Cybercrime and Ransomware

New Sicarii RaaS Operation Targets RDP and Fortinet Devices

By Staff Writer, January 15, 2026

Fast Facts

  1. In December 2025, the Sicarii ransomware operation emerged as a uniquely ideological group with Israeli/Jewish affiliations, openly displaying Hebrew language and symbols like Haganah.
  2. Unlike typical cybercriminal groups, Sicarii targets organizations in Arab and Muslim countries, employing geo-fencing to exclude Israeli systems and using sophisticated infrastructure for stealth and resilience.
  3. The malware performs network reconnaissance, exploits vulnerabilities like CVE-2025-64446 on Fortinet devices, and exfiltrates extensive data—including credentials and chat info—before encrypting files with AES-GCM and deploying destructive bootloader corruption.
  4. Organizations should focus on patching Fortinet devices, implementing network segmentation, and monitoring for zero-day exploits to defend against this politically motivated and technically advanced ransomware threat.

The Issue

In December 2025, a new ransomware-as-a-service (RaaS) operation called Sicarii emerged on underground platforms. Unlike typical cybercriminal groups, Sicarii explicitly displayed Hebrew language, Israeli symbols, and references to Jewish history. The operation openly identified itself with the Haganah symbol and aimed its attacks at organizations in Arab and Muslim countries, deliberately avoiding Israeli systems. To enforce this, the malware employed geo-fencing techniques to detect Israeli hosts, checking time zones, keyboard layouts, and network IP addresses, so that only non-Israeli systems were attacked. Once active, the ransomware conducted network reconnaissance, scanned for exposed Remote Desktop Protocol (RDP) services, and exploited known vulnerabilities in Fortinet devices to move laterally within networks. It collected sensitive data from various platforms, encrypted files with AES-256, and then exfiltrated the data before deploying destructive scripts that damaged critical system components. Security analysts from Check Point identified this operation’s complex infrastructure and warned organizations to patch vulnerabilities and implement network segmentation to defend against such targeted offensive cyber activity.

Risk Summary

This issue, titled “New Sicarii RaaS Operation Attacks Exposed RDP Services and Attempts to Exploit Fortinet Devices”, poses a serious threat to any business because the operators target Remote Desktop Protocol (RDP) services, which are common access points for employees and IT teams. When these services are exposed without proper protections, attackers can gain unauthorized access, leading to data breaches and operational disruptions. Moreover, attempts to exploit vulnerabilities in Fortinet devices, which are widely used for network security, can result in unauthorized control over critical systems. Consequently, businesses face severe consequences, including financial loss, reputational damage, and legal liabilities. Understanding and proactively addressing these vulnerabilities is therefore essential to safeguard your business’s infrastructure and maintain trust with clients and partners.

Possible Action Plan

In the rapidly evolving landscape of cybersecurity threats, swift and effective remediation is crucial to minimize damage and prevent future breaches. When attackers target exposed RDP services and attempt to exploit vulnerabilities in Fortinet devices, prompt action is essential to contain the threat, protect sensitive data, and maintain organizational resilience.

Containment Strategies

  • Isolate affected systems from the network to prevent lateral movement.
  • Disable or change compromised accounts and credentials immediately.

Vulnerability Patching

  • Apply the latest security patches for RDP services and Fortinet devices.
  • Regularly update firmware and software to fix known vulnerabilities.

Access Control

  • Implement strong, multi-factor authentication for remote access.
  • Restrict RDP access to only necessary IP addresses and protocols.

Monitoring & Detection

  • Enable comprehensive logging on RDP and Fortinet devices.
  • Use intrusion detection systems to identify malicious activity early.
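As an added illustration of the logging and detection point above (this is example code written for this summary, not tooling from Check Point or the article), the following Python flags the RDP password-guessing pattern that precedes exposure-driven intrusions: a burst of failed logons from one source IP followed by a success. It assumes Windows Security events have been exported in a constructed `EventID|Timestamp|LogonType|IpAddress|TargetUserName` layout; the sample lines are constructed, not real telemetry.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data): five 4625 failures from one source
# within seconds, then a 4624 success from the same IP; two benign entries.
SAMPLE_LOG = """\
4625|2026-01-15T02:00:01|10|203.0.113.7|administrator
4625|2026-01-15T02:00:03|10|203.0.113.7|admin
4625|2026-01-15T02:00:04|10|203.0.113.7|backup
4625|2026-01-15T02:00:06|10|203.0.113.7|itadmin
4625|2026-01-15T02:00:09|10|203.0.113.7|svc_sql
4624|2026-01-15T02:00:12|10|203.0.113.7|svc_sql
4625|2026-01-15T02:30:00|10|198.51.100.20|jdoe
4624|2026-01-15T09:05:00|10|192.0.2.44|jdoe
"""

RDP_LOGON_TYPE = "10"        # RemoteInteractive: Terminal Services / RDP logons
FAIL_THRESHOLD = 5           # failures from one IP inside WINDOW trigger an alert
WINDOW = timedelta(minutes=5)

def parse(log_text):
    """Yield (event_id, timestamp, ip, user) for RDP logon events only."""
    for line in log_text.splitlines():
        fields = line.strip().split("|")
        if len(fields) != 5:
            continue                      # skip malformed lines
        event_id, ts, logon_type, ip, user = fields
        if logon_type != RDP_LOGON_TYPE:
            continue
        yield event_id, datetime.fromisoformat(ts), ip, user

def detect_rdp_bruteforce(log_text):
    """Return {ip: verdict}: 'bruteforce' once FAIL_THRESHOLD failures land in
    WINDOW, escalated to 'bruteforce_then_success' if a 4624 then follows."""
    recent_fails = defaultdict(list)   # ip -> timestamps of 4625s still in window
    verdicts = {}
    for event_id, ts, ip, user in parse(log_text):
        fails = recent_fails[ip]
        fails[:] = [t for t in fails if ts - t <= WINDOW]   # slide the window
        if event_id == "4625":
            fails.append(ts)
            if len(fails) >= FAIL_THRESHOLD:
                verdicts.setdefault(ip, "bruteforce")
        elif event_id == "4624" and verdicts.get(ip) == "bruteforce":
            verdicts[ip] = "bruteforce_then_success"   # likely account compromise
    return verdicts
```

Where Network Level Authentication is enabled, failed RDP attempts are often recorded with logon type 3 rather than 10, so a production rule should accept both types for 4625 events.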

Communication & Reporting

  • Notify relevant internal teams and external authorities as required.
  • Document the incident and remediation efforts for analysis and compliance.

Security Enhancements

  • Deploy VPNs or bastion hosts to secure remote connections.
  • Consider deploying Web Application Firewalls or other protective measures around vulnerable endpoints.

Acting quickly with these mitigations helps secure organizational assets, reduce risk exposure, and strengthen defenses against ongoing and future attacks.

Disclaimer: The information provided may not always be accurate or up to date. Please do your own research, as the cybersecurity landscape evolves rapidly. Intended for secondary references purposes only.

John Marcelli is a staff writer for the CISO Brief, with a passion for exploring and writing about the ever-evolving world of technology. From emerging trends to in-depth reviews of the latest gadgets, John stays at the forefront of innovation, delivering engaging content that informs and inspires readers. When he's not writing, he enjoys experimenting with new tech tools and diving into the digital landscape.
