Cyber Threat Brief — June 22 2026
⚠️ This report is AI-generated. Always validate findings.
1. Klue/Icarus SaaS Supply Chain — Salesforce OAuth Token Theft
TL;DR: The Icarus extortion group compromised Klue’s integration backend on June 11, harvested OAuth tokens, and exfiltrated Salesforce CRM data from Huntress, Recorded Future, Tanium, and others. As of today (June 22), Klue has publicly acknowledged the breach and Icarus has listed the company on its leak site.
What’s New:
- June 22: Klue public acknowledgement; Icarus leak site listing
- Huntress published investigation blog with IOCs (June 19)
- Attacker used a compromised legacy credential to push code that harvested OAuth tokens
- Python-urllib used for automated Salesforce API enumeration and data exfiltration
- Extortion emails sent via compromised Australian retailer mail servers (valid SPF/DMARC)
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| 138.226.246.94 | Attacker IP | T1199 | Salesforce login history / SIEM | Block and hunt |
| 212.86.125.24 | Attacker IP | T1199 | Salesforce login history / SIEM | Block and hunt |
| 213.111.148.90 | Attacker IP | T1199 | Salesforce login history / SIEM | Block and hunt |
| 94.154.32.160 | Attacker IP | T1199 | Salesforce login history / SIEM | Block and hunt |
| Python-urllib/3.12 | User-Agent | T1106 | Salesforce API logs / proxy | Alert on non-browser UA hitting Salesforce API |
| Python-urllib/3.14 | User-Agent | T1106 | Salesforce API logs / proxy | Alert on non-browser UA hitting Salesforce API |
| GET /services/data/v59.0/sobjects | API endpoint | T1087 | Salesforce API logs | Alert on object catalog enumeration |
| GET /services/data/v59.0/query + QueryMore | API pattern | T1005 | Salesforce API logs | Alert on bulk query with cursor pagination |
| Burst of ~1000 queries in 15 min | Query pattern | T1005 | Salesforce API logs | Alert on anomalous query volume |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | None | No Salesforce OAuth token abuse detection |
| Elastic | None | No SaaS supply chain OAuth exfil rule |
| Sigma | None | No Salesforce API anomaly rule |
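Since none of the listed rule sets cover this pattern, the following is an added reference detection (written for this brief, not code from Huntress or any vendor) that applies the table's indicators to Salesforce API log records: known attacker IPs, a Python-urllib User-Agent, catalog enumeration on `/sobjects`, and a sliding-window count of `/query` calls per client IP against the ~1000-in-15-minutes burst threshold. The pipe-delimited record layout and the sample rows are constructed for the example; real Salesforce EventLogFile exports need their own field mapping.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Indicators from the Actionable Intel table above; burst threshold mirrors "~1000 queries in 15 min".
ATTACKER_IPS = {"138.226.246.94", "212.86.125.24", "213.111.148.90", "94.154.32.160"}
NON_BROWSER_UA = ("Python-urllib/",)
ENUM_PREFIX = "/services/data/v59.0/sobjects"
QUERY_PREFIX = "/services/data/v59.0/query"
BURST_WINDOW = timedelta(minutes=15)
BURST_THRESHOLD = 1000


def parse_line(line):
    """Parse a constructed 'timestamp|client_ip|user_agent|METHOD path' record (layout is an assumption)."""
    ts, ip, ua, req = line.split("|", 3)
    method, path = req.split(" ", 1)
    return {"ts": datetime.fromisoformat(ts), "ip": ip, "ua": ua, "method": method, "path": path}


def detect(lines):
    """Return sorted (rule, subject) alerts; each rule fires at most once per subject."""
    alerts = set()
    windows = defaultdict(deque)  # per-client-IP timestamps of /query calls inside BURST_WINDOW
    for rec in map(parse_line, lines):
        if rec["ip"] in ATTACKER_IPS:
            alerts.add(("known_attacker_ip", rec["ip"]))
        if rec["ua"].startswith(NON_BROWSER_UA):
            alerts.add(("non_browser_user_agent", rec["ua"]))
        if rec["path"].startswith(ENUM_PREFIX):
            alerts.add(("object_catalog_enumeration", rec["ip"]))
        if rec["path"].startswith(QUERY_PREFIX):
            win = windows[rec["ip"]]
            win.append(rec["ts"])
            while win and rec["ts"] - win[0] > BURST_WINDOW:  # drop calls older than the window
                win.popleft()
            if len(win) >= BURST_THRESHOLD:
                alerts.add(("query_burst", rec["ip"]))
    return sorted(alerts)


# Constructed sample: one benign browser query, then a catalog enumeration and a
# 1000-call QueryMore-style cursor walk from a table IP at two calls per second.
_BASE = datetime(2026, 6, 12, 9, 1, 0)
SAMPLE = [
    "2026-06-12T09:00:00|203.0.113.5|Mozilla/5.0 (Windows NT 10.0) Chrome/125|GET /services/data/v59.0/query?q=SELECT+Id+FROM+Account",
    "2026-06-12T09:00:30|138.226.246.94|Python-urllib/3.12|GET /services/data/v59.0/sobjects",
] + [
    f"{(_BASE + timedelta(seconds=i * 0.5)).isoformat()}|138.226.246.94|Python-urllib/3.12|GET /services/data/v59.0/query/CONSTRUCTED-CURSOR-{i}"
    for i in range(1000)
]

if __name__ == "__main__":
    for rule, subject in detect(SAMPLE):
        print(f"ALERT {rule}: {subject}")
```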
Sources: Huntress Blog · SecurityWeek · BleepingComputer · Obsidian Security
2. DragonForce Backdoor.Turn — C2 via Microsoft Teams TURN Relays
TL;DR: DragonForce ransomware operators deployed Backdoor.Turn, a custom Go RAT that tunnels C2 through legitimate Microsoft Teams TURN relays via QUIC, making all C2 traffic appear as Teams collaboration traffic. First known abuse of TURN relay infrastructure for C2.
What’s New:
- Symantec disclosed June 16; first documented TURN relay C2 abuse
- Attacker persisted 1-2 months undetected in major U.S. services firm
- Backdoor injected into legitimate DbgView64.exe process
- Polymorphic builds (varying Go build tags) defeat hash-based detection
- Capabilities: command exec, AD/LDAP recon, credential theft, lateral movement
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| 048e18416177de2ead251abdf4d89837f6807c6aba4d5b1debe49adfdecbf05c | SHA-256 (Backdoor.Turn) | T1071.001 | EDR | Block/alert |
| ce66b8221446c9b6d83f0ce6382f430e519601641e5daaaf1ca7a8a8806cb0b0 | SHA-256 (Shellcode) | T1055 | EDR | Block/alert |
| b6628d201c2a68d2a3de2a87de7a5acfe21b101a97928e1c8d5c82102d967383 | SHA-256 (GameDriverx64 vuln driver) | T1068 | EDR / driver load logs | Block BYOVD |
| TeamsMediaRelay service name | Registry artifact | T1543.003 | Windows System event log / Sysmon EID 13 | Alert on service creation outside change mgmt |
| msimg32.dll outside C:\Windows\System32 | DLL sideload | T1574.001 | Sysmon EID 7 / EDR DLL load | Alert on non-system path |
| Anonymous Teams visitor token request | Auth abuse | T1078.004 | Azure AD sign-in logs | Hunt for anomalous Teams visitor auth |
| QUIC connections to Teams TURN relay IPs | C2 channel | T1572 | NDR / firewall | Baseline Teams TURN; alert deviations |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | None | No Teams TURN relay C2 detection; no TeamsMediaRelay service creation rule |
| Elastic | Suspicious DLL Loaded via Side-Loading (generic) | No Backdoor.Turn-specific rule; no TURN relay anomaly detection |
| Sigma | None | Need: service creation for TeamsMediaRelay; msimg32.dll sideload outside System32; QUIC to TURN relay anomaly |
Sources: Symantec/SECURITY.COM · The Hacker News · BleepingComputer · Help Net Security
Status Updates
- CVE-2026-20253 (Splunk Enterprise): CISA KEV federal deadline passed June 21. Active ITW exploitation ongoing. No workarounds — patch to 10.4.0/10.2.4/10.0.7. Original brief.
- CVE-2026-50656 (Windows Defender RoguePlanet): Still UNPATCHED zero-day. Microsoft confirmed working on patch since June 16. WDAC/AppLocker remains primary mitigation. Original brief.
- FortiBleed Campaign: CISA advisory issued June 18. Count at 86,644 compromised FortiGate devices across 194 countries. Reset all VPN/admin credentials immediately. Original brief.