Home > Security > Security News

Sicarii Ransomware: A Deceptive New Ransomware-as-a-Service Threat Using Hebrew Iconography

Published
Written by:
Lore Apostol
Lore Apostol
Cybersecurity Writer
Confused Hackers - Reading - Dictionary
Summarize with:
ChatGPT logo ChatGPT Claude.ai logo Claude.ai Google AI logo Google AI Grok logo Grok Perplexity logo Perplexity
Google logo Add as preferred source on Google
Key Takeaways
  • Deceptive Branding: Sicarii is a new RaaS that surfaced in late 2025 with explicit Israeli and Jewish branding, despite evidence suggesting non-native Hebrew speakers.
  • Geographic Evasion: The malware includes a unique geo-fencing mechanism that actively checks for Israeli system configurations to prevent execution on local devices
  • Technical Capabilities: It features AES-GCM encryption, advanced reconnaissance tools, CVE-2025-64446 exploitation capabilities, and data exfiltration mechanisms.

The newly identified Ransomware-as-a-Service (RaaS) group Sicarii has emerged, presenting a unique anomaly in the cybercrime landscape. It overtly aligns itself with Israeli and Jewish symbolism, but cybersecurity analysts caution that this branding may be a performative tactic rather than a genuine ideological stance. 

Check Point Research (CPR) Intelligence indicates that while the group uses Hebrew iconography, their underground communications are conducted primarily in fluent Russian, with Hebrew content appearing to be machine-translated.

Technical Sophistication and Data Exfiltration

The Sicarii ransomware demonstrates significant technical competence typical of modern cybersecurity threats. Upon infection, the malware performs environment checks to detect sandboxes and virtual machines (VMs), and: 

CVE-2025-64446 exploitation code | Source: CPR
CVE-2025-64446 exploitation code | Source: CPR

It then initiates a comprehensive data theft process, harvesting credentials from platforms such as Discord, Slack, Roblox, Telegram, Office, WhatsApp, Atomic Wallet, as well as system files. The ransomware also registers a destruct.bat script to execute at system startup that corrupts critical bootloader files, leveraging built-in Windows utilities to perform disk-wiping operations.

The report mentions that an operator posing as Sicarii’s communications lead made some self-reported operational claims in private communications, alleging that Sicarii:

A Sicarii operator Telegram account’s profile image features an image associated with the banned Israeli extremist organization called Kach.

Implications for Cyber Defense

The emergence of Sicarii highlights the evolving complexity of attribution in cyber warfare. Furthermore, the inclusion of a destructive component indicates a potential shift from pure extortion to systemic disruption. 

Reports this week announced the emergence of a new threat, as the novel Devixor malware combines a banking RAT and ransomware, targeting Iranian banks and crypto platforms.

Add a Comment
Related
Access Controls - Text Boxes - Check Boxes - Credentials - Questions Mark
Bluspark Unauthenticated API Vulnerability Exposed Sensitive Data, Including Plaintext Passwords
Hacker - Phishing - Skull - Data
RedVDS Cybercrime-as-a-Service Disrupted by Germany, Europol, and Microsoft in Coordinated Takedown, Phishing Infrastructure Disabled
Target
Target Source Code Leak Confirmed by Employees, Git Server Locked Down
Bank Building - Data Stream - Man
New Devixor Malware Combines Banking RAT and Ransomware Targeting Iranian Banks, Crypto Platforms, Payment Services
Malware Target
VoidLink Cloud-Native Malware Framework Targets Linux Systems via Custom Plugin API
JPMorgan
JPMorgan Discloses Supply Chain Breach at Law Firm That Impacts Over 650 Investors
Most Popular
Access Controls - Text Boxes - Check Boxes - Credentials - Questions Mark
Bluspark Unauthenticated API Vulnerability Exposed Sensitive Data, Including Plaintext Passwords
Hacker - Phishing - Skull - Data
RedVDS Cybercrime-as-a-Service Disrupted by Germany, Europol, and Microsoft in Coordinated Takedown, Phishing Infrastructure Disabled
Target
Target Source Code Leak Confirmed by Employees, Git Server Locked Down
Bank Building - Data Stream - Man
New Devixor Malware Combines Banking RAT and Ransomware Targeting Iranian Banks, Crypto Platforms, Payment Services
Malware Target
VoidLink Cloud-Native Malware Framework Targets Linux Systems via Custom Plugin API
JPMorgan
JPMorgan Discloses Supply Chain Breach at Law Firm That Impacts Over 650 Investors
Bluspark Unauthenticated API Vulnerability Exposed Sensitive Data, Including Plaintext Passwords
RedVDS Cybercrime-as-a-Service Disrupted by Germany, Europol, and Microsoft in Coordinated Takedown, Phishing Infrastructure Disabled
Target Source Code Leak Confirmed by Employees, Git Server Locked Down
New Devixor Malware Combines Banking RAT and Ransomware Targeting Iranian Banks, Crypto Platforms, Payment Services
VoidLink Cloud-Native Malware Framework Targets Linux Systems via Custom Plugin API
JPMorgan Discloses Supply Chain Breach at Law Firm That Impacts Over 650 Investors

Most Popular
Access Controls - Text Boxes - Check Boxes - Credentials - Questions Mark
Bluspark Unauthenticated API Vulnerability Exposed Sensitive Data, Including Plaintext Passwords
Hacker - Phishing - Skull - Data
RedVDS Cybercrime-as-a-Service Disrupted by Germany, Europol, and Microsoft in Coordinated Takedown, Phishing Infrastructure Disabled
Target
Target Source Code Leak Confirmed by Employees, Git Server Locked Down
Bank Building - Data Stream - Man
New Devixor Malware Combines Banking RAT and Ransomware Targeting Iranian Banks, Crypto Platforms, Payment Services
Malware Target
VoidLink Cloud-Native Malware Framework Targets Linux Systems via Custom Plugin API
JPMorgan
JPMorgan Discloses Supply Chain Breach at Law Firm That Impacts Over 650 Investors
Bluspark Unauthenticated API Vulnerability Exposed Sensitive Data, Including Plaintext Passwords
RedVDS Cybercrime-as-a-Service Disrupted by Germany, Europol, and Microsoft in Coordinated Takedown, Phishing Infrastructure Disabled
Target Source Code Leak Confirmed by Employees, Git Server Locked Down
New Devixor Malware Combines Banking RAT and Ransomware Targeting Iranian Banks, Crypto Platforms, Payment Services
VoidLink Cloud-Native Malware Framework Targets Linux Systems via Custom Plugin API
JPMorgan Discloses Supply Chain Breach at Law Firm That Impacts Over 650 Investors

TechNadu keeps you informed with the latest in cybersecurity, VPNs, and technology. From expert guides to in-depth reviews, we provide the knowledge you need to stay secure and connected in the digital world.

© 2026 TechNadu. All Rights Reserved. TechNadu is a part of Leaprove Media LLP.

Close lightbox
Facebook
Twitter
Linkedin
Reddit
Email
Copy Link
For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: