ICE Cloud Malware Campaign Targeting Exposed MS-SQL Servers


EXECUTIVE SUMMARY

Threat actor Larva-26002 is actively targeting exposed MS-SQL servers using weak credentials to deploy ICE Cloud scanner malware. The campaign has evolved from ransomware (2024) to large-scale scanning and credential harvesting (2026). Compromised servers are used as distributed nodes to identify and propagate attacks to other vulnerable databases.

  • Active Region: Global
  • Affected Sector: Multiple sectors (organizations using MS-SQL servers)
  • Affected Product: Microsoft SQL Server (MS-SQL)
  • Severity: High
  • Published Date: March 24, 2026

TECHNICAL DETAILS

  • Target: The attackers specifically target internet-facing Microsoft SQL (MS-SQL) servers that are exposed without adequate security controls, particularly those configured with weak, default, or easily guessable credentials.
  • Root Cause: The primary causes of this campaign include poor password hygiene practices, unnecessary exposure of database services to the public internet, and the abuse of legitimate administrative tools such as the Bulk Copy Program (BCP) utility to deploy malicious payloads while evading traditional security detection mechanisms.
  • Prerequisite for Exploitation: Successful exploitation requires that the MS-SQL service is publicly accessible over the internet, combined with the……
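As an added defender-side example (not from the report or its authors), the following Python script scans SQL Server ERRORLOG lines for the two traces the activity described above leaves on a victim: a burst of failed logins from one client against one login that is then followed by a success, and the enabling of command-shell features (an assumption made here: launching BCP from inside the server normally requires xp_cmdshell, so that configuration change is watched as well). The log lines are constructed samples, not data from the report.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed ERRORLOG excerpt (not from the report): 5 failed 'sa' logins in a few
# seconds from one client, then a success, then xp_cmdshell being switched on.
SAMPLE_ERRORLOG = """\
2026-03-20 02:14:01.11 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2026-03-20 02:14:02.03 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2026-03-20 02:14:03.17 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2026-03-20 02:14:04.40 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2026-03-20 02:14:05.62 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2026-03-20 02:14:09.02 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.45]
2026-03-20 02:15:30.55 spid57      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2026-03-20 02:30:00.10 Logon       Login failed for user 'appuser'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.7]
"""

LOGIN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login (?P<result>failed|succeeded) for user '(?P<user>[^']+)'.*\[CLIENT: (?P<client>[^\]]+)\]")
CONFIG_RE = re.compile(r"Configuration option '(?P<opt>[^']+)' changed from (?P<old>\d+) to (?P<new>\d+)")
WATCHED_OPTIONS = {"xp_cmdshell", "Ole Automation Procedures"}  # shell/script features abused post-login

def analyze_errorlog(text, threshold=5, window=60):
    """Return brute-force bursts per (client, login) and risky configuration changes."""
    failures = defaultdict(list)   # (client, user) -> timestamps of failed logins
    successes = {}                 # (client, user) -> timestamp of first successful login
    config_changes = []
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            key = (m["client"], m["user"])
            (failures[key].append(ts) if m["result"] == "failed" else successes.setdefault(key, ts))
            continue
        c = CONFIG_RE.search(line)
        if c and c["opt"] in WATCHED_OPTIONS and c["new"] != "0":
            config_changes.append(c["opt"])
    findings = []
    for key, times in failures.items():
        times.sort()
        for i in range(len(times)):        # sliding window over the sorted failure times
            j = i
            while j + 1 < len(times) and (times[j + 1] - times[i]).total_seconds() <= window:
                j += 1
            if j - i + 1 >= threshold:     # burst: >= threshold failures inside `window` seconds
                success = successes.get(key)
                findings.append({"client": key[0], "user": key[1], "failures": j - i + 1,
                                 "success_after": success is not None and success >= times[j]})
                break
    return {"brute_force": findings, "config_changes": config_changes}
```

Successful-login lines only appear when the server's login auditing level includes successful logins; with the default failed-only auditing the burst itself is still flagged, just without the "success_after" confirmation.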
