3C-INT logo [Cyber]Crime Characterization for Intelligence FREE PREVIEW
You are exploring the Free preview. To unlock full read-only access to all public profiles and in-app notifications, create a free research account. For analyst / premium plans capabilities (editing, advanced tabs, exports), please contact us

Threat Actor Characterization

Back
You’re viewing the read-only version. Sign in for analyst tools (editors, promote draft, file/relations management, etc.)
Mr Soul

Mr Soul

ID: 1f5fd004e2bc3bbfb90dfe63b705316398875
Cybercrime Cybercriminal Hacktivist State-Sponsored
Threat types: Hacktivism, Intrusion, State-linked
Iran ISR
Updated: 2026-03-21
Created: 2026-03-19
Progress: 87% Completeness: 85% Freshness: 90%
Operation zone: Israel
Aliases Limited alias preview
Mr_S0ull Mr. Soll Mr******
Showing 2 of 3 aliases in free preview.
Actor Network Graph
Open Network Graph
Read-only preview for anonymous visitors. Sign in with a free Research account for full workspace.
MITRE ATT&CK®
confidence: medium-high
Actor Techniques page ATT&CK® Diagram

Mr Soul is an online persona associated with the CyberAv3ngers ecosystem and publicly linked to IRGC-CEC-aligned malicious cyber activity against critical infrastructure. The persona is best assessed as a propaganda/coordination/operations-facing identity inside a wider OT/ICS targeting cluster rather than as a clearly independent actor.


Technique Technique name Tactics Evidence
T1078.001 Default Accounts TA0001 TA0003 TA0004 TA0005
  • 2023-12-01 — Joint advisory documented abuse of default passwords on Unitronics devices exposed to the internet. · ref
  • 2025-06-16 — RFJ states CyberAv3ngers compromised default credentials on Unitronics PLCs and left anti-Israel messages on device screens. · ref
T1078 Valid Accounts TA0001 TA0003 TA0004 TA0005
  • 2025-06-16 — RFJ description implies use of legitimate device/admin access after weak authentication compromise. · ref
T1491.001 Internal Defacement TA0040
  • 2023-12-01 — Joint advisory describes posting anti-Israel images/messages on Unitronics PLC/HMI screens. · ref
  • 2025-06-16 — RFJ quotes the message left on compromised devices: 'You have been hacked, down with Israel...'. · ref
T1565.001 Stored Data Manipulation TA0040
  • 2023-12-01 — Unauthorized changes to device display/project content map to stored data manipulation in an enterprise ATT&CK context. · ref
T1095 Non-Application Layer Protocol TA0011
  • 2024-12-10 — Claroty documented IOCONTROL using MQTT for command-and-control communication with compromised OT/IoT devices. · ref
T1105 Ingress Tool Transfer TA0011
  • 2024-12-10 — INFERENCE (confidence: medium): IOCONTROL deployment on Linux-based OT/IoT assets implies payload delivery after initial access. · ref
T1190 Exploit Public-Facing Application TA0001
  • 2023-11-29 — INFERENCE (confidence: medium): Check Point reporting stated Mr_S0ull focused on exploiting internet-facing devices and Microsoft Exchange vulnerabilities. · ref
  • 2023-11-29 — CyberScoop reporting on recruitment around the Mr. Soul channel supports an exposure-driven intrusion model rather than victim-initiated access. · ref
Strategic Intelligence
Limited preview
Last updated: 2026-03-19T22:26:08+00:00

Mr Soul / Mr_S0ull / Mr. Soul — IRGC-linked CyberAv3ngers Online Persona

Classification: TLP:WHITE — Open Source Intelligence (OSINT)

Category: Cyber / State-linked Online Persona — Origin: Iran

Author: iQBlack CTI Team


Executive Summary

Mr Soul (also rendered publicly as Mr_S0ull or Mr. Soul, and in some reporting as Mr. Soll) is best assessed as an online persona associated with the CyberAv3ngers ecosystem, rather than a fully separate threat group with a clearly documented independent operational stack. Public U.S. government reporting links the persona to CyberAv3ngers malicious cyber activity against critical infrastructure and places that activity within the orbit of Iran’s Islamic Revolutionary Guard Corps Cyber-Electronic Command (IRGC-CEC).


The persona matters because it appears to sit at the intersection of operations, propaganda, and mobilization. Public reporting and public-sector notices tie CyberAv3ngers to compromises of exposed Unitronics PLC/HMI devices, anti-Israel defacement messaging, and later IOCONTROL-linked targeting of wider OT/IoT infrastructure. In parallel, third-party reporting described a separate “Mr Soul” Telegram channel used for recruiting or coordinating volunteer assistance, suggesting that the persona may have served as a front-facing operator or coordinator identity within the wider campaign structure.

Full strategic intelligence is available in Analyst and Premium plans.
Executive Analyst Brief for CISO
Saved Limited preview

Executive Analyst Brief for CISO — Mr Soul


Upgrade to access the full executive brief.
Tip: Hover the section title to learn what’s included in Analyst / Premium plans.
Executive brief now
Saved successfully.
Hunting Playbook
Saved Limited preview

Hunting Playbook — Mr Soul (CyberAv3ng3rs-related persona)

Priority: HIGH for water, wastewater, fuel management, manufacturing, energy, and other organizations operating internet-exposed OT/ICS assets or Israeli-/globally deployed vendor products named in CyberAv3ngers reporting. MEDIUM for enterprises whose exposure to the actor is indirect but whose internet-facing infrastructure could be used as a pivot into OT/IoT environments.

Upgrade to access the full hunting playbook.
Tip: Hover the section title to learn what’s included in Analyst / Premium plans.
Hunting Playbook now
Saved successfully.
IOC Appendix
Saved Limited preview
Last updated: 2026-03-19T22:28:14+00:00

IOC Appendix — Mr Soul (CyberAv3ng3rs-related persona)

Scope & Caveats. This appendix reflects the best open-source picture available for the Mr Soul persona as of 2026-03-19T00:00:00Z. Public reporting most strongly supports using this appendix as a cluster-aware hunting aid for the CyberAv3ngers / IRGC-CEC ecosystem rather than as a standalone blocklist for one handle. Indicators below are therefore separated into high-confidence cluster-linked itemshunting-only patterns, and pseudo-IOCs / behavioral seeds. Where an item is based on broader CyberAv3ngers activity rather than uniquely on Mr Soul, that is stated explicitly.

More IOC context for Research. Full appendix for Analyst and Premium plans.
IOC Appendix now
Saved successfully.
OSINT Library
Saved Limited preview
Last saved: 2026-03-19T22:28:27+00:00

OSINT Library — Mr Soul


2025-06-16 — Rewards for Justice — “CyberAv3ngers”

Full OSINT references available for Research / Analyst.
OSINT Library now
Saved successfully.
Social Medial & Communication
SOCMINT integrated: 0/1
Address Verification SOCMINT
t.me/+0_************** Restricted Not integrated
Notes: preview mode hides sensitive social/contact details.
Reference Images/Associated Evidence Limited
No images found for this threat.