One of the most influential publications on real-world AI system design is Anthropic’s guide, Building Effective Agents. Its core message is simple: Effective AI requires structure first, adaptability second.
Anthropic emphasizes that AI agents work best when:
A deterministic workflow does all the structured work up front
The agent only activates when uncertainty remains
The agent begins with full context, not an empty slate
Tool usage is controlled and evidence-driven
Human-in-the-loop remains central for oversight and trust
These principles ensure accuracy, avoid hallucinations and keep investigations reproducible, all critical requirements for cybersecurity.
Intezer Forensic AI SOC is built on exactly this philosophy. Our platform uses a dual-mode design with Intezer AI Workflow and AI Agent, completely aligning with Anthropic’s best practices to deliver fast, scalable and highly accurate investigations across a broad range of alerts, all while keeping analysts in the loop.
Here is how Intezer implements Anthropic’s best practices for agents.
Structured first: Intezer AI Workflow handles the majority of alerts
Anthropic advises that AI systems should begin with deterministic workflows instead of free-form reasoning. In cybersecurity, this is essential for accuracy, auditability, trust and scalability (when handling huge volumes of alerts).
Intezer’s AI Workflow mode is a structured triage process designed by security experts and executed with strict consistency. It applies AI only at key decision points, not as the driver of the entire investigation.
This approach provides:
Deterministic, reproducible results
High speed due to streamlined, parallelizable steps
Lower costs because heavy reasoning is used sparingly
No drift or unexpected branching
Clear human oversight points
Most alerts, especially well-defined ones, are fully resolved at this stage, giving SOCs broad alert coverage at low cost.
Adaptive only when needed: Intezer AI Agent extends the investigation
Anthropic states that agents should activate only when the structured workflow reaches uncertainty, and only after they inherit the full context. Intezer follows this exactly.
AI Agent mode activates only when the Workflow cannot reach a high-confidence verdict.
At that point, the agent:
Starts with all evidence collected so far
Avoids premature assumptions
Uses tools deliberately and contextually
Expands the investigation where human analysts would
Surfaces deeper behavioral patterns or cross-asset correlations
This ensures the agent is guided, not free-floating, and its decisions remain grounded in evidence, not guesswork.
Tools the AI Agent can leverage once activated
Dynamic SIEM queries
EDR/XDR telemetry lookups
Identity provider (IDP) investigation
Behavioral analysis of processes and command lines
User activity mapping
Process ancestry and parent-child correlation
Intezer’s historical alert database
Code DNA similarity and malware lineage tracking
Additional host, memory, or file-based forensics
The result is deeper investigation where it matters, without unnecessary cost.
Human-in-the-loop by design
Intezer keeps human analysts at the center so they can review and override conclusions, and trace every decision made by Intezer. Of course, all evidence and reasoning is grounded in forensic data and is fully transparent and explainable for beginners and advanced analysts alike.
This aligns with Anthropic’s principle that humans remain final decision-makers, especially in high-stakes domains like cybersecurity.
How this architecture improves SOC performance
Intezer’s adherence to Anthropic’s best practices produces measurable outcomes across the three most important SOC metrics: accuracy, coverage, and speed, while also reducing cost.
Accuracy
Intezer’s approach of combining deterministic forensics + adaptive AI = best-in-class verdict quality.
The structured workflow prevents hallucinations
The AI Agent only activates with strong guardrails
Context inheritance ensures consistent reasoning
Analysts always have visibility and control
This hybrid approach dramatically reduces false positives and prevents premature conclusions.
Triage of all alerts, including low-severity (where threats often hide)
Because AI Workflows handle the bulk of alerts inexpensively and AI Agents only run when needed, heavy and expensive reasoning calls are minimized
This frees SOCs from cherry-picking which alerts to ingest allowing them to triage and investigate them all.
This is crucial for:
High-volume enterprise environments
MSSPs with strict SLAs
Cloud-scale detection pipelines
24/7 monitoring teams
You get broad alert coverage without inflating compute costs.
Speed: Structured steps + adaptive depth
Workflow mode resolves most alerts within seconds
Agents accelerate investigations that normally take analysts hours
No bottlenecks, no backlog, no manual evidence gathering
The result is a SOC where every alert is investigated quickly, consistently, and with forensic depth.
Table of how Intezer’s design reflects Anthropic’s guidance
Anthropic best practice
How Intezer implements it
Start with deterministic workflows
AI Workflow handles structured triage with predefined expert steps
Activate agents only when needed
AI Agent triggers only when confidence is insufficient
Give agents full context
Agent inherits the entire Workflow evidence set
Control tool usage
Agent selects tools based on evidence, not speculation
Maintain human-in-the-loop
Analysts can verify, guide, and override conclusions
Prioritize safety and reproducibility
Every action is logged, justified, and traceable
Conclusion: Anthropic’s Agent principles in a real SOC
Anthropic’s framework for building effective agents is now influencing industries far beyond general AI research. Intezer Forensic AI SOC might be one of the strongest real-world implementations of these practices in cybersecurity.
By combining:
Deterministic workflows for reliable baseline investigations
As organizations rapidly embrace generative and agentic AI, ensuring robust, unified governance has never been more critical. That’s why Microsoft is honored to be named a Leader in the 2025-2026 IDC MarketScape for Worldwide Unified AI Governance Platforms (Vendor Assessment (#US53514825, December 2025). We believe this recognition highlights our commitment to making AI innovation safe, responsible, and enterprise-ready—so you can move fast without compromising trust or compliance.
Figure 1. IDC MarketScape vendor analysis model is designed to provide an overview of the competitive fitness of technology and suppliers in a given market. The research methodology utilizes a rigorous scoring methodology based on both qualitative and quantitative criteria that results in a single graphical illustration of each supplier’s position within a given market. The Capabilities score measures supplier product, go-to-market and business execution in the short term. The Strategy score measures alignment of supplier strategies with customer requirements in a three- to five-year timeframe. Supplier market share is represented by the size of the icons.
The urgency for a unified AI governance strategy is being driven by stricter regulatory demands, the sheer complexity of managing AI systems across multiple AI platforms and multicloud and hybrid environments, and leadership concerns for risk related to negative brand impact. Centralized, end-to-end governance platforms help organizations reduce compliance bottlenecks, lower operational risks, and turn governance into a strategic driver for responsible AI innovation. In today’s landscape, unified AI governance is not just a compliance obligation—it is critical infrastructure for trust, transparency, and sustainable business transformation.
Our own approach to AI is anchored to Microsoft’s Responsible AI standard, backed by a dedicated Office of Responsible AI. Drawing from our internal experience in building, securing, and governing AI systems, we translate these learnings directly into our AI management tools and security platform. As a result, customers benefit from features such as transparency notes, fairness analysis, explainability tools, safety guardrails, regulatory compliance assessments, agent identity, data security, vulnerability identification, and protection against cyberthreats like prompt-injection attacks. These tools enable them to develop, secure, and govern AI that aligns with ethical principles and is built to help support compliance with regulatory requirements. By integrating these capabilities, we empower organizations to make ethical decisions and safeguard their business processes throughout the entire AI lifecycle.
Microsoft’s AI Governance capabilities aim to provide integrated and centralized control for observability, management, and security across IT, developer, and security teams, ensuring integrated governance within their existing tools. Microsoft Foundry acts as our main control point for model development, evaluation, deployment, and monitoring, featuring a curated model catalog, machine learning oeprations, robust evaluation, and embedded content safety guardrails. Microsoft Agent 365, which was not yet available at the time of the IDC publication, provides a centralized control plane for IT, helping teams confidently deploy, manage, and secure their agentic AI published through Microsoft 365 Copilot, Microsoft Copilot Studio, and Microsoft Foundry.
Deeply embedded security systems are integral to Microsoft’s AI governance solution. Integrations with Microsoft Purview provide real-time data security, compliance, and governance tools, while Microsoft Entra provides agent identity and controls to manage agent sprawl and prevent unauthorized access to confidential resources. Microsoft Defender offers AI-specific posture management, threat detection, and runtime protection. Microsoft Purview Compliance Manager automates adherence to more than 100 regulatory frameworks. Granular audit logging and automated documentation bolster regulatory and forensic capabilities, enabling organizations in regulated industries to innovate with AI while maintaining oversight, secure collaboration, and consistent policy enforcement.
Guidance for security and governance leaders and CISOs
To empower organizations in advancing their AI transformation initiatives, it is crucial to focus on the following priorities for establishing a secure, well-governed, and scalable AI framework. The guidance below provides Microsoft’s recommendations for fulfilling these best practices:
CISO guidance
What it means
How Microsoft delivers
Adopt a unified, end‑to‑end governance platform
Establish a comprehensive, integrated governance system covering traditional machine learning, generative AI, and agentic AI. Ensure unified oversight from development through deployment and monitoring.
