Author: CRIMSON7 Security Operations
Date: June 19, 2026
Version: 1.0
Classification: TLP
Active Extortion Campaign - Icarus Threat Actor
The Icarus extortion group compromised Klue's SaaS integration layer in June 2026, stealing OAuth tokens that granted direct access to downstream Salesforce CRM environments across multiple victim organizations. CRM data was exfiltrated via automated Python scripts; extortion emails were then delivered from compromised Australian retail infrastructure. Revoke all Klue OAuth grants immediately and audit Salesforce API logs for Python-urllib/3.12 User-Agent activity.
Table of Contents
- Attack Overview
- Initial Incident
- Local Evidence
- OSINT & Infrastructure Investigation
- Indicators of Compromise
- MITRE ATT&CK Mapping
- Incident Timeline
- Key Takeaways
- Attribution & Threat Actor Context
- References & Sources
1. Attack Overview
What Happened
In June 2026, the Icarus extortion group exploited a dormant, forgotten service account within Klue - a competitive intelligence SaaS platform - to push a malicious update to Klue's integration layer. This update harvested OAuth tokens belonging to Klue's customers, which Icarus then used to directly query Salesforce REST APIs at each victim organization. Automated Python scripts extracted CRM data over a roughly 24-hour window before Klue detected and contained the activity. Victims were subsequently contacted with extortion demands, with stolen data staged on gofile.io as proof. The extortion emails arrived from three compromised Australian retail domains sharing the same infrastructure stack.
Attack Chain
Step 1 - Initial Access: Dormant Service Account Compromise (T1199)
Icarus obtains credentials for a Klue service account that had been created to test a third-party integration which was never deployed. The account was never decommissioned. Klue has not disclosed how the credential was obtained.
Step 2 - Execution: Malicious Code Update Pushed to Integration Layer
Using the service account, Icarus deploys a malicious update to Klue's integration layer, the component that brokers connections between Klue's platform and its customers' external SaaS environments, including Salesforce.
Step 3 - Credential Access: OAuth Token Harvest (T1550.001)
The malicious code intercepts and extracts the OAuth tokens that Klue holds for its customers as they pass through the integration layer. Because these are bearer tokens presented directly on API calls, Salesforce sees an already-authorized app: no interactive login takes place, so MFA is never prompted, and as long as a refresh token is included the access persists until the grant is revoked.
Step 4 - Discovery: Salesforce Object Catalog Enumeration (T1087, T1580)
For each victim, automated Python scripts call GET /services/data/v59.0/sobjects to enumerate every CRM object type visible to the token, mapping what data exists before deciding what to steal.
Step 5 - Collection: Bulk CRM Data Extraction via QueryMore Pagination (T1213.003, T1074.002)
Scripts extract CRM records via GET /services/data/v59.0/query and follow the query locator (QueryMore in SOAP terms; in the REST API this is the nextRecordsUrl returned with each page), pulling the result set page by page until the response reports done. Cadence varied by victim: one saw ~1,000 queries in 15 minutes; others showed slower extraction spread over roughly 6 hours.
Step 6 - Exfiltration: Stolen Data Staged on gofile.io (T1567)
Samples of the stolen CRM data are staged on the public file-sharing service gofile.io for use as proof material in subsequent extortion communications with victims.
Step 7 - Impact: Extortion via Compromised Australian Retail Domains (T1657)
Extortion emails are sent from three compromised Australian retail domains that share a common managed infrastructure layer, signed with the alias "mr bean" and carrying a Session Messenger contact ID. Victim data was posted to an Icarus dark web leak site. (Sender domains were identified by Huntress in their first-party disclosure; see the IOC table.)
Impact Assessment
- CRM Data Exposure - Contacts, deal records, pricing, quote data, sales communications, and competitive intelligence exfiltrated from affected Salesforce orgs.
- Active Extortion - Multiple organizations received demands. Icarus dark web leak site showed at least one victim delisted at time of writing, suggesting negotiations were in progress.
- Platform-Wide Response - Salesforce disabled the Klue Battlecards integration platform-wide on June 17, 2026.
- Scope Boundary - Passwords, payment cards, threat intelligence feeds, customer telemetry, and engineering systems were not targeted or exfiltrated.
2. Initial Incident
This one started with a vendor notification, which is always a slightly awkward way to find out your data has been touched. On June 17, 2026, Recorded Future published a public advisory disclosing that their Salesforce environment had been accessed without authorization - not through Recorded Future's own systems, but through Klue, a competitive intelligence platform they use as a third-party SaaS integration.
The advisory was unusually candid: Klue's integration layer had been compromised, OAuth tokens connecting customer Salesforce instances to Klue had been stolen, and an automated Python script had spent roughly 24 hours quietly querying CRM data through legitimate API channels. Recorded Future confirmed they were an incidental victim, not a targeted one. That phrase - incidental victim - is doing a lot of work here, and we'll come back to it.
The same day, Huntress published their own disclosure. They too were a Klue customer. They too had data stolen. And unlike most breach disclosures, Huntress shared the forensic artifacts they found: the exact API endpoints queried, the User-Agent string, the IP addresses, and the extortion email infrastructure. That level of transparency is rare and genuinely useful to the community, so much of the external analysis in this report draws on their work.
Note on scope: This investigation draws exclusively on public disclosures (Recorded Future, Huntress, ReliaQuest, Obsidian Security, BleepingComputer) and open-source threat intelligence enrichment. No systems were modified, disrupted, or accessed beyond standard read-only OSINT queries against public threat intelligence platforms (VirusTotal, OTX, AbuseIPDB, Shodan) and commercial OSINT enrichment services. No interaction with attacker-controlled infrastructure occurred.
3. Local Evidence
Huntress's security team identified the malicious activity by pulling Salesforce and Gong query logs after Klue notified them of the incident. What they found was textbook automated exfiltration - just not the kind that sets off most SIEM rules on day one.
The Behavioral Signature
The clearest artifact in the Salesforce API logs was the User-Agent string. Approximately 811 requests carried Python-urllib/3.12, with a handful of additional requests carrying a blank User-Agent or an anomalous string logged as "User-Agent 5238". A production vendor integration identifies itself with its own product string, and Klue's platform code would have done the same; a raw Python standard-library User-Agent on Salesforce API traffic means someone was running a script they wrote themselves.
The API Call Pattern
| Phase | Endpoint | Purpose |
|---|---|---|
| Reconnaissance | GET /services/data/v59.0/sobjects | Enumerate all available CRM object types - drawing a map before stealing |
| Exfiltration | GET /services/data/v59.0/query + QueryMore cursor | Bulk extraction of CRM records, paginated until dataset exhausted |
At peak, one victim saw approximately 1,000 API queries in a 15-minute window. Other victims showed more patient behavior: slow, steady extraction over 6-hour windows. The variation suggests the attacker was adjusting speed per target, had multiple operators running sessions simultaneously, or was simply paced by differing dataset sizes and per-org API limits.
What Was Taken
Across confirmed victims: CRM contact records, sales communications, pricing and quote data, competitive intelligence reports, account records, and deal information. What was explicitly not taken: passwords, payment card data, threat intelligence feeds, customer telemetry, or engineering systems. The attacker wanted CRM data - exactly the kind of material that creates leverage in an extortion scenario.
4. OSINT & Infrastructure Investigation
4.1 Attacker IP Enrichment
Four IP addresses were cited across vendor reports. We ran all four through full dossiers covering AbuseIPDB, VirusTotal, OTX, GreyNoise, ThreatFox, and Shodan. Two came back with direct, named confirmation. Two did not meet the confirmation threshold and were excluded from this report.
| IP Address | ASN / Provider | Country | OTX Pulse | Confidence |
|---|---|---|---|---|
| 212.86.125[.]24 | AS57960 - Virtual Systems LLC (VSYS) | Ukraine | Named Klue pulse | High |
| 94.154.32[.]160 | Stellar Group / SKAYVIN-BROADBAND-UA | France / Ukraine | Named Klue pulse | High |
The OTX pulse confirming both IPs is titled "Klue Integration Abused in Salesforce Data Theft | Threat Spotlight" - the ReliaQuest report by name. Published June 18–19, it represents community confirmation.
Infrastructure profile: All confirmed IPs are cheap VPS nodes routing through Ukrainian budget VPS providers. None had prior AbuseIPDB reports. None appeared in GreyNoise's mass-scanning datasets. This is purpose-built, freshly provisioned attack infrastructure with zero historical fingerprint.
4.2 The Australian Extortion Domains
The connection between these domains and the Klue incident comes directly from Huntress's own first-party forensic disclosure. As a confirmed Klue victim, Huntress published the sender domains of the extortion emails they received after their Salesforce data was stolen. We did not independently discover this link — Huntress established it and we enriched it. The specific domain names are listed in the IOC table (Section 5), sourced to Huntress.
These are not Icarus-controlled infrastructure. They are compromised legitimate Australian retail businesses whose email sending capability was hijacked to make extortion emails pass spam filters and appear credible. Our OSINT work on these domains began after Huntress identified them as the extortion delivery mechanism.
We ran full OSINT dossiers on all three. The most significant finding wasn't the malware history — it was what the three domains have in common with each other.
Shared Infrastructure - Single Corporate Group
| Infrastructure Layer | Domain A | Domain B | Domain C | Match |
|---|---|---|---|---|
| Nameserver Provider | onlydomains.com | onlydomains.com | onlydomains.com | Identical |
| MX Records | *.mail.protection.outlook.com | *.mail.protection.outlook.com | *.mail.protection.outlook.com | Identical |
| Email Marketing | Emarsys (217.175.192.19 / 185.4.123.101) | Emarsys (same IPs) | Emarsys (same IPs) | Identical |
| SPF Shared Sender | spfa.cpmails.com | spfa.cpmails.com | spfa.cpmails.com | Identical |
All three domains belong to what appears to be the same Australian retail corporate group or share a common managed service provider. The implication: Icarus likely needed to compromise one shared service - the cpmails.com bulk sending account or the Emarsys platform - to obtain sending capability across all three domains simultaneously.
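To make the pivot in the table above reproducible, here is an added example (not part of the original report and not CRIMSON7 tooling) that takes per-domain NS, MX and TXT answers and computes which infrastructure layers every domain has in common, then pivots the other way to ask which domains authorise a given SPF sender. The three domain names and all DNS values in the sample are constructed placeholders, not the real records of the AU domains; the IPs are RFC 5737 documentation addresses. In practice the dictionary would be filled from dig or passive DNS output.

```python
"""Shared-infrastructure pivot: which NS, MX and SPF authorities do a set of
domains have in common?  A layer shared by every domain is a single service
whose compromise hands an attacker sending capability on all of them.

All DNS answers below are constructed sample data for hypothetical domains.
"""

# Constructed sample: three hypothetical retail domains on one managed stack.
SAMPLE_RECORDS = {
    "retail-a.example": {
        "ns": ["ns1.onlydomains.com", "ns2.onlydomains.com"],
        "mx": ["retail-a-example.mail.protection.outlook.com"],
        "txt": ["v=spf1 include:spf.protection.outlook.com include:spfa.cpmails.com "
                "ip4:203.0.113.19 ip4:203.0.113.101 -all"],
    },
    "retail-b.example": {
        "ns": ["ns1.onlydomains.com", "ns2.onlydomains.com"],
        "mx": ["retail-b-example.mail.protection.outlook.com"],
        "txt": ["google-site-verification=constructed",
                "v=spf1 ip4:203.0.113.19 ip4:203.0.113.101 include:spfa.cpmails.com "
                "include:spf.protection.outlook.com ~all"],
    },
    "retail-c.example": {
        "ns": ["ns3.onlydomains.com", "ns4.onlydomains.com"],
        "mx": ["retail-c-example.mail.protection.outlook.com"],
        "txt": ["v=spf1 include:spf.protection.outlook.com include:spfa.cpmails.com "
                "include:_spf.shopfront.example ip4:203.0.113.19 ip4:203.0.113.101 -all"],
    },
}

LAYERS = ("ns_provider", "mx_provider", "spf_authority")


def apex_provider(hostname):
    """Collapse a hostname to its last two labels (ns1.onlydomains.com -> onlydomains.com).
    Good enough to pivot on provider; use a public-suffix library for ccTLDs like .com.au."""
    labels = hostname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def parse_spf(txt_records):
    """Return the third parties a domain's SPF record authorises to send as it:
    ("include", domain) for include:/redirect= terms, ("ip", cidr) for ip4:/ip6:.
    Only the first v=spf1 record is used (more than one is a syntax error per RFC 7208)."""
    spf = next((r for r in txt_records if r.lower().startswith("v=spf1")), None)
    if spf is None:
        return set()
    authorities = set()
    for term in spf.split()[1:]:
        term = term.lstrip("+-~?")          # drop the qualifier, keep the mechanism
        if term.startswith("include:"):
            authorities.add(("include", term[len("include:"):].lower()))
        elif term.startswith("redirect="):
            authorities.add(("include", term[len("redirect="):].lower()))
        elif term.startswith(("ip4:", "ip6:")):
            authorities.add(("ip", term.split(":", 1)[1]))
    return authorities


def infrastructure_layers(records):
    """Per-domain fingerprint for each infrastructure layer."""
    return {
        domain: {
            "ns_provider": {apex_provider(h) for h in rr.get("ns", [])},
            "mx_provider": {apex_provider(h) for h in rr.get("mx", [])},
            "spf_authority": parse_spf(rr.get("txt", [])),
        }
        for domain, rr in records.items()
    }


def shared_across_all(records):
    """Values present in every domain, per layer: the candidate single points of compromise."""
    layers = infrastructure_layers(records)
    return {
        layer: set.intersection(*(layers[d][layer] for d in records)) if records else set()
        for layer in LAYERS
    }


def domains_granting(records, authority):
    """Pivot the other way: which domains authorise a given SPF sender?"""
    return sorted(d for d, rr in records.items() if authority in parse_spf(rr.get("txt", [])))


if __name__ == "__main__":
    for layer, values in shared_across_all(SAMPLE_RECORDS).items():
        print(f"{layer:14s} shared by all: {sorted(values)}")
    print("grants spfa.cpmails.com:", domains_granting(SAMPLE_RECORDS, ("include", "spfa.cpmails.com")))
```

The SPF parse is the part worth keeping: a shared include: is an authorisation that a third party may send as the domain, so a single compromised account at that sender covers every domain in the list, exactly the blast radius the table above implies.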
4.3 Credential Exposure Correlation
Open-source intelligence enrichment identified that an administrator of one of the three compromised domains had a machine captured by an infostealer at some point prior to this investigation. A Magento backend admin session was present in the credential data. The session key is long expired, but the capture confirms at least one administrator had a compromised machine. Whether that is the vector Icarus used to access the email sending credentials for this domain is unconfirmed — but it is the most plausible hypothesis.
4.4 Prior Malware History
OSINT enrichment on one of the three domains returned a Nymalm Trojan association from 2023. This is a separate, older compromise — not directly linked to the Icarus campaign — but it indicates this infrastructure has been under adversary attention for some time. The 2023 association predates Icarus's April 2026 establishment, so there is no operational connection. It is additional context that these are not pristine domains.
4.5 A Domain We Excluded - And Why It Matters
During infrastructure pivoting on 212.86.125.24, Shodan passive DNS returned a co-hosted hostname: attilexag.com. Active mail/SMTP services, February 2026 registration, on the same VPS as a confirmed Icarus IP - it looked interesting.
Then we checked the timestamps. RDAP records show the domain was suspended April 30, 2026 - six weeks before the Klue attack on June 11. The SMTP last-seen epoch (~Feb 12, 2026) aligns with the registration date, meaning the domain was active only briefly after registration and then went dark before the attack started. This is a co-location artifact from a previous VPS tenant, nothing more.
IOC discipline note: We are documenting this exclusion because "looked interesting but was actually noise" is worth capturing. Adding a domain to a threat report because it co-hosted on the same cheap VPS is how false positives propagate through the community and end up in production blocklists for years. Co-location on shared infrastructure is not attribution.
5. Indicators of Compromise
Network Indicators - Confirmed
| Indicator | Type | Context | Confidence |
|---|---|---|---|
| 212.86.125[.]24 | IP | Attacker Salesforce API query infrastructure. Ukraine, AS57960 Virtual Systems LLC. OTX-confirmed Klue campaign pulse. | High |
| 94.154.32[.]160 | IP | Attacker Salesforce API query infrastructure. France/UA, Stellar Group / SKAYVIN-BROADBAND-UA. OTX-confirmed Klue campaign pulse. | High |
| gofile[.]io | Service / Domain | Legitimate public file-sharing service used as dead-drop for stolen CRM data samples in extortion communications. | High |
| house[.]com[.]au | Domain (Victim / Weaponized) | Compromised AU retail domain used to deliver extortion emails. Not Icarus-controlled. Nymalm Trojan association in OSINT data (2023). | High |
| robinskitchen[.]com[.]au | Domain (Victim / Weaponized) | Compromised AU retail domain used to deliver extortion emails. Shares Emarsys, cpmails.com SPF, onlydomains.com NS with the other two AU domains. | High |
| baccarat[.]com[.]au | Domain (Victim / Weaponized) | Compromised AU retail domain used to deliver extortion emails. Magento admin session URL identified in open-source credential exposure data. | High |
| e6ujsppajgb756x7x5ykdryvlcjynltb52eiwi6pd4bfwo6hddd6neid[.]onion | Onion / Dark Web Infrastructure | Icarus group dark web leak site (DLS). Active as of June 19, 2026. Klue.com victim listing confirmed present. Source: ransomware.live, corroborated by Telegram breach monitoring. | High |
Behavioral Indicators
| Indicator | Type | Context | Confidence |
|---|---|---|---|
| Python-urllib/3.12 | User-Agent | Used in 811 confirmed malicious Salesforce API requests (Huntress first-party). Also seen as blank UA and "User-Agent 5238". Anomalous for any legitimate SaaS integration. | High |
| GET /services/data/v59.0/sobjects | API Endpoint | Salesforce REST API object catalog enumeration. Reconnaissance phase. | High |
| GET /services/data/v59.0/query | API Endpoint | Salesforce REST API bulk query with QueryMore cursor (nextRecordsUrl pagination). Exfiltration phase. | High |
Explicitly Excluded
| Indicator | Reason |
|---|---|
| attilexag[.]com | Co-hosted on confirmed Klue IP (212.86.125.24) in Shodan passive DNS, but domain was suspended April 30, 2026 - six weeks before the June 11 attack. Dead prior tenant on a shared VPS. Not related to the Icarus campaign. |
6. MITRE ATT&CK Mapping
All techniques were directly evidenced in public disclosures from first-party victims. No speculative additions.
| Tactic | Technique | ID | Evidence |
|---|---|---|---|
| Initial Access | Trusted Relationship | T1199 | Klue's integration layer used as entry point. Dormant service account from abandoned prototype integration was the root credential. |
| Defense Evasion | Use Alternate Auth Material: Application Access Token | T1550.001 | Stolen OAuth tokens used for Salesforce access. Bypasses MFA and login alerting entirely. |
| Discovery | Account Discovery | T1087 | /services/data/v59.0/sobjects enumeration of CRM object catalog. |
| Discovery | Cloud Infrastructure Discovery | T1580 | Systematic mapping of accessible Salesforce data structures per victim. |
| Collection | Data from CRM Software | T1213.003 | Bulk extraction of CRM records: contacts, accounts, deals, pricing, competitive intel, sales communications. |
| Collection | Remote Data Staging | T1074.002 | Records paginated via QueryMore cursor and staged in bulk. |
| Exfiltration | Automated Exfiltration | T1020 | Python scripts ran automated, high-volume queries (~1,000 calls in 15 min peak; sustained 6-hour sessions across other victims). |
| Exfiltration | Exfiltration Over Web Service | T1567 | Stolen data staged on gofile.io as extortion proof material. |
| Impact | Financial Extortion | T1657 | Extortion demands via email (signed "mr bean") and Session Messenger. Victims posted to Icarus dark web leak site. |
7. Incident Timeline
| Date | Event |
|---|---|
| April 2026 | Icarus extortion group established. Dark web leak site launched. |
| 2026-06-11 | Icarus uses dormant Klue service account to push malicious code update to integration layer. OAuth tokens harvested. Automated Salesforce exfiltration begins across multiple victim organizations. |
| 2026-06-11 - 2026-06-12 | ~24-hour sustained exfiltration window. Peak: ~1,000 queries in 15 minutes at one victim. Other victims show slower 6-hour extraction patterns. |
| 2026-06-12 (morning) | Klue detects anomalous activity. Containment initiated. Affected OAuth tokens revoked. |
| 2026-06-17 | Recorded Future publishes advisory. Salesforce disables Klue Battlecards integration platform-wide. Extortion emails begin arriving at victim organizations. |
| 2026-06-17 - 2026-06-18 | Huntress publishes first-party forensic disclosure. ReliaQuest, Obsidian Security, BleepingComputer publish technical analyses. |
| 2026-06-18 - 2026-06-19 | OTX pulses created for confirmed IPs. CRIMSON7 enrichment and infrastructure investigation conducted, including AU domain OSINT, credential exposure correlation, and attilexag.com timestamp debunk. |
| 2026-06-19 | Icarus publishes Klue.com victim listing on dark web leak site. Ransom note explicitly states that partner companies' Salesforce instances were also exfiltrated, confirming the supply chain blast radius. |
| 2026-06-20 | Icarus posts "DEADLINE-MONDAY" update targeting klue.com - payment deadline set for approximately June 23, 2026. thecreditpros.com confirmed as downstream supply chain victim: 263MB of Salesforce data including 847,990 contact records with SSNs and 722,403 credit card records published to the DLS on June 16. |
8. Key Takeaways
1. Abandoned credentials are active attack surface. The root cause here wasn't a zero-day or a novel technique - it was a service account that was never deleted. A Klue engineer created it to test a prototype integration that was never deployed. The account sat there, quietly, for an indeterminate period, until Icarus found it. Credential lifecycle management is not a glamorous control to champion in a board meeting, but this incident illustrates exactly what happens when it fails. Audit your integration accounts. Define an expiration policy. Expire the ones that aren't in use. Automate it if you can.
2. OAuth tokens need to be treated like session tokens, not like passwords.
Most organizations have employee offboarding processes that revoke passwords. Very few have equivalent processes for OAuth grants. A grant issued to a third-party integration persists until explicitly revoked: its refresh token keeps minting fresh access tokens, it survives password resets, it never triggers an MFA prompt, and its API activity looks exactly like the integration it belongs to. If your SaaS estate is extensive (and it almost certainly is), you likely have OAuth grants you do not remember issuing. Connected Apps OAuth Usage in Salesforce Setup lists every connected app with active tokens and lets you block one org-wide. Go look at it.
3. Salesforce API logs are detection gold you are probably not mining.
The attack generated a clear behavioral signature: a Python-urllib/3.12 User-Agent, high-volume /query endpoint calls, and off-hours service account activity against /sobjects. All of that is visible in Salesforce Event Monitoring logs (note that the API event log types require the Shield / Event Monitoring add-on; without it the platform exposes only a small subset of event types with short retention). The question is whether those logs are flowing into your SIEM and whether you have detections built for them. The behavioral indicators in Section 5 are a starting point.
4. Shared infrastructure amplifies blast radius.
The three Australian extortion domains share nameservers, MX records, email marketing infrastructure (Emarsys), and SPF sending domain (cpmails.com). A single compromise of that shared layer likely gave Icarus email sending capability across all three simultaneously. Organizations that share IT infrastructure with partner entities or managed service providers should understand that a compromise of shared services can have blast radius extending well beyond their own perimeter.
5. CRM data is extortion-ready data - treat it accordingly. The Icarus operation was not interested in threat intelligence feeds, engineering systems, or payment data. It was interested in CRM records: contacts, deals, pricing, competitive intel. This is precisely the kind of material that creates leverage in an extortion scenario - it is specific to the victim, embarrassing to have exposed to competitors, and hard to claim "nobody was harmed." If your Salesforce instance holds commercially sensitive information (and it almost certainly does), apply the same security posture to CRM access that you would apply to your source code or financial data.
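As an added example for the detection logic that takeaway 3 and the behavioral signature in Section 3 describe (not code from the original report, from Huntress, or from CRIMSON7), the following Python runs the three behavioral signals over constructed log rows shaped like a Salesforce Event Monitoring RestApi export: a self-identifying vendor integration, a browser user, and a scripted session that enumerates /sobjects and then paginates /query with a Python-urllib User-Agent. The column names, the VendorIntegration/4.2 User-Agent, the user IDs and the burst threshold are assumptions to adapt to your own export; the IPs are RFC 5737 documentation addresses.

```python
"""Detection logic for the Salesforce API pattern described in this report,
run over constructed rows shaped like an Event Monitoring RestApi export.

Signals per (user, client IP) session:
  tooling_ua       User-Agent is blank, a raw HTTP library (Python-urllib/...),
                   or carries no product/version token at all
  recon_then_pull  /services/data/vNN.N/sobjects enumeration followed by /query
  query_burst      >= BURST_THRESHOLD query or pagination calls in any 15-minute window
Column names, user IDs and the vendor UA are assumptions; all rows are constructed.
"""
import csv
import io
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=15)
BURST_THRESHOLD = 200            # tune per org; the reported peak was ~1,000 in 15 minutes
LIBRARY_UA = re.compile(r"^(python-urllib|python-requests|curl|go-http-client|okhttp)/", re.I)
SOBJECTS = re.compile(r"^/services/data/v\d+\.\d+/sobjects/?$")
QUERY = re.compile(r"^/services/data/v\d+\.\d+/query/?$")
QUERY_PAGE = re.compile(r"^/services/data/v\d+\.\d+/query/[A-Za-z0-9]+-\d+$")  # nextRecordsUrl form


def ua_is_tooling(user_agent):
    """Blank, raw-library, or malformed UAs (no product/version token) are all suspicious."""
    ua = (user_agent or "").strip()
    return ua == "" or bool(LIBRARY_UA.match(ua)) or "/" not in ua


def classify_uri(uri):
    """recon = object catalog enumeration, pull = query or query-locator continuation."""
    path = uri.split("?", 1)[0]
    if SOBJECTS.match(path):
        return "recon"
    if QUERY.match(path) or QUERY_PAGE.match(path):
        return "pull"
    return "other"


def parse_rows(csv_text):
    """Parse a CSV export with TIMESTAMP,USER_ID,CLIENT_IP,URI,USER_AGENT columns
    (assumed names; map them to the headers of your own export)."""
    return [{"ts": datetime.strptime(r["TIMESTAMP"], "%Y-%m-%dT%H:%M:%SZ"),
             "user": r["USER_ID"], "ip": r["CLIENT_IP"], "uri": r["URI"], "ua": r["USER_AGENT"]}
            for r in csv.DictReader(io.StringIO(csv_text))]


def detect(rows, burst_threshold=BURST_THRESHOLD):
    """Score each (user, ip) session; a stolen token reuses the integration's own
    USER_ID, so the source IP is what separates the script from the real integration."""
    sessions = defaultdict(list)
    for r in rows:
        sessions[(r["user"], r["ip"])].append(r)
    findings = []
    for (user, ip), events in sessions.items():
        events.sort(key=lambda e: e["ts"])
        signals, recon_seen, window, peak = set(), False, deque(), 0
        for e in events:
            if ua_is_tooling(e["ua"]):
                signals.add("tooling_ua")
            kind = classify_uri(e["uri"])
            if kind == "recon":
                recon_seen = True
            elif kind == "pull":
                if recon_seen:
                    signals.add("recon_then_pull")
                window.append(e["ts"])                      # sliding 15-minute window of pulls
                while e["ts"] - window[0] > WINDOW:
                    window.popleft()
                peak = max(peak, len(window))
        if peak >= burst_threshold:
            signals.add("query_burst")
        if signals:
            findings.append({"user": user, "ip": ip, "signals": sorted(signals),
                             "peak_pulls_per_window": peak, "score": len(signals)})
    return sorted(findings, key=lambda f: -f["score"])


def build_sample_rows():
    """Constructed sample: a vendor integration, a browser user, and a scripted session."""
    t0 = datetime(2026, 6, 11, 2, 0, 0)
    rows = [{"ts": t0 + timedelta(minutes=3 * i), "user": "005INTEG", "ip": "198.51.100.7",
             "uri": "/services/data/v59.0/query?q=SELECT+Id+FROM+Account", "ua": "VendorIntegration/4.2"}
            for i in range(20)]                              # ~20 queries across an hour
    rows.append({"ts": t0, "user": "005HUMAN", "ip": "192.0.2.44",
                 "uri": "/services/data/v59.0/sobjects/Account/001x", "ua": "Mozilla/5.0 (X11; Linux x86_64) Chrome/126.0"})
    rows.append({"ts": t0, "user": "005INTEG", "ip": "203.0.113.10",      # same user as the integration, new IP
                 "uri": "/services/data/v59.0/sobjects", "ua": "Python-urllib/3.12"})
    for i in range(300):                                     # catalog enumeration, then 300 paginated pulls in 10 minutes
        uri = ("/services/data/v59.0/query?q=SELECT+Id,Name,Email+FROM+Contact" if i == 0
               else f"/services/data/v59.0/query/01gAAAAAAAAAAAA-{2000 * i}")
        rows.append({"ts": t0 + timedelta(seconds=2 * i), "user": "005INTEG", "ip": "203.0.113.10",
                     "uri": uri, "ua": "Python-urllib/3.12" if i % 50 else ""})
    return rows


if __name__ == "__main__":
    for finding in detect(build_sample_rows()):
        print(finding)
```

Sessions are keyed on (user, client IP) rather than user alone: the stolen token belongs to the integration's own Salesforce user, so the scripted session shares a USER_ID with the legitimate integration and is separable only by source IP, User-Agent and behavior. The burst threshold is deliberately below the reported peak so the slower 6-hour victims are not the only thing it misses; lower it further, or add an off-hours condition, once you know your integration's normal cadence.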
9. Attribution & Threat Actor Context
Threat Actor: Icarus
Established: April 2026
Primary motive: Financial extortion. No evidence of espionage objectives.
Communication: Session Messenger alias "mr bean" used for victim negotiations.
Infrastructure: Fresh-provisioned cheap VPS nodes (VSYS/Virtual Systems LLC, Sollutium). No reuse of historically flagged infrastructure. Purpose-built per campaign.
Dark web presence: Active leak site at e6ujsppajgb756x7x5ykdryvlcjynltb52eiwi6pd4bfwo6hddd6neid.onion. Three confirmed victim listings: Cazh.id (May 5, 2026 - unrelated to Klue), thecreditpros.com (June 16, 2026 - confirmed Klue downstream victim), and Klue.com (June 19, 2026). On June 20, Icarus posted a "DEADLINE-MONDAY" notice setting a payment deadline of approximately June 23, 2026. thecreditpros.com is a confirmed downstream supply chain victim - their Salesforce instance was accessed via the Klue integration, not through a separate intrusion.
Attribution confidence: High that Icarus is responsible for this campaign. OTX community confirmation, first-party victim disclosures, and consistent alias/TTP pattern across reports.
Dark Web Leak Site - Screenshots
(Leak site screenshots are not reproduced in this text version; the listings they show are described under Dark web presence above.)
Relationship to prior Salesforce OAuth actors: The attack pattern is thematically similar to UNC6040/ShinyHunters (June 2025) and UNC6395 (August 2025), both of which exploited the Salesforce OAuth integration ecosystem. However, tooling, initial access vector, and communication infrastructure differ. Thematic similarity is not attribution. Icarus is treated as a distinct actor at current confidence level.
10. References & Sources
Primary Sources
- Recorded Future - Klue Security Incident Disclosure (June 17, 2026). First public advisory by an affected Klue customer.
- Huntress - First-party forensic disclosure. Primary source for User-Agent strings, API endpoints, attacker IPs, and extortion domain identification (June 17–18, 2026).
- ReliaQuest - Threat Spotlight: Klue Integration Abused in Salesforce Data Theft (June 18, 2026). Source for OTX pulse naming and additional IP confirmation.
- Obsidian Security - Klue campaign analysis. Additional technical analysis of the OAuth token abuse pattern.
- BleepingComputer - Icarus / Klue incident coverage. Community-facing aggregation of vendor disclosures.
Enrichment Sources
- AlienVault OTX - IP and domain pulse verification
- VirusTotal - Multi-engine IP/domain reputation
- AbuseIPDB - Historical IP abuse reports
- Shodan - Passive DNS, co-hosting analysis, service enumeration
- GreyNoise - Mass-scanner and noise classification
- ThreatFox - Malware IOC correlation
- Commercial OSINT enrichment platform - Credential exposure analysis (compromised admin session and malware history on two of the three AU extortion domains)
Related MITRE ATT&CK Techniques
T1199 T1550.001 T1087 T1580 T1213.003 T1074.002 T1020 T1567 T1657
All external threat actor infrastructure observed in this investigation was enriched via passive open-source intelligence only. No interaction with attacker-controlled systems occurred beyond standard threat intelligence API queries. No systems were modified, disrupted, or accessed beyond read-only enrichment.
CRIMSON7 Security Operations - https://crimson7.io