{
	"id": "90d2bd18-5e7c-49c0-8e6e-144c4373e0e6",
	"created_at": "2026-04-06T00:10:22.320546Z",
	"updated_at": "2026-04-10T03:35:21.41242Z",
	"deleted_at": null,
	"sha1_hash": "94728098c4d10e32fc8427cee58e7152ab4811dc",
	"title": "MSSQL, meet Maggie",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 672117,
	"plain_text": "MSSQL, meet Maggie\r\nBy DCSO CyTec Blog\r\nPublished: 2022-11-08 · Archived: 2026-04-05 21:52:09 UTC\r\nOct 4, 2022\r\nHeatmap of Maggie backdoor user by country\r\nContinuing our monitoring of signed binaries, DCSO CyTec recently found a novel backdoor malware targeting Microsoft SQL servers.\r\nThe malware comes in the form of an “Extended Stored Procedure” DLL, a special type of extension used by Microsoft SQL servers. Once loaded into a server by an attacker, it is controlled solely using SQL queries and offers a variety of functionality to run commands, interact with files and function as a network bridgehead into the environment of the infected server.\r\nIn addition, the backdoor can bruteforce logins to other MSSQL servers and adds a special hardcoded backdoor user whenever it successfully bruteforces an admin login. Based on this finding, we identified over 250 servers affected worldwide, with a clear focus on the Asia-Pacific region.\r\nBased on artifacts found in the malware, DCSO CyTec calls this novel threat “Maggie”.\r\nhttps://medium.com/@DCSO_CyTec/mssql-meet-maggie-898773df3b01\r\nPage 1 of 8\n\nIn our follow-up post “Tracking down Maggie” we also provide practical tips on how to detect Maggie in your environment.\r\nBlog authored by Johann Aydinbas and Axel Wauer\r\nDiscovery\r\nWhile looking for new threats, a file caught our attention. Detected as APT_ShadowForce_Malware_ON_Nov17_1 by THOR, and with a matching AV detection by AhnLab-V3 as Trojan/Win.ShadowForce.R472810, we decided to take a closer look.\r\nTHOR detection on VirusTotal\r\nThe DLL file is signed by DEEPSoft Co., Ltd. on 2022-04-12. According to its export directory, the file calls itself sqlmaggieAntiVirus_64.dll and only offers a single export called maggie.\r\nDLL export in IDA\r\n
Extended Stored Procedures\r\nCloser inspection revealed this DLL to be an Extended Stored Procedure.\r\nExtended Stored Procedures are a way to offer extended functionality to SQL queries for use in an MSSQL server, similar to the infamous xp_cmdshell stored procedure, which allows SQL queries to run shell commands.\r\nESPs are ordinary DLL files that use a simple API. When executed, ESPs are passed a handle to the client connection which allows them to fetch user-supplied arguments (via srv_paramdata) and return unstructured data to the caller (via srv_sendmsg).\r\nMaggie utilizes this message-passing interface to implement a fully functional backdoor controlled only using SQL queries.\r\nIn order to install Maggie, an attacker has to be able to place an ESP file in a directory accessible by the MSSQL server, and has to have valid credentials to load the Maggie ESP into the server. It is unclear how an actual attack with Maggie is performed in the real world.\r\nAfter manually loading Maggie with\r\nsp_addextendedproc maggie, '\u003cpath to DLL\u003e';\r\nan authenticated user could start to issue commands to the backdoor via SQL queries, e.g. to call the whoami shell command:\r\n$ exec maggie 'Exec whoami';\r\nMSSQL Procedure 04/08/2022\r\nExecute Command: Exec whoami\r\nExecuting whoami Successfully\r\nnt service\\mssqlserver\r\n
Commands\r\nOnce installed, Maggie offers a variety of commands to query for system information, interact with files and folders, execute programs as well as various network-related functionality like enabling TermService, running a Socks5 proxy server or setting up port forwarding to make Maggie act as a bridgehead into the server’s network environment.\r\nThe full list of commands we have identified:\r\nList of commands available in Maggie\r\nCommands can take multiple arguments, separated by spaces. For some commands, Maggie even includes usage instructions:\r\nUsage instructions for SqlScan command\r\n
Maggie as a network bridgehead\r\nMaggie contains functionality for simple TCP redirection, allowing it to function as a network bridgehead from the Internet to any IP address reachable by the infected MSSQL server.\r\nWhen enabled, Maggie redirects any incoming connection (on any port the MSSQL server is listening on) to a previously set IP and port, if the source IP address matches a user-specified IP mask. The implementation enables port reuse, making the redirection transparent to authorized users, while any other connecting IP can use the server without interference or any indication that Maggie is present.\r\nFor this to work, StartHook instructs Maggie to install network API hooks for the following functions:\r\naccept\r\nAcceptEx\r\nWSAAccept\r\nsetsockopt\r\nCreateIoCompletionPort\r\nallowing Maggie to intercept connections before they reach the underlying services.\r\nThe redirection setup can be controlled using the SetClientData command with\r\nSetClientData \u003callowed IP mask\u003e \u003cdestination IP\u003e \u003cdestination port\u003e\r\nin order to enable redirection for the given IP mask (which can end with a ‘*’ wildcard) to the specified IP and port.\r\nOnce finished, an attacker can disable IP redirection again using StopHook.\r\nIn addition, Maggie contains SOCKS5 proxy functionality for more complex network operations.\r\nDebug messages for SOCKS5 functionality\r\n
