🏴☠️ Icarus
Threat-actor battle card · maintained from public sources · last updated 2026-06-25 · tracked by some as UNC6395 (overlap disputed) · extortion alias "mr bean"/"mb"
Category: Data-theft extortion
Attribution: Financially motivated cybercrime; immature/casual leak-site branding; infrastructure spans NL/FR/UA VPS hosting (origin unattributed)
First seen: 2026-04-28
Status: Active
Rank: #6
Recent victims (last ~9d): 10
All-time victims: 12
Primary targets: SaaS supply-chain (OAuth/CRM integration providers), enterprise Salesforce environments
Overview
Icarus is a data-theft extortion group that surfaced in April 2026, claiming operational activity since April 28, 2026. It came to prominence in June 2026 as the actor behind the Klue supply-chain breach — a single compromised middleware vendor that yielded simultaneous access to the Salesforce CRM environments of hundreds of downstream enterprises. The group has no traditional encryption capability; it is purely an exfiltration-and-extortion operation with a deadline-driven leak site. Its branding is notably casual ("shawty sorry for leaking ur data. dm to resolve. <3"), and extortion emails are signed with the alias "mr bean" ("mb"). Some trackers map the activity to UNC6395 (Google GTIG's designator for the 2025 Salesloft Drift OAuth campaign), but the tooling differs (generic Python-urllib vs. the original custom fetcher), so the overlap is disputed.
Tradecraft
- Supply-chain / OAuth-token abuse (T1199 / T1195 / T1528): Initial access at Klue via a dormant-but-active legacy credential created for a prototype third-party integration and never decommissioned. Attackers pushed a malicious code update into Klue's integration infrastructure to harvest customer OAuth tokens for Salesforce, Gong and other connected platforms.
- Cloud data theft (T1078.004 → T1530): Automated Python scripts queried the Salesforce REST API (/services/data/v59.0/query/) for ~24 hours per victim, using QueryMore to page past the 2,000-record per-call limit and pull full CRM datasets.
- Infrastructure / evasion: Exfiltration routed through datacenter/VPS IPs in the Netherlands, France and Ukraine; extortion email sent through the compromised mail servers of an Australian retailer ("Global Retail Brands") to pass SPF/DMARC. Negotiation steered to Session Messenger.
- Extortion model: 48-hour deadlines, "top secret email" notices from June 16; published stolen Salesforce data on its leak site after deadlines lapsed (Huntress named among the first sets, June 22).
Notable victims
- Klue (Canadian market-intelligence / "Battlecards" SaaS) — patient zero; OAuth integration infrastructure compromised June 11-12, 2026. Source: BleepingComputer
- Downstream Salesforce victims (12+ confirmed; leak site named ~200) — LastPass, Huntress, Recorded Future, Tanium, Jamf, HackerOne, Snyk, Kudelski Security, Insurity, Gong, Sprout Social, OneTrust. Data limited to go-to-market CRM/contact records (business contacts, pricing, sales comms, opportunity notes); no password vaults or engineering data. Source: SecurityWeek
- LastPass — confirmed June 24, 2026; CRM/contact data exposed, vault data unaffected. Source: BleepingComputer
Assessment
Icarus exemplifies the SaaS supply-chain / OAuth-abuse threat model that defined the 2025-26 Salesforce data-theft wave (Salesloft Drift, Gainsight, and now Klue): a single dormant integration credential at a middleware vendor bypasses endpoint, network and MFA controls and cascades into hundreds of downstream CRM tenants at once. The group is operationally competent but not sophisticated — it relies on credential hygiene failures and OAuth-scope over-permissioning rather than novel exploits, and its tooling is commodity Python. The asymmetry is what makes it dangerous: low effort, very high blast radius, and victims who learn of the breach only when their data appears on a third party's leak site. Structural mitigation for enterprises: inventory and revoke dormant OAuth and integration credentials, scope connected-app permissions to least privilege, monitor Salesforce REST API query volume for anomalous bulk reads, and treat third-party SaaS integrations as part of the attack surface, not a trusted boundary.
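The bulk-read pattern in the Tradecraft section (one integration identity chaining QueryMore pages through /services/data/v59.0/query/) and the Assessment's recommendation to monitor Salesforce REST API query volume can be turned into a concrete detection. The following is an added example, not code from the page or from any vendor: it runs over a constructed, simplified log whose field names (ts, user, app, ip, uri, rows) stand in for Salesforce API event-log fields and must be mapped to the real schema; the thresholds are tunable assumptions, not Salesforce defaults.

```python
# Added detection example (not from the page or any vendor). Flags a single
# integration identity paging through the Salesforce REST query API with
# queryMore locators. Field names are a constructed stand-in for API event logs.
import csv, io, re
from collections import defaultdict
from datetime import datetime, timedelta
QUERY_RE = re.compile(r"^/services/data/v\d+\.\d+/query/")                      # any query call
LOCATOR_RE = re.compile(r"^/services/data/v\d+\.\d+/query/[0-9A-Za-z]+-\d+$")    # queryMore page
WINDOW = timedelta(hours=1)
MAX_ROWS = 10_000   # tunable assumption: rows returned to one (app, user, ip) per WINDOW
MAX_PAGES = 4       # tunable assumption: queryMore continuations per WINDOW

def parse(log_text):
    """Parse the constructed CSV log into dicts sorted by timestamp."""
    events = []
    for r in csv.DictReader(io.StringIO(log_text)):
        events.append({**r, "ts": datetime.fromisoformat(r["ts"]), "rows": int(r["rows"])})
    return sorted(events, key=lambda e: e["ts"])

def find_bulk_reads(events):
    """Return one alert (app, user, ip, rows, pages) per identity whose query
    traffic exceeds MAX_ROWS or MAX_PAGES inside any sliding WINDOW."""
    by_key = defaultdict(list)
    for e in events:
        if QUERY_RE.match(e["uri"]):
            by_key[(e["app"], e["user"], e["ip"])].append(e)
    alerts = []
    for key, evs in by_key.items():
        start = 0
        for end, ev in enumerate(evs):
            while ev["ts"] - evs[start]["ts"] > WINDOW:   # slide the window forward
                start += 1
            win = evs[start:end + 1]
            rows = sum(w["rows"] for w in win)
            pages = sum(1 for w in win if LOCATOR_RE.match(w["uri"]))
            if rows > MAX_ROWS or pages > MAX_PAGES:
                alerts.append((*key, rows, pages))
                break
    return alerts

# Constructed sample: one interactive user reading a page, and one integration
# identity from a hosting-provider IP chaining queryMore locators to pull 12,000 rows.
SAMPLE_LOG = "ts,user,app,ip,uri,rows\n" + \
    "2026-06-11T02:00:00,alice@example.com,Dashboard,198.51.100.7,/services/data/v59.0/query/?q=SELECT+Id+FROM+Contact,150\n" + \
    "2026-06-11T02:05:00,svc@example.com,VendorSync,203.0.113.9,/services/data/v59.0/query/?q=SELECT+Id+FROM+Contact,2000\n" + \
    "".join(f"2026-06-11T02:{6+i:02d}:00,svc@example.com,VendorSync,203.0.113.9,"
            f"/services/data/v59.0/query/01gXX-{2000*(i+1)},2000\n" for i in range(5))
if __name__ == "__main__":
    for a in find_bulk_reads(parse(SAMPLE_LOG)):
        print("ALERT bulk read:", a)
```

Keying on (app, user, ip) together is what separates a legitimate connected app with a fixed source from a harvested token replayed from new hosting-provider addresses.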
🗂️ Attacks & victims
All disclosed victims attributed to this actor, newest first.
June 2026
- Jun 24 · LastPass · Extortion · password management · US · 🟩 Corroborated · 🏴☠️ Financially motivated cybercrime; immature/casual leak-site branding; infrastructure spans NL/FR/UA VPS hosting (origin unattributed) · #6 active · 12 total · disclosed 1d ago · go-to-market team CRM/contact data in Salesforce exposed via Klue OAuth tokens (customer names, phone, email, postal address, support-case and sales records); LastPass notified June 12, revoked Klue access, rotated API tokens, notified law enforcement; vault/credential data not affected · Sources: BleepingComputer · CyberInsider
- Jun 23 · OneTrust · Extortion · governance risk and compliance software · US · 🟩 Corroborated · disclosed 2d ago · Salesforce CRM data · Sources: SecurityWeek
- Jun 22 · Klue · Extortion · market intelligence · Canada · 🟩 Corroborated · disclosed 3d ago · OAuth integration credential compromised June 11-12; malicious code pushed to harvest customer OAuth tokens; Salesforce integrations revoked June 12; CrowdStrike engaged for IR · Sources: SecurityWeek · BleepingComputer
- Jun 22 · Huntress · Extortion · cybersecurity · US · 🟩 Corroborated · disclosed 3d ago · Salesforce CRM data exfiltrated (business contacts, pricing, sales comms, opportunity notes); no threat data/passwords/engineering data affected · Sources: Huntress · SecurityWeek
- Jun 22 · Recorded Future · Extortion · cybersecurity · US · 🟩 Corroborated · disclosed 3d ago · client contact names, email addresses, potential contract info · Sources: SecurityWeek
- Jun 22 · Tanium · Extortion · cybersecurity · US · 🟩 Corroborated · disclosed 3d ago · Salesforce CRM data · Sources: BleepingComputer
- Jun 22 · Jamf · Extortion · IT management · US · 🟩 Corroborated · disclosed 3d ago · Salesforce CRM data · Sources: BleepingComputer
- Jun 22 · HackerOne · Extortion · cybersecurity · US · 🟩 Corroborated · disclosed 3d ago · Salesforce CRM data · Sources: BleepingComputer
- Jun 22 · Snyk · Extortion · cybersecurity · US · 🟩 Corroborated · disclosed 3d ago · Salesforce CRM data · Sources: BleepingComputer
- Jun 22 · Kudelski Security · Extortion · cybersecurity · Switzerland · 🟩 Corroborated · disclosed 3d ago · Salesforce CRM data · Sources: BleepingComputer
- Jun 22 · Insurity · Extortion · insurance software · US · 🟩 Corroborated · disclosed 3d ago · Salesforce CRM data · Sources: BleepingComputer
- Jun 22 · Gong · Extortion · sales intelligence · US · 🟩 Corroborated · disclosed 3d ago · Salesforce CRM data · Sources: BleepingComputer
- Jun 22 · Sprout Social · Extortion · social media management software · US · 🟩 Corroborated · disclosed 3d ago · Salesforce CRM data accessed through Klue OAuth integration · Sources: BleepingComputer
- Jun 22 · HDS · Extortion · unknown · — · 🟥 Claimed (leak-site) · disclosed 3d ago · Sources: ransomware.live DLS
- Jun 22 · Gms-net · Extortion · unknown · — · 🟥 Claimed (leak-site) · disclosed 3d ago · Sources: ransomware.live DLS
- Jun 22 · Cqcrm · Extortion · unknown · — · 🟥 Claimed (leak-site) · disclosed 3d ago · Sources: ransomware.live DLS
- Jun 22 · Cbassociations · Extortion · unknown · — · 🟥 Claimed (leak-site) · disclosed 3d ago · Sources: ransomware.live DLS
- Jun 16 · thecreditpros.com · Extortion · unknown · United States · 🟥 Claimed (leak-site) · disclosed 9d ago · Sources: ransomware.live DLS