{
  "affected_entities": [
    {"location": ["Arab countries", "Muslim countries"], "type": "Organizations"}
  ],
  "attack_vector": "Exploitation of Fortinet devices (CVE-2025-64446), network reconnaissance, credential harvesting",
  "data_breach": {
    "data_encryption": true,
    "data_exfiltration": true,
    "personally_identifiable_information": true,
    "sensitivity_of_data": "High (personally identifiable information, financial data)",
    "type_of_data_compromised": [
      "System credentials",
      "Browser data",
      "Application information (Discord, Slack, Telegram, cryptocurrency wallets)"
    ]
  },
  "date_detected": "2025-12-01",
  "description": "In December 2025, a new ransomware-as-a-service (RaaS) operation named Sicarii surfaced on underground platforms, distinguishing itself through its overt Israeli or Jewish affiliations. The group explicitly targets organizations in Arab and Muslim countries, employing a geo-fencing mechanism to avoid Israeli systems. The malware checks time zones, keyboard layouts, and IP addresses to confirm local targets before execution. Sicarii’s infrastructure is highly advanced, beginning with an anti-virtualization phase and performing aggressive network reconnaissance, data exfiltration, and destructive payload execution.",
  "impact": {
    "data_compromised": "System credentials, browser data, application information (Discord, Slack, Telegram, cryptocurrency wallets)",
    "identity_theft_risk": "High (personally identifiable information and credentials harvested)",
    "operational_impact": "System shutdown due to bootloader corruption, data encryption, and lateral movement",
    "payment_information_risk": "High (cryptocurrency wallet data compromised)",
    "systems_affected": "Systems in Arab and Muslim countries (geo-fenced to exclude Israel)"
  },
  "initial_access_broker": {
    "backdoors_established": true,
    "entry_point": "Exploitation of Fortinet devices (CVE-2025-64446)"
  },
  "motivation": "Geopolitical (targeting Arab and Muslim countries with Israeli/Jewish affiliations)",
  "post_incident_analysis": {
    "root_causes": "Exploitation of unpatched Fortinet vulnerability (CVE-2025-64446), lack of geo-fencing detection, insufficient network segmentation"
  },
  "ransomware": {
    "data_encryption": true,
    "data_exfiltration": true,
    "ransomware_strain": "Sicarii"
  },
  "references": [{"source": "Cyber Incident Description"}],
  "threat_actor": "Sicarii Ransomware Group",
  "title": "Sicarii Ransomware: A Geopolitically Motivated Threat Emerges with Israeli Affiliations",
  "type": "Ransomware",
  "vulnerability_exploited": "CVE-2025-64446"
}