Microsoft enables observability and governance at every layer across IT, developer, and security teams to provide an integrated and cohesive governance platform that enables teams to play their part from within the tools they use. Microsoft Foundry acts as the developer control plane, connecting model development, evaluation, security controls, and continuous monitoring. MicrosoftAgent 365 is the control plane for IT, enabling discovery, security, deployment, and observability for agentic AI in the enterprise. MicrosoftPurview,Entra, and Defender integrate to deliver consistent full-stack governance across data, identity, threat protection, and compliance.
Industry‑leading responsible AI infrastructure
Implement responsible AI practices as a foundational part of engineering and operations, with transparency and fairness built in.
Microsoft embeds its Responsible AI Standards into our engineering processes, supported by the Office of Responsible AI. Automatic generation of model cards and built-in fairness mechanisms set Microsoft apart as a strategic differentiator, pairing technical controls with mature governance processes. Microsoft’s Responsible AI Transparency Report provides visibility to how we develop and deploy AI models and systems responsibility and provides a model for customers to emulate our best practices.
Advanced security and real‑time protection
Provide robust, real-time defense against emerging AI security threats, especially for regulated industries.
Microsoft’s platform features real-time jailbreak detection, encrypted agent-to-agent communication, tamper-evident audit logs for model and agent actions, and deep integration with Defender to provide AI-specific threat detection, security posture management, and automated incident response capabilities. These capabilities are especially critical for regulated sectors.
Automated compliance at scale
Automate compliance processes, enable policy enforcement throughout the AI lifecycle, and support audit readiness across hybrid and multicloud environments.
Microsoft Purview streamlines compliance adherence for regulatory requirements and provides comprehensive support for hybrid and multicloud deployments—giving customers repeatable and auditable governance processes.
We believe we are differentiated in the AI governance space by delivering a unified, end-to-end platform that embeds responsible AI principles and robust security at every layer—from agents and applications to underlying infrastructure. Through native integration of Microsoft Foundry, Microsoft Agent 365, Purview, Entra, and Defender, organizations benefit from centralized oversight and observability across the layers of the organization with consistent protection and operationalized compliance across the AI lifecycle. Our comprehensive approach removes disparate and disconnected tooling, enabling organizations to build trustworthy, transparent, and secure AI solutions that can start secure and stay secure. We believe this approach uniquely differentiates Microsoft as a leader in operationalizing responsible, secure, and auditable AI at scale.
Strengthen your security strategy with Microsoft AI governance solutions
Agentic and generative AI are reshaping business processes, creating a new frontier for security and governance. Organizations that act early and prioritize governance best practices—unified governance platforms, build-in responsible AI tooling, and integrated security—will be best positioned to innovate confidently and maintain trust.
Microsoft approaches AI governance with a commitment to embedding responsible practices and robust security at every layer of the AI ecosystem. Our AI governance and security solutions empower customers with built-in transparency, fairness, and compliance tools throughout engineering and operations. We believe this approach allows organizations to benefit from centralized oversight, enforce policies consistently across the entire AI lifecycle, and achieve audit readiness—even in the rapidly changing landscape of generative and agentic AI.
Read our latest Security for AI blog to learn more about our latest capabilities
To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.
Recently, fake LinkedIn profiles have started posting comment replies claiming that a user has “engaged in activities that are not in compliance” with LinkedIn’s policies and that their account has been “temporarily restricted” until they submit an appeal through a specified link in the comment.
The comments come in different shapes and sizes, but here’s one example we found.
The accounts posting the comments all try to look like official LinkedIn bots and use various names. It’s likely they create new accounts when LinkedIn removes them. Either way, multiple accounts similar to the “Linked Very” one above were reported in a short period, suggesting automated creation and posting at scale.
The same pattern is true for the links. The shortened link used in the example above has already been disabled, while others point directly to phishing sites. Scammers often use shortened LinkedIn links to build trust, making targets believe the messages are legitimate. Because LinkedIn can quickly disable these links, attackers likely test different approaches to see which last the longest.
Here’s another example:
Malwarebytes blocks this last link based on the IP address:
If users follow these links, they are taken to a phishing page designed to steal their LinkedIn login details:
Image courtesy of BleepingComputer
A LinkedIn spokesperson confirmed to BleepingComputer they are aware of the situation:
“I can confirm that we are aware of this activity and our teams are working to take action.”
Stay safe
In situations like this awareness is key—and now you know what to watch for. Some additional tips:
Don’t click on unsolicited links in private messages and comments without verifying with the trusted sender that they’re legitimate.
Always log in directly on the platform that you are trying to access, rather than through a link.
Use a password manager, which won’t auto-fill in credentials on fake websites.
Use a real-time, up-to-date anti-malware solution with a web protection module to block malicious sites.
Cybersecurity risks should never spread beyond a headline. If something looks dodgy to you, check if it’s a scam using Malwarebytes Scam Guard, a feature of our mobile protection products. Submit a screenshot, paste suspicious content, or share a text or phone number, and we’ll tell you if it’s a scam or legit. Download Malwarebytes Mobile Security for iOS or Android and try it today!
Over the past year, Microsoft Threat Intelligence observed the proliferation of RedVDS, a virtual dedicated server (VDS) provider used by multiple financially motivated threat actors to commit business email compromise (BEC), mass phishing, account takeover, and financial fraud. Microsoft’s investigation into RedVDS services and infrastructure uncovered a global network of disparate cybercriminals purchasing and using to target multiple sectors, including legal, construction, manufacturing, real estate, healthcare, and education in the United States, Canada, United Kingdom, France, Germany, Australia, and countries with substantial banking infrastructure targets that have a higher potential for financial gain. In collaboration with law enforcement agencies worldwide, Microsoft’s Digital Crimes Unit (DCU) recently facilitated a disruption of RedVDS infrastructure and related operations.
RedVDS is a criminal marketplace selling illegal software and services that facilitated and enabled cybercrime. The marketplace offers a simple and feature-rich user interface for purchasing unlicensed and inexpensive Windows-based Remote Desktop Protocol (RDP) servers with full administrator control and no usage limits – a combination eagerly exploited by cybercriminals. Microsoft’s investigation into RedVDS revealed a single, cloned Windows host image being reused across the service, leaving unique technical fingerprints that defenders could leverage for detection.
Microsoft tracks the threat actor who develops and operates RedVDS as Storm-2470. We have observed multiple cybercriminal actors, including Storm-0259, Storm-2227, Storm-1575, Storm-1747, and phishing actors who used the RacoonO365 phishing service prior its coordinated takedown, leveraging RedVDS infrastructure. RedVDS launched their website in 2019 and has been operating publicly since to offer servers in locations including the United States, United Kingdom, Canada, France, Netherlands, and Germany. The primary website used the redvds[.]com domain, with secondary domains at redvds[.]pro and vdspanel[.]space.
RedVDS uses a fictitious entity claiming to operate and be governed by Bahamian Law. RedVDS customers purchased the service through cryptocurrency, primarily Bitcoin and Litecoin, adding another layer of obfuscation to illicit activity. Additionally, RedVDS supports a broad range of digital currency, including Monero, Binance Coin, Avalanche, Dogecoin, and TRON.
The mass scale of operations facilitated by RedVDS infrastructure and roughly US $40 million in reported fraud losses driven by RedVDS‑enabled activity in the United States alone since March 2025 underscore the threat of an invisible infrastructure providing scalability and ease for cybercriminals to access target networks. In this blog, we share our analysis of the technical aspects of RedVDS: its infrastructure, provisioning methods, and the malware and tools deployed on RedVDS hosts. We also provide recommendations to protect against RedVDS-related threats such as phishing attacks.
Figure 1: Heat map of attacks leveraging RedVDS infrastructure
Uncovering the RedVDS Infrastructure
Microsoft Threat Intelligence investigations revealed that RedVDS has become a prolific tool for cybercriminals in the past year, facilitating thousands of attacks including credential theft, account takeovers, and mass phishing. RedVDS offers its services for a nominal fee, making it accessible for cybercriminals worldwide.
Over time, Microsoft Threat Intelligence identified attacks showing thousands of stolen credentials, invoices stolen from target organizations, mass mailers, and phish kits, indicating that multiple Windows hosts were all created from the same base Windows installation. Additional investigations revealed that most of the hosts were created using a single computer ID, signifying that the same Windows Eval 2022 license was used to create these hosts. By using the stolen license to make images, Storm-2470 provided its services at a substantially lower cost, making it attractive for threat actors to purchase or acquire RedVDS services.
