{
  "name": "Q1 2026 Malware Statistics Report for Windows Database Servers",
  "slug": "q1-2026-malware-statistics-report-for-windows-database-servers",
  "description": "During the first quarter of 2026, Windows-based MS-SQL and MySQL database servers were attacked consistently, with activity decreasing temporarily in February before rising again in March. The primary threat actor, Larva-26002, used utilities including BCP, curl, bitsadmin, and PowerShell to deploy ICE Cloud, a Go-based scanner that contained Turkish-language strings and C&C-based scanning capabilities. The scanner attempted MS-SQL authentication using predefined credentials. Attack methods consisted primarily of brute-force attacks, dictionary attacks, and exploitation of unpatched systems with misconfigured accounts stemming from inadequate account management practices.",
  "published": "2026-04-14T08:54:02.322000+00:00",
  "created_at": "2026-04-14T09:51:55.326000+00:00",
  "modified_at": "2026-04-14T07:51:55+00:00",
  "created_at_opencti": "2026-04-14T09:51:55.326000+00:00",
  "author": "AlienVault",
  "confidence": 100,
  "report_types": [
    "threat-report"
  ],
  "labels": [
    "brute force",
    "clrshell",
    "coinminer",
    "credential stuffing",
    "database servers",
    "dictionary attack",
    "gh0strat",
    "ice cloud",
    "juicypotato",
    "loveminer",
    "ms-sql",
    "mykings",
    "mysql",
    "netcat",
    "scanner",
    "shadowforce"
  ],
  "tags": [
    "2026-04-14",
    "brute-force",
    "clrshell",
    "coinminer",
    "credential stuffing",
    "database servers",
    "dictionary attack",
    "gh0strat",
    "ice cloud",
    "juicypotato",
    "loveminer",
    "ms-sql",
    "mykings",
    "mysql",
    "netcat",
    "scanner",
    "shadowforce"
  ],
  "related_entities": {
    "indicators": [
      {
        "id": "00531fbf-c698-485a-b7eb-4b8c904cbf35",
        "name": "6130a96f19ab4e3af5dfaf16fef8d8c176d9cc508b0422032ef4c18a4b65ef19"
      },
      {
        "id": "2692bd92-ba59-4a62-a491-e2493345d3f6",
        "name": "hostroids.com"
      },
      {
        "id": "73e6bfd0-38f8-4741-bd6c-e07a4b6c24c2",
        "name": "109.205.211.13"
      },
      {
        "id": "1d6d24da-ec80-49bd-86d0-4c69cdd89365",
        "name": "9084885412af5ae242082869ebb204bcc855db4216bda0b399d06097d193aab9"
      },
      {
        "id": "fddbd848-1624-4b13-9c0a-ad901ecde97d",
        "name": "7ac9ea9f9d9a25c73d3267e7466cb0643f4e981bda36013ee9264feebe38b51c"
      }
    ],
    "intrusion_sets": [
      {
        "id": "2980d1d1-7cce-4a6e-9036-5c919bfc2f8c",
        "name": "Larva-26002",
        "slug": "larva-26002"
      }
    ],
    "attack_patterns": [
      {
        "id": "74d6e294-54d1-4a21-9dfc-df5870f8ec8e",
        "name": "T1003"
      },
      {
        "id": "52279b3d-8158-4964-8c20-9094308fcd03",
        "name": "T1110.001"
      },
      {
        "id": "9f11a241-9abc-4c57-95dd-33955ab08826",
        "name": "T1078"
      },
      {
        "id": "444de5e0-bd7f-4700-b700-26320057dd80",
        "name": "T1110"
      },
      {
        "id": "6b5f1e68-aec7-4ea0-9777-62156da790a7",
        "name": "T1069"
      },
      {
        "id": "c9ee9b30-ba84-4c24-95e9-e8242d42af3f",
        "name": "T1071.001"
      },
      {
        "id": "32b33067-6566-4b8d-be80-e96f765d84de",
        "name": "T1059.001"
      },
      {
        "id": "29398669-98ed-4766-9dac-f9632f7175ff",
        "name": "T1518"
      },
      {
        "id": "8274b87e-d4ac-4116-9201-a65baf788e63",
        "name": "T1110.002"
      },
      {
        "id": "6c8f8a40-2746-4a37-86bd-81e82afa6e62",
