Mallory

Sicarii

Sicarii is a ransomware-as-a-service (RaaS) operation first observed in December 2025. It is a functional ransomware threat with extortion, data theft, reconnaissance, persistence, and destructive capabilities, but multiple reports describe it as immature and operationally anomalous. Check Point assessed that Sicarii presents itself as an Israeli/Jewish operation, using Hebrew language, historical symbols, and ideological references, while much of its underground activity and affiliate recruitment is conducted in Russian; the Hebrew content reportedly reads as machine-translated or non-native, which points to false-flag or performative identity signaling. Sicarii has also been described in reporting as used by pro-Iranian or pro-Palestinian aligned operators in the broader Middle East ecosystem, and Halcyon reported that in March 2026 its administrator redirected operators toward Baqiyat 313 Locker (BQTlock) in response to affiliate demand.

Technically, Sicarii encrypts files with AES-GCM (reported as AES-256-GCM) and appends the .sicarii extension. The encryptor has been reported to generate a new RSA key pair on every execution and then discard the private key. That is a critical key-management defect: because the private key is thrown away rather than stored or sent to the operators, nothing can later unwrap the file keys, so decryption is permanently impossible for victims and operators alike and paying the ransom recovers nothing. This key-handling defect is one of the most consistently reported characteristics of the malware.
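To make the key-handling point concrete, the following is an added example, not Sicarii's code and not taken from any of the cited reports, of the hybrid scheme most lockers use: a fresh 256-bit key per file, AES-256-GCM for the file contents, and the per-file key wrapped to an RSA public key. The runLocker helper and its keepPrivateKey flag are hypothetical; with the flag set to false it models what the reports describe, a key pair generated at run time whose private half is discarded.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// EncryptedFile is what a hybrid locker leaves on disk for one file: the
// AES-256-GCM ciphertext plus the per-file key wrapped to the RSA public key.
type EncryptedFile struct {
	WrappedKey []byte
	Nonce      []byte
	Ciphertext []byte
}

// encryptFile draws a fresh 256-bit key, seals the plaintext with AES-GCM and
// wraps the key with RSA-OAEP so only the private-key holder can recover it.
func encryptFile(pub *rsa.PublicKey, plaintext []byte) (*EncryptedFile, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	return &EncryptedFile{
		WrappedKey: wrapped,
		Nonce:      nonce,
		Ciphertext: gcm.Seal(nil, nonce, plaintext, nil),
	}, nil
}

// decryptFile is the decryptor a victim would be sold: it needs the private
// key to unwrap the per-file key before AES-GCM can open the ciphertext.
func decryptFile(priv *rsa.PrivateKey, ef *EncryptedFile) ([]byte, error) {
	if priv == nil {
		return nil, errors.New("private key unavailable: per-file key cannot be unwrapped")
	}
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, ef.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, ef.Nonce, ef.Ciphertext, nil)
}

// runLocker (hypothetical) models the locker's key handling. A sound RaaS
// build would embed an operator public key or export the pair; with
// keepPrivateKey=false it models the reported Sicarii behaviour: the pair is
// generated at run time and the private half is dropped, so nothing outside
// this call can ever unwrap the file keys.
func runLocker(plaintext []byte, keepPrivateKey bool) (*EncryptedFile, *rsa.PrivateKey, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	ef, err := encryptFile(&priv.PublicKey, plaintext)
	if err != nil {
		return nil, nil, err
	}
	if !keepPrivateKey {
		priv = nil // discarded: never written to disk, never sent to an operator
	}
	return ef, priv, nil
}

func main() {
	doc := []byte("constructed sample document")
	for _, keep := range []bool{true, false} {
		ef, priv, err := runLocker(doc, keep)
		if err != nil {
			panic(err)
		}
		pt, err := decryptFile(priv, ef)
		fmt.Printf("keepPrivateKey=%v recovered=%v err=%v\n", keep, bytes.Equal(pt, doc), err)
	}
}
```

With the key retained, the holder of the private key can decrypt and a decryptor has something to sell; with it discarded, the wrapped data key cannot be unwrapped by anyone, and a private key from a different run is no help either because each run wraps to its own public key. That is why the stolen-data extortion, not decryption, is the only leverage such a build has.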

Reported behavior includes anti-virtualization / sandbox checks, single-instance execution via a mutex, copying itself to a temp directory under an svchost-like randomized filename, and repeated connectivity checks to google.com/generate_204. Sicarii performs host and network reconnaissance, including ARP-based discovery and scanning for exposed RDP services. It steals system credentials, browser data, registry hives, and application data from services such as Discord, Slack, Telegram, WhatsApp, Office, Roblox, and Atomic Wallet; some reporting also mentions cryptocurrency wallet theft more generally. Stolen data is packaged into collected_data.zip and exfiltrated via file.io. Reported persistence mechanisms include registry Run keys, service creation, and creation of local user accounts with hardcoded credentials such as SysAdmin / Password123!. Some reporting also states that it attempts to create a new AWS user without first checking whether any AWS tooling is present on the host.

For lateral movement or follow-on compromise, Sicarii has been associated with exploitation of Fortinet devices, including references to CVE-2025-64446. It also includes geo-fencing intended to avoid execution on Israeli systems, checking the time zone, keyboard layout, and Israeli IP indicators. A destructive component has been reported as well: startup batch scripts such as destruct.bat that corrupt bootloader files, invoke disk-wiping related commands, and force an immediate shutdown.

Targeting reporting is mixed but consistently places Sicarii in the Middle East, Turkey, and Africa, with at least one reported US-based victim. Check Point reporting also cited operator claims of targeting small businesses. High-confidence indicators reported directly include the .sicarii file extension, collected_data.zip, exfiltration via file.io, temp-file naming in the form svchost_{random}.exe, the WinDefender service name, the SysAdmin account with password Password123!, and connectivity checks to google.com/generate_204.
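The behaviors and indicators listed above are specific enough to hunt with directly. The following is an added example, not from the page's sources, of a small matcher run over constructed endpoint and network telemetry; the Event schema, rule names, and sample records are assumptions for illustration. Two caveats are built in: browsers are excluded from the generate_204 rule because Chrome and Android use that URL for captive-portal checks, so the request alone is not an indicator, and the service rule matches the exact name WinDefender so that the legitimate WinDefend service does not fire it.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Event is a minimal normalised telemetry record. The schema is constructed
// for this example; map your EDR or SIEM fields onto it before use.
type Event struct {
	Type   string // process | network | user_add | service_install | file_write
	Image  string // image path of the acting process
	Target string // URL for network, account name, service name, or file path
}

// Finding names the rule that fired and the event that triggered it.
type Finding struct {
	Rule  string
	Event Event
}

// The locker copies itself to the temp directory as svchost_<random>.exe.
var tempSvchost = regexp.MustCompile(`(?i)[\\/]temp[\\/]svchost_[0-9a-z]+\.exe$`)

// Browsers legitimately request generate_204; exclude them to keep the rule quiet.
var browserImages = []string{"chrome.exe", "msedge.exe", "firefox.exe"}

func isBrowser(image string) bool {
	lower := strings.ToLower(image)
	for _, b := range browserImages {
		if strings.HasSuffix(lower, b) {
			return true
		}
	}
	return false
}

// matchEvent returns every rule name that fires on one event.
func matchEvent(e Event) []string {
	var hits []string
	target := strings.ToLower(e.Target)
	switch e.Type {
	case "process":
		if tempSvchost.MatchString(e.Image) {
			hits = append(hits, "temp_svchost_copy")
		}
	case "network":
		if strings.Contains(target, "google.com/generate_204") && !isBrowser(e.Image) {
			hits = append(hits, "generate_204_nonbrowser")
		}
		if strings.Contains(target, "file.io") {
			hits = append(hits, "file_io_upload")
		}
	case "user_add":
		if target == "sysadmin" {
			hits = append(hits, "sysadmin_account_created")
		}
	case "service_install":
		if target == "windefender" { // exact name; the real Defender service is WinDefend
			hits = append(hits, "windefender_service")
		}
	case "file_write":
		if strings.HasSuffix(target, "collected_data.zip") {
			hits = append(hits, "collected_data_zip")
		}
		if strings.HasSuffix(target, ".sicarii") {
			hits = append(hits, "sicarii_extension")
		}
	}
	return hits
}

// hunt runs every event through the rules and collects the findings.
func hunt(events []Event) []Finding {
	var out []Finding
	for _, e := range events {
		for _, r := range matchEvent(e) {
			out = append(out, Finding{Rule: r, Event: e})
		}
	}
	return out
}

// sampleEvents is constructed telemetry: four benign records followed by
// seven that match the indicators reported for this family.
func sampleEvents() []Event {
	bad := `C:\Users\alice\AppData\Local\Temp\svchost_a8f3k2.exe`
	return []Event{
		{Type: "process", Image: `C:\Windows\System32\svchost.exe`},
		{Type: "network", Image: `C:\Program Files\Google\Chrome\Application\chrome.exe`, Target: "http://www.google.com/generate_204"},
		{Type: "file_write", Image: `C:\Windows\explorer.exe`, Target: `C:\Users\alice\Documents\report.docx`},
		{Type: "service_install", Image: `C:\Windows\System32\services.exe`, Target: "WinDefend"},
		{Type: "process", Image: bad},
		{Type: "network", Image: bad, Target: "http://www.google.com/generate_204"},
		{Type: "user_add", Image: bad, Target: "SysAdmin"},
		{Type: "service_install", Image: bad, Target: "WinDefender"},
		{Type: "file_write", Image: bad, Target: `C:\Users\alice\AppData\Local\Temp\collected_data.zip`},
		{Type: "network", Image: bad, Target: "https://file.io/"},
		{Type: "file_write", Image: bad, Target: `C:\Users\alice\Documents\report.docx.sicarii`},
	}
}

func main() {
	for _, f := range hunt(sampleEvents()) {
		fmt.Printf("%-26s %-16s %s\n", f.Rule, f.Event.Type, f.Event.Target)
	}
}
```

Any single rule here is weak on its own (a temp-directory svchost_ copy or a file.io upload both have benign explanations); the value is in correlating several of them from the same image path within a short window, which is the join your SIEM query should make on top of this per-event logic.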


MITRE ATT&CK

Techniques & procedures

8 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

3 techniques
T1133 External Remote Services (evidence: 1)

May spread by compromising hosts through an insecure RDP configuration

T1189 Drive-by Compromise (evidence: 1)

malvertising, web injects

T1566 Phishing (evidence: 1)

via email spam and malicious attachments

Execution

2 techniques
T1203 Exploitation for Client Execution (evidence: 1)

exploits

T1204.002 Malicious File (evidence: 1)

deceptive downloads, botnets, exploits, malvertising, web injects, fake updates, repackaged and infected installers

Persistence

1 technique
T1133 External Remote Services (evidence: 1)

May spread by compromising hosts through an insecure RDP configuration

Command and Control

1 technique
T1071 Application Layer Protocol (evidence: 1)

Network connections and communications: Tor URL: sicariifoucvhyqg54smi3esg5sfcyw5z65t6yigqu4loyuoz62bb2id.onion ...

Impact

2 techniques
T1485 Data Destruction (evidence: 1)

Deploying ransomware before wiping an organization’s data and/or using destructionware, or destructive malware, that render system recovery impossible

T1486 Data Encrypted for Impact (evidence: 4)

Nova, the affiliate program for ransomware crew RAlord, on Tuesday issued an apology to Eriell Group... The malware slingers claimed they didn’t encrypt any files... Pro-Russian hacktivist crew CyberVolk got sloppy when they debuted a ransomware service late last year. They hardcoded the master keys... thus allowing victims to recover encrypted data without paying any extortion fees. ... Sicarii encryptor generates a new cryptographic key pair during every execution... Similarly, a programming mistake in Nitrogen ransomware prevents the gang's decryptor from recovering victims' files