Anatomy of RedVDS Infrastructure
Figure 2. RedVDS tool infrastructureFigure 3. RedVDS user interface
Service model and base image: RedVDS provided virtual Windows cloud servers, which were generated from a single Windows Server 2022 image, through RDP. All RedVDS instances identified by Microsoft used the same computer name, WIN-BUNS25TD77J, an anomaly that stood out because legitimate cloud providers randomize hostnames. This host fingerprint appears in RDP certificates and system telemetry, serving as a core indicator of RedVDS activity. The underlying trick is that Storm-2470 created one Windows virtual machine (VM) and repeatedly cloned it without customizing the system identity.
Automated provisioning: The RedVDS operator employed Quick Emulator (QEMU) virtualization combined with VirtIO drivers to rapidly generate cloned Windows instances on demand. When a customer ordered a server, an automated process copied the master VM image (with the pre-set hostname and configuration) onto a new host. This yielded new servers that are clones of the original, using the same hostname and baseline hardware IDs, differing only by IP address and hostname prefix in some cases. This uniform deployment strategy allowed RedVDS to stand up fresh RDP hosts within minutes, a scalability advantage for cybercriminals. It also meant that all RedVDS hosts shared certain low-level identifiers (for example, identical OS installation IDs and product keys), which defenders could potentially pivot on if exposed in telemetry.
Figure 6. RedVDS user interface
Payment and access: The RedVDS service operated using an online portal,RedVDS[.]com, where access was sold for cryptocurrency, often Bitcoin, to preserve anonymity. After payment, customers received credentials to sign in using Remote Desktop. Notably, RedVDS did not impose usage caps or maintain activity logs (according to its own terms of service), making it attractive for illicit use. Additionally, the use of unlicensed software allowed RedVDS to offer its services at a nominal cost, making it more accessible for threat actors as a prolific tool for cybercriminal activity.
Hosting footprint: RedVDS did not own physical datacenters; instead, it rented servers from third-party hosting providers to run its service. We traced RedVDS nodes to at least five hosting companies in the United States, Canada, United Kingdom, France, and Netherlands. These providers offer bare-metal or virtual private server (VPS) infrastructure. By distributing across multiple providers and countries, RedVDS could provision IP addresses in geolocations close to targets (for example, a US victim might be attacked from a US-based IP address), helping cybercriminals evade geolocation-based security filters. It also meant that RedVDS traffic blended with normal data center traffic, requiring defenders to rely on deeper fingerprints (like the host name or usage patterns) rather than IP address alone.
Figure 7: Footprint of RedVDS hosting providers December 2025
We observed RedVDS most commonly hosted within the following AS/ASNs from December 5 to 19, 2025:
Figure 8. AS/ASNs hosting RedVDS
Malware and tooling on RedVDS hosts
RedVDS is an infrastructure service that facilitated malicious activity, but unlike malware, it did not perform harmful actions itself; the threat came from how criminals used the servers after provisioning. Our investigation found that RedVDS customers consistently set up a standard toolkit of malicious or dual-use software on their rented servers to facilitate their campaigns. By examining multiple RedVDS instances, we identified a recurring set of tools:
Mass mailer utilities: A variety of spam/phishing email tools were installed to send bulk emails. We observed examples like SuperMailer, UltraMailer, BlueMail, SquadMailer, and Email Sorter Pro/Ultimate on RedVDS machines. These programs are designed to import lists of email addresses and blast out phishing emails or scam communications at scale. They often include features to randomize content or schedule sends, helping cybercriminals manage large phishing campaigns directly from the RedVDS host.
Email address harvesters: We found tools, such as Sky Email Extractor, that allowed cybercriminals to scrape or validate large numbers of email addresses. These helped build victim lists for phishing. We also found evidence of scripts or utilities to sort and clean email lists (to remove bounces, duplicates, and others), indicating that RedVDS users were managing mass email operations end-to-end on these servers.
Privacy and OPSEC tools: RedVDS hosts had numerous applications to keep the operators’ activities under the radar. For example, we observed installations of privacy-focused web browsers (likeWaterfox, Avast Secure Browser, Norton Private Browser), and multiple virtual private network (VPN) clients (such as NordVPN and ExpressVPN). Cybercriminals likely used these to route traffic through other channels (or to access criminal forums safely) from their RedVDS server, and to ensure any browsing or additional communications from the server were masked. Also present was SocksEscort, a proxy/socksifier tool, hinting that some RedVDS tenants ran malware that required SOCKS proxies to reach targets.
Remote access and management: Many RedVDS instances had AnyDesk installed. AnyDesk is a legitimate remote desktop tool, suggesting that criminals might have used it to sign in to and control their RedVDS boxes more conveniently or even share access among co-conspirators.
Automation and scripting: We found evidence of scripting environments and attempts to use automation services. For example, Python was installed on some RedVDS hosts (with scripts for tasks like parsing data), and one actor attempted to use Microsoft Power Automate (Flow) to programmatically send emails using Excel, though their attempt was not fully successful. Additionally, some RedVDS users leveraged ChatGPT or other OpenAI tools to overcome language barriers when writing phishing lures. Consequently, non‑English‑speaking operators could generate more polished English‑language lure emails by using AI tools on the compromised RedVDS host.
Figure 9. Proposal invitation rendered by Power Automate using RedVDS infrastructure
Below is a summary table of tool categories observed on RedVDS hosts and their primary purpose:
Category
Examples
Primary use
Mass mailing
SuperMailer, UltraMailer, BlueMail, SquadMailer
Bulk phishing email distribution and campaign management
Email address harvesting
Sky Email Extractor, Email Sorter Pro/Ultimate
Harvesting target emails and cleaning email lists (list hygiene)
Convenient multi-host access for cybercriminals; remote control of RedVDS servers beyond RDP (or sharing access)
Table 1. Common tools observed on RedVDS servers
Website
Business or service
www.apollo.io
Business-to-business (B2B) sales lead generator
www.copilot.microsoft.com
Microsoft Copilot
www.quillbot.com
Writing assistant
www.veed.io
Video editing
www.grammarly.com
Writing assistant
www.braincert.com
E-learning tools
login.seamless.ai
B2B sales lead generator
Table 2. AI tools seen used on RedVDS
Mapping the RedVDS attack chain
Threat actors used RedVDS because it provided a highly permissive, low-cost, resilient environment where they could launch and conceal multiple stages of their operation. Once provisioned, these cloned Windows hosts gave actors a ready‑made platform to research targets, stage phishing infrastructure, steal credentials, hijack mailboxes, and execute impersonation‑based financial fraud with minimal friction. Threat actors benefited from RedVDS’s unrestricted administrative access and negligible logging, allowing them to operate without meaningful oversight. The uniform, disposable nature of RedVDS servers allowed cybercriminals to rapidly iterate campaigns, automate delivery at scale, and move quickly from initial targeting to financial theft.
Figure 10. Example of RedVDS attack chain
Reconnaissance
RedVDS operators leveraged their provisioned server to gather intelligence on fraud targets and suppliers, collecting organizational details, payment workflows, and identifying key personnel involved in financial transactions. This information helped craft convincing spear-phishing emails tailored to the victim’s business context.
During this phase, cybercriminals also researched tools and methods to optimize their campaigns. For example, Microsoft observed RedVDS customers experimenting with Microsoft Power Automate to attempt to automate the delivery of phishing emails directly from Excel files containing personal attachments. These attempts were unsuccessful, but their exploration of automation tools showed a clear intent to streamline delivery workflows and scale their attacks.
Resource development and delivery
Next, RedVDS operators developed their phishing capabilities by transforming its permissive virtual servers into a full operational infrastructure. They did this by purchasing phishing-as-a-service (PhaaS) infrastructure or manually assembling their own tooling, including installing and configuring phishing kits, using mass mailer tools, email address harvesters, and evasion capabilities, such as VPNs and remote desktop tools. Operators then built automation pipelines by writing scripts to import target lists, generating PDF or HTML lure attachments, and automating sending cycles to support high-volume delivery. While RedVDS itself only provided permissive VDS hosting, operators deployed their own automation tooling on these servers to enable large-scale phishing email delivery.
Once their tooling is in place, operators began staging their phishing infrastructure by registering domains that often masqueraded as legitimate domains, setting up phishing pages and credential collectors, and testing the end-to-end delivery before launching their attacks.
Account compromise
RedVDS operators gained initial access through successful phishing attacks. Targets received phishing emails crafted to appear legitimate. When a recipient clicked the malicious link or opened the lure, they are redirected to a phishing page that mimicked a trusted sign-in portal. Here, credentials are harvested, and in some cases, cybercriminals triggered multifactor authentication (MFA) prompts that victims approved, granting full access to accounts.
Credential theft and mailbox takeover
Once credentials were captured through phishing, RedVDS facilitated the extraction and storage of replay tokens or session cookies. These artifacts allowed cybercriminals to bypass MFA and maintain persistent access without triggering additional verification, streamlining account takeover.
With valid credentials or tokens, cybercriminals signed in to the compromised mailbox. They searched for financial conversations, pending invoices, and supplier details, copying relevant emails to prepare for impersonation and fraud. This stage often included monitoring ongoing threads to identify the most opportune moment to intervene.
Impersonation infrastructure development
Building on the initial RedVDS footprint, operators expanded their infrastructure to large-volume phishing and impersonation activity. A critical component of this phase was the registration and deployment of homoglyph domains, lookalike domains crafted to mimic legitimate supplier or business partners with near-indistinguishable character substitutions. During the investigation, Microsoft uncovered over 7,300 IP addresses linked to RedVDS infrastructure that collectively hosted more than 3,700 homoglyph domains within a 30-day period.
Using these domains, operators created impersonation mailboxes and inserted themselves into ongoing email threads, effectively hijacking trusted communications channels. This combination of homoglyph domain infrastructure, mailbox impersonation, and thread hijacking formed the backbone of highly convincing BEC operations and enabled seamless social engineering that pressured victims into completing fraudulent financial transactions.
Social engineering
Using the impersonation setup, cybercriminals further injected themselves into legitimate conversations with suppliers or internal finance teams. They sent payment change requests or fraudulent invoices, leveraging urgency and trust to manipulate targets into transferring funds. For example, Microsoft Threat Intelligence observed multiple actors, including Storm-0259, using RedVDS to deliver fake unpaid invoices to businesses that directed the recipient to make a same day payment to resolve the debt. The email included PDF attachments of the fake invoice, banking details to make the payment, and contact details of the impersonator.
Payment fraud
Finally, the victim processed the fraudulent payment, transferring funds to an attacker-controlled mule account. These accounts were often part of a larger laundering network, making recovery difficult.
Common attacks using RedVDS infrastructure
Mass phishing: In most cases, Microsoft observed RedVDS customers using RedVDS as primary infrastructure to conduct mass phishing. Prior to sending out emails, cybercriminals linked to RedVDS infrastructure abused Microsoft 365 services to register fake tenants posing as legitimate local businesses or organizations. These cybercriminals also installed additional legitimate applications on RedVDS server, including Brave browser, likely to mask browsing activity; Telegram Desktop, Signal Desktop, and AnyTime Desktop to facilitate their operations; as well as mass mailer tools such as SuperMailer, UltraMailer, and BlueMail.
Password spray: Microsoft observed actors conducting password spray attacks using RedVDS infrastructure to gain initial access to target systems.
Spoofed phishing attacks: Microsoft has observed actors using RedVDS infrastructure to send phishing messages that appear as internally sent email communications by spoofing the organizations’ domains. Threat actors exploit complex routing scenarios and misconfigured spoof protections to carry out these email campaigns, with RedVDS providing the means to send the phishing emails in majority of cases. This phishing attack vector does not affect customers whose Microsoft Exchange mail exchanger (MX) records point to Office 365; these tenants are protected by native built-in spoofing detections.
Lures used in these attacks are themed around voicemails, shared documents, communications from human resources (HR) departments, password resets or expirations, and others, leading to credential phishing. Microsoft has also observed a campaign leveraging this vector to conduct financial scams against organizations, attempting to trick them into paying false invoices to fraudulently created banking accounts. Phishing messages sent through this method might seem like internal communications, making them more effective. Compromised credentials could result in data theft, business email compromise, or financial loss, all requiring significant remediation.
Business email compromise/Account takeover: Microsoft observed RedVDS customers using the infrastructure to conduct BEC attacks that included account takeovers of organizations or businesses. In several cases, these actors also created homoglyph domains to appear legitimate in payment fraud operations. During email takeover operations, RedVDS customers used compromised accounts in BEC operations to conduct follow-on activity. In addition to mass mailers, these cybercriminals signed in to user mailboxes and used those accounts to conduct lateral movement within the targeted organization’s environment and look for other possible users or contacts, allowing them to conduct reconnaissance and craft more convincing phishing emails. Following successful account compromise, the cybercriminals often created an invitation lure and uploaded it to the victim’s SharePoint. In these cases, Microsoft observed the cybercriminals exfiltrating financial data, namely banking information from the same organizations that were impersonated in addition to mass downloading of invoices, and credential theft.
Defending against RedVDS-related operations
RedVDS is an infrastructure provider that facilitated criminal activity, and it is not by itself a malware tool that deploys malicious code. This activity is not exclusively abusing Microsoft services but likely other providers as well.
While Microsoft notes that the organizations at most risk for RedVDS-related operations are legal, construction, manufacturing, real estate, healthcare, and education, the activity conducted by malicious actors using RedVDS are common attacks that could affect any business or consumers, especially with an established relationship where high volume of transactions are exchanged.
The overwhelming majority of RedVDS-related activity comprises social engineering, phishing operations, and business email compromise. Microsoft recommends the following recommendations to mitigate the impact of RedVDS-related threats.
Preventing phishing attacks
Defending against phishing attacks begins at the primary gateways: email and other communication platforms.
Review our recommended settings for Exchange Online Protection and Microsoft Defender for Office 365 to ensure your organization has established essential defenses and knows how to monitor and respond to threat activity.
Invest in user awareness training and phishing simulations. Attack simulation training in Microsoft Defender for Office 365, which also includes simulating phishing messages in Microsoft Teams, is one approach to running realistic attack scenarios in your organization.
Configure the Microsoft Defender for Office 365 Safe Links policy to apply to internal recipients.
Hardening credentials and cloud identities is also necessary to defend against phishing attacks, which seek to gain valid credentials and access tokens. As an initial step, use passwordless solutions like passkeys and implement MFA throughout your environment:
Organizations can mitigate BEC risks by focusing on key defense measures, such as implementing comprehensive social engineering training for employees and enhancing awareness of phishing tactics. Educating users about identifying and reporting suspicious emails is critical. Essential technical measures include securing device services, including email settings through services like Microsoft Defender XDR, enabling MFA, and promoting strong password protection. Additionally, using secure payment platforms and tightening controls around financial processes can help reduce risks related to fraudulent transactions. Collectively, these proactive measures strengthen defenses against BEC attacks.
Ensure that admin and user accounts are distinct by using Privileged Identity Management or dedicated accounts for privileged tasks, limiting overprivileged permissions. Adaptive Protection can automatically apply strict security controls on high-risk users, minimizing the impact of potential data security incidents.
Avoid opening emails, attachments, and links from suspicious sources. Verify sender identities before interacting with any links or attachments. In most RedVDS-related BEC cases, once the actor took over an email account, the victim’s inbox was studied and used to learn about existing relationships with other vendors or contacts, making this step extra crucial. Educate employees on data security best practices through regular training on phishing indicators, domain mismatches, and other BEC red flags. Leverage Microsoft curated resources and training and deploy phishing risk-reduction tool to conduct simulations and targeted education. Encourage users to browse securely with Microsoft Edge or other SmartScreen-enabled browsers to block malicious websites, including phishing domains.
Enforcing robust email security settings is critical for preventing spoofing, impersonation, and account compromise, which are key tactics in BEC attacks. Most domains sending mail to Office 365 lack valid DMARC enforcement, making them susceptible to spoofing. Microsoft 365 and Exchange Online Protection (EOP) mitigate this risk by detecting forged “From” headers to block spoofed emails and prevent credential theft. Spoof intelligence, enabled by default, adds an extra layer of security by identifying spoofed senders.
Microsoft Defender XDR detections
Microsoft Defender XDR detects a wide variety of post-compromise activity leveraging the RedVDS service, including:
Possible BEC-related inbox rule (Microsoft Defender for Cloud apps)
Compromised user account in a recognized attack pattern (Microsoft Defender XDR)
Risky sign in attempt following a possible phishing campaign (Microsoft Defender for Office 365)
Risky sign-in attempt following access to malicious phishing email (Microsoft Defender for Cloud Apps)
Suspicious AnyDesk installation (Microsoft Defender for Endpoint)
Password spraying (Microsoft Defender for Endpoint)
Microsoft Defender XDR coordinates detection, prevention, investigation, and response across endpoints, identities, email, apps to provide integrated protection against threats. Customers with provisioned access can also use Microsoft Security Copilot in Microsoft Defender to investigate and respond to incidents, hunt for threats, and protect their organization with relevant threat intelligence.
