Soldiers of Solomon
Soldiers of Solomon is an Iran-linked cyber persona/group associated with the Islamic Revolutionary Guard Corps (IRGC) ecosystem. The content describes it as connected to CyberAv3ngers and other IRGC-linked personas, and Microsoft reporting cited in the content says Storm-784 runs personas including Cyber Avengers and Soldiers of Solomon. It is part of a broader set of Iran-aligned hacktivist or proxy groups used for cyber-enabled influence operations and plausible deniability.
The group/persona has been used on Telegram and X/Twitter to claim attacks against Israeli military and critical infrastructure. The content states that in at least one case, Soldiers of Solomon was a persona adopted by Iranians on Telegram to make claims about attacking Israeli military infrastructure; Microsoft assessed they were able to carry out a ransomware attack, but that their claims about the precision and impact of the operation were overstated. This aligns with the broader pattern described in the content of Iranian operations pairing real but often limited cyber activity with information operations intended to exaggerate impact, create confusion, and amplify psychological effects.
Known associations and aliases directly mentioned in the content are limited to the name Soldiers of Solomon itself, plus its linkage to CyberAv3ngers/Cyber Avengers and Microsoft-tracked Storm-784. The content does not provide additional confirmed sub-groups or distinct aliases beyond those associations.
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- Utilities
- Energy
- Transportation
- Health Care Equipment & Services
- Food, Beverage & Tobacco
Where they target
Geographies tied to known operations.
- 🇺🇸 United States
- 🇮🇱 Israel
- 🇬🇧 United Kingdom
Where they're from
Attributed origin per open-source reporting.
- 🇮🇷 Iran
Tradecraft
6 distinct techniques observed across reporting, grouped by tactic.
Recent activity
5 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Associated IRGC-linked persona mentioned as sharing TTPs and infrastructure with CyberAv3ngers in campaigns against critical infrastructure.
Named hacktivist/proxy group referenced as part of Iran’s broader ecosystem; expected to contribute to increased disruptive activity and narrative signaling.
Persona attributed by Microsoft to the same operator as Cyber Avengers (Storm-0784), focused on compromising IoT/ICS-related devices (e.g., security cameras) and using leaks/claims to intimidate and shape perceptions; includes exaggerated claims (e.g., alleged IAF base camera compromise).
An Iran-linked persona/group name used for information operations on Telegram, claiming attacks (including against Israeli military/critical infrastructure); described as having conducted ransomware but overstating precision and impact.