icarus

Icarus is a newly emerged cybercrime extortion group active since at least April 2026. In the provided reporting, Icarus claimed responsibility for the June 2026 supply-chain attack involving Klue, a market intelligence platform, and the downstream compromise of multiple customers’ Salesforce environments. Public reporting and victim statements describe Icarus as a ransomware or extortion group operating a Tor-based leak site and threatening to publish stolen data unless ransom demands were met. According to the content, Icarus gained access to Klue using a compromised legacy credential tied to an integration service or limited 2022 pilot, then harvested or generated OAuth tokens used by Klue integrations. The group used those tokens to access connected third-party platforms, especially Salesforce, and exfiltrated data in bulk. Reporting also states the attackers implanted or pushed malicious code in Klue’s environment, enumerated victim Salesforce environments through the REST API, and used automated scripts, including Python scripts, to map CRM structures and steal targeted data over sustained periods. The group’s activity in this incident was focused on data theft and extortion rather than disruptive encryption. Stolen data was consistently described as business contact information, CRM records, support case data, sales-related information, pricing quotes, account data, and related business records. Multiple organizations were publicly identified as affected through the Klue compromise, including Huntress, LastPass, BeyondTrust, HackerOne, Jamf, OneTrust, Recorded Future, Snyk, Tanium, Insurity, Sprout Social, Gong, 8x8, Pendo, and others. Icarus added Klue and several customers to its leak site and directly threatened release of the stolen information. The content does not provide high-confidence attribution of Icarus to any nation state. Huntress is cited as attributing the Klue intrusion to Icarus with high confidence, while other reporting noted disputed attribution involving ShinyHunters; therefore only the direct reporting that Icarus claimed responsibility and was independently linked by Huntress to the incident is high confidence here. No aliases or sub-groups beyond the name Icarus are directly supported in the content.