Larva-26002 is a persistent threat actor that has continuously targeted poorly managed, internet-exposed Microsoft SQL (MS-SQL) servers since at least January 2024. The actor gains access to exposed MS-SQL servers with weak credentials using brute-force or dictionary attacks. In early 2024, the group deployed Trigona and Mimic ransomware on compromised MS-SQL servers. Across the campaign, the actor abused the legitimate MS-SQL Bulk Copy Program (BCP) utility to extract and write malware from a database table to disk, using a consistent method that remained unchanged through later stages. The actor also installed AnyDesk for remote access and used port forwarders to enable RDP access; by 2025, it had additionally used Teramind as a remote monitoring and management tool. In 2025, Larva-26002 used a Rust-based scanner, and in 2026 it shifted to a new Go-based scanner malware called ICE Cloud Client while continuing to target previously compromised servers. The malware chain includes ICE Cloud Launcher, which authenticates to a command-and-control server, downloads ICE Cloud Client, and registers the infected host. The C2 then provides target MS-SQL addresses and credential