Answer Brief
ASEC’s analysis of ASD logs for Q1 2026 shows persistent attacks on Windows-based MS-SQL and MySQL servers, with a temporary decline in February followed by a March rebound. The Larva-26002 threat actor was observed deploying the Go-written ICE Cloud scanner via BCP exploitation on mismanaged MS-SQL systems, continuing prior use of Trigona and Mimic ransomware. Turkish-language strings in the scanner align with earlier Mimic campaigns. Primary vectors include brute force, dictionary attacks, and exploitation of weak or misconfigured accounts due to poor administrative hygiene.
Signal Timeline
A quick visual path for analysts before reading the full brief.
1. Consistent trend of attacks on Windows MS-SQL and MySQL servers
2. Temporary decrease in attack volume
3. Attack volume increased again after February dip
4. ASEC published Q1 2026 malware statistics report
Why It Matters
ASEC’s Q1 2026 report on malware targeting Windows database servers reveals a persistent and adaptive threat landscape affecting MS-SQL and MySQL installations. The data shows a cyclical pattern: attack volume dipped temporarily in February before rebounding in March, suggesting possible threat actor operational cycles, testing phases, or evasion timing rather than a sustained decline. This pattern underscores the need for continuous monitoring, as short-term lulls should not be interpreted as reduced risk. Organizations relying on periodic assessments may miss these fluctuations, leaving windows of exposure undetected.
A key technical finding is the observed use of the ICE Cloud scanner by the Larva-26002 threat actor. This malware, written in the Go language, represents a shift toward modern, cross-platform tooling that enhances portability and may evade signature-based detection systems less tuned to Go-compiled binaries. Go’s static linking and reduced reliance on external libraries can hinder traditional heuristic and behavioral analysis, particularly in environments lacking specialized telemetry for Golang binaries. The reuse of Turkish-language strings—previously seen in Mimic ransomware attacks—suggests either toolkit sharing, operational overlap, or deliberate false-flagging, though ASEC does not attribute intent beyond noting the similarity. This linguistic consistency may indicate shared development resources or a deliberate attempt to link current activity to prior campaigns for psychological effect.
Technical Signal
The infection vector remains consistent: exploitation of mismanaged MS-SQL servers via BCP (Bulk Copy Program), a legitimate command-line utility for bulk data import and export that attackers abuse to write files, including malware, to disk on the database host when the server is misconfigured or exposed without proper network controls. Combined with weak authentication and excessive permissions, BCP lets an attacker who already holds database credentials stage a payload and execute it. This indicates that attackers are not relying on zero-days but on preventable configuration gaps, such as weak sa passwords, exposed ports (e.g., TCP 1433), and excessive permissions granted to service accounts, that allow credential guessing and command execution. The report notes that attackers first compromise the server via brute force or dictionary attacks, then use legitimate administrative tools like BCP to establish persistence and deploy secondary payloads.
ASEC’s conclusion reinforces foundational hygiene: brute force and dictionary attacks remain effective due to poor password policies, while unpatched systems and excessive remote execution capabilities expand the attack surface. The report’s recommendations—strong password rotation, timely patching, firewall-based access control, and reduction of unnecessary features—are well-established but frequently overlooked in production environments, especially in legacy or minimally managed database deployments. Many organizations retain default configurations, over-privileged accounts, and unnecessary features like CLR integration or remote procedure calls, which expand the attack surface without providing proportional operational benefit.
Operational Impact
For global security and cloud operations teams, this report serves as a reminder that database servers, particularly those running on Windows in hybrid or on-premises environments, remain high-value targets due to their access to sensitive data and potential for lateral movement. Even in cloud-first architectures, lift-and-shift workloads or hybrid sync systems may inherit these risks if not hardened. Database servers often store credentials, application data, and backup sets that can facilitate further intrusion. The deployment of a scanner like ICE Cloud suggests reconnaissance intent—threat actors may be mapping internal networks, identifying valuable data stores, or preparing for ransomware deployment or data exfiltration.
The Larva-26002 actor’s history with ransomware (Trigona, Mimic) and now scanner deployment suggests a progression from immediate monetization to persistent access and reconnaissance—consistent with tactics seen in supply-chain-adjacent or espionage-leaning operations. Defenders should treat scanner deployment not as an endpoint but as a precursor to further exploitation, data staging, or tooling preparation. The use of Go may reflect an effort to maintain long-term access across heterogeneous environments, as Go binaries can run on Windows, Linux, and macOS with minimal modification.
What To Watch
Finally, the report’s reliance on ASD (Advanced Security Detection) logs highlights the value of centralized telemetry in identifying low-volume, recurring threats that might be missed in siloed logs. Organizations without similar visibility should consider enhancing database-specific logging and correlation, particularly for authentication failures, BCP usage, and anomalous process spawning from database service accounts. Monitoring for unusual parent-child process relationships (e.g., sqlservr.exe spawning non-database tools) or outbound connections from database servers to unfamiliar endpoints can help detect similar activity. Teams should verify whether their logging captures command-line arguments for BCP executions and whether alerting rules cover known malicious domains or IPs associated with threat actor infrastructure.
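As an added example (not from the ASEC report or this brief), the following Python shows toy detection logic for the two behaviours listed above: sqlservr.exe spawning non-database tools, with the command line retained for triage, and bursts of failed SQL logins followed by a success. The process and login records are constructed samples in a simplified export shape; the suspicious-child list, threshold and window are assumptions.

```python
import ntpath

# Assumed list of tools a database engine should not normally launch
SUSPICIOUS_CHILDREN = {"bcp.exe", "cmd.exe", "powershell.exe", "certutil.exe"}
SQL_ENGINE = "sqlservr.exe"

# Constructed sample process-creation records (simplified SIEM export shape)
PROCESS_EVENTS = [
    {"parent": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c bcp db.dbo.stage queryout C:\Temp\out.dat -T -n"},
    {"parent": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe",
     "image": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlagent.exe",
     "cmdline": "sqlagent.exe"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
]
# Constructed sample SQL login events: (epoch seconds, source IP, login, success)
LOGIN_EVENTS = [
    (1000, "203.0.113.7", "sa", False), (1003, "203.0.113.7", "sa", False),
    (1010, "203.0.113.7", "sa", False), (1020, "203.0.113.7", "admin", False),
    (1030, "203.0.113.7", "sa", False), (1041, "203.0.113.7", "sa", True),
    (1005, "198.51.100.2", "app", False), (2000, "198.51.100.2", "app", True),
]

def db_spawn_alerts(events):
    """Flag sqlservr.exe launching tools it has no business running."""
    alerts = []
    for ev in events:
        parent = ntpath.basename(ev["parent"]).lower()
        child = ntpath.basename(ev["image"]).lower()
        if parent == SQL_ENGINE and child in SUSPICIOUS_CHILDREN:
            # Keep the full command line: it is what reveals a bcp file write
            alerts.append({"child": child, "cmdline": ev["cmdline"]})
    return alerts

def bruteforce_alerts(events, threshold=5, window=60):
    """Map source IP -> True if a login succeeded after a burst of >= threshold
    failures inside any window-second span (guessed credential), else False."""
    fails, ok = {}, {}
    for ts, ip, _user, success in sorted(events):
        (ok if success else fails).setdefault(ip, []).append(ts)
    out = {}
    for ip, ts_list in fails.items():  # ts_list is in ascending order
        lo = 0
        for hi, ts in enumerate(ts_list):
            while ts - ts_list[lo] > window:
                lo += 1  # slide the window forward
            if hi - lo + 1 >= threshold:
                out[ip] = any(t > ts for t in ok.get(ip, []))
                break
    return out
```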
For monitoring teams, the practical value lies in comparing internal telemetry against the described behaviors. Teams with exposure in East Asia can check whether help-desk tickets, endpoint alerts, mail gateway detections, identity anomalies, blocked downloads, command-line activity, scheduled tasks, or suspicious script execution resemble the behaviors described by the source. A match does not prove attribution, but it can justify deeper triage. This kind of regional report also helps separate durable monitoring themes from one-off news. If similar malware families, delivery chains, file types, infrastructure choices, or attacker workflows appear across later East Asia sources, the signal becomes stronger. Nogosee should retain these links in its tracker to assess whether a local report remains isolated or evolves into a broader pattern.
The safest next step for database administration, cloud infrastructure, enterprise IT, and managed security services teams is not to treat the article as incident-response advice but to verify local exposure, identify relevant logs, confirm source link integrity, and determine whether the report belongs in a watchlist, detection backlog, or executive regional-risk brief. The uncertainty boundary should remain explicit: public reports describe observed techniques and malware names without proving every victim profile, infrastructure owner, or campaign objective. When the source does not establish those facts, the article avoids filling the gap. This restraint ensures readers receive a trustworthy map of what is known, what is merely plausible, and what requires direct verification.
Event Type: security
Importance: high
Affected Sectors
- cloud infrastructure
- database administration
- enterprise IT
- managed security services
Key Numbers
- Q1 2026 trend: Attacks decreased temporarily in February, increased again in March
- Malware language: ICE Cloud scanner written in Go
- Threat actor: Larva-26002 (previously linked to Trigona and Mimic ransomware)
- Infection vector: BCP exploitation on mismanaged MS-SQL servers
- String language in malware: Turkish (consistent with prior Mimic ransomware)
Frequently Asked Questions
What is the ICE Cloud scanner mentioned in the ASEC report?
The ICE Cloud scanner is a malware tool written in the Go programming language, observed in Q1 2026 attacks where the Larva-26002 threat actor exploited BCP on mismanaged MS-SQL servers to install it. It contains Turkish-language strings, consistent with prior use in Mimic ransomware attacks.
Which threat actor was associated with the ICE Cloud scanner deployment in Q1 2026?
The Larva-26002 threat actor was observed installing the ICE Cloud scanner on compromised MS-SQL servers in Q1 2026. This group has previously distributed Trigona and Mimic ransomware and maintains control of infected systems to deploy additional tools like scanners.
What are the primary attack techniques used against Windows database servers in Q1 2026 according to ASEC?
The main techniques are brute force and dictionary attacks, along with exploitation of unpatched systems and misconfigured accounts due to poor account management. Attackers often target weakly secured MS-SQL and MySQL servers exposed to external networks.
How can organizations defend against the malware trends identified in the ASEC Q1 2026 report?
ASEC recommends using strong, regularly changed passwords, applying latest patches, restricting external access via firewalls, and reducing attack surface by disabling unnecessary extensions and remote command execution features on database servers.
Why is the use of Go language in the ICE Cloud scanner notable for defenders?
The use of Go in malware like ICE Cloud increases cross-platform portability and complicates detection due to static linking and less common signature coverage in some endpoint tools. Its adoption by threat actors signals evolving toolchain preferences for evasion and efficiency.