[weglot_switcher]
Cybercrime update graphic showing ShinyHunters and criminal forums trends.

The Klue Breach, SocGholish Cleanup, and AI Cybercrime Slop

Table of Contents

Check your exposure

June brought another NHI-led supply chain attack, a major law enforcement disruption of long-running malware infrastructure, and some unexpected comedy from threat actors wrestling with AI hallucinations. In this month’s wrap-up we cover:

Plus, in case you missed it, we also link to our deep dives on:

Let’s get into it!

Icarus ransomware group compromises Klue and their customers

On June 17, Salesforce published an advisory stating that, due to a recent security incident, they proactively disabled all connections between customer Salesforce instances and the Klue Battlecards app, a third-party sales tool that can integrate with Salesforce. On June 18, details of the incident started to become clearer; Klue stated that attackers had gained access to Klue’s integrations infrastructure and used that access to exfiltrate customer data.

The next day, a relatively new ransomware group called Icarus named Klue as a victim on their data leak site (DLS), promising to leak the data if Klue did not pay them a ransom. They also advised “the companies who want to protect their data to contact us via Session” – appealing to Klue’s impacted customers directly. Icarus also posted data from some of the impacted organizations including the cybersecurity company Huntress, to their DLS on June 22.

SpyCloud breach and cybersecurity data analysis image.

Initial shame post from June 19 naming Klue as a victim on the Icarus data leak site.

Then on June 23 and into June 24, Klue told their customers that they had reached an agreement with Icarus to delete the data. At this point, it seems that there was some disagreement among the involved threat actors. According to Klue, Icarus told them that a second group of hackers affiliated with Icarus (who had access to at least some of the exfiltrated data) had gone rogue and were attempting to now extort Klue’s customers directly. This was despite the fact that Klue already had an agreement with the threat actor who had told them they were “taking steps to delete the data.” 

At the time of writing, the Icarus DLS remains offline. Unpredictability of criminal threat actors, as in this scenario, is why many cybersecurity experts discourage victims of data-theft extortion attacks from paying a ransom. 

This is yet another instance of a supply chain compromise aimed at stealing customer cloud service tokens (OAuth access and refresh tokens for Salesforce) and exfiltrating their data. As Reliaquest pointed out in their write-up on the incident, this compromise follows the same attack chain as the Salesloft Drift incident from last August and the Gainsight incident in November. In all three incidents, the attackers compromised environments of third-party applications commonly integrated with Salesforce, the world’s largest customer relationship management (CRM) cloud service provider. They then abused the trust relationship between the applications to access data that customers using the compromised third-party integrations had stored in Salesforce. Non-human identities – digital identities for a machine, application, service, or automated process such as service accounts, API keys, OAuth tokens, certificates, and SSH keys – are an important and increasingly targeted attack surface.

In a follow-on statement about the incident, Huntress noted that the exfiltrated data itself was less significant than initially feared, mostly system information and service logs.

Operation Endgame disrupts SocGholish, Amadey, and StealC malware

On June 24, EUROPOL announced enforcement actions against three malware families:

The most unique aspect of this disruption was the operation’s method of cleaning up SocGholish’s distribution infrastructure. SocGholish’s operators compromised legitimate WordPress-based websites, and used them to show visitors fake browser update prompts. When a victim clicked the prompt, they would download a malicious JScript payload instead. SocGholish infections have been documented as the initial access mechanism in a variety of ransomware incidents, including by the LockBit and Hades ransomware groups. 

As part of the disruption action, the law enforcement agencies involved in Operation Endgame actually actively cleaned 14.9K infected WordPress sites that were distributing the malware. They also notified these website owners, encouraging them to patch their sites and strengthen their login credentials. It’s rare for law enforcement actions to actually remediate computer compromises in victim environments, but this action is an encouraging sign that law enforcement agencies are willing to take more aggressive steps to disrupt key cybercrime enablement services.

Keep an eye out for SpyCloud’s upcoming analysis of the StealC takedown and how it impacted the infostealer market.

AI slop annoys cybercriminals, too

Large language models (LLMs) have undoubtedly made certain aspects of cybercrime faster and easier, including assisting actors in more efficiently socially engineering victims and speeding up malware coding development.