Microsoft Security Copilot
Security Copilot customers can use the standalone experience to create their own prompts or run the following prebuilt promptbooks to automate incident response or investigation tasks related to this threat:
Incident investigation
Microsoft User analysis
Threat actor profile
Threat Intelligence 360 report based on MDTI article
Vulnerability impact assessment
Note that some promptbooks require access to plugins for Microsoft products such as Microsoft Defender XDR or Microsoft Sentinel.
Threat intelligence reports
Microsoft Defender XDR customers can use the following threat analytics reports in the Defender portal (requires license for at least one Defender XDR product) to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide the intelligence, protection information, and recommended actions to prevent, mitigate, or respond to associated threats found in customer environments.
Microsoft Security Copilot customers can also use the Microsoft Security Copilot integration in Microsoft Defender Threat Intelligence, either in the Security Copilot standalone portal or in the embedded experience in the Microsoft Defender portal to get more information about this threat actor.
Indicators of compromise
The following table lists the domain variants belonging to RedVDS provider.
To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast.
Today, Microsoftis announcing a coordinated legal action in the United States and, for the first time, the United Kingdom to disrupt RedVDS, a global cybercrime subscription service fueling millions in fraud losses. These efforts are part of a broader joint operation with international law enforcement, including German authorities and Europol, which has allowed Microsoft and its partners to seize key malicious infrastructure and take the RedVDS marketplace offline, a major step toward dismantling the networks behind AI-enabled fraud, such as real estate scams.
For as little as US$24 a month, RedVDS provides criminals with access to disposable virtual computers that make fraud cheap, scalable, and difficult to trace. Services like these have quietly become a driving force behind today’s surge in cyber‑enabled crime, powering attacks that harm individuals, businesses, and communities worldwide.Since March 2025,RedVDS‑enabled activity has driven roughly US$40 millionin reported fraud losses in the United States alone. Among the victims is H2-Pharma, an Alabama‑based pharmaceutical company that lost more than $7.3 million—money supposed to be used to sustain lifesaving cancer treatments, mental health medications, and children’s allergy drugs for patients across the country. In a separate case, the Gatehouse Dock Condominium Association in Florida was tricked out of nearly $500,000—funds contributed by residents and property owners for essential repairs. Both organizations are joining Microsoft as co‑plaintiffs in this civil action.
But these cases represent only a fraction of the harm. Fraud and scams frequently go unreported, victims are global, and cybercriminals routinely pivot across platforms and service providers. For the individual, fraud has lasting effects that extend beyond financial loss to emotional wellbeing, health, relationships, and long-term stability. As a result, the true toll of RedVDS‑enabled activity is far higher than the roughly US $40 million Microsoft can directly observe.
What RedVDS is—and why it matters
RedVDS is an online subscription service that is part of the growing cybercrime-as-a-service ecosystem where cybercriminals buy and sell services and tools to launch attacks at scale. It provides access to cheap, effective, and disposable virtual computers running unlicensed software, including Windows, allowing criminals to operate quickly, anonymously, and across borders.
A screenshot of RedVDS’s user dashboard, including a loyalty program and referral bonuses for customers.
Cybercriminals use RedVDS for a wide range of activities, including sending high‑volume phishing emails, hosting scam infrastructure, and facilitating fraud schemes. RedVDS is frequently paired with generative AI tools that help identify high‑value targets faster and generate more realistic, multimedia message email threads that mimic legitimate correspondences. In hundreds of cases, Microsoft observed attackers further augment their deception by leveraging face-swapping, video manipulation, and voice cloning AI tools to impersonate individuals and deceive victims.
In just one month, more than 2,600 distinct RedVDS virtual machines sent an average of one million phishing messages per day to Microsoft customers alone. While most were blocked or flagged as part of the 600 million cyberattacks Microsoft blocks per day, the sheer volume meant a small percentage may have succeeded in reaching the targets’ inboxes. Since September 2025, RedVDS‑enabled attacks have led to the compromise or fraudulent access of more than 191,000 organizations worldwide. These figures represent only a subset of the impacted accounts across all technology providers, illustrating how quickly this infrastructure increases the scale of cyberattacks.
Global density of compromised Microsoft email accounts using RedVDS from September 2025 through December 2025. The top five impacted countries are the United States, Canada, the United Kingdom, France, and India.
How RedVDS enables fraud
One of the most common ways RedVDS‑enabled attacks result in financial loss is through payment diversion fraud, also known as business email compromise, or “BEC.” In these schemes, attackers gain unauthorized access to email accounts, quietly monitor ongoing conversations, and wait for the right moment, such as an upcoming payment or wire transfer. At that point, they impersonate a trusted party and redirect funds, often moving the money within seconds. Both H2-Pharma and the Gatehouse Dock Condominium Association were targeted through sophisticated BEC schemes that exploited trust and timing.
BEC attack chain powered by RedVDS.
Sample impersonation email with fraudulent payment instructions.
RedVDS has also been heavily used to facilitate real estate payment diversion scams, one of the fastest‑growing forms of cyber‑enabled fraud. In these cases, attackers compromise the accounts of realtors, escrow agents, or title companies and send strategically timed emails with fraudulent payment instructions designed to divert closing funds, escrow payments, and other sizeable transactions. For families and first altogether. Microsoft has observed RedVDS‑enabled activity affecting more than 9,000 customers in the real estate sector alone, with particularly severe impact in countries such as Canada and Australia.
And the threat goes far beyond real estate. RedVDS‑enabled scams have hit construction, manufacturing, healthcare, logistics, education, legal services, and many other sectors—disrupting everything from production lines to patient .
A Global Response to a Global Threat
Cybercrime today is powered by shared infrastructure, which means disrupting individual attackers is not enough. Through this coordinated action, Microsoft has disrupted RedVDS’s operations, including seizing two domains that host the RedVDS marketplace and customer portal, while also laying the groundwork to identify the individuals behind them.
Microsoft’s legal actions are reinforced by close collaboration with law enforcement partners around the world, further disrupting the malicious operation. Germany’s Public Prosecutor’s Office Frankfurt am Main – Central Office for Combating Internet Crime (ZIT) and the German State Criminal Police Office Brandenburg have seized a critical server used to power RedVDS, effectively taking its central marketplace offline. At the same time and as part of this ongoing disruption, Microsoft is also working closely with international law enforcement, including Europol’s European Cybercrime Centre (EC3), to disrupt the broader network of servers and payment networks that supported RedVDS customers as part of the ongoing disruption.What people and organizations can do
We are deeply grateful to H2– -Pharma and the Gatehouse Dock Condominium Association for their willingness to come forward and share their experiences. Their cooperation, combined with Microsoft’s threat intelligence, made this action possible and will help protect future victims. Falling victim to a scam should never carry stigma. These attacks are executed by organized, professional criminal groups that intercept and manipulate legitimate communications between trusted parties.
Simple steps can significantly reduce risk, including slowing down and questioning urgency, calling points of contact back using numbers that are already known to you, verifying payment requests using additional contact information, enabling multifactor authentication, watching carefully for subtle changes in email addresses, keeping software up to date, and reporting suspicious activity to law enforcement. Every report helps dismantle networks like RedVDS and brings us closer to stopping cybercrime at scale.
Continuing a collective effort to disrupt cybercrime
This action against RedVDS builds on Microsoft’s ongoing efforts to disrupt fraud and scam infrastructure through legal and technical action, collaboration with law enforcement, and participation in global initiatives such as the National Cyber-Forensics and Training Alliance (NCFTA) and the Global Anti-Scam Alliance (GASA). It marks the 35th civil action targeting cybercrime infrastructure by Microsoft’s Digital Crimes Unit, underscoring a sustained strategy to go beyond individual takedowns and dismantle the services that criminals rely on to operate and scale.
As services like RedVDS continue to emerge, Microsoft will keep working with partners across sectors and borders to identify and disrupt the infrastructure behind cyber-enabled fraud, making it harder for criminals to profit and easier for people and organizations to stay safe online.
Sicarii is a newly observed RaaS operation that surfaced in late 2025 and has only published 1 claimed victim.
The group explicitly brands itself as Israeli/Jewish, using Hebrew language, historical symbols, and extremist right-wing ideological references not usually seen in financially-motivated ransomware operations.
