A threat actor compromised Klue, a market-intelligence platform that integrates with Salesforce and other sales/marketing SaaS tools. The actor stole the OAuth tokens Klue’s customers used to connect their CRMs, then used those tokens to query and bulk-exfiltrate Salesforce (and Gong) data directly from victim environments. Confirmed victims include Huntress and Recorded Future, alongside numerous other Klue customers (several of them cybersecurity firms). The activity fits the broader 2025–2026 Salesforce OAuth-abuse wave (Salesloft Drift, Gainsight) but is attributed by Huntress with high confidence to a new extortion group, “Icarus.”
Severity: Critical
Timeline
| Date | Event |
| --- | --- |
| Apr-28 | Icarus leak site claims operational start; 2 prior victims, 80.26 GB listed |
| Jun-11 | Compromise begins (per Huntress); malicious code pushed into Klue’s integration system to harvest customer OAuth tokens |
| Jun-12 | Klue detects anomalous activity / unusual network connections; contained same morning (per Recorded Future) |
| Jun-13 | Klue issues general customer alert (impacted parties not specified); deactivates all customer OAuth credentials, disables integrations |
| Jun-16 | Extortion emails (“top secret email,” 48-hr ultimatum) hit Huntress staff; Icarus “pending” Salesforce victim entry appears |
| Jun-18 | Huntress and Recorded Future publish public disclosures |
Threat Actor
- Alias: “mr bean” (signs “mb”); affiliated extortion brand “Icarus”
- Attribution: Session Messenger IDs in the extortion emails matched the IDs posted on the Icarus dark-web leak site, including a corrected ID that changed on both the email and the leak page in lockstep.
- Alternative hypotheses (ReliaQuest): Objective and approach mirror ShinyHunters; closest analog (Drift token abuse) tied to UNC6395. ReliaQuest could neither confirm nor rule out either group. Tooling differs from UNC6395 (which used python-requests, Salesforce-CLI, Salesforce-Multi-Org-Fetcher, often via Tor); this actor used generic Python-urllib and datacenter/VPS hosting.
- Motivation: Financial data-theft extortion. No leak published at time of reporting (Gofile content already expired/removed).
Attack Chain
- Initial access: Abuse of a long-dormant but still-active credential originally created by Klue to prototype an abandoned third-party integration (Huntress).
- Foothold: Pivot into Klue infrastructure; pushed a code update capable of harvesting customer OAuth tokens; established remote access for command execution.
- Credential theft: Collected OAuth tokens (incl. refresh tokens) for Klue customers’ connected SaaS.
- Discovery: Enumerated Salesforce object catalog via GET /services/data/v59.0/sobjects.
- Collection/Exfil:
  - Tooling: Automated scripts using generic Python-urllib user-agent strings (specifically Python-urllib/3.12 and Python-urllib/3.14).
  - Query profile: Enumerated the Salesforce object catalog via GET /services/data/v59.0/sobjects, then systematically extracted data through the /services/data/v59.0/query endpoint, paging with the QueryMore cursor.
  - Behavior pattern: a slow ~24-hr blend-in pull, plus a burst of ~1,000 queries in 15 minutes and sustained 6+ hr windows.
- Possible recon of defenses: Unverified reporting that the actor queried one victim’s own detection tooling.
- Extortion delivery: Extortion emails were relayed through compromised mail servers belonging to Global Retail Brands (an Australian retailer), so they carried valid SPF and DMARC results and passed spam filters. Outreach came by email under the alias “mr bean” / “mb”, and victims were given a 48-hour deadline to negotiate over the Session secure messenger.
Impact Assessment
Confirmed Affected Organizations
- Huntress: Confirmed exposure of Salesforce CRM data, including business contacts, price quotes, marketing materials, and sales-related communications. No endpoint telemetry, proprietary threat data, or credentials were stolen.
- Recorded Future: Confirmed incidental exposure via the integration layer. Impacted fields were limited to Salesforce database contents such as client names, business contract fields, and email addresses. Core platform infrastructure remained unaffected.
Recommendations
- Revoke + rotate everything tied to the Klue integration: service-account passwords, refresh tokens, client secrets, active OAuth grants.
- Search Salesforce/Gong API logs for high query volume, repeated QueryMore pagination, the listed user-agents (Python-urllib/3.12, Python-urllib/3.14), and access from the IOC IPs or otherwise unfamiliar addresses.
- Revoke active sessions for known-affected services; integration revocation alone may be insufficient given harvested credentials.
- Request missing API/access logs from vendors as part of an active investigation.
- Enforce IP allowlisting on third-party integration/connected-app accounts — and extend the same restriction to SIEM and SOAR APIs.
- Review inboxes + spam for extortion mail from the IOC domains; preserve for forensics.
- Inspect spam and active employee inboxes for extortion hooks using phrases like “top secret email” or references to communication over the Session platform.
- Inventory all OAuth-connected third-party apps; scope to least privilege; treat connected-app identities like privileged accounts.
- Block the IOCs at their respective controls; the IOC collection is published at https://www.virustotal.com/gui/collection/11e7faa1faa30d08bf52d14f86df217094b30de0e28c8fffc630a8fcfc7aa8ec/iocs
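The hunting recommendation above, and the query profile described in the attack chain (catalog enumeration via /sobjects, SOQL query plus QueryMore paging, the Python-urllib user-agents, a ~1,000-query burst in 15 minutes), can be turned into a single log-hunting script. The following is an added example and not code from the advisory or from Huntress, Klue or Salesforce. It assumes a constructed, simplified JSON-lines log shape (timestamp, user, user_agent, uri, source_ip); the burst and pagination thresholds, the IOC IP and the cursor locator in the sample are assumptions or placeholders, and the sample log is constructed, not real telemetry.

```python
"""Hunt Salesforce API access logs for the Klue-incident abuse pattern.

Added example, not vendor code. The JSON-lines shape (timestamp, user,
user_agent, uri, source_ip) is a constructed simplification: map real
Salesforce Event Monitoring / EventLogFile columns onto these five fields.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Indicators taken from the advisory text.
SUSPECT_USER_AGENTS = {"Python-urllib/3.12", "Python-urllib/3.14"}
SOBJECTS_PATH = "/services/data/v59.0/sobjects"   # object-catalog enumeration
QUERY_PATH = "/services/data/v59.0/query"         # SOQL query + QueryMore cursor
# Thresholds are assumptions sized to the reported burst (~1,000 queries / 15 min).
BURST_WINDOW = timedelta(minutes=15)
BURST_THRESHOLD = 1000
QUERYMORE_THRESHOLD = 50
# Placeholder only; populate from the VirusTotal IOC collection linked above.
IOC_IPS = {"203.0.113.10"}


def parse_lines(lines):
    """Parse JSON-lines records and return them sorted by timestamp."""
    events = []
    for line in lines:
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["timestamp"].replace("Z", "+00:00"))
        events.append(rec)
    events.sort(key=lambda r: r["ts"])
    return events


def is_querymore(uri):
    """QueryMore is GET /query/<cursor-locator>; a fresh SOQL query uses /query?q=..."""
    _, sep, tail = uri.partition(QUERY_PATH)
    return sep != "" and tail.startswith("/")


def max_in_window(timestamps, window):
    """Largest event count inside any sliding window (timestamps must be sorted)."""
    best = start = 0
    for end, t in enumerate(timestamps):
        while t - timestamps[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def hunt(events):
    """Return (user, finding, detail) tuples for identities matching the pattern."""
    findings = []
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    for user, evs in by_user.items():
        uas = {e["user_agent"] for e in evs} & SUSPECT_USER_AGENTS
        if uas:
            findings.append((user, "suspect_user_agent", sorted(uas)))
        ips = {e["source_ip"] for e in evs} & IOC_IPS
        if ips:
            findings.append((user, "ioc_ip", sorted(ips)))
        if any(e["uri"].rstrip("/") == SOBJECTS_PATH for e in evs):
            findings.append((user, "sobjects_enumeration", None))
        pages = sum(1 for e in evs if is_querymore(e["uri"]))
        if pages >= QUERYMORE_THRESHOLD:
            findings.append((user, "querymore_pagination", pages))
        burst = max_in_window([e["ts"] for e in evs if QUERY_PATH in e["uri"]], BURST_WINDOW)
        if burst >= BURST_THRESHOLD:
            findings.append((user, "query_burst", burst))
    return findings


def build_sample_log():
    """Constructed sample log (not real telemetry) modelled on the reported behaviour."""
    base = datetime(2026, 6, 11, 10, 0, tzinfo=timezone.utc)
    lines = []

    def rec(ts, user, ua, uri, ip):
        lines.append(json.dumps({"timestamp": ts.isoformat(), "user": user,
                                 "user_agent": ua, "uri": uri, "source_ip": ip}))

    # Benign: an ops user runs a handful of reports from a browser.
    for i in range(5):
        rec(base + timedelta(minutes=i), "ops@example.com", "Mozilla/5.0",
            QUERY_PATH + "?q=SELECT+Id+FROM+Lead", "198.51.100.5")
    # Suspicious: the integration identity lists the catalog, issues one SOQL
    # query, then walks the QueryMore cursor ~1,100 times in about 11 minutes.
    actor = ("klue-integration@example.com", "Python-urllib/3.14")
    rec(base, *actor, SOBJECTS_PATH, "203.0.113.10")
    rec(base + timedelta(seconds=1), *actor,
        QUERY_PATH + "?q=SELECT+Id,Email+FROM+Contact", "203.0.113.10")
    for i in range(1, 1100):  # constructed cursor locator, not a real Salesforce value
        rec(base + timedelta(seconds=1 + 0.6 * i), *actor,
            QUERY_PATH + "/01gCONSTRUCTEDCURSOR-" + str(2000 * i), "203.0.113.10")
    return lines


if __name__ == "__main__":
    for user, finding, detail in hunt(parse_lines(build_sample_log())):
        print(user, finding, "" if detail is None else detail)
```

Run against the constructed sample, the integration identity trips all five checks (suspect user-agent, IOC IP, catalog enumeration, 1,099 QueryMore pages, 1,100 queries inside one 15-minute window) while the browser user produces nothing; on real exports, tune BURST_THRESHOLD and QUERYMORE_THRESHOLD to the integration's normal baseline, since a legitimate sync job also pages with QueryMore but rarely starts with a full /sobjects listing from a new source IP.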
Sources:
- https://help.app.klue.com/article/r24zhsaqrn-klue-security-updates-june-2026
- https://status.salesforce.com/generalmessages/20000257
- https://www.recordedfuture.com/blog/klue-security-incident
- https://reliaquest.com/blog/threat-spotlight-integration-abused-in-crm-data-theft
- https://www.huntress.com/blog/klue-breach-investigation