Statistics Report on Malware Targeting Windows Database Servers in Q1 2026
Description.
Analysis of ASEC's ASD logs for Q1 2026 showed a consistent trend of attacks against MS-SQL and MySQL. The number of attacks decreased temporarily in February before increasing again in March.
Purpose and Scope.
This report summarizes, based on ASD logs for the first quarter of 2026, the statistics of attacks targeting MS-SQL and MySQL servers installed on Windows and the malware used in them.
Key statistics.
- In Q1 2026, among the attacks targeting MS-SQL servers, we observed a case of the Larva-26002 threat actor installing the ICE Cloud scanner. The Larva-26002 threat actor has previously distributed the Trigona and Mimic ransomware, and has since seized control of infected systems and installed scanners. In the latest confirmed attack, the scanner malware ICE Cloud Client, written in Go, is being used.
- As in previous cases, the threat actor attacked a mismanaged MS-SQL server and abused BCP to write the malware to disk. The final installation of the scanner malware is the same as before, except that it now uses a recently written Go scanner named ICE Cloud. The strings used in ICE Cloud are Turkish, a language also known to have been used by the threat actor in the earlier Mimic ransomware attack.
Conclusion.
The main attack techniques are brute force and dictionary attacks, and the exploitation of unpatched servers and accounts misconfigured through improper account management. Recommendations include making account passwords difficult to guess and changing them regularly. Database servers should be kept up to date with the latest patches, and services exposed to the public should be access-controlled with firewalls. Reduce the attack surface by minimizing unnecessary extensions and remote command execution capabilities.
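The following T-SQL script is an added example (not part of the ASEC report) of how to act on the last two recommendations on an MS-SQL server: it audits the surface-area options that give a database login OS command execution, disables xp_cmdshell (the extended procedure through which command-line tools such as BCP are normally invoked from a compromised server), and pulls failed-login entries from the error log to spot brute-force attempts. It assumes sysadmin rights on a supported SQL Server instance; the option names and procedures used are standard SQL Server features.

```sql
-- Added example, not from the original report. Assumes sysadmin rights.

-- 1. Audit: show the current state of the remote-execution related options.
--    value_in_use is the running value; 1 means enabled.
SELECT name, CAST(value_in_use AS int) AS in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell',
               'Ole Automation Procedures',
               'clr enabled',
               'remote access');

-- 2. Harden: disable OS command execution and COM automation from T-SQL
--    unless a documented job requires them. These are advanced options,
--    so 'show advanced options' must be on while they are changed.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
EXEC sp_configure 'Ole Automation Procedures', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;

-- 3. Detect: list failed logins recorded in the current SQL Server error
--    log (log 0, type 1 = SQL Server log). A burst of failures against the
--    same login, typically 'sa', is the brute-force / dictionary pattern
--    described in the conclusion.
EXEC xp_readerrorlog 0, 1, N'Login failed';
```

Failed-login rows only appear if login auditing is set to record failed logins (the server default), so confirm that setting on the instance before relying on step 3.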