Executive Summary
On 19 June 2026, the threat group Icarus claimed to have compromised and exfiltrated data from customers of Klue, specifically the Salesforce integration of the market intelligence platform. Salesforce has since disabled Klue integrations.
Compromised Data Scope
The impacted data may consist of business names, products trialed/used, subscription details (units, pricing), business contact info (full names, work emails, job title, phone number, and business addresses), marketing/sales communications, and opportunity notes (free-form fields where teammates capture and track thoughts and next steps).
Key Takeaways
- Based on matching data points, there is high confidence that the Icarus actor is responsible for the Klue compromise and this supply chain attack.
- Security vendors including Recorded Future, Tanium, and Jamf have released statements on impact to their data. More statements are expected as others verify which data may have been touched or taken by the attackers.
- The Icarus actor states on their website that they have been active since April 28, 2026, and currently lists two previous victims.
Attack Timeline
- 11 June: The Klue compromise began when anomalous behavior took place in a system connecting various integrations. Attackers pushed a code update capable of collecting OAuth tokens Klue customers use to connect Klue to their own systems.
- 12 June: Klue became aware of the anomalous behavior and noted unusual network connections to IP addresses the threat actor was using to remotely connect to the Klue backend servers and execute commands.
- 13 June: Klue staff disabled the remote access, removed the token-theft code from their servers, and issued a general alert to customers that did not indicate which customers were impacted.
- 16 June: Emails began to appear in the inboxes of some targeted companies’ staff with the subject line “top secret email” and a warning: “Your data has been downloaded…You have 48 hours to communicate with us.”
- 19 June: Icarus listed Klue as one of their casualties on their leak site.
TTPs (MITRE ATT&CK)
- T1195 – Supply Chain Compromise: The threat actor leveraged a long-disused but still active credential originally created by Klue for a third-party integration prototype, then pivoted into Klue’s infrastructure to steal OAuth tokens and query customers’ CRM tools directly.
- T1528 – Steal Application Access Token: The attackers pushed a code update capable of collecting OAuth tokens Klue’s customers use to connect Klue to their own systems.
- T1078 – Valid Accounts: Huntress understands the threat actor leveraged a long-disused but still active credential to conduct the initial compromise.
- T1530 – Data from Cloud Storage: Some of the affected companies report that data associated with Salesforce and Gong was successfully exfiltrated. Huntress’ integration with Klue involved Salesforce and Gong data.
- T1657 – Financial Threats / Extortion: The actor advised Klue to contact them for “a swift resolution,” and separately advised affected companies to contact them via Session to protect their data.
- T1071 – Application Layer Protocol: Most malicious requests to Salesforce targeted /services/data/v59.0/query/<STRING> with a User-Agent of 5238 or blank, with some Python-based User-Agent strings used in nearly 900 queries.
Indicators of Compromise (IOCs)
Klue’s notification includes a non-exhaustive list of IP addresses from which the threat actor accessed sensitive information. The IPs belong to ISPs based in the Netherlands, France, and Ukraine:
- 138[.]226[.]246[.]94
- 212[.]86[.]125[.]24
- 213[.]111[.]148[.]90
- 94[.]154[.]32[.]160
Note: the 138[.]226[.]246[.]94 address is connected to spam campaigns from March 2026.
Extortion emails originated from domains belonging to subsidiaries of “Global Retail Brands,” an Australian retailer. Huntress believes the adversary leveraged the retailer’s mail server as compromised infrastructure:
- house[.]com[.]au
- robinskitchen[.]com[.]au
- baccarat[.]com[.]au
The threat actor has historically provided samples of exfiltrated data on the dead-drop site gofile[.]io.
Mitigation Options
- Review logs for known IOCs: Review the IOCs provided by Klue and cross-reference log data from Salesforce, Klue, and other potentially affected OAuth applications configured through Klue.
- Request missing logs from vendors: Some services may not have API/access logs readily available. Contact vendors to request missing logs, clarifying they are part of an active security investigation. Response times will vary depending on vendor SLAs.
- Revoke sessions for affected services: As this scenario was predicated on harvested credentials, revoking service integrations may be insufficient for remediation. Consider revoking all active sessions for known-affected services to invalidate any potentially compromised sessions.
- Review email inboxes and spam folders: The threat actor’s emails may have been delivered to Spam folders. Inboxes should be reviewed for communications related to the IOC domains or similar phrasing. If identified, retain them for forensic purposes.
- Engage cyber insurance provider: If cyber defenders find evidence of improper data exfiltration, engage the cyber insurance provider to assist with investigation, remediation, and after-action items. These may vary significantly based on the scope of impact.
- Audit dormant credentials: The threat actor leveraged a long-disused but still active credential that was originally created by Klue for a third-party integration prototype they later abandoned. Audit and deactivate all dormant OAuth and third-party integration credentials.
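The following script is an added example (not Huntress or Klue code) that applies two of the points above to log data: the T1071 pattern of requests to /services/data/v59.0/query/ with a User-Agent of 5238, blank, or Python-based, and the "Review logs for known IOCs" step of cross-referencing the Klue-supplied IP addresses and the extortion sender domains. The log format is a simplified CSV constructed for this example; it is not the Salesforce EventLogFile schema, so map the column names to whatever your own export uses. The IOC values are taken from this advisory; the sample log lines and email address are constructed.

```python
import csv
import io
import re
from collections import Counter

# IOC IP addresses from Klue's notification (defanged on the page; refanged here for matching).
IOC_IPS = {
    ip.replace("[.]", ".")
    for ip in ("138[.]226[.]246[.]94", "212[.]86[.]125[.]24",
               "213[.]111[.]148[.]90", "94[.]154[.]32[.]160")
}

# Sender domains observed in the extortion emails (compromised retailer mail infrastructure).
EXTORTION_DOMAINS = {
    d.replace("[.]", ".")
    for d in ("house[.]com[.]au", "robinskitchen[.]com[.]au", "baccarat[.]com[.]au")
}

# Request path most of the malicious Salesforce queries targeted.
QUERY_PATH = re.compile(r"^/services/data/v59\.0/query/")
PYTHON_UA = re.compile(r"python", re.IGNORECASE)

# Constructed sample log (simplified CSV; not a real Salesforce export).
SAMPLE_LOG = """timestamp,source_ip,user_agent,uri,status
2026-06-11T02:14:07Z,138.226.246.94,5238,/services/data/v59.0/query/01gEXAMPLE1,200
2026-06-11T02:15:10Z,212.86.125.24,,/services/data/v59.0/query/01gEXAMPLE2,200
2026-06-11T03:00:00Z,203.0.113.45,python-requests/2.31,/services/data/v59.0/query/01gEXAMPLE3,200
2026-06-11T09:30:00Z,198.51.100.7,Mozilla/5.0 (X11; Linux x86_64),/services/data/v59.0/sobjects/Account,200
2026-06-12T10:00:00Z,94.154.32.160,5238,/services/oauth2/token,200
"""


def parse_log(text):
    """Parse the CSV log into a list of dict records."""
    return list(csv.DictReader(io.StringIO(text)))


def flag_request(rec):
    """Return the list of reasons a single request matches the advisory's indicators."""
    reasons = []
    if rec["source_ip"] in IOC_IPS:
        reasons.append("ioc_ip")
    ua = rec["user_agent"].strip()
    if QUERY_PATH.match(rec["uri"]):
        # Blank or "5238" User-Agent on the query endpoint was the dominant pattern.
        if ua in ("", "5238"):
            reasons.append("query_with_suspicious_ua")
        # A smaller set of queries used Python-based User-Agent strings.
        elif PYTHON_UA.search(ua):
            reasons.append("query_with_python_ua")
    return reasons


def scan_log(text):
    """Return every record that matched at least one indicator, with its reasons attached."""
    hits = []
    for rec in parse_log(text):
        reasons = flag_request(rec)
        if reasons:
            hits.append({**rec, "reasons": reasons})
    return hits


def summarize(hits):
    """Count how often each indicator fired across the flagged records."""
    return Counter(reason for hit in hits for reason in hit["reasons"])


def is_extortion_sender(address):
    """True if an email sender address belongs to one of the observed extortion domains."""
    domain = address.rsplit("@", 1)[-1].lower()
    return domain in EXTORTION_DOMAINS


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for hit in found:
        print(hit["timestamp"], hit["source_ip"], hit["uri"], ", ".join(hit["reasons"]))
    print(dict(summarize(found)))
    print(is_extortion_sender("alerts@house.com.au"))
```

Requests from an IOC address are flagged regardless of path, because the notification list is non-exhaustive and any contact from those addresses warrants review, while the User-Agent checks are deliberately scoped to the query endpoint so that blank or unusual agents elsewhere in the log do not drown out the pattern the actor actually used.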