        "name": "T1190"
      },
      {
        "id": "cbd87c8c-3bed-461a-acef-56ffc8b87571",
        "name": "T1105"
      },
      {
        "id": "41ad5d62-aa6a-47d6-a9a9-fb2209601099",
        "name": "T1098"
      },
      {
        "id": "53c193a7-f726-4bd2-ae88-4019e2604adf",
        "name": "T1046"
      },
      {
        "id": "19ce62bb-3faf-4d09-90b1-d82fce1ba8b0",
        "name": "T1136"
      },
      {
        "id": "5b7c66d1-0466-4ba7-af6f-eb82c2f9d05b",
        "name": "T1033"
      },
      {
        "id": "195d9773-4de3-4f61-b94d-a2b53cb65608",
        "name": "T1021.001"
      },
      {
        "id": "45082a8e-9c79-470e-ad1b-decac7188e8f",
        "name": "T1083"
      },
      {
        "id": "70616b2f-4019-4963-b758-5d9f6f20e201",
        "name": "T1082"
      }
    ],
    "malware": [
      {
        "id": "4d63517d-a89b-49ca-a7e1-436534107d42",
        "name": "JuicyPotato",
        "slug": "juicypotato"
      },
      {
        "id": "936ec9c4-eac8-4c01-852e-9e2838eb9fdc",
        "name": "Gh0stRAT",
        "slug": "gh0strat"
      },
      {
        "id": "18a769c5-e003-4a57-8963-6df38f93ac04",
        "name": "Shadowforce",
        "slug": "shadowforce"
      },
      {
        "id": "31e0a94f-165b-4e4d-8d16-d9aee976e5b0",
        "name": "LoveMiner",
        "slug": "loveminer"
      },
      {
        "id": "bdec6ece-3838-4f4d-a58f-fea2b5989241",
        "name": "CoinMiner",
        "slug": "coinminer"
      },
      {
        "id": "d02237b5-9300-4604-9b8c-50d461031bf9",
        "name": "MyKings",
        "slug": "mykings"
      },
      {
        "id": "5424c047-3ff7-4260-b08f-8de7c01c5561",
        "name": "Netcat",
        "slug": "netcat"
      },
      {
        "id": "76c5d00c-05d8-41d4-9dc7-faf17a129f66",
        "name": "ICE Cloud",
        "slug": "ice-cloud"
      },
      {
        "id": "3409b27d-46d2-4407-b169-9820dc10fd52",
        "name": "CLRShell",
        "slug": "clrshell"
      }
    ],
    "observables": [
      {
        "id": "73d412c8-d2a8-4b98-92f9-db196ed58513",
        "name": "hostroids.com"
      },
      {
        "id": "e8ddc256-fdae-4fa6-a4c3-f4900298bf73",
        "name": "109.205.211.13"
      },
      {
        "id": "",
        "name": "6130a96f19ab4e3af5dfaf16fef8d8c176d9cc508b0422032ef4c18a4b65ef19"
      },
      {
        "id": "",
        "name": "9084885412af5ae242082869ebb204bcc855db4216bda0b399d06097d193aab9"
      },
      {
        "id": "",
        "name": "7ac9ea9f9d9a25c73d3267e7466cb0643f4e981bda36013ee9264feebe38b51c"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "hostroids.com"
      }
    ]
  },
  "external_refs": [
    {
      "id": "fa28025c-b2ef-4853-b231-c6fdc7978bb4",
      "standard_id": "external-reference--6d12eae3-3730-5749-91af-fcf1c1c32adc",
      "entity_type": "External-Reference",
      "source_name": "AlienVault",
      "description": null,
      "url": "https://asec.ahnlab.com/en/93333/",
      "hash": null,
      "external_id": null,
      "created": "2026-04-14T09:51:52.198Z",
      "modified": "2026-04-14T09:51:52.198Z",
      "createdById": null
    },
    {
      "id": "69bcea4d-b230-4fbb-81da-1ce0a0bfa587",
      "standard_id": "external-reference--d2d6ed11-2cc2-53a6-84b9-851563d79a96",
      "entity_type": "External-Reference",
      "source_name": "AlienVault",
      "description": null,
      "url": "https://otx.alienvault.com/pulse/69de00aae91f11a6bf2fbe68",
      "hash": null,
      "external_id": "69de00aae91f11a6bf2fbe68",
      "created": "2026-04-14T09:51:52.154Z",
      "modified": "2026-04-14T09:51:52.154Z",
      "createdById": null
    }
  ]
}