Security researchers at Check Point have released an analysis of Sicarii, a Ransomware-as-a-Service (RaaS) group that emerged in late 2025. While the group aggressively brands itself as a patriotic Israeli and Jewish organization, the evidence suggests this persona is a deliberate “false flag” designed to obscure the true identity of its operators, who appear to be Russian speakers.
The group, named after the 1st-century Jewish assassins, presents a confusing profile that deviates sharply from the norms of financially motivated cybercrime.
On the surface, Sicarii seems deeply ideological. The group’s branding is saturated with “Hebrew language, historical symbols, and extremist right-wing ideological references”. They even built a “geo-fencing check” into their malware so that it will not execute on systems located in Israel, a move intended to signal loyalty to the state.

However, the analysis reveals that this identity is likely skin-deep. “Hebrew content used by the group appears to be machine-translated or non-native and contains grammatical and semantic errors,” the report notes, undermining their claims of authenticity.
Beneath the Hebrew branding lies a very different reality. The researchers found that the group’s “underground online activity… is primarily conducted in Russian,” including their recruitment posts for affiliates.
Furthermore, the group’s behavior on Telegram and underground forums betrays their facade. “Sicarii repeatedly asserts national and ideological identity in ways that provide no clear operational benefit,” the report states. “Instead, the operation appears to leverage performative identity signaling layered onto an immature ransomware capability”.
The operators have even compared themselves to Russian ransomware heavyweights like Qilin and Cl0p, attempting to justify their avoidance of domestic targets. Yet, unlike those professional cartels, Sicarii’s operation is described as “centralized and informal, with early-stage tooling,” suggesting a lack of maturity.
Despite the theatrical deception, the threat is real. Sicarii is a functional ransomware capability. It includes standard malicious features such as “data exfiltration, collecting system credentials and network information,” and the ability to exploit vulnerabilities in Fortinet devices. Files are encrypted using AES-GCM and appended with the .sicarii extension.
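One concrete triage step the description above suggests: AES-GCM ciphertext is indistinguishable from random bytes, so a file carrying the .sicarii extension whose contents are near 8 bits of entropy per byte has actually been encrypted, while a renamed file with ordinary text-like entropy has not (and may still be recoverable). The script below is an added example written for this page, not Check Point’s or Sicarii’s code; the 7.5 bits/byte threshold, the 64 KiB sampling window, and the sample files it builds in a temporary directory are all constructed assumptions.

```python
"""Triage helper: find files with the reported .sicarii extension and decide
whether their contents look encrypted (high Shannon entropy), which is what an
AES-GCM ciphertext looks like. Sample files are constructed in a temp directory
so the script runs offline. Added example, not Sicarii or Check Point tooling."""
import math
import os
import tempfile
from collections import Counter

RANSOM_EXT = ".sicarii"      # extension reported in the Check Point analysis
ENTROPY_THRESHOLD = 7.5      # assumed cut-off in bits/byte; ciphertext nears 8.0, text sits near 4-5
SAMPLE_BYTES = 64 * 1024     # assumed: the first 64 KiB is enough for an entropy estimate


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant stream, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes, threshold: float = ENTROPY_THRESHOLD) -> bool:
    """True when the byte distribution is as flat as ciphertext or compressed data."""
    return shannon_entropy(data) >= threshold


def scan_dir(root: str) -> list:
    """Walk root and return one record per file that carries the ransomware extension."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(RANSOM_EXT):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(SAMPLE_BYTES)
            findings.append({
                "path": path,
                "original_name": name[: -len(RANSOM_EXT)],   # name before the extension was appended
                "entropy": round(shannon_entropy(head), 2),
                "encrypted": looks_encrypted(head),
            })
    return findings


def demo() -> dict:
    """Build constructed sample files, scan them, and summarise what was found."""
    with tempfile.TemporaryDirectory() as root:
        docs = os.path.join(root, "docs")
        os.makedirs(docs)
        # constructed: random bytes stand in for an AES-GCM ciphertext
        with open(os.path.join(docs, "budget.xlsx.sicarii"), "wb") as fh:
            fh.write(os.urandom(4096))
        # constructed: renamed but never encrypted, so its contents are still plaintext
        with open(os.path.join(docs, "notes.txt.sicarii"), "wb") as fh:
            fh.write(b"quarterly notes\n" * 200)
        # constructed: untouched file, must not be reported
        with open(os.path.join(docs, "readme.txt"), "wb") as fh:
            fh.write(b"hello\n")
        findings = scan_dir(root)
        return {
            "flagged": len(findings),
            "encrypted": sorted(f["original_name"] for f in findings if f["encrypted"]),
            "plaintext": sorted(f["original_name"] for f in findings if not f["encrypted"]),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Point `scan_dir` at a mounted image or a share during response and the `plaintext` bucket is the list worth restoring first; note that compressed archives (zip, docx, jpeg) are also near 8 bits/byte, so the entropy test identifies files that are not recoverable by inspection rather than proving encryption by itself.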
The Check Point analysis concludes that Sicarii’s self-proclaimed identity should be viewed with extreme skepticism. “Sicarii’s self-description should not necessarily be taken at face value,” the report warns, suggesting that the branding is likely an “identity manipulation or influence-oriented signaling” tactic rather than a reflection of genuine ideological motives.