| Favicon | Title | Type | Available | Last Visit | Server Info | FQDN |
|---|---|---|---|---|---|---|
| | 403 Forbidden | | No | 2026-04-28T07:26:32 | | sicari7zpu3mtxqggde7mu3ywppntdqg22arcukvlaihjbfcb2rnktid.onion |
| | 404 Not Found | | No | 2026-04-28T07:29:04 | | sicarilxx2br6esqnhad4w26bcgb5j2snbbnhyo4b6t7kby2oy4x3jad.onion |
MITRE ATT&CK techniques associated with this group, grouped by tactic:

| Tactic | Techniques |
|---|---|
| Initial Access | Valid Accounts; Drive-by Compromise; Exploit Public-Facing Application; Phishing; Phishing: Spearphishing Attachment; Phishing: Spearphishing Link; Phishing: Spearphishing Voice |
| Execution | Windows Management Instrumentation; Scheduled Task/Job: Scheduled Task; Command and Scripting Interpreter; Command and Scripting Interpreter: PowerShell; Command and Scripting Interpreter: Windows Command Shell; Command and Scripting Interpreter: Visual Basic; Native API; Shared Modules; Exploitation for Client Execution; User Execution; User Execution: Malicious Link; User Execution: Malicious File |
| Persistence | Account Manipulation; Server Software Component: IIS Components; Pre-OS Boot: Bootkit; Create or Modify System Process: Windows Service; Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder; Boot or Logon Autostart Execution: Shortcut Modification; Hijack Execution Flow: DLL Search Order Hijacking |
| Privilege Escalation | Exploitation for Privilege Escalation; Access Token Manipulation; Access Token Manipulation: Create Process with Token; Create or Modify System Process |
| Defense Evasion | Obfuscated Files or Information; Obfuscated Files or Information: Software Packing; Obfuscated Files or Information: Indicator Removal from Tools; Obfuscated Files or Information: Dynamic API Resolution; Obfuscated Files or Information: Embedded Payloads; Obfuscated Files or Information: Encrypted/Encoded File; Masquerading; Masquerading: Rename Legitimate Utilities; Masquerading: Masquerade Task or Service; Masquerading: Match Legitimate Name or Location; Masquerading: Masquerade File Type; Process Injection: DLL Injection; Indicator Removal; Indicator Removal: Clear Command History; Indicator Removal: File Deletion; Indicator Removal: Timestomp; Deobfuscate/Decode Files or Information; Indirect Command Execution; System Binary Proxy Execution; System Binary Proxy Execution: Mshta; System Binary Proxy Execution: Regsvr32; System Binary Proxy Execution: Rundll32; XSL Script Processing; Template Injection; File and Directory Permissions Modification; Virtualization/Sandbox Evasion: System Checks; Virtualization/Sandbox Evasion: Time Based Checks; Abuse Elevation Control Mechanism; Subvert Trust Controls: Code Signing; Impair Defenses; Impair Defenses: Disable or Modify Tools; Impair Defenses: Disable or Modify System Firewall; Hidden Artifacts: Hidden Files and Directories; Hijack Execution Flow: KernelCallbackTable; Reflective DLL Injection; Debugger Evasion |
| Credential Access | OS Credential Dumping; Input Capture; Input Capture: Keylogging; Brute Force: Password Spraying; Steal Web Session Cookie; Unsecured Credentials; Unsecured Credentials: Credentials In Files; Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning |
| Discovery | System Service Discovery; Application Window Discovery; Query Registry; System Network Configuration Discovery; System Owner/User Discovery; Network Service Discovery; System Network Connections Discovery; Process Discovery; System Information Discovery; File and Directory Discovery; Account Discovery; Account Discovery: Domain Account; Time Discovery; Network Share Discovery; Software Discovery; System Location Discovery; System Location Discovery: System Language Discovery |
| Lateral Movement | Remote Services: Remote Desktop Protocol; Remote Services: SMB/Windows Admin Shares; Remote Services: SSH; Internal Spearphishing |
| Collection | Data from Local System; Data Staged; Data Staged: Local Data Staging; Email Collection; Archive Collected Data; Archive Collected Data: Archive via Utility; Archive Collected Data: Archive via Library; Archive Collected Data: Archive via Custom Method |
| Exfiltration | Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol: Unencrypted Non-C2 Protocol; Exfiltration Over Web Service: Exfiltration to Cloud Storage |
| Command and Control | Data Obfuscation: Protocol or Service Impersonation; Fallback Channels; Application Layer Protocol; Application Layer Protocol: Web Protocols; Proxy: Internal Proxy; Proxy: External Proxy; Web Service: Bidirectional Communication; Multi-Stage Channels; Ingress Tool Transfer; Data Encoding: Standard Encoding; Non-Standard Port; Encrypted Channel; Encrypted Channel: Symmetric Cryptography |
| Impact | Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement: Internal Defacement; System Shutdown/Reboot; Disk Wipe; Disk Wipe: Disk Content Wipe; Disk Wipe: Disk Structure Wipe |
| Resource Development | Acquire Infrastructure: Domains; Acquire Infrastructure: Server; Acquire Infrastructure: Web Services; Compromise Infrastructure: Domains; Compromise Infrastructure: Server; Establish Accounts: Social Media Accounts; Establish Accounts: Email Accounts; Develop Capabilities: Malware; Develop Capabilities: Code Signing Certificates; Obtain Capabilities: Tool; Obtain Capabilities: Code Signing Certificates; Obtain Capabilities: Digital Certificates; Stage Capabilities: Upload Malware; Stage Capabilities: Upload Tool |
| Reconnaissance | Gather Victim Identity Information: Email Addresses; Gather Victim Org Information; Gather Victim Org Information: Identify Roles; Search Open Websites/Domains: Social Media |
| Type | IOC |
|---|---|
| tox | 2368C617830435DD74C41323BD684F04627A8047F92A885419E0191AC21F6D49733E4FF2C60E |