However, e-crime actors are also plagued by the rise in AI slop, which can make it more difficult and time-consuming for threat actors to find and analyze quality stolen data. In June, we observed two interesting examples of this phenomenon:

01

SLSH issues a retraction about hallucinated exfil data:

 SLSH – a data-theft extortion group linked to the Com –  apparently acted on an AI hallucination (a slang term for when a LLM output contains nonfactual information) earlier this month. After using an LLM to summarize the 3.1TB of data that they had exfiltrated from the National Association of Insurance Commissioners (naic.org). The practice of using LLMs to quickly summarize large volumes of breached data is becoming more popular with threat actors in general. For example, the Titan Ransomware group has adopted a unique practice of posting a clearly AI-generated analysis of each of their breached datasets that highlights the most sensitive files in each of their breaches which they post directly to their data leak site alongside the data download links. SLSH seems to have realized and rectified the LLM’s error, updating their post and writing “the previous statement was overstated due to an analytical error and an AI-generated misinterpretation of the underlying data.”

SpyCloud cybersecurity platform showing data review and download options.
SpyCloud cybersecurity image showing data breach and threat detection.
NAIC cybersecurity platform with AWS logs and SQL scripts for data security.
Cybersecurity dashboard showing data breach and threat detection metrics.

Statement on the SLSH DLS in which the group retracted their previous analysis of the National Association of Insurance Commissioners breach.

02

Criminal complains about buying bogus data breaches

On DarkForums, a user going by the handle alina posted a complaint in all caps accusing a group of actors called Exilados #555 of scamming them by selling them three datasets filled with people that “DO NOT ACTUALLY EXIST.” In the post, they also state that Exilados even admitted to them that the databases were fake. In retaliation for being scammed, alina also leaked the three datasets that they purchased, all of which they accuse of containing fabricated AI-generated data. w1nter, the account that originally posted the first listed dataset for sale (and apparently a member of the Exilados group) currently has a reputation score of -10 on the forum. The individuals listed in the sample data associated with this alleged Judiciary of Mexico breach indeed appear to not exist. alina eloquently ends this post with “SCAMMERS SCAMMERS SCAMMERS SCAMMERS SCAMMERS SCAMMERS SCAMMERS SCAMMERS SCAMMERS SCAMMERS SCAMMERS SCAMMERS.”
Illustration of data breach and cybersecurity threats with digital security icons.
DarkForums post by alina accusing Exilados of selling them fabricated data.
Cybersecurity threat report with data on breaches and cybercrime trends.
Account reputation for w1nter, one of the Exilados members who appears to have sold fabricated data to alina. A different forum member appears to have negatively reviewed the w1nter account directly, calling them a scammer.

Other research insights from SpyCloud Labs

SpyCloud Labs analyzed the media-dubbed “FortiBleed” leak and found that initial reports left some key information out. See what we found after parsing and analyzing the data to understand the full impact.

Attackers are finding new ways to make MFA irrelevant, and device code phishing is their latest weapon. This adversary-in-the-middle (AiTM) technique exploits the legitimate OAuth 2.0 Device Authorization Grant flow, tricking users into entering an attacker-generated code that issues active session tokens directly to the attacker’s device. Here’s what you need to know.

Recaptured data numbers for June 2026

June monthly total

Total New Recaptured Data Records for June:
2,908,666,689

New third-party breach data this month

Third-Party Breaches Parsed and Ingested:
3,546
New Data Records from Third-Party Breaches:
1,577,384,273

New recaptured phished data this month

New Phished Data Records:
6,399,928

New infostealer malware data this month

Stealer Logs Parsed and Ingested:
8,176,637
New Data Records from Stealer Infections:
256,168,473
New Stolen Cookie Records:
1,075,113,943

Discover what cybercriminals know about your business and your customers – and how to prevent targeted attacks with SpyCloud.

Keep reading

SpyCloud logo with FortiBleed threat actor infrastructure background.
More Than a Leak: What SpyCloud Found Inside the FortiBleed Threat Actor Infrastructure
SpyCloud Labs analyzed the media-dubbed “FortiBleed” leak and found that initial reports left some key information out. See what we found after parsing and analyzing the data to understand the full impact.
Kali365 PhaaS kit overview for cybersecurity and threat detection.
Kali365: Anatomy of a Microsoft 365 Phishing-as-a-Service Kit – From Telegram Hype to FBI Takedown Theater
SpyCloud researchers dissect Kali365, a Telegram-sold phishing-as-a-service kit targeting Microsoft 365. Using device-code and adversary-in-the-middle phishing, it steals OAuth tokens and session cookies to bypass MFA – then staged a fake FBI "shutdown" while operations continued. Here's how the kit works, who it targets, and why password resets won't stop it.
Cybercrime update graphic showing ShinyHunters and criminal forums trends.
Cybercriminals Create New Forums and Interrupt School Finals
Read on for the latest from the criminal underground, including threat actor & forum activity, the Canvas breach, device code phishing trends, and what to know about Google Chrome DBSC.

Check Your Company's Exposure

See your real-time exposure details powered by SpyCloud.

Research Agent is now available: Close cases in minutes with agentic investigations

X