Cyber Threat Actor: Mr Brean
| Actor Type | Location | Known Incidents |
|---|---|---|
| Criminal | — | 2 incidents |
Profile
Mr Brean is an alias used by a threat actor who has been publicly linked to the Icarus group, a loosely defined collection of cybercriminals noted for carrying out supply‑chain compromises and data‑theft operations. The actor first came to attention in mid‑2026 when threat actors compromised the backend infrastructure of Klue, a competitive‑intelligence platform, and pushed a malicious update designed to harvest OAuth tokens from the service’s various integrations. This Klue incident was reported by multiple security outlets and involved unauthorized access to customer data stored in third‑party SaaS applications. The actor’s association with the Icarus group was explicitly mentioned in the extortion communications sent to victims, indicating a collaborative or affiliated relationship rather than a solitary operation. No public attributions to a nation‑state sponsor or a larger criminal consortium have been made beyond the Icarus reference. The actor’s known activity is limited to the described supply‑chain compromise, with no additional malware families or toolsets disclosed in the available reporting.
The targeting observed in the Klue breach focused on companies that rely on Klue’s platform for market intelligence, specifically affecting cybersecurity firms such as Huntress and Recorded Future, which were identified as customers whose Salesforce data was accessed. The strategic objective demonstrated by the actor appears to be financial gain, as Huntress reported receiving extortion demands after the data theft, and the actor’s leak site displayed purportedly exfiltrated Salesforce information to pressure victims into payment. The actor’s tactics involved gaining initial access through the compromise of Klue’s backend servers, followed by the deployment of a malicious update that intercepted OAuth tokens for integrations with Salesforce, HubSpot, SharePoint, Zoom, Gong, Chorus, Clari, Google Drive and Slack. Once the tokens were harvested, the actor used the Salesforce REST API to query and extract large volumes of CRM data, including business contacts, price quotes and sales‑related information, while avoiding deeper intrusion into the victims’ internal networks. No specific malware families or custom tools were referenced in the public accounts, with the emphasis placed on abuse of legitimate API access and token theft.
The Klue supply‑chain attack of June 11, 2026 represents the most detailed and publicly reported operation attributed to Mr Brean, illustrating a pattern of exploiting trusted third‑party services to reach downstream targets and leveraging stolen data for extortion. The incident resulted in Klue revoking the compromised OAuth tokens, disabling connections to the affected platforms, and Salesforce subsequently disabling the Klue Battlecards app after detecting anomalous API activity. While the breach was confined to the Klue‑Salesforce linkage and did not extend to the internal systems of Huntress or Recorded Future, the extortion attempts highlighted the actor’s willingness to monetize accessed data directly. No further campaigns or additional victim sectors have been documented in the open sources available to date. The profile therefore reflects only the confirmed facts surrounding Mr Brean’s alias, affiliation with the Icarus group, observed targeting of SaaS‑integrated cybersecurity firms, the token‑harvesting and API‑abuse TTPs, and the single Klue‑based operation that produced both data theft and extortion demands.
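The TTP described above (a stolen integration token used to pull bulk CRM data through the platform's REST API) and the detection that ended it (the platform noticing anomalous API activity from the connected app) both come down to per‑integration API usage baselining. The following is an added example, not code from the original profile or from any of the vendors it names: it baselines each connected app's daily read volume and the objects it touches, then flags a day on which an app suddenly reads far more rows than usual or reads objects it has never read before. The log records, app names and field layout are constructed for the example and deliberately simplified; they are not the real Salesforce event‑monitoring schema.

```python
"""
Added detection example: baseline the daily API read volume of each
connected app (integration) in a Salesforce-like tenant and flag days on
which an app pulls far more CRM rows than usual, or reads objects it has
never touched before. The record format is a constructed stand-in for
the platform's API usage telemetry, not the vendor's actual schema.
"""
from collections import defaultdict
from statistics import median

# Constructed sample records, one per API query, keyed by the integration
# whose OAuth token was presented. Tuple layout: (date, app, object, rows).
SAMPLE_LOG = [
    # Three normal days for a market-intelligence integration
    ("2026-06-08", "market-intel-app", "Account", 120),
    ("2026-06-08", "market-intel-app", "Opportunity", 80),
    ("2026-06-09", "market-intel-app", "Account", 150),
    ("2026-06-09", "market-intel-app", "Opportunity", 90),
    ("2026-06-10", "market-intel-app", "Account", 130),
    ("2026-06-10", "market-intel-app", "Opportunity", 70),
    # Constructed token-abuse day: bulk pulls plus objects never read before
    ("2026-06-11", "market-intel-app", "Account", 48000),
    ("2026-06-11", "market-intel-app", "Contact", 95000),
    ("2026-06-11", "market-intel-app", "Quote", 21000),
    # A second, benign integration for contrast
    ("2026-06-08", "reporting-app", "Account", 400),
    ("2026-06-09", "reporting-app", "Account", 420),
    ("2026-06-10", "reporting-app", "Account", 390),
    ("2026-06-11", "reporting-app", "Account", 410),
]


def daily_totals(records):
    """Aggregate per app and day: total rows read and the set of objects read."""
    rows = defaultdict(lambda: defaultdict(int))
    objects = defaultdict(lambda: defaultdict(set))
    for day, app, obj, n in records:
        rows[app][day] += n
        objects[app][day].add(obj)
    return rows, objects


def detect_token_abuse(records, target_day, volume_ratio=10.0, min_rows=5000):
    """Flag connected apps whose activity on target_day deviates from baseline.

    A finding is raised when either:
      * rows read on target_day exceed volume_ratio times the median of all
        prior days (and at least min_rows, to ignore tiny integrations), or
      * the app read an object it never read on any prior day.
    Returns a sorted list of (app, reason, detail) tuples.
    """
    rows, objects = daily_totals(records)
    findings = []
    for app in rows:
        prior_days = sorted(d for d in rows[app] if d < target_day)
        if not prior_days or target_day not in rows[app]:
            continue  # no baseline yet, or no activity on the target day
        baseline = median(rows[app][d] for d in prior_days)
        today = rows[app][target_day]
        if today >= min_rows and today > volume_ratio * baseline:
            findings.append((app, "volume_spike",
                             f"{today} rows vs median {baseline:.0f}"))
        seen_before = set().union(*(objects[app][d] for d in prior_days))
        new_objs = sorted(objects[app][target_day] - seen_before)
        if new_objs:
            findings.append((app, "new_objects", ",".join(new_objs)))
    return sorted(findings)


if __name__ == "__main__":
    for app, reason, detail in detect_token_abuse(SAMPLE_LOG, "2026-06-11"):
        print(f"[ALERT] {app}: {reason} ({detail})")
```

The two signals are deliberately independent: a token abused for quiet, low‑volume enumeration of a previously untouched object is caught by the object check even when the volume check stays silent, and a bulk pull of objects the app normally reads is caught by the volume check. In a real deployment the alert would feed the same response the profile describes, revoking the integration's OAuth grant and disabling the connected app until the upstream vendor is verified clean.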
