
Icarus Used Australian Retail Domains to Exfiltrate Data From LastPass, HackerOne, and Huntress. The Domains Are Now in Our Feed.

  • Writer: Patrick Duggan

Yesterday we wrote about Icarus and the Klue supply chain breach that exposed Salesforce CRM data for LastPass, HackerOne, Huntress, Recorded Future, Tanium, Jamf, Snyk, and others.


Today we have the indicators.



The Phishing Infrastructure


LastPass published its incident disclosure today. It names the sender domains Icarus used to deliver extortion demands and exfiltrate contact data. All three are compromised legitimate Australian retail domains, not purpose-registered attacker infrastructure:


  • baccarat.com.au

  • robinskitchen.com.au

  • house.com.au

Klue's incident notification includes a non-exhaustive list of IP addresses from which the threat actor is known to have accessed sensitive information. Those IPs belong to ISPs in the Netherlands, France, and Ukraine — consistent with the Icarus infrastructure profile we documented in our original Klue post and consistent with the block_events data we analyzed yesterday, which showed elevated traffic from NL and FR in the same window.


All three phishing domains are now indexed in our IOC corpus and flowing into the STIX feed.



What This Means for Detection


The compromised-legitimate-domain technique is deliberate. Purpose-registered phishing domains get flagged by reputation feeds almost immediately. A domain like baccarat.com.au, an Australian retail business with legitimate history, a legitimate web presence and a legitimate certificate, does not trigger those alerts. Defenders who only check sender reputation against blocklists will not catch this until the specific domains are listed. Detection has to key on the behavior instead:


  • Inbound mail from .com.au sender domains with no prior relationship to your organization

  • Email content patterns consistent with extortion demands

  • Session Messenger as the requested contact method (Icarus consistently uses Session for negotiations)

  • Geographic anomaly: inbound connections from NL/FR/UA IP ranges to Salesforce environments, especially if those ranges are not in the normal access pattern for the organization
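As an added example (not code from this post or from the Duggan feed), here is a small triage script that applies the four indicators above to constructed mail and Salesforce login records. The three IOC domains and the NL/FR/UA countries come from the post; the allow-list of known sender domains, the baseline countries, the extortion keyword list, the point values and the alert threshold are assumptions to be tuned per organization. It goes one step beyond the list above by scoring API-client logins from anomalous geography higher than interactive ones, because the breach entry point was an integration credential.

```python
import re
from dataclasses import dataclass, field

# Assumed per-organization tuning: established sender relationships and normal access geography.
KNOWN_SENDER_DOMAINS = {"partner.example", "vendor.example.com"}
BASELINE_COUNTRIES = {"US", "GB", "DE"}
# Sender domains named in the LastPass disclosure.
IOC_DOMAINS = {"baccarat.com.au", "robinskitchen.com.au", "house.com.au"}
# Countries of the access IPs listed in Klue's notification.
ICARUS_ACCESS_COUNTRIES = {"NL", "FR", "UA"}

EXTORTION_TERMS = ("pay", "leak", "publish", "deadline", "bitcoin", "monero", "your data")
# Session Messenger IDs are 66 hex characters beginning with 05.
SESSION_ID_RE = re.compile(r"\b05[0-9a-f]{64}\b")
ALERT_THRESHOLD = 8  # assumed; tune against your own false-positive rate


@dataclass
class Finding:
    source: str
    score: int = 0
    reasons: list = field(default_factory=list)

    def add(self, points, reason):
        self.score += points
        self.reasons.append(reason)


def sender_domain(address):
    """Return the lower-cased domain part of an RFC 5322 address."""
    return address.rsplit("@", 1)[-1].strip(">").lower()


def triage_mail(msg):
    f = Finding(source=msg["from"])
    dom = sender_domain(msg["from"])
    if dom in IOC_DOMAINS:
        f.add(10, "sender domain is a published Icarus IOC")
    if dom.endswith(".com.au") and dom not in KNOWN_SENDER_DOMAINS:
        f.add(3, ".com.au sender with no prior relationship")
    text = f"{msg['subject']} {msg['body']}".lower()
    hits = [t for t in EXTORTION_TERMS if t in text]
    if len(hits) >= 2:
        f.add(4, "extortion language: " + ", ".join(hits))
    if "session" in text and SESSION_ID_RE.search(text):
        f.add(5, "Session Messenger ID offered as contact channel")
    return f


def triage_login(event):
    f = Finding(source=f"{event['user']}@{event['src_ip']}")
    country = event["country"]
    if country not in BASELINE_COUNTRIES:
        f.add(3, f"login from {country}, outside access baseline")
        if country in ICARUS_ACCESS_COUNTRIES:
            f.add(3, "country matches the Icarus access profile")
        if event.get("client") == "api":
            f.add(3, "API client from anomalous geography (stolen integration credential pattern)")
    return f


def run(mails, logins, threshold=ALERT_THRESHOLD):
    findings = [triage_mail(m) for m in mails] + [triage_login(e) for e in logins]
    return [f for f in findings if f.score >= threshold]


# Constructed sample records, not real mail or tenant data.
SESSION_ID = "05" + "ab" * 32
SAMPLE_MAILS = [
    {"from": "ops@partner.example", "subject": "Q3 invoice",
     "body": "Attached is the invoice for September. Thanks."},
    {"from": "sales@robinskitchen.com.au", "subject": "Your Salesforce export",
     "body": "We hold your CRM data. Pay before the deadline or we publish it. "
             f"Contact us on Session: {SESSION_ID}"},
    {"from": "news@somewhere.com.au", "subject": "Spring sale",
     "body": "Our spring sale is on this weekend."},
]
SAMPLE_LOGINS = [
    {"user": "jdoe", "src_ip": "198.51.100.7", "country": "US", "client": "browser"},
    {"user": "klue-integration", "src_ip": "203.0.113.9", "country": "NL", "client": "api"},
]

if __name__ == "__main__":
    for f in run(SAMPLE_MAILS, SAMPLE_LOGINS):
        print(f.score, f.source, "; ".join(f.reasons))
```

The scoring is additive on purpose: a .com.au sender alone scores 3 and stays below the threshold, so a legitimate Australian retailer's newsletter does not page anyone, while the same TLD combined with extortion language and a Session handle does. Feed the real IOC list from the STIX feed into IOC_DOMAINS rather than hard-coding it.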


The Victim List Context


The organizations hit by Icarus via Klue are themselves significant security actors. Huntress is an MDR provider. HackerOne runs a vulnerability disclosure platform. Recorded Future is a threat intelligence company. Snyk is a developer security platform. These are not organizations with naive security postures.


The entry point, a compromised legacy credential for a SaaS integration service, never had to defeat those organizations' own technical controls. It came in through the trusted third-party relationship, not through their perimeters.


The IOCs are in the feed. If you are a LastPass, HackerOne, Huntress, Recorded Future, Tanium, Jamf, or Snyk customer and you want to know whether the Icarus actor cluster has appeared in your environment, the enrichment API will tell you:



GET https://analytics.dugganusa.com/api/v1/threat-intel/enrichment?indicator=baccarat.com.au
Authorization: Bearer your_key







The threat feed this post is built on

1.14M+ IOCs, STIX 2.1, precursor signals, supply-chain detection. Free API key in 30 seconds.

