Sicarii
Sicarii is a ransomware-as-a-service (RaaS) operation that emerged in late 2025, with reporting placing its appearance in December 2025. It presents itself as an Israeli/Jewish-affiliated group, using Hebrew language, Israeli/Jewish symbolism, and references to historical Jewish groups, but multiple reports assess this identity as likely a false flag or performative. Check Point reported that Sicarii's underground activity and affiliate recruitment are conducted primarily in Russian, that its Hebrew content appears machine-translated or non-native, and that the operators appear to be Russian speakers. The operation has also been described as immature, centralized, and inconsistent in its public claims.

Technically, Sicarii is a functional ransomware threat with data theft, credential theft, reconnaissance, persistence, and destructive capabilities. Reported behavior includes anti-virtualization checks, internet connectivity checks, network reconnaissance via ARP and RDP scanning, credential and application-data theft, exfiltration of collected data, persistence via registry changes and service creation, and file encryption using AES-GCM with the .sicarii extension. Reporting also states that the malware can target Fortinet devices, including attempted exploitation of CVE-2025-64446 for lateral movement. Additional reported capabilities include collection of browser, messaging-app, wallet, and system data; LSASS dumping; and deployment of a startup batch script such as destruct.bat to corrupt boot components, wipe disks, and force shutdown.

A defining characteristic of Sicarii is a critical cryptographic flaw: the malware generates fresh key material during execution and discards the corresponding private key, making decryption impossible for victims and operators alike. Multiple sources describe this as rendering ransom payment ineffective and placing the malware closer to destructive pseudo-ransomware, or "destruction-ware", than to conventional ransomware. Halcyon assessed with moderate confidence that AI-assisted tooling may have contributed to the poor implementation.

Sicarii has been described as mainly targeting entities in the Middle East, Turkey, and Africa, with one reported US-based victim. It has also been reported to market itself as targeting Arab and Muslim countries while avoiding Israeli systems, and its malware includes geo-fencing checks intended to prevent execution on Israeli hosts. In March 2026, Halcyon reported that Sicarii administrator Uke said the operation could not keep up with affiliate demand and urged pro-Iranian operators to move to Baqiyat 313 Locker, also known as BQTlock. Sicarii and BQTlock were described as separate RaaS platforms used by pro-Palestinian and pro-Iranian regime-affiliated operators.
Recent activity
Ransomware operators whose encryption implementation deleted the private key after generation, making decryption impossible even after payment.
A newer ransomware-as-a-service operation notable for poorly implemented malware that discards the private key during execution, making decryption unreliable or impossible and turning attacks into effectively destructive incidents.
A ransomware operation whose administrator encouraged pro-Iranian operators to use BQTlock amid increased affiliate demand.
Pseudo-ransomware actor focused on destructive wiping rather than monetization.