Threat actors are ramping up attacks on poorly managed MySQL servers, particularly those running in Windows environments, according to new research from the AhnLab Security Intelligence Center (ASEC). These attacks involve a variety of malware including Gh0stRAT, XWorm, HpLoader, and even legitimate remote access tools like Zoho ManageEngine.
Threat actors are scanning the internet for MySQL instances whose port 3306 is publicly exposed. Once discovered, they perform brute-force or dictionary attacks to compromise weak administrator credentials. Upon successful access, they upload malware and remote management tools directly through the MySQL server process.
“They can compromise the credentials of administrator accounts, take control of the infected system, and install additional payloads,” ASEC states.
A core technique involves exploiting User Defined Functions (UDF)—DLL-based extensions designed for custom MySQL commands. Attackers upload malicious UDF libraries to execute commands, download malware, or even inject payloads directly into memory.
“Threat actors upload DLL libraries containing malicious commands… similar to the CLR SqlShell in MS-SQL servers,” ASEC explains.
Some UDF variants act as stagers that connect to command-and-control (C2) servers and await instructions. ASEC observed samples that send a handshake labeled mylogin to the C2, although the final payload remains unidentified due to inactive servers.
The most prevalent malware in these incidents remains Gh0stRAT, particularly the Gh0stCringe and HiddenGh0st variants previously used in MS-SQL attacks.
“The Gh0stRAT variant used in recent attack cases is characterized by including a privilege escalation tool… and captures screens saved to ‘%ALLUSERSPROFILE%\quickScreenShot[Date][Date+Time].jpg’.”
This shows that despite its age, Gh0stRAT continues to evolve with added stealth and surveillance capabilities.
Also observed is XWorm, a powerful RAT first seen in 2022, initially distributed as Malware-as-a-Service (MaaS). Cracked versions are now abused by diverse groups. ASEC highlights past incidents of XWorm being spread through spam emails, impersonating Korea’s National Tax Service and international delivery services.
In some cases, after the UDF component is installed, a secondary HpLoader downloader is deployed. Although its final payload was not identified due to an inactive C2, ASEC notes that the same loader has been previously linked to Gh0stRAT deployment.
Perhaps most alarming is the abuse of legitimate software: attackers are now using Zoho ManageEngine UEMS agents instead of backdoors. The installation involves a dropper script (Install.bat) and executable (Server_Agent.exe), set to install silently under C:\PerfLogs.
The remote control domain used matches the one delivering the initial payload (star.zcnet[.]net), suggesting a unified infrastructure for both malware and legitimate control tools.
Administrators are urged to immediately take the following precautions:
- Restrict MySQL port 3306 exposure to only necessary IPs
- Enforce strong password policies and limit MySQL user privileges
- Apply the latest security patches to both MySQL and the operating system
- Monitor for unusual DLLs and screen capture artifacts in %ALLUSERSPROFILE%
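As an added defensive example that is not from the ASEC report or this article, the Python below checks three of the items above against constructed sample data: a my.ini fragment, rows from the mysql.func table, and a listing of %ALLUSERSPROFILE%. The function names, the UDF allowlist and all sample values are assumptions.

```python
import re

# Constructed sample inputs (not from the ASEC report): a my.ini fragment,
# rows as returned by `SELECT name, ret, dl, type FROM mysql.func`, and a
# listing of %ALLUSERSPROFILE%.
SAMPLE_MY_INI = "[mysqld]\nbind-address=0.0.0.0\nport=3306\n"
SAMPLE_FUNC_ROWS = [
    ("sys_exec", 0, "udf.dll", "function"),
    ("lib_mysqludf_sys_info", 0, "lib_mysqludf_sys.dll", "function"),
]
SAMPLE_FILES = [
    r"C:\ProgramData\quickScreenShot20240101120000.jpg",
    r"C:\ProgramData\Microsoft\settings.dat",
]

# UDF names an administrator has deliberately installed (assumed allowlist).
APPROVED_UDFS = {"lib_mysqludf_sys_info"}
# Matches the screenshot file naming pattern described in the report.
SCREENSHOT_RE = re.compile(r"quickScreenShot.*\.jpe?g$", re.IGNORECASE)


def check_bind_address(ini_text):
    """Flag a bind-address that makes MySQL listen on every interface."""
    findings = []
    for line in ini_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "bind-address" and value.strip() in ("0.0.0.0", "::", "*"):
            findings.append(f"bind-address={value.strip()}: MySQL listens on all interfaces")
    return findings


def check_udfs(func_rows, approved=APPROVED_UDFS):
    """Flag registered UDFs (name, ret, dl, type rows) that are not on the allowlist."""
    return [f"unapproved UDF {name} loaded from {dl}"
            for name, _ret, dl, _type in func_rows if name not in approved]


def check_screenshot_artifacts(paths):
    """Flag files whose name matches the Gh0stRAT screenshot pattern."""
    return [f"screenshot artifact {p}" for p in paths if SCREENSHOT_RE.search(p)]


def audit(ini_text, func_rows, paths):
    """Run all three checks and return the combined list of findings."""
    return (check_bind_address(ini_text) + check_udfs(func_rows)
            + check_screenshot_artifacts(paths))


if __name__ == "__main__":
    for finding in audit(SAMPLE_MY_INI, SAMPLE_FUNC_ROWS, SAMPLE_FILES):
        print("[!]", finding)
```

On a live host, replace the sample rows with the output of the mysql.func query and the file list with a directory walk of %ALLUSERSPROFILE%.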