Statistics Report on Malware Targeting Windows Database Servers in Q3 2025
AhnLab SEcurity intelligence Center (ASEC) utilizes the AhnLab Smart Defense (ASD) to categorize and respond to attacks targeting Windows-based MS-SQL and MySQL servers. This report will cover the current state of damage to MS-SQL and MySQL servers that became attack targets based on the logs discovered in the third quarter of 2025, and also discuss statistics on the attacks launched against said servers. Furthermore, malware used in each attack will be categorized with a summary of the statistical details.
1. Status of Attacks On Windows Database Servers
The following are statistics on attacks targeting MS-SQL servers in the third quarter of 2025, as observed through AhnLab Smart Defense (ASD) logs. The number of systems being targeted and the attack volume are both decreasing.

Figure 1. The status of attacks targeting MS-SQL Server in the 3rd quarter of 2025
The types of malware used in the attacks are mostly CLRShell, which is exploited to execute the threat actor’s commands, and Potato-type malware, which is responsible for privilege escalation. However, there are also cases where CoinMiner is used to hijack the resources of infected systems for cryptocurrency mining, and Proxyware is used to share a portion of the available Internet bandwidth externally for profit. There are also cases where backdoors such as Gh0stRAT, CobaltStrike, and Meterpreter are installed to take control of infected systems. Recently, there have been cases where legitimate remote control applications such as AnyDesk and RustDesk were installed in addition to these backdoors.
2. Attacks in Q3 of 2025
In the third quarter of 2025, ASEC covered an attack case in which XiebroC2 was used against an MS-SQL server. XiebroC2 is an open-source C2 framework that, like CobaltStrike, supports features such as data collection, remote control, and defense evasion.
The affected system was exposed externally and is suspected of using weak credentials. Various malware installation attempts were confirmed on this system, and as in other attacks on MS-SQL servers, most of the malware found was coin miners.
After successfully logging in with the SA account, the threat actor installed JuicyPotato. Even when the processes that make up the MS-SQL service can be made to execute the threat actor’s commands through vulnerabilities or inappropriate configurations, those processes run with low privileges by default, so malware executed with their permissions is limited in the additional malicious actions it can perform. Accordingly, threat actors often use Potato malware. This type of malware escalates privileges by exploiting specific token privileges held by the account of a running process.
After installing JuicyPotato, the threat actor used PowerShell to download XiebroC2.

Figure 2. MS-SQL service downloading XiebroC2
XiebroC2 is a C2 framework similar to CobaltStrike, and its source code is publicly available. The Implant, which is responsible for the actual backdoor features, is written in Go and supports multiple platforms, including Windows, Linux, and macOS. Threat actors can use XiebroC2 installed on infected systems to access features such as reverse shells, file and process management, remote control and reverse proxy, network monitoring, and screenshots.

Figure 3. XiebroC2 panel (GitHub)
XiebroC2 contains the following form of configuration information. After execution, it can collect information such as PID, HWID, computer name, and user name, and then connect to the C&C server to execute commands from the threat actor.
- HostPort = “1.94.185[.]235:8433”
- Protocol = “Session/Reverse_Ws”
- ListenerName = “test2”
- AesKey = “QWERt_CSDMAHUATW”
※ For more information, please refer to the attachment.
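As an added example that is not part of the ASEC report, the following Python routine pulls this key = "value" configuration out of a memory dump or unpacked implant and defangs the C&C host for an indicator list. The sample blob is constructed here (a TEST-NET host and a placeholder key rather than real indicators), and the assumption that the config is stored as plain text in the form shown above is the example's, not the report's.

```python
import re
from typing import Dict, Optional

# Keys of the XiebroC2 configuration block listed in the report.
CONFIG_KEYS = ("HostPort", "Protocol", "ListenerName", "AesKey")

# Key = "value" pairs with a straight or curly opening quote; the value runs until a
# closing quote, NUL or line break. Plain-text storage in this shape is an assumption.
_CONFIG_RE = re.compile(
    r'(?P<key>HostPort|Protocol|ListenerName|AesKey)\s*=\s*["\u201c]'
    r'(?P<val>[^"\u201d\x00\r\n]*)'
)

# Constructed stand-in for a dumped implant: config strings between junk bytes.
# The host is from the TEST-NET range and the key is a placeholder, not real IoCs.
SAMPLE_BLOB = (
    b"\x00\x00junk\x00" + b"\x90" * 8
    + b'HostPort = "192.0.2.10:8433"\x00'
    + b'Protocol = "Session/Reverse_Ws"\x00'
    + b'ListenerName = "test2"\x00'
    + b'AesKey = "EXAMPLE_KEY_16CH"\x00'
    + b"\xff\xfe trailing bytes"
)

def extract_config(blob: bytes) -> Dict[str, str]:
    """Return the first value seen for each XiebroC2 config key in the blob."""
    text = blob.decode("utf-8", errors="ignore")  # drop undecodable junk bytes
    found: Dict[str, str] = {}
    for m in _CONFIG_RE.finditer(text):
        found.setdefault(m.group("key"), m.group("val").strip())
    return found

def defang_hostport(hostport: str) -> str:
    """Defang the last dot of the host (1.2.3.4:8433 -> 1.2.3[.]4:8433), as in the report."""
    host, sep, port = hostport.rpartition(":")
    if not sep:  # no port present
        host, port = hostport, ""
    if "[.]" not in host and "." in host:
        left, right = host.rsplit(".", 1)
        host = f"{left}[.]{right}"
    return f"{host}:{port}" if port else host

def summarize(blob: bytes) -> Optional[Dict[str, str]]:
    """Extract the config with a defanged C&C host, or None if no HostPort was found."""
    cfg = extract_config(blob)
    if "HostPort" not in cfg:
        return None
    cfg["HostPort"] = defang_hostport(cfg["HostPort"])
    return cfg
```

Run against a real dump, the defanged HostPort and the ListenerName are the values worth matching against proxy and firewall logs.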