Icarus
Cybercrime — data extortion · Financial — data extortion and leak-site pressure
Tactics, Techniques & Procedures (TTPs)
- Dormant/legacy service account credential abuse for initial access
- OAuth token harvesting from third-party SaaS integration infrastructure
- Salesforce REST API bulk data extraction via QueryMore cursor (24+ hour query loops)
- Automated scripting presenting a python-urllib User-Agent for CRM object enumeration
- Extortion via Session encrypted messaging application with 48-hour deadlines
- SaaS supply chain pivot: compromise one vendor to access hundreds of downstream customer environments
Known Targets
Analyst Notes
Icarus is a newly active extortion group whose first known activity dates to April 28, 2026. The Klue/Salesforce breach (June 2026) is their highest-profile operation to date.

Initial access was a dormant prototype integration credential at Klue. From there, Icarus pushed a code update to Klue's integration infrastructure that harvested the OAuth tokens connecting Klue to its customers' Salesforce environments. Those tokens allowed authenticated Salesforce REST API queries that were indistinguishable from legitimate Klue traffic, which is why standard anomaly detection keyed on the connected app did not fire.

Extraction was automated: Python scripts ran QueryMore cursor loops for more than 24 hours in some customer environments, and in at least one case issued nearly 1,000 API queries within 15 minutes. Data taken included CRM contacts, price quotes, deal pipeline data, and sales communications.

Salesforce disabled the Klue integration on June 11, 2026. Icarus listed Klue on their leak site on June 19, 2026.

The attack pattern, a SaaS supply chain pivot through harvested OAuth tokens, mirrors techniques previously seen in the Salesloft Drift and Gainsight integration compromises. Huntress assessed no current connection between Icarus and ShinyHunters or UNC6395 despite the tactical similarity.
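The extraction pattern above (QueryMore cursor loops, a python-urllib User-Agent, and bursts approaching 1,000 queries in 15 minutes) is visible in API event logs even when every request carries a legitimate integration's token, because the tell is the per-identity rate and cursor behaviour rather than the connected app. The following is an added detection example, not tooling from Huntress, Klue or Salesforce. It runs over a constructed sample log with an assumed pipe-delimited schema (timestamp, user id, connected app, user agent, request URI); the user ids, the connected-app name "Hypothetical CRM Integration", and the thresholds are assumptions for illustration.

```python
"""Flag Salesforce REST API usage consistent with bulk CRM extraction through a
compromised integration token: query bursts, scripted user agents, and long-running
QueryMore cursor chains. Added example; schema, names and thresholds are assumed."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Assumed pipe-delimited row layout for the constructed sample. Real Salesforce
# EventLogFile (RestApi) / ApiEvent rows use different column names; map them first.
LOG_FIELDS = ("ts", "user", "app", "ua", "uri")

# Salesforce's "query more" resource is /services/data/vNN.N/query/<queryLocator>,
# where the locator carries a -<offset> suffix (e.g. 01gXXXXXXXXXXXXXXX-2000).
QUERYMORE_URI = re.compile(r"^/services/data/v\d+\.\d+/query/([0-9A-Za-z]{15,18})-\d+$")
SCRIPTED_UA = re.compile(r"python-urllib", re.IGNORECASE)

BURST_WINDOW = timedelta(minutes=15)
BURST_THRESHOLD = 500            # tuning assumption; the Klue case saw ~1,000 in 15 min
LONG_LOOP = timedelta(hours=24)  # a cursor chain still being paged after this long is suspicious


def build_sample_log():
    """Constructed log: one interactive user plus one integration identity paging a locator."""
    t0 = datetime(2026, 6, 9, 2, 0, 0)
    lines = []
    for i in range(6):  # normal traffic: a browser user issuing a few queries over an hour
        ts = t0 + timedelta(minutes=10 * i)
        lines.append(f"{ts.isoformat()}|005AA0000001ABC|Salesforce UI|Mozilla/5.0|"
                     f"/services/data/v58.0/query?q=SELECT+Id+FROM+Contact")
    locator = "01gAA0000001XYZAAA"  # hypothetical query locator
    for i in range(600):  # integration identity: 600 QueryMore pages in 10 minutes ...
        ts = t0 + timedelta(seconds=i)
        lines.append(f"{ts.isoformat()}|005AA0000002INT|Hypothetical CRM Integration|"
                     f"Python-urllib/3.11|/services/data/v58.0/query/{locator}-{2000 * (i + 1)}")
    ts = t0 + timedelta(hours=25)  # ... and still paging the same locator a day later
    lines.append(f"{ts.isoformat()}|005AA0000002INT|Hypothetical CRM Integration|"
                 f"Python-urllib/3.11|/services/data/v58.0/query/{locator}-1202000")
    return "\n".join(lines)


def parse_log(text):
    """Parse pipe-delimited rows into dicts; malformed rows are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        parts = line.split("|")
        if len(parts) != len(LOG_FIELDS):
            continue
        ev = dict(zip(LOG_FIELDS, parts))
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def max_requests_in_window(timestamps, window=BURST_WINDOW):
    """Largest number of requests inside any sliding window of length `window`."""
    ts = sorted(timestamps)
    best, left = 0, 0
    for right in range(len(ts)):
        while ts[right] - ts[left] > window:
            left += 1
        best = max(best, right - left + 1)
    return best


def detect(events):
    """Return findings keyed per (user, connected app) identity, not per app alone."""
    findings = []
    by_identity = defaultdict(list)
    for ev in events:
        by_identity[(ev["user"], ev["app"])].append(ev)
    for (user, app), evs in by_identity.items():
        burst = max_requests_in_window([e["ts"] for e in evs])
        if burst >= BURST_THRESHOLD:
            findings.append({"rule": "api_burst", "user": user, "app": app, "count": burst})
        uas = sorted({e["ua"] for e in evs if SCRIPTED_UA.search(e["ua"])})
        if uas:
            findings.append({"rule": "scripted_user_agent", "user": user, "app": app, "user_agents": uas})
        loops = defaultdict(list)  # queryLocator -> timestamps of pages fetched under it
        for e in evs:
            m = QUERYMORE_URI.match(e["uri"])
            if m:
                loops[m.group(1)].append(e["ts"])
        for locator, stamps in loops.items():
            span = max(stamps) - min(stamps)
            if span >= LONG_LOOP:
                findings.append({"rule": "long_cursor_loop", "user": user, "app": app,
                                 "locator": locator, "pages": len(stamps),
                                 "hours": round(span.total_seconds() / 3600, 1)})
    return findings


if __name__ == "__main__":
    for finding in detect(parse_log(build_sample_log())):
        print(finding)
```

Against the constructed log this yields three findings for the integration identity (a 600-request burst, the python-urllib User-Agent, and a locator still being paged 25 hours after it was opened) and nothing for the browser user. The design point is the grouping key: an alert keyed only on the connected app would have seen "Klue traffic" and stayed quiet, whereas per-token rate and cursor lifetime expose the loop regardless of which app the token belongs to. Containment is token revocation for the affected integration, which is what Salesforce did on June 11.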
Also Known As
MITRE ATT&CK Techniques