A threat actor called Icarus compromised Klue’s backend systems, stole OAuth tokens for Salesforce and Gong, and used them to query customer CRM data through automated API calls. The campaign later expanded into extortion against victims including Huntress, with confirmed theft of business contacts, price quotes, and sales communications. #Icarus #Klue #Salesforce #Gong #Huntress
Key points
- Klue’s backend systems were compromised on June 11, 2026, affecting a platform used by enterprise customers to sync competitive battlecard data with CRM environments.
- The attacker harvested OAuth tokens for Salesforce and Gong, then used automated API calls to query connected environments.
- The threat group self-identifies as Icarus and has been active since at least April 28, 2026.
- Huntress confirmed that CRM data was stolen, including business contacts, price quotes, and sales communications.
- The intrusion appears to have started from a dormant credential created for a prototype integration, not from phishing or exploit activity.
- Extortion emails began on June 16 with the subject line “top secret email,” demanding contact via Session Messenger within 48 hours.
- Datadog identified read-heavy Salesforce API activity, failed queries, QueryMore usage, and other behavioral indicators tied to automated data exfiltration.
MITRE Techniques
- [T1528] Steal Application Access Token – The actor harvested OAuth tokens for Salesforce and Gong to access connected environments (‘harvested OAuth tokens for Salesforce and Gong’).
- [T1190] Exploit Public-Facing Application – Not directly described as exploitation, but the compromise of backend integration infrastructure enabled external access to customer environments (‘compromised backend systems at Klue’).
- [T1078] Valid Accounts – The attacker abused a dormant credential and then used authenticated access through OAuth to reach Salesforce data (‘gained initial access through a dormant credential’, ‘using OAuth refresh tokens to maintain API access’).
- [T1021] Remote Services – The actor accessed customer Salesforce orgs remotely through API-authenticated sessions (‘began querying those environments through automated API calls’).
- [T1213] Data from Information Repositories – The attacker queried Salesforce objects such as Opportunity, Case, Contact, and Account to collect stored CRM data (‘queried standard Salesforce objects through the API’).
- [T1041] Exfiltration Over C2 Channel – Data was exfiltrated over Salesforce REST API traffic using Query and QueryMore requests (‘used QueryMore’, ‘exfiltrate data quickly’).
- [T1105] Ingress Tool Transfer – Not explicitly stated, but the attacker’s Python scripts were used to execute the abuse workflow (‘the threat actor ran scripts’).
Indicators of Compromise
- [IP address] Threat actor infrastructure confirmed by Klue for correlation with Salesforce logs – 138.226.246[.]94, 212.86.125[.]24, and 2 more IPs
- [User agent] Observed in malicious Salesforce API activity, likely Python-based tooling – Python-urllib/3.12, Python-urllib/3.14, and 1 more item
- [Application / connected app name] OAuth access used in Salesforce logs – Klue Battlecards
- [API endpoint] Malicious Salesforce query activity targeted the REST API query endpoint – /services/data/v59.0/query/*, /services/data/v59.0/query*
- [Event fields / log indicators] Detection fields used to identify activity in Salesforce logs – application, connected_app_name, login_sub_type, entity_name, queried_entities
- [Salesforce objects] Most heavily targeted queried entities during exfiltration – Opportunity, Case, Task, and 7 more objects
- [Messaging / extortion artifact] Extortion emails used a specific subject and contact method – “top secret email”, Session Messenger
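The behavioural indicators listed above (read-heavy query traffic, QueryMore paging, failed queries, Python-urllib user agents, many queried objects) can be triaged from Salesforce API logs with a short script. The following is an added example, not code from the advisory or from Datadog; it runs over constructed log lines whose event shape, login_sub_type value and query locator are assumptions, while the connected app name, IP and query endpoints are the ones named above.

```python
import json
from collections import defaultdict

# Constructed sample events (not real Klue, Datadog or Salesforce logs), shaped
# after the fields the advisory names: connected_app_name, login_sub_type,
# entity_name, plus client IP, user agent, request URI and HTTP status (assumed).
SAMPLE_LOG = """\
{"client_ip":"138.226.246.94","user_agent":"Python-urllib/3.12","connected_app_name":"Klue Battlecards","login_sub_type":"oauthrefreshtoken","uri":"/services/data/v59.0/query?q=SELECT+Id+FROM+Opportunity","entity_name":"Opportunity","status":200}
{"client_ip":"138.226.246.94","user_agent":"Python-urllib/3.12","connected_app_name":"Klue Battlecards","login_sub_type":"oauthrefreshtoken","uri":"/services/data/v59.0/query/01gLOCATOR-2000","entity_name":"Opportunity","status":200}
{"client_ip":"138.226.246.94","user_agent":"Python-urllib/3.12","connected_app_name":"Klue Battlecards","login_sub_type":"oauthrefreshtoken","uri":"/services/data/v59.0/query?q=SELECT+Id+FROM+Case","entity_name":"Case","status":200}
{"client_ip":"138.226.246.94","user_agent":"Python-urllib/3.12","connected_app_name":"Klue Battlecards","login_sub_type":"oauthrefreshtoken","uri":"/services/data/v59.0/query?q=SELECT+Id+FROM+Task","entity_name":"Task","status":400}
{"client_ip":"203.0.113.7","user_agent":"Klue-Sync/1.0","connected_app_name":"Klue Battlecards","login_sub_type":"oauthrefreshtoken","uri":"/services/data/v59.0/query?q=SELECT+Id+FROM+Account","entity_name":"Account","status":200}
"""

QUERY_PREFIX = "/services/data/v59.0/query"

def is_query_more(uri):
    # QueryMore fetches the next page of a result: /query/<locator>, not /query?q=...
    return uri.startswith(QUERY_PREFIX + "/")

def summarize(log_text):
    """Aggregate per (connected app, client IP) the signals the advisory lists."""
    stats = defaultdict(lambda: {"reads": 0, "query_more": 0, "failed": 0,
                                 "entities": set(), "python_ua": False})
    for line in log_text.splitlines():
        ev = json.loads(line)
        if not ev["uri"].startswith(QUERY_PREFIX):
            continue  # only REST query traffic is in scope here
        s = stats[(ev["connected_app_name"], ev["client_ip"])]
        s["reads"] += 1
        s["query_more"] += is_query_more(ev["uri"])
        s["failed"] += ev["status"] >= 400
        s["entities"].add(ev["entity_name"])
        s["python_ua"] |= ev["user_agent"].startswith("Python-urllib/")
    return stats

def find_suspicious(log_text, min_reads=3):
    """Flag sources whose read volume comes with exfiltration-style behaviour."""
    flagged = []
    for (app, ip), s in summarize(log_text).items():
        checks = (("query_more", s["query_more"] > 0), ("failed_queries", s["failed"] > 0),
                  ("python_user_agent", s["python_ua"]), ("multi_entity", len(s["entities"]) >= 3))
        signals = [name for name, hit in checks if hit]
        if s["reads"] >= min_reads and signals:
            flagged.append({"app": app, "ip": ip, "reads": s["reads"], "signals": signals})
    return flagged
```

The thresholds are deliberately low for the five sample lines; in production they should be tuned against the integration's normal sync volume so the legitimate Klue Battlecards traffic is not flagged.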
Read more: https://securitylabs.datadoghq.com/articles/detecting-the-klue-supply-chain-attack-in-salesforce/