ICE Cloud Launcher execution log | Image: ASEC
The AhnLab Security Intelligence Center (ASEC) has issued a fresh warning regarding the persistent threat actor known as Larva-26002. In a detailed report released in 2026, researchers confirmed that this group is continuing its years-long campaign of targeting improperly managed MS-SQL servers, now deploying a sophisticated new scanner dubbed "ICE Cloud".
The group, which gained notoriety in 2024 for distributing Trigona and Mimic ransomware, has evolved its toolkit from Rust-based scanners to a new generation of malware written in the Go language.
Since 2024, Larva-26002 has focused on MS-SQL servers exposed to the internet that use weak or default credentials. While their early attacks were characterized by the installation of AnyDesk for remote control and the exploitation of the Bulk Copy Program (BCP) utility to move malware, their 2026 tactics have become more streamlined.
As ASEC notes in the report: “The threat actor continued the attack in 2025, but in addition to AnyDesk, he used Teramind, an RMM tool, and a scanner built in Rust”.
By 2026, the attacker shifted to the ICE Cloud Client, a scanner that doubles as a brute-force tool.
The 2026 campaign utilizes a downloader—often named api.exe—which is delivered via BCP or common Windows tools like PowerShell, Curl, or Bitsadmin. This downloader pulls the “ICE Cloud Launcher,” which then connects to a Command and Control (C&C) server to retrieve the final “ICE Cloud Client”.
Technical Highlights of the New Malware:
- Language & Origin: The client is written in Go and contains Turkish strings, a trait previously seen in Mimic ransomware attacks.
- AI Integration: Interestingly, researchers found that “the emoticons used suggest that the author utilized generative AI” to craft parts of the binary.
- Targeting: Once registered with the C&C server, the scanner receives a “TASK” containing a list of target IP addresses and credentials, such as ecomm/ecomm, to attempt further logins.
Once Larva-26002 gains access through a brute-force or dictionary attack, they immediately begin reconnaissance. The report highlights the following sequence of commands used to map out infected systems:
- hostname and whoami to identify the user and machine.
- netstat -an and tasklist to monitor network connections and running processes.
- Targeted queries like tasklist /FI "IMAGENAME eq sqlservr.exe" to confirm the presence of the SQL server.
The group then uses the BCP utility to export malware hidden within database tables directly onto the local drive. As ASEC explains: “The threat actor stored the malware in the database and then used BCP to create a file locally.”
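The reconnaissance chain and the BCP export described above, as an added detection example that is not ASEC's code or tooling: it walks constructed process-creation events, flags the hostname/whoami/netstat/tasklist chain only when it runs under sqlservr.exe, and pulls the destination path out of a bcp "queryout" command line. The event layout, the PIDs and the C:\Windows\Temp\api.exe path are assumptions made for the sample.

```python
import shlex
from collections import namedtuple

Event = namedtuple("Event", "pid ppid image cmdline")
RECON_TOOLS = {"hostname.exe", "whoami.exe", "netstat.exe", "tasklist.exe"}

# Constructed process-creation events (not real telemetry). Assumption: commands the
# attacker drives through SQL Server show up as descendants of sqlservr.exe.
SAMPLE_EVENTS = [
    Event(1000, 1, "sqlservr.exe", "sqlservr.exe -sMSSQLSERVER"),
    Event(2000, 1000, "cmd.exe", "cmd.exe /c hostname"),
    Event(2001, 2000, "hostname.exe", "hostname"),
    Event(2010, 1000, "cmd.exe", "cmd.exe /c whoami"),
    Event(2011, 2010, "whoami.exe", "whoami"),
    Event(2020, 1000, "cmd.exe", "cmd.exe /c netstat -an"),
    Event(2021, 2020, "netstat.exe", "netstat -an"),
    Event(2030, 1000, "cmd.exe", 'cmd.exe /c tasklist /FI "IMAGENAME eq sqlservr.exe"'),
    Event(2031, 2030, "tasklist.exe", 'tasklist /FI "IMAGENAME eq sqlservr.exe"'),
    Event(2041, 1000, "bcp.exe",  # output path below is a made-up location
          'bcp "SELECT data FROM dbo.tmp" queryout C:\\Windows\\Temp\\api.exe -T -c'),
    Event(3000, 1, "explorer.exe", "explorer.exe"),
    Event(3001, 3000, "whoami.exe", "whoami"),  # an admin's whoami, not via SQL
]

def spawned_by_sql(pid, procs):
    """True if any ancestor of pid is sqlservr.exe (procs: pid -> (ppid, image))."""
    seen = set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        pid = procs[pid][0]  # step to the parent
        if procs.get(pid, (None, None))[1] == "sqlservr.exe":
            return True
    return False

def analyze(events):
    """Return the recon tools seen under SQL Server and any bcp queryout targets."""
    procs = {e.pid: (e.ppid, e.image) for e in events}
    recon, exports = set(), []
    for e in events:
        if not spawned_by_sql(e.pid, procs):
            continue
        if e.image in RECON_TOOLS:
            recon.add(e.image)
        elif e.image == "bcp.exe":
            toks = shlex.split(e.cmdline, posix=False)  # keeps Windows backslashes
            low = [t.lower() for t in toks]
            if "queryout" in low and low.index("queryout") + 1 < len(toks):
                exports.append(toks[low.index("queryout") + 1])
    return {"recon_tools": sorted(recon), "bcp_exports": exports,
            "recon_alert": len(recon) >= 3}  # the chain, not a lone whoami
```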
ASEC emphasizes that these attacks succeed primarily because of human error and weak configuration.