MS-SQL Servers Under Persistent Threat by ICE Cloud Scanner

A sophisticated cyber threat actor, identified as Larva-26002, is relentlessly targeting inadequately secured Microsoft SQL (MS-SQL) servers. This time, they are deploying a novel malware known as ICE Cloud Client.

Ongoing Campaign and Evolution

Since January 2024, this campaign has persisted, evolving continually with each phase. Initially focused on ransomware attacks, the group has shifted towards extensive scanning of vulnerable database systems. The campaign has been active and adapting through 2026, consistently upgrading its tools.

In early 2024, Larva-26002 made its initial impact by deploying ransomware like Trigona and Mimic on MS-SQL servers with weak passwords. The attackers used the Bulk Copy Program (BCP), a legitimate MS-SQL feature, to transfer malware onto compromised systems.

Transition to Advanced Scanning Techniques

Alongside BCP, tools such as AnyDesk were installed to facilitate remote access, and port forwarding for RDP was enabled. By 2025, the group had incorporated Teramind, a remote monitoring tool, and transitioned to a Rust-based scanner.

In 2026, analysts identified a renewed attack wave where the same threat actor targeted previously compromised MS-SQL servers. This time, they employed ICE Cloud, a scanner malware written in Go, marking a shift from their 2025 Rust-based approach. The malware’s binary strings, written in Turkish, establish a connection to the 2024 Mimic ransomware attacks.

Implications and Prevention Measures

The campaign’s shift from ransomware to scanning poses significant concerns. By amassing compromised servers to probe for weak credentials, the attackers are potentially laying the groundwork for a larger operation. Data collected is sent to the attacker’s command and control (C&C) server, providing insight into exposed database assets globally.

The incursion begins when Larva-26002 identifies an exposed MS-SQL server with poor password protocols. After initial access through brute force or dictionary attacks, they execute system commands to assess the host and create malware using the BCP utility. This involves exporting a malicious binary to a local path, a tactic unchanged since 2024.

Defensive Strategies for Administrators

Database administrators need to ensure robust, complex passwords for all MS-SQL accounts, with regular updates to prevent unauthorized access. Servers exposed to the internet should be secured behind firewalls with restricted access. Maintaining updated endpoint security software is crucial to intercept known malware before it executes.

Monitoring for unusual BCP activity, unexpected files like api.exe in C:ProgramData, and unrecognized outbound connections can indicate potential compromises requiring immediate investigation.

Stay connected with us on Google News, LinkedIn, and X for the latest updates. Set CSN as a preferred source in Google for more insights.