Underground online activity associated with Sicarii is primarily conducted in Russian, including RaaS recruitment posts and forum engagement.
Hebrew content used by the group appears to be machine-translated or non-native and contains grammatical and semantic errors.
The group’s behavior and messaging diverge from established ransomware practices and raise the possibility of identity manipulation or influence-oriented signaling, rather than a real and mature criminal operation.
The ransomware performs an active geo-fencing check to prevent execution on Israeli systems, an unusual design choice that weakens plausible deniability.
The ransomware’s technical capabilities include data exfiltration, collecting system credentials and network information, check exploitation for Fortinet devices, and encrypt files using AES-GCM and the .sicarii extension.
Introduction
In December 2025, a previously unknown Ransomware-as-a-Service (RaaS) operation calling itself Sicarii began advertising its services across multiple underground platforms. The group’s name references the Sicarii, a 1st-century Jewish assassins group that opposed Roman rule in Judea. From its initial appearance, the Sicarii ransomware group distinguished itself through unusually explicit and persistent use of Israeli and Jewish symbolism in its branding, communications, and malware logic.
Figure 1 – Sicarii Ransomware logo featuring the phrase “The Sicarii Knife” in Hebrew text with the symbol of the Haganah (predecessor to the Israel Defense Forces).
Unlike most financially-motivated ransomware groups, Sicarii overtly claims Israeli or Jewish affiliation. Its visual branding incorporates Hebrew text and the emblem of the historical Jewish paramilitary organization Haganah, while its ransomware selectively avoids executing on systems identified as Israeli. The group further claims ideological motivation rooted in extremist Jewish groups, while simultaneously marketing the operation as profit-driven and offering financial incentives for attacks against Arab or Muslim states.
In this report, Check Point Research (CPR) examines Sicarii’s background and capabilities, outlines its technical characteristics, and highlights a series of anomalies and inconsistencies that complicate attribution and clear understanding who is behind this group. These indicators raise questions regarding the authenticity of the group’s claimed identity and suggest the possibility of performative or false-flag behavior rather than genuine national or ideological alignment.
Technical analysis
While the exact initial access path is still unclear, communications with the group suggest the operator is likely purchasing access to the targeted organizations and not necessarily exploiting them directly.
The ransomware execution begins with an Anti-VM phase that tries to determine whether the malware is running in a real victim environment or inside a sandbox. It performs several environment checks, including virtualization detection. If it concludes it is executing inside a VM, it stops early and displays a decoy MessageBox error: "DirectX failed to initialize memory during runtime, exiting". Next, it enforces single-instance execution by creating a mutex and exiting if the mutex already exists. The ransomware then copies itself to the Temp directory with a random name in the format svchost_{random}.exe
The ransomware tests for Internet connection by attempting to contact the following url 120 times: google.com/generate_204
Figure 2 – Check for internet connection.
After checking connectivity, the ransomware determines if the victim is Israeli by checking:
Is the time zone set to Israel
Does the keyboard layout include Hebrew
Do any adapter IPs belongs to Israeli subnets
After establishing its execution context, the ransomware disables SafeBoot options and initiates broad collection of high-value data and files with predefined extensions list from Documents\Downloads\Desktop\VIdeos\Pictures\Music. While this activity supports double extortion, the harvested information may also be leveraged for lateral movement or follow-up attacks. The malware collects registry hives, system credentials, browser data, and some application data from platforms including Discord, Slack, Roblox, Telegram, Office, WhatsApp, Atomic Wallet and more. In addition, it attempts to dump LSASS to obtain further credentials. All collected data is packaged into a ZIP archive named collected_data.zip and exfiltrated to an external service via file.io.
Figure 3 – Staging the collected data in a ZIP archive.
Next, the malware performs network reconnaissance to better understand the victim’s environment. The malware enumerates the local network configuration, maps nearby hosts via ARP requests, and actively probes discovered systems. As part of this process, it scans for exposed RDP services and attempts to exploit Fortinet devices using CVE-2025-64446.
Figure 4 – CVE-2025-64446 exploitation code.
To maintain persistence, the malware uses several different mechanisms, favoring redundancy:
Registry Run key
Creating a service named WinDefender
Creating a new user SysAdmin with password Password123!
Creating a new AWS user, without any check if AWS is installed:
Figure 5 – Persistence via AWS.
Next, the malware checks if AV and VPN products are running. If so, it terminates their processes and sends to the C2 server the link to file.io which contains exfiltrated data file and victim information:
Figure 6 – Sending victim data to the attackers’ server.
Finally, after finishing reconnaissance, privilege handling, and data collection stages, the ransomware moves into the main impact phase: encryption. It iterates through common user directories such as Documents, Desktop, Music, Downloads, Pictures and Videos, and encrypts files in place using the BCryptEncrypt API. The .sicarii extension is appended to each encrypted file name:
The algorithm used is AES-GCM (256-bit key) via BCryptOpenAlgorithmProvider("AES", ..., "ChainingModeGCM").
A unique random AES key is used for each file and the encryption parameters (nonce and tag) are stored in an XOR-0xAA-encoded header.
The encrypted file is named <original_name>.sicarii and contains only a custom header plus ciphertext.
The original unencrypted file is deleted.
The ransomware drops its ransom note:
Figure 7 – Ransom Note.
As a final pressure mechanism, the malware deploys a destructive component intended to hinder system recovery and prolong operational downtime. The ransomware drops a destruct.bat script and registers it to execute at system startup. When triggered, the script corrupts critical bootloader files, leverages built-in Windows utilities such as cipher and diskpart to perform disk-wiping operations, and ultimately forces an immediate system shutdown.
Figure 8 – Destructive phase.
Intelligence Findings & Anomalies
Telegram Presence
The primary Sicarii operator uses the Telegram account @Skibcum, operating under the display name “Threat.” According to our analysis, the account was registered in November 2025, shortly before Sicarii’s initial appearance in underground forums and RaaS advertisements. This timing aligns closely with the group’s emergence and suggests the account was created specifically for this operation rather than part of a long-standing criminal persona.
The account’s profile image features a repurposed internet meme containing the phrase “Smile is a mitzvah” (the word “mitzvah” in Hebrew means “good deed”) alongside iconography associated with the banned Israeli extremist Kach organization.
Figure 9 – Threat’s Profile picture.
The account is active in several Telegram group chats associated with underground communities. These include Russian-language informal hacker and meme-oriented channels where the operator participates in casual conversation, exchanges stickers and GIFs, as well as chats unrelated to operational activity. The tone in public group chats is informal and at times impulsive, standing in contrast to the more deliberate and controlled tone adopted in private communications.
In all these communications, the operator demonstrates comfortable fluency in English and Russian, using colloquial phrasing, slang, and emotionally expressive language consistent with native or near-native proficiency. No comparable fluency is observed in the Hebrew language in any setting.
Direct Messaging and Signaling Behavior
In private communications, the operator posed as Sicarii’s communications lead and made several self-reported operational claims:
Victim Activity: Claimed that Sicarii compromised 3–6 victims within approximately one month, all of whom paid the ransom.
Targeting Strategy: Stated that the group focuses on small businesses, intentionally avoiding large enterprises and government entities to reduce scrutiny and pressure.
Negotiation Practices: Acknowledged routine negotiation and cited a single case in which a ransom demand was reduced to approximately USD 10,000 for an incident involving around five endpoints.
Comparative Positioning: Repeatedly compared Sicarii to established Russian ransomware groups such as LockBit and Qilin, while emphasizing that Sicarii is intentionally maintaining a lower profile “for now.”
On January 5, 2026, Sicarii published its first publicly listed victim, a Greece-based manufacturer. Shortly thereafter, Sicarii advertised downloadable exfiltrated data hosted on a public file-sharing service, but the file download links quickly expired. The operator described this victim as “just a test,” despite earlier assertions that multiple successful extortion cases had already occurred. This reframing introduces an internal inconsistency between prior claims of operational success and the treatment of the first disclosed victim.
Ideological Claims vs. Financial Motivation
Sicarii simultaneously frames itself as a profit-driven RaaS platform and an ideologically motivated actor inspired by extremist Jewish figures. Multiple conversations and advertisements emphasize that Sicarii prioritizes attacks against Arab or Muslim targets and explicitly volunteer “insider information” about their intention to next target a Saudi Arabian entity.
Figure 10 – Insider information offer.
This duality is inconsistent with observed ransomware ecosystems, where ideological messaging is typically minimized to avoid limiting affiliate recruitment and operational reach. The selective invocation of ideology, particularly when paired with commercial incentives, appears performative rather than doctrinal.