The unknown Exploit commands\r\nMaggie’s command list includes four commands that suggest exploit usage:\r\nExploit AddUser\r\nExploit Run\r\nExploit Clone\r\nExploit TS\r\nIt appears that the actual implementation of all four exploit commands depends on a DLL not included with Maggie directly. Instead, the caller provides a DLL name as well as an additional parameter when calling each function. We therefore assume the caller manually uploads the exploit DLL prior to issuing any exploit commands.\r\nMaggie would then load the user-specified DLL, look for an export named either StartPrinter or ProcessCommand (depending on the exact command used) and pass the user-supplied argument.\r\nWe were not able to dig up any potential candidate DLLs Maggie might be referencing during our research, so it’s unclear what specific exploit may be utilized here.\r\n
SQL bruteforcing and the curious Maggie backdoor user\r\nMaggie’s command set also includes two commands that allow it to bruteforce logins to other MSSQL servers:\r\nSqlScan\r\nWinSockScan\r\nTo start a bruteforce scan, the controller would have to specify a host, user and password list file previously uploaded to the infected server, as well as an optional thread count. Maggie then creates every combination of (host, user, pass) and attempts to log in via SQL using ODBC, or, in the case of WinSockScan, via a reimplementation that uses only basic socket functions.\r\nSuccessful logins are written to a hardcoded log file, which can be in one of two locations:\r\nC:\\ProgramData\\success.dat\r\n\u003cMAGGIE_LOCATION\u003e\\success.dat\r\nMaggie then tries to determine if the bruteforced login has admin rights. If it has successfully bruteforced an admin user, Maggie proceeds to add a hardcoded backdoor user.\r\nBased on this finding, DCSO CyTec conducted a scan on publicly reachable MSSQL servers in order to determine how prevalent the identified backdoor user is.\r\nOut of approximately 600,000 scanned servers worldwide, we identified 285 servers infected with Maggie’s backdoor user, spread over 42 countries.\r\nHeatmap of backdoor user by country\r\nThe distribution shows a clear focus on the Asia-Pacific region, with South Korea, India and Vietnam as the top three, followed by China and Taiwan in fourth and fifth place. Other countries appear to be incidental.\r\nPrevalence of backdoor user by country\r\nA logical next step would be to see if and how the affected servers are being utilized, which, however, goes beyond the scope of our analysis.\r\n
IoCs\r\nAs usual, you can find the IoCs below in the form of a MISP event on our GitHub.\r\nMaggie ESP DLLs\r\nRAR SFX with Maggie\r\nITW URLs\r\nHardcoded User-Agent\r\nMozilla/4.0 (compatible)\r\nFile paths\r\nC:\\ProgramData\\Success.dat\r\nSuccess.dat\r\nFailure.dat\r\nAccessControl.Dat\r\nMITRE ATT\u0026CK\r\nT1110 Brute Force\r\nT1090 Connection Proxy\r\nSource: https://medium.com/@DCSO_CyTec/mssql-meet-maggie-898773df3b01",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://medium.com/@DCSO_CyTec/mssql-meet-maggie-898773df3b01"
	],
	"report_names": [
		"mssql-meet-maggie-898773df3b01"
	],
	"threat_actors": [
		{
			"id": "2864e40a-f233-4618-ac61-b03760a41cbb",
			"created_at": "2023-12-01T02:02:34.272108Z",
			"updated_at": "2026-04-10T02:00:04.97558Z",
			"deleted_at": null,
			"main_name": "WildCard",
			"aliases": [],
			"source_name": "ETDA:WildCard",
			"tools": [
				"RustDown",
				"SysJoker"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "256a6a2d-e8a2-4497-b399-628a7fad4b3e",
			"created_at": "2023-11-30T02:00:07.299845Z",
			"updated_at": "2026-04-10T02:00:03.484788Z",
			"deleted_at": null,
			"main_name": "WildCard",
			"aliases": [],
			"source_name": "MISPGALAXY:WildCard",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434222,
	"ts_updated_at": 1775792121,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/94728098c4d10e32fc8427cee58e7152ab4811dc.pdf",
		"text": "https://archive.orkl.eu/94728098c4d10e32fc8427cee58e7152ab4811dc.txt",
		"img": "https://archive.orkl.eu/94728098c4d10e32fc8427cee58e7152ab4811dc.jpg"
	}
}