PULSE NAME
Attack case against MS-SQL server installing ICE Cloud scanner (Larva-26002)
WHITE Larva-26002 PetrP.73 2026-03-23 Modified: 2026-03-23
The Larva-26002 threat actor has been actively targeting mismanaged MS-SQL servers, exploiting vulnerabilities associated with the Bulk Copy Program (BCP) utility. The group is known for deploying several ransomware strains, including Trigona and Mimic, and has evolved its tactics and tools over time. In 2026, it notably adopted ICE Cloud Client, a scanner written in Go that is designed to facilitate further malicious activity.
Indicators of Compromise (10)