
Threat Actor Characterization

Crucio

ID: 7c315ae04cc0a2b782796bd39b7fe96e83203
Category: Crimeware / Ransomware
Threat types: Ransomware, Intrusion
Countries: Iran, Israel
Updated: 2026-03-19
Created: 2026-03-19
Progress: 82% Completeness: 78% Freshness: 90%
Operation zone: Israel
Aliases: Crucio Ransomware, CrucioRansomware
MITRE ATT&CK®

Crucio is a sparsely documented ransomware label publicly associated with Soldiers of Solomon and the broader CyberAv3ngers / IRGC-linked ecosystem. Public evidence supports the name, a small set of suspected indicators, and its use inside propaganda-heavy claims targeting Israeli interests, but does not support treating it as a mature standalone criminal ransomware family.


Technique | Technique name | Tactics | Evidence

T1486 | Data Encrypted for Impact | TA0040 (Impact)
  • 2023-10-18 — Soldiers of Solomon publicly claimed to have "ransomed" Israeli targets using customized Crucio ransomware. The claim itself supports the ransomware-for-impact mapping, although the broader campaign details were disputed.
  • 2023-12-01 — The joint advisory on IRGC-affiliated cyber actors states that the CyberAv3ngers-linked Soldiers of Solomon claimed to have used a ransomware named Crucio against servers where webcam software operated on port 7001.
T1566 | Phishing | TA0001 (Initial Access)
  • 2026-03-19 — INFERENCE (confidence: low): No direct public evidence ties Crucio to phishing delivery. Do not treat this technique as observed for Crucio unless new source material emerges.
T1110 | Brute Force | TA0006 (Credential Access)
  • 2023-12-01 — INFERENCE (confidence: low-medium): The parent CyberAv3ngers ecosystem gained access to exposed Unitronics devices through weak or default authentication. If Crucio was deployed within the same ecosystem, brute-force or password abuse may have enabled access in adjacent operations, but this is not directly proven for Crucio itself.
T1078.001 | Default Accounts | TA0001 (Initial Access), TA0003 (Persistence), TA0004 (Privilege Escalation), TA0005 (Defense Evasion)
  • 2023-12-01 — INFERENCE (confidence: low-medium): Default-account abuse is well documented for CyberAv3ngers operations. It is reasonable to model it as a possible enabling condition for Crucio-related activity at the ecosystem level only, not as sample-specific proof.
Strategic Intelligence
Last updated: 2026-03-19T22:34:21+00:00
Crucio Ransomware — Cyber / Ransomware-like payload / Iran-linked influence-adjacent tooling

Classification: TLP:WHITE | Author: iQBlack CTI Team



Executive Summary

Crucio is a purported ransomware family publicly associated with the Soldiers of Solomon persona and, by extension, with the broader CyberAv3ngers / IRGC-linked influence-and-disruption ecosystem. Public reporting around Crucio is unusually thin and should be treated with caution: the name appears mainly in October 2023 claim-posts tied to alleged compromise of Israeli servers, cameras, and smart-city management systems, and later in government or vendor reporting that explicitly notes that many of the surrounding claims were exaggerated or false.


That limitation matters analytically. Crucio should not currently be modeled as a mature, independently documented ransomware operation on the same footing as well-studied criminal RaaS families. Instead, it is better assessed as a claimed or sparsely observed ransomware component inside a broader campaign of coercive messaging, hack-and-leak theatrics, and state-aligned psychological pressure. The strongest public evidence is not a full reverse-engineering corpus, but rather a combination of government advisory references, a small set of suspected IOCs, and third-party reporting that treats Crucio as part of the Soldiers of Solomon narrative during the early Israel–Hamas conflict period.

Executive Analyst Brief for CISO

Executive Analyst Brief for CISO — Crucio Ransomware

Classification: TLP:WHITE

What it is

Crucio is a purported ransomware capability associated with the Soldiers of Solomon persona and, indirectly, with the broader CyberAv3ngers / IRGC-linked ecosystem. Public reporting confirms the name, a small set of suspected IOCs, and its use in October 2023 coercive claims against Israeli targets. Public reporting also makes clear that many of the surrounding claims were false or exa

Hunting Playbook

Hunting Playbook — Crucio Ransomware

Priority: Medium

Objective: Detect evidence of Crucio-linked payload execution, suspected supporting infrastructure, and overlap with Soldiers of Solomon / CyberAv3ngers-style compromise patterns in server, camera-management, and OT-adjacent environments.

Hunt 1 — Suspected Crucio file-hash sightings

Goal: Identify any endpoint, malware repository, sandbox, or retro-hunt match for the publicly cited suspected Crucio hashes.

Scope: EDR, malware

IOC Appendix
Last updated: 2026-03-19T22:36:10+00:00

1. Scope & Caveats

This appendix reflects the limited open-source evidence currently available for Crucio. The most reliable public artifacts come from the December 2023 joint advisory on IRGC-affiliated cyber actors and later secondary reporting that reproduced those suspected indicators. Several surrounding campaign claims were proven false or exaggerated, so these indicators should be treated primarily as hunting seeds rather than as high-confidence actor-exclusive blocklists.
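Hunt 1 in the playbook above and the "hunting seeds rather than blocklists" caveat in this appendix come down to the same mechanics: normalise a pasted seed list, match it case-insensitively against EDR telemetry and a file tree, and hand any sighting to an analyst instead of auto-blocking on it. The Python below is an added example written for this page; it is not iQBlack platform code and not from any advisory. The seed digest, the EDR event field names (host, image, sha256) and the sample events are constructed stand-ins, and the suspected Crucio hashes published in the December 2023 advisory must be substituted for SAMPLE_SEED_TEXT before real use.

```python
"""Retro-hunt for suspected Crucio hash seeds across an EDR export and a file tree."""
import hashlib
import json
import tempfile
from pathlib import Path

ALGOS = ("md5", "sha1", "sha256")
HEX_LEN_TO_ALGO = {32: "md5", 40: "sha1", 64: "sha256"}

# Constructed stand-in payload: its digest stands in for a "suspected Crucio
# hash" here. Replace SAMPLE_SEED_TEXT with the advisory's published values.
STAND_IN_PAYLOAD = b"constructed stand-in bytes, not a Crucio sample"
STAND_IN_SHA256 = hashlib.sha256(STAND_IN_PAYLOAD).hexdigest()

# Seed list as an analyst pastes it: one digest per line, any case, '#' comments.
SAMPLE_SEED_TEXT = "# constructed seed list\n" + STAND_IN_SHA256.upper() + "\n"

# Constructed EDR export (JSON lines); the field names are an assumption about your vendor schema.
SAMPLE_EDR_LINES = [
    json.dumps({"host": "cam-mgmt-01", "image": "C:\\Windows\\Temp\\upd.exe",
                "sha256": STAND_IN_SHA256}),
    json.dumps({"host": "ws-22", "image": "C:\\Program Files\\Vendor\\agent.exe",
                "sha256": "11" * 32}),
    "not json at all",  # a corrupt export line must not abort the hunt
]

def load_seeds(text):
    """Parse a hash list into {algo: set(lowercase hex)}; algorithm inferred from length."""
    seeds = {algo: set() for algo in ALGOS}
    for raw in text.splitlines():
        token = raw.split("#", 1)[0].strip().lower()
        if not token:
            continue
        algo = HEX_LEN_TO_ALGO.get(len(token))
        if algo is None or any(c not in "0123456789abcdef" for c in token):
            raise ValueError(f"not an MD5/SHA-1/SHA-256 hex digest: {raw!r}")
        seeds[algo].add(token)
    return seeds

def match_digests(digests, seeds):
    """Return the algorithms under which `digests` hits a seed (case-insensitive)."""
    return sorted(a for a, h in digests.items() if h and h.lower() in seeds.get(a, set()))

def hash_file(path):
    """Compute all three digests in one pass so a mixed-algorithm seed list still matches."""
    hashers = {a: hashlib.new(a) for a in ALGOS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {a: h.hexdigest() for a, h in hashers.items()}

def hunt_file_tree(root, seeds):
    """Walk `root` and report every regular file whose digest matches a seed."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            matched = match_digests(hash_file(path), seeds)
            if matched:
                hits.append({"source": "filesystem", "where": str(path), "matched": matched})
    return hits

def hunt_edr_events(lines, seeds):
    """Scan JSON-lines EDR events; returns (hits, malformed_line_count)."""
    hits, malformed = [], 0
    for n, line in enumerate(lines, 1):
        try:
            ev = json.loads(line)
            digests = {a: str(ev.get(a, "")) for a in ALGOS}
        except (json.JSONDecodeError, AttributeError):
            malformed += 1  # corrupt or non-object line: count it, keep hunting
            continue
        matched = match_digests(digests, seeds)
        if matched:
            hits.append({"source": "edr", "line": n, "matched": matched,
                         "where": f"{ev.get('host', '?')}:{ev.get('image', '?')}"})
    return hits, malformed

def triage(hits):
    """Group sightings by location: seeds are leads, so this is a review queue, not a blocklist."""
    queue = {}
    for hit in hits:
        queue.setdefault(hit["where"], []).extend(hit["matched"])
    return queue

def demo_file_tree(seeds):
    """Hunt a throwaway tree holding one stand-in 'sample' and one benign file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "upd.exe").write_bytes(STAND_IN_PAYLOAD)
        (root / "readme.txt").write_bytes(b"benign content")
        return [dict(h, where=Path(h["where"]).name) for h in hunt_file_tree(root, seeds)]

def run_demo():
    """Seeds -> EDR hunt + file-tree hunt -> triage queue keyed by location."""
    seeds = load_seeds(SAMPLE_SEED_TEXT)
    edr_hits, _malformed = hunt_edr_events(SAMPLE_EDR_LINES, seeds)
    return triage(edr_hits + demo_file_tree(seeds))
```

Calling run_demo() returns a queue with two sightings (the constructed EDR event on cam-mgmt-01 and the stand-in file in the temporary tree), each tagged with the algorithm that matched; the seed list is parsed once and hashes are compared lowercased so an upper-case paste from a PDF advisory still hits. Every file is hashed with all three algorithms in a single read because published indicator tables routinely mix MD5, SHA-1 and SHA-256, and a malformed export line is counted rather than fatal so one bad record does not silently end a retro-hunt early.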

OSINT Library
Last saved: 2026-03-19T22:36:24+00:00

OSINT Library — Crucio Ransomware


2023-11-17 — SentinelOne — “Hacktivism in the Israel-Hamas Conflict | Citizen Data Leaked Using Old Malware”

Social Media & Communication
SOCMINT integrated: 0/0

No social links registered for this profile.
Reference Images / Associated Evidence

No images found for this threat.