Figure 11 – Performative claim or ideological statement?
Performative Israeli Identity and Linguistic Inconsistencies
Although Sicarii group members present themselves as Israeli or Jewish, their use of Hebrew strongly suggests non-native language skills. Hebrew content on the group’s shame site contains misspellings, awkward phrasing, and literal translations of English idioms that do not exist in Hebrew. In private communications, the Telegram user claimed to personally handle only “frontend and communications,” while asserting other operators are Israeli and responsible for ransomware development and initial access operations. Using the same Telegram profile, the actor quickly reemerged as “Isaac” while producing Hebrew that appears to be machine-translated English and insisting they are Hebrew speakers even when challenged.
Figure 12 – An excerpt from the chat with the Sicarii operator, allegedly handing over their account to another operator, “Isaac”, who is Israeli.
In contrast, Sicarii’s activity on underground forums and Telegram channels is conducted fluently in Russian and English, including structured RaaS advertisements and informal interactions. This linguistic asymmetry indicates that English or Russian is actually the operator’s primary language.
Behavioral Indicators and OpSec Observations
The operator’s Telegram behavior displays several notable characteristics:
Low operational discipline, such as openly requesting “ransomware APKs” in public group chats rather than sourcing such information privately.
Identity play and inconsistency, including shifting self-descriptions and performative signaling toward ideological alignment without a clear strategic purpose.
This reinforces the impression of a relatively inexperienced actor navigating established underground ecosystems rather than a seasoned participant.
Visual Branding and Subcultural Overlap Image
The Telegram operator’s profile image and shared graphics reuse a modified internet meme featuring the phrase “Smile is a mitzvah” alongside symbols associated with the banned Israeli extremist organization Kach. The only variant of this image was identified within a looksmax forum, an online male-dominated subculture often characterized by extreme racism, misogyny, and anti-Semitic discourse.
The limited circulation of this image suggests it’s not a mainstream ideological representation. The forum user who shared this picture said he was a 15-year-old boy and participated in anti-Semitic forum threads.
VirusTotal Activity – Uploading Your Own Source Code & Terrorist Images
The majority of Sicarii-associated samples were submitted to VirusTotal by a single community account which uploaded approximately 250 files over the past several months. Most submissions correspond to apparent variants or loaders associated with the Sicarii ransomware.
Notably, the ransomware binaries were frequently uploaded under the generic filename Project3.exe, a naming convention consistent with testing, staging, or iterative development rather than finalized deployment artifacts.
In addition to compiled ransomware samples, the same VirusTotal account uploaded a source code file titledransomawre.cson October 25, 2025, predating Sicarii’s public emergence. This source code referenced the same Tor infrastructure later used by the Sicarii ransomware, suggesting early development or experimentation prior to operational deployment.
In addition to malware-related submissions, the same account also uploaded:
Unrelated suspicious files
Malware report-style documents
An image of Meir Kahane, founder of the extremist Kach organization
The convergence of ransomware testing artifacts, early-stage source code, and extremist ideological imagery within a single VirusTotal account is atypical for mature ransomware operations. Instead of reflecting a compartmentalized development pipeline or affiliate-driven ecosystem, this activity suggests personal experimentation or centralized control, reinforcing the impression of limited operational experience and informal tradecraft.
Explicit National Signaling and Deviation from Ransomware Norms
Established ransomware groups, particularly those operating from Russia or Eastern Europe, typically avoid overt national or ideological signaling to preserve plausible deniability and reduce geopolitical risk. Even well-documented Russian-linked groups such as Qilin or Cl0p refrain from explicit self-identification, despite consistently avoiding domestic targets.
Notably, Sicarii’s operators referenced Qilin and Cl0p in private communications, explicitly describing them as Russian groups that do not attack within Russia and stating that Sicarii follows the “same logic.” This comparison was used by the operator to justify both excluding Israeli victims and the group’s broader targeting posture.
Despite invoking this model, Sicarii diverges sharply from established ransomware norms by:
Advertising preferential rates for attacks against Arab or Muslim states.
Embedding Israeli geo-exclusion logic directly into its ransomware.
Publicly associating itself with extremist Jewish figures and symbols.
Whereas Eastern European ransomware groups rely on implicit understandings and silent geographic avoidance, Sicarii’s approach is unusually explicit and performative. Such behavior is not only unnecessary for a financially motivated RaaS but also invites avoidable exposure. All of this suggests either limited operational maturity or deliberate signaling beyond purely criminal objectives.
Historical Precedent for False-Flag Use of Jewish Identity
Previous campaigns attributed to Iranian-aligned or anti-Israeli actors, including Moses Staff and Abraham’s Ax, leveraged Jewish historical references and fabricated Israeli insider personas to conduct false-flag operations or influence campaigns.
While no direct technical linkage exists between Sicarii and these actors, the use of Jewish extremist symbolism, overt Israeli identity claims, and ideologically charged rhetoric mirrors known deception techniques employed in prior operations by anti-Israeli Middle Eastern actors.
Leak site
The Sicarii leak site is notably rudimentary, offering display options in both Hebrew and English. The Hebrew version is characterized by awkward phrasing and frequent misspellings, further indicating non-native authorship. In private communications, the operator stated that AI tools were used in the site’s development. Notably, the leak site was active for approximately one month before the first victim was published, a delay that is atypical for RaaS operations seeking rapid visibility and credibility.
Figure 13 -Sicarii onion website.
Conclusion & Assessment
Sicarii is a newly observed ransomware operation that combines a functional extortion capability with unusually explicit Israeli and Jewish branding. While the malware itself demonstrates credible ransomware functionality, the group’s behavior and presentation deviate from established ransomware norms.
On Telegram communications, underground forum activity, and public-facing infrastructure, Sicarii repeatedly asserts national and ideological identity in ways that provide no clear operational benefit. Although the operators compare themselves to Russian ransomware groups such as Qilin and Cl0p (arguing that those groups also avoid domestic targets), Sicarii departs from this model by making its alignment explicit and performative, weakening plausible deniability.
Linguistic analysis further undermines the group’s claims. Hebrew usage across the leak site and private communications is inconsistent and indicative of non-native authorship, while English and Russian are used fluently. Operationally, the group appears centralized and informal, with early-stage tooling, inconsistent victim narratives, and limited compartmentalization, suggesting experimentation rather than a mature RaaS ecosystem.
Taken together, these indicators suggest that Sicarii’s claimed Israeli or Jewish identity doesn’t necessarily reflect genuine ideological motives. Instead, the operation appears to leverage performative identity signaling layered onto an immature ransomware capability. Attribution remains inconclusive, but Sicarii’s self-description should not necessarily be taken at face value.
This article was originally published in the second edition of the InfoSec Survival Guide. Find it free online HERE or order your $1 physical copy on the Spearphish General Store. […]
Jordan Drysdale & Kent Ickler // TL;DR Look for links, download them. Look for GPOs, import them. Look for screenshots, for guidance. Sysmon + Windows Audit Policies + Event Collectors […]
Welcome to Issue #141 of Detection Engineering Weekly!
Every week, I read, watch and listen to all the Detection Engineering content so you can consume it all in 10 minutes. Subscribe and get a weekly digest of the latest and greatest in threat detection engineering!
✍️ Musings from the life of Zack:
It was a long but restful month away from you all! I can’t wait to get back into writing every week for y’all
🤝 I am accepting new sponsors for 2026! If you are interested in sponsoring the newsletter, shoot me an email at techy@detectionengineering.net. We are already almost halfway booked for Primary slots and now have Secondary slots so you have options!
I’ve started writing again for the Field Manual and I really love encapsulating my experience and knowledge into these posts. If you have ideas for Field Manual posts, comment below. I have my latest post below as the last story under State of the Art
This Week’s Primary Sponsor: Push Security
Want to learn how to respond to modern attacks that don’t touch the endpoint?
Modern attacks have evolved—most breaches today don’t start with malware or vulnerability exploitation. Instead, attackers are targeting business applications directly over the internet.
This means that the way security teams need to detect and respond has changed too.
Register for the latest webinar from Push Security on February 11 for an interactive, “choose-your-own-adventure” experience walking through modern IR scenarios, where your inputs will determine the course of our investigations.
For detection engineers, incident responders, and threat hunters who operate in a cloud-first environment, you probably heard developers in your organization talk about Kubernetes (k8s for short). It’s an extremely popular container orchestration framework that has been used as the de facto standard for controlling scaling, application isolation, and cost. Whether you have it in your environment or you’ve never worked with it, it’s important to note how important the security controls and detection opportunities work inside these environments, because it’s like an operating system of its own.
When Obeng first shared this research on a Slack server I was on, I was excited to read it because it’s truly a deep dive into Kubernetes security, as the title suggests. She started the blog by describing how unfamiliar this space was, and by the end, you could tell Obeng had become very familiar with detection and hunting scenarios in Kubernetes.
The blog starts with an introduction to k8s and breaks down the jargon, architecture, and nuances of how a Kubernetes environment operates. The most important thing I try to get folks to understand with k8s is that it’s separated into two detection planes. The control plane, as Obeng explains, “is the core of Kubernetes.” It helps control everything from scaling plans, what containers to run, permissions, and health checks.
The other plane, the data plane, is everything else. The hyperscalers describe this as the service’s core functionality. Since k8s’ functionality revolves around running containers, you could argue that it’s about each individual container and the isolation of those containers within k8s.
As you can see from the threat matrix, attacks along MITRE ATT&CK operate in both planes.
After giving this introduction, she jumps into several attack scenarios. But the start of this scenario section first describes her description of the k8s attack surface. This is my favorite part of the blog. Obeng outlines four major scenarios you’ll see in any k8s attack: pod weaknesses, identity and access mechanisms, cluster configuration, and control plane entry points. Notice these are focused on the control plane as the end goal. So, if you can compromise any part of the data plane, for the most part, the main goal is to attack the control plane afterward.
She ends the blog with close to 10 attack scenarios, detection rules using Falco, and a follow-up with her lab for folks who want more hands-on learning.
EDR blogs from independent researchers are hard to find. It’s not that the blogs are tucked away in dark corners of the Internet, instead, EDR researchers who don’t work at vendors are few and far between. So, anytime I get to see research that goes deep into the EDR space, I pay close attention.
This is especially true for the macOS world. Microsoft has years of security solutions and a litany of researchers who document all kinds of peculiar malware and EDR behavior. This is logical, since most major security incidents over the last 30 years have been on Windows platforms. But in the last few years, attackers have shifted their focus to macOS. The opaqueness-by-design of EDR vendors AND Apple makes it hard to learn about security internals on this platform.
This technical analysis by Olivia helps break down those barriers by first describing the ecosystem of opaqueness of macOS combined with security vendor technologies. From my understanding (and with lots of stupid questions from me to Olivia), rely on the extended security (ES) system, which is somewhat equivalent to Linux’s eBPF observability and security framework. Security vendors subscribe to security events, build detections over them, and implement EDR security response features, such as blocking a piece of malware from executing.
This has its limitations, and Olivia’s analysis under her “Technical Analysis” section points them out. It’s reminiscent of the early days of Microsoft security, when bypasses emerged from malware families, and it took a lot of effort for vendors and Microsoft to respond to them. The closed ecosystem has it’s advantages from a security controls perspective, but IMHO, it starts to do a disservice to organizations when attackers move faster than the controls you try to implement.
This post is an excellent follow-up to Abeng’s blog, which is under the Gem at the top of the newsletter!
Detection engineering is much more than building detection rules. There are elements of software engineering, data analysis, and threat research that separate a good detection engineer from a great one. I’ve talked about this across my publication, podcasts and conference talks. But, if you want a deep dive on the how to wear and implement these skillsets, Ved’s blog is a great resource to do so.
Ved defines cloud-native detections as any research, engineering and implementation of a detection rule to identify threat activity in cloud environments (AWS, Azure, GCP) and Kubernetes. He then describes his nine-phase (!) approach to writing detections, and opens each subsection with what “hat” you should be wearing.
The value of this post lies in the diligence put into each phase, especially in the use of real-world examples. They are bite-sized sections so that I wouldn’t be phased (ha!) out by the number. It serves more as a handbook for you to reference as you move through the detection lifecycle.
My favorite section is under Phase 4, titled “Enrichment and Context.” It ties nicely with my piece about context and complexity within rules, and according to Ved, it does require a Software Engineering Hat. Ved lists out five critical pieces of context to help increase the efficacy of rules:
Identity Context: who is this (human) or what is this (service-account).
Threat Intelligence: what IP addresses, domains, or general knowledge around indicators of compromise do we have to help make decisions on this activity?
Resource and asset metadata: What critical asset inventories, compliance tags or posture related information exists to help identify the riskiness of this asset being attacked?
Behavioral baselines: is this normal behavior for this type of activity? Think Administrator activity at 2am on Saturday.
Temporal context: Attacks aren’t point-in-time, they are over a period-of-time. Can you enrich this alert with other context of events before it occurred?
Ved finishes the rest of the post, writes a detection, tests it, follows it through deployment, and sees how useful the alert is. It looks like this is his first post on his Substack, so I recommend subscribing!
This is a fantastic commentary on what happens when the security community knows that a new technology is going to bring all kinds of security issues, even though the issues haven’t materialized yet. Saxe’s framing revolves around the growing attack surfaces around AI technologies. It’s hard to parse marketing-speak and LinkedIn ads and messages from startup founders and salespeople claiming that “the bad guys are already using AI at scale to attack you!!11” without much proof. Perhaps they reference a news article about some basic usage of vibecoding malware, or a phishing site that has an HTML comment of “created by Claude Code.”
Saxe has recommendations around what security functions and specific teams can do to help prepare for this, and I will steal his framing around making controls and policies “dialable”. Security should aim to be enablers rather than disablers for our engineering and technology counterparts. So, build controls in security engineering, and implement detection & response processes, but configure them in a way so you can “dial up” the strictness as we see new attacks emerge from real scenarios rather than theoretical ones.
Seth recently released a comprehensive library on privilege escalation scenarios and techniques abusing IAM in AWS environments. There are 65 total paths, and 27 of them are not covered by existing OSS tools to test coverage. That good news is that the website has the description of each attack and how to perform it, as well as a helpful graph visualization so you can see the traversal rather than try to create an image in your head.
📔 Field Manual
I wrote a Field Manual issue on Atomic Detection Rules over break! Please go check it out!
This blog is a comprehensive look back at Mac Malware incidents and research throughout 2025. Maybe I am showing my age, but if you told me 10 years ago that macOS’s popularity is going to explode in cybercriminal groups, leading to large scale compromises, I would laugh at you. Wardle lists out the top malware families, some associated incidents and blogs dissecting the malware, as well as walk through analysis of the malware using an open-source toolbox.
I’m a bit late on this one due to holidays and time off, but MongoDB recently disclosed a critical vulnerability dubbed “MongoBleed” under CVE-2025-14847. It allows an unauthenticated attacker to connect to a MongoDB instance and leak memory contents, which potentially contain sensitive information around data inside Mongo, authentication data and cryptographic data.
I’m impressed with the transparency and diligence in the post. MongoDB found the vulnerability internally, validated it, built a patch, notified customers and rolled out a post. A researcher at Elastic published a PoC two days later (on Christmas, no less) that I’ll link below.
n8n is an open-source workflow framework to build Agent-to-Agent systems. They recently disclosed two vulnerabilities, CVE-2026-21858 and CVE-2026-21877, a 9.9 and 10.0, respectively. n8n itself has skyrocketed in popularity primarily due to it’s ease of use for interfacing with Agentic workflows and platforms. The .1 difference is 21858’s arbitrary file read, which could allow reading secrets from a target system, and full remote code execution on 21877.
I really enjoyed the technical detail of this post by Attias, focused on the arbirary file read vulnerability. When you think of arbitrary file reads in a modern application stack like n8n, you can pull a lot more credentials that give you access besides dumping password files. Attias created a clever scenario on reading in arbitrary sessions and loading it into n8n’s knowledge base, allowing the extraction of the key from the chat interface itself.
Hands-on lab for testing security vulnerability knowledge against MCP servers. There are nine scenarios, and each one looks pretty reasonable in their real-world applicability. You’ll need Claude and python to run each one, and luckily with MCP, you can specify the singular Python file within the Claude config and get everything you need to get started.
Tailsnitch is a posture management tool for Tailscale configurations. You give it a Tailscale API key and it’ll connect to your tenant’s API and compare it’s configuration to secure baselines.
This is a nice example of what I think will be a normal detection and response engineer’s setup in the next few years. Your org will operate a repository with agent setups for technology like Claude code, and it’ll contain a standardized list of MCP servers to use and agent instructions. Making it extendable to tweak or add agents and MCP servers should be as easy as another prompt and some glue work for a custom MCP.
Every week, I read, watch and listen to all the Detection Engineering content so you can consume it all in 10 minutes. Subscribe and get a weekly digest of the latest and greatest in threat detection engineering!
Login
