Statistics Report on Malware Targeting Windows Database Servers in Q2 2025


Overview

The AhnLab SEcurity intelligence Center (ASEC) analysis team uses the AhnLab Smart Defense (ASD) infrastructure to categorize and respond to attacks targeting Windows-based MS-SQL and MySQL servers. This report covers the MS-SQL and MySQL servers that became attack targets in Q2 2025, based on the ASD logs collected during the quarter, and presents statistics on the attacks launched against those servers. It also categorizes the malware used in each attack and summarizes the statistical details.


Statistics

1. Status of Attacks on Windows Database Servers

The following statistics are based on the ASD logs for attacks targeting MS-SQL servers confirmed during the second quarter of 2025. While the number of targeted systems has remained relatively stable, the total number of attacks has declined steadily in recent months.

Figure 1. Attacks against MS-SQL servers in Q2 2025


The following statistics are based on the ASD logs for attacks targeting MySQL servers confirmed during the second quarter of 2025. Overall, the number of attack logs has remained relatively consistent, but activity spiked noticeably in June 2025.

Figure 2. Attacks against MySQL servers in Q2 2025


The “Damage status” indicates the number of systems that became targets of malware or threat actors, that is, systems where the database server was confirmed to have been compromised and used to install malware. Attacks on these servers include exploitation of vulnerabilities in environments that lack the necessary security patches, attacks on misconfigured environments, and attacks on poorly managed servers. Poorly managed environments include those that use weak account credentials, which are exposed to brute-force and dictionary attacks. If a login on such a system succeeds, the malware or threat actor gains control over it.


The “Attack status” shows the number of times threat actors or malware attacked a system. For reference, vulnerable database servers generally become targets of multiple threat actors and malware families at once, so they tend to show infection logs from a variety of malware simultaneously.
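The brute-force path described above can be checked for in a server's own login audit trail. The Python below is an added example, not ASEC's methodology or code: it counts bursts of failed logins from one client against one server (the "attack" side) and flags a server where a burst is followed by a successful login from the same client (the "damage" side). The log lines are constructed, and their format, the field names and the thresholds are assumptions. For MS-SQL the messages mirror Windows Application-log Event IDs 18456 (login failed) and 18454 (login succeeded); note that SQL Server's default audit level records failed logins only, so successes appear only if login auditing is set to log both. The MySQL line mirrors the "Access denied" warning in the MySQL error log.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Tuning knobs (assumed values for this example, not taken from the report).
FAIL_THRESHOLD = 5                      # failures from one client to one host ...
WINDOW = timedelta(seconds=60)          # ... within this window count as one burst
SUCCESS_GRACE = timedelta(minutes=10)   # success this soon after a burst = likely compromise

# Line formats are assumptions. MS-SQL lines mirror Event ID 18456/18454 messages;
# the MySQL line mirrors the "Access denied" warning written to the error log.
MSSQL_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<eid>\d+) msg=Login "
    r"(?P<result>failed|succeeded) for user '(?P<user>[^']+)'.*\[CLIENT: (?P<client>[\d.]+)\]"
)
MYSQL_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) mysql: .*Access denied for user "
    r"'(?P<user>[^']+)'@'(?P<client>[\d.]+)'"
)

# Constructed sample log (not ASD data).
SAMPLE_LOG = """\
2025-06-12T03:10:01 host=DB01 event=18456 msg=Login failed for user 'sa'. [CLIENT: 198.51.100.7]
2025-06-12T03:10:02 host=DB01 event=18456 msg=Login failed for user 'sa'. [CLIENT: 198.51.100.7]
2025-06-12T03:10:02 host=DB01 event=18456 msg=Login failed for user 'sa'. [CLIENT: 198.51.100.7]
2025-06-12T03:10:03 host=DB01 event=18456 msg=Login failed for user 'sa'. [CLIENT: 198.51.100.7]
2025-06-12T03:10:04 host=DB01 event=18456 msg=Login failed for user 'sa'. [CLIENT: 198.51.100.7]
2025-06-12T03:10:05 host=DB01 event=18454 msg=Login succeeded for user 'sa'. [CLIENT: 198.51.100.7]
2025-06-12T03:12:00 host=DB01 event=18456 msg=Login failed for user 'admin'. [CLIENT: 203.0.113.9]
2025-06-12T03:12:01 host=DB01 event=18456 msg=Login failed for user 'admin'. [CLIENT: 203.0.113.9]
2025-06-12T03:12:01 host=DB01 event=18456 msg=Login failed for user 'admin'. [CLIENT: 203.0.113.9]
2025-06-12T03:12:02 host=DB01 event=18456 msg=Login failed for user 'admin'. [CLIENT: 203.0.113.9]
2025-06-12T03:12:02 host=DB01 event=18456 msg=Login failed for user 'admin'. [CLIENT: 203.0.113.9]
2025-06-12T09:00:00 host=DB02 event=18456 msg=Login failed for user 'sa'. [CLIENT: 192.0.2.44]
2025-06-12T09:00:01 host=DB02 event=18456 msg=Login failed for user 'sa'. [CLIENT: 192.0.2.44]
2025-06-12T11:00:00 host=DB02 event=18456 msg=Login failed for user 'sa'. [CLIENT: 192.0.2.44]
2025-06-12T11:00:01 host=DB02 event=18456 msg=Login failed for user 'sa'. [CLIENT: 192.0.2.44]
2025-06-12T11:00:02 host=DB02 event=18456 msg=Login failed for user 'sa'. [CLIENT: 192.0.2.44]
2025-06-12T11:00:05 host=DB02 event=18454 msg=Login succeeded for user 'backup'. [CLIENT: 10.0.0.5]
2025-06-12T14:00:00 host=DB03 mysql: [Warning] Access denied for user 'root'@'192.0.2.44' (using password: YES)
2025-06-12T14:00:01 host=DB03 mysql: [Warning] Access denied for user 'root'@'192.0.2.44' (using password: YES)
2025-06-12T14:00:01 host=DB03 mysql: [Warning] Access denied for user 'root'@'192.0.2.44' (using password: YES)
2025-06-12T14:00:02 host=DB03 mysql: [Warning] Access denied for user 'root'@'192.0.2.44' (using password: YES)
2025-06-12T14:00:03 host=DB03 mysql: [Warning] Access denied for user 'root'@'192.0.2.44' (using password: YES)
"""


def parse_line(line):
    """Return (timestamp, host, client, user, succeeded) or None for unrelated lines."""
    m = MSSQL_RE.match(line)
    if m:
        return (datetime.fromisoformat(m["ts"]), m["host"], m["client"],
                m["user"], m["result"] == "succeeded")
    m = MYSQL_RE.match(line)
    if m:   # MySQL "Access denied" is always a failure
        return (datetime.fromisoformat(m["ts"]), m["host"], m["client"], m["user"], False)
    return None


def analyse(log_text):
    """Count brute-force bursts per host ('attacks') and flag hosts where a burst
    was followed by a successful login from the same client ('damaged')."""
    events = sorted(e for e in map(parse_line, log_text.splitlines()) if e)
    recent = defaultdict(deque)   # (host, client) -> timestamps of recent failures
    last_burst = {}               # (host, client) -> time the last burst completed
    attacks = defaultdict(int)
    damaged = set()
    for ts, host, client, _user, ok in events:
        key = (host, client)
        if ok:
            burst_at = last_burst.get(key)
            if burst_at is not None and ts - burst_at <= SUCCESS_GRACE:
                damaged.add(host)   # guessed password followed by a real login
            continue
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > WINDOW:   # drop failures outside the window
            q.popleft()
        if len(q) >= FAIL_THRESHOLD:
            attacks[host] += 1
            last_burst[key] = ts
            q.clear()                     # count each burst once
    return {"attacks": dict(attacks), "damaged": damaged}


if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

On the sample data DB01 shows two bursts (from two clients) and one success right after the first burst, so it is counted under both statuses; DB02 has failures spread across hours that never reach the threshold, and its later success from an unrelated client is not flagged; DB03 shows one MySQL burst with no success. A success from a client that never produced a burst is deliberately ignored, since a legitimate administrator logging in is not evidence of compromise.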


IOC

MD5

2cd59cff23a2e0f98e710bf52b799154
33096e0bc0785ffb2094054bebb9be26
3ee3a5fef87b72a024bd0f45e6f6039f
454ff880e99d5777276bdee1a3e078d9
9d098864bc5746b9ff00432686d59b9f

URL

http[:]//39[.]108[.]132[.]22[:]8080/ceshi[.]exe
http[:]//star[.]zcnet[.]net[:]7766/Server[.]exe

FQDN

star[.]zcnet[.]net
yyinfo8999[.]fit

IP

103[.]101[.]178[.]170
154[.]204[.]177[.]54
154[.]222[.]24[.]186
39[.]108[.]132[.]22
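The indicators above are defanged ([.] and [:]) so they cannot be clicked or resolved by accident; to hunt with them they must be refanged and compared against tokens in your own logs. The Python below is an added example, not code from ASEC or the report: it refangs the list, builds a lookup set per indicator type, and scans a few constructed proxy, DNS, firewall and EDR style lines whose formats are assumed, reporting which indicator matched on which line.

```python
import re

# Defanged indicators exactly as listed in this report.
RAW_IOCS = {
    "md5": [
        "2cd59cff23a2e0f98e710bf52b799154",
        "33096e0bc0785ffb2094054bebb9be26",
        "3ee3a5fef87b72a024bd0f45e6f6039f",
        "454ff880e99d5777276bdee1a3e078d9",
        "9d098864bc5746b9ff00432686d59b9f",
    ],
    "url": [
        "http[:]//39[.]108[.]132[.]22[:]8080/ceshi[.]exe",
        "http[:]//star[.]zcnet[.]net[:]7766/Server[.]exe",
    ],
    "fqdn": ["star[.]zcnet[.]net", "yyinfo8999[.]fit"],
    "ip": ["103[.]101[.]178[.]170", "154[.]204[.]177[.]54",
           "154[.]222[.]24[.]186", "39[.]108[.]132[.]22"],
}


def refang(value):
    """Undo the usual defanging conventions ([.], [:], hxxp) so a value can be compared."""
    return (value.replace("[.]", ".").replace("[:]", ":")
                 .replace("hxxps://", "https://").replace("hxxp://", "http://"))


def build_iocs(raw):
    """Refanged, lower-cased lookup sets per indicator type."""
    return {kind: {refang(v).lower() for v in values} for kind, values in raw.items()}


IOCS = build_iocs(RAW_IOCS)

# Token extractors. Hostnames are taken as whole tokens, so a parent domain
# such as "zcnet.net" alone does not fire; URLs are matched as substrings.
HEX32 = re.compile(r"\b[0-9a-f]{32}\b", re.I)
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST = re.compile(r"\b[a-z0-9][a-z0-9.-]*\.[a-z]{2,}\b", re.I)


def scan_line(line, iocs=IOCS):
    """Return the sorted list of (kind, indicator) pairs found in one log line."""
    low = line.lower()
    hits = set()
    hits.update(("md5", h.lower()) for h in HEX32.findall(line) if h.lower() in iocs["md5"])
    hits.update(("ip", ip) for ip in IPV4.findall(line) if ip in iocs["ip"])
    hits.update(("fqdn", h.lower()) for h in HOST.findall(line) if h.lower() in iocs["fqdn"])
    hits.update(("url", u) for u in iocs["url"] if u in low)
    return sorted(hits)


def scan(lines, iocs=IOCS):
    """Map line index -> hits, only for lines that matched at least one indicator."""
    result = {}
    for i, line in enumerate(lines):
        hits = scan_line(line, iocs)
        if hits:
            result[i] = hits
    return result


# Constructed sample lines (formats are assumed; not real logs).
SAMPLE_LINES = [
    "2025-06-03 10:01:12 proxy src=10.10.4.21 GET http://39.108.132.22:8080/ceshi.exe 200",
    "2025-06-03 10:01:15 dns client=10.10.4.21 query=star.zcnet.net type=A",
    "2025-06-03 10:02:40 fw action=allow src=10.10.4.21 dst=154.222.24.186 dport=443",
    "2025-06-03 10:03:01 edr host=DB01 file=C:\\Windows\\Temp\\svc.exe md5=3EE3A5FEF87B72A024BD0F45E6F6039F",
    "2025-06-03 10:04:00 proxy src=10.10.4.22 GET http://example.com/index.html 200",
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_LINES).items():
        print(idx, hits)
```

The proxy line matches twice, once as the full URL and once as the bare IP, which is useful because the same host may later serve a different path. Hashes are compared case-insensitively since EDR products differ in the case they emit; the benign last line produces no hit.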