Skip to content
Ransomware group

icarus

Icarus is a data-extortion and ransomware-associated threat group that emerged publicly in 2026 and is most notably linked to the Klue supply-chain breach and downstream compromise of customer Salesforce environments.

Profile source: Mallory opens in a new tab

icarus

Family profile

Icarus is a data-extortion and ransomware-associated threat group that emerged publicly in 2026 and is most notably linked to the Klue supply-chain breach and downstream compromise of customer Salesforce environments. The group has been associated with theft of OAuth tokens and abuse of trusted third-party integrations rather than exploitation of a Salesforce platform vulnerability. In the Klue intrusion, Icarus reportedly used a valid but dormant legacy service credential to access Klue backend systems, implanted code to harvest customer OAuth tokens, and then used those tokens to query and exfiltrate data from connected SaaS platforms, especially Salesforce and in some cases Gong. Public reporting places the group within the broader trend of data-only extortion operations that prioritize exfiltration and coercive leak threats over disruptive encryption.

Icarus has targeted organizations through both direct victimization and supply-chain blast radius effects. Confirmed and claimed victims span technology, business services, financial services, and other sectors, with a concentration of downstream organizations affected through Klue’s Battlecards integration. Reported stolen information in these campaigns has primarily consisted of CRM and business data such as contact records, support information, business intelligence content, communications, and opportunity notes. The group has used leak-site postings and direct extortion communications to pressure victims, including deadlines for response and threats to publish stolen data.

Tradecraft attributed to Icarus includes use of valid accounts, abuse of OAuth trust relationships, token theft, API-based bulk data collection, automated querying of SaaS environments, and anti-forensic behavior consistent with modern extortion actors. Reporting indicates the group used automated scripts to perform high-volume Salesforce queries after obtaining access through compromised integrations. The actor’s operations illustrate a supply-chain intrusion model in which compromise of a single vendor enables access to many downstream customer environments.

Icarus is widely discussed in connection with the ShinyHunters data-extortion ecosystem. Multiple defenders tied the Klue extortion activity to a group calling itself Icarus, while separate reporting noted that an account claiming to be ShinyHunters also took credit for the same incident. Microsoft tracked the Klue-related actor cluster as Storm-3138, and broader industry reporting places Icarus alongside ShinyHunters in the rise of data-only extortion and SaaS-focused intrusions. Based on currently available information, the relationship appears operationally adjacent or overlapping, but a definitive public attribution establishing Icarus as a formal ShinyHunters subgroup is not available.

Known aliases and associated names include Icarus and the extortion alias “mr bean.” No reliable public evidence currently establishes a nation-state affiliation. The group is best characterized as a financially motivated extortion actor focused on SaaS data theft, supply-chain compromise, and coercive publication threats.

Ransomware.live

Operational record

View group record ↗

Ransomware.live

Recent claims

All published claims ↗

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.