3C-INT logo [Cyber]Crime Characterization for Intelligence FREE PREVIEW
You are exploring the Free preview. To unlock full read-only access to all public profiles and in-app notifications, create a free research account. For analyst / premium plans capabilities (editing, advanced tabs, exports), please contact us

Threat Actor Characterization

Back
You’re viewing the read-only version. Sign in for analyst tools (editors, promote draft, file/relations management, etc.)
Soldiers of Solomon

Soldiers of Solomon

ID: c10849ad18c502e24aa0deb1e72ea8d450069
Hacktivist Group Hacktivism
Threat types: Hacktivism, Intrusion
Iran ISR
Updated: 2026-03-21
Created: 2026-03-19
Progress: 92% Completeness: 93% Freshness: 90%
Operation zone: Israel
Aliases Limited alias preview
SoldiersOfSolomon
Actor Network Graph
Open Network Graph
Read-only preview for anonymous visitors. Sign in with a free Research account for full workspace.
MITRE ATT&CK®
confidence: medium-high
Actor Techniques page ATT&CK® Diagram

Soldiers of Solomon is a pro-Iran, anti-Israel cyber persona publicly associated with CyberAv3ngers / Storm-0784. Public reporting suggests it functioned primarily as a hack-and-leak and influence-amplification brand rather than a clearly independent advanced intrusion group.


Technique Technique name Tactics Evidence
T1078.001 Default Accounts TA0001 TA0003 TA0004 TA0005
  • 2023-12-02 — Joint advisory states IRGC-linked actors likely compromised internet-exposed Unitronics PLCs using default passwords. INFERENCE (confidence: medium): Soldiers of Solomon, as a linked persona in the same cluster, likely relied on weak/default credential narratives or adjacent access paths when making related claims. · ref
T1491.001 Internal Defacement TA0040
  • 2023-11-26 — IRGC-linked cluster activity against Unitronics HMIs involved defacement messages on control interfaces. INFERENCE (confidence: medium): persona-linked impact narratives fit defacement-style interface messaging rather than covert-only operations. · ref
T1565.001 Stored Data Manipulation TA0040
  • 2023-11-01 — Public claims against Flour Mills framed the event as harmful to the production cycle. INFERENCE (confidence: low-medium): if any operational impact occurred, it likely involved data or configuration manipulation affecting industrial processes or their interface layer. · ref
T0822 External Remote Services TA0108
  • 2024-05-30 — Microsoft described Storm-0784-associated activity against internet-exposed OT devices with Israeli affiliation. INFERENCE (confidence: medium): the persona’s operational storytelling relied on unauthorized interaction with HMI/device management layers. · ref
T0814 Denial of Service TA0107
  • 2023-11-07 — Claims regarding damaged production at an Israeli flour plant suggest possible service interruption in an industrial environment. INFERENCE (confidence: low): the persona may have sought to disrupt or appear to disrupt availability of industrial operations. · ref
Strategic Intelligence
Limited preview
Last updated: 2026-03-22T01:24:51+00:00
Soldiers of Solomon

Classification: TLP:WHITE — Cyber / Hybrid Hacktivist Persona / Suspected State-Linked Proxy Brand

Author: iQBlack CTI Team


Executive Summary

Soldiers of Solomon is best assessed as a pro-Palestinian, pro-Iran cyber persona publicly associated with the broader CyberAv3ngers / Storm-0784 ecosystem rather than a clearly independent threat actor. Public reporting links the brand to Iran’s Islamic Revolutionary Guard Corps (IRGC)-aligned operations targeting Israeli interests during and after the opening phase of the Israel–Hamas war in October 2023.


The persona’s activity pattern centers on hack-and-leak claims, webcam and server compromise claims, industrial/distribution-themed disruption narratives, and aggressive propaganda amplification. Several public claims were later assessed as exaggerated, misleading, or demonstrably false, especially the claim that the actor had ransomed systems at Nevatim Air Force Base. This matters analytically because the persona appears designed not only to announce attacks but to amplify psychological pressure and create the perception of deeper compromise against Israeli infrastructure.

Full strategic intelligence is available in Analyst and Premium plans.
Executive Analyst Brief for CISO
Saved Limited preview

Executive Analyst Brief for CISO — Soldiers of Solomon

Classification: TLP:WHITE

Upgrade to access the full executive brief.
Tip: Hover the section title to learn what’s included in Analyst / Premium plans.
Executive brief now
Saved successfully.
Hunting Playbook
Saved Limited preview

Hunting Playbook — Soldiers of Solomon

Priority: Medium-High for Israeli-affiliated organizations and operators of exposed cameras, HMIs, PLC-linked interfaces, and smart-facility systems.

Upgrade to access the full hunting playbook.
Tip: Hover the section title to learn what’s included in Analyst / Premium plans.
Hunting Playbook now
Saved successfully.
IOC Appendix
Saved Limited preview
Last updated: 2026-03-19T21:56:03+00:00

IOC Appendix — Soldiers of Solomon

Scope & Caveats. This appendix is intentionally conservative. Public reporting around Soldiers of Solomon contains a high proportion of claim-driven material, and several headline claims were later assessed as false or exaggerated. Indicators below should therefore be treated primarily as hunting and context-enrichment artifacts, not as universal blocking rules.

More IOC context for Research. Full appendix for Analyst and Premium plans.
IOC Appendix now
Saved successfully.
OSINT Library
Saved Limited preview
Last saved: 2026-03-19T21:56:26+00:00

OSINT Library — Soldiers of Solomon


2023-11-07 — Security Affairs — “Pro-Palestinian hackers group 'Soldiers of Solomon' disrupted the production cycle of the biggest flour production plant in Israel”

Full OSINT references available for Research / Analyst.
OSINT Library now
Saved successfully.
Social Medial & Communication
SOCMINT integrated: 0/4
Address Verification SOCMINT
twitter.com/Sol************ Restricted Not integrated
Address Verification SOCMINT
t.me/Sol************** Restricted Not integrated
Address Verification SOCMINT
TOX**** Restricted Not integrated
69D************************************************************************* Restricted Not integrated
Notes: preview mode hides sensitive social/contact details.
Reference Images/Associated Evidence Limited
Showing 1–4 of 4 images
Soldiers of Solomon relation with Crucio Ransomware Free Preview
Soldiers of Solomon relation with Crucio Ransomware
Statement Free Preview
Statement
Logo Free Preview
Logo
Banner Free Preview
Banner