PULSE NAME: Q1 2026 Malware Statistics Report for Windows Database Servers
TLP: WHITE | Adversary: Larva-26002 | Author: AlienVault | Created: 2026-04-14 | Modified: 2026-04-14
13 IOCs | MEDIUM VOLUME
During the first quarter of 2026, Windows-based MS-SQL and MySQL database servers were attacked at a consistent rate, with a temporary decrease in February before activity rose again in March. The primary threat actor, Larva-26002, used utilities including BCP, curl, bitsadmin, and PowerShell to deploy a Go-based scanner called ICE Cloud, which contains Turkish-language strings and performs scanning under C&C direction. The tool attempted MS-SQL authentication using a predefined list of credentials. The attacks relied primarily on brute-force and dictionary attacks against credentials, and on unpatched systems whose accounts were misconfigured as a result of inadequate account management.
MITRE ATT&CK & Malware Families
ATT&CK TECHNIQUES:
MALWARE FAMILIES: ICE Cloud, Gh0stRAT, CLRShell, CoinMiner, LoveMiner, MyKings, Shadowforce, JuicyPotato, Netcat
Indicators of Compromise (5 / 13 total)
Indicator types in this pulse: FileHash-MD5, FileHash-SHA1, FileHash-SHA256, IPv4, domain
TYPE | INDICATOR | DESCRIPTION | CREATED
FileHash-MD5 0a9f2e2ff98e9f19428da79680e80b77 2026-04-14
FileHash-MD5 28847cb6859b8239f59cbf2b8f194770 2026-04-14
FileHash-MD5 5200410ec674184707b731b697154522 2026-04-14
FileHash-MD5 7fbbf16256c7c89d952fee47b70ea759 2026-04-14
FileHash-MD5 89bf428b2d9214a66e2ea78623e8b5c9 2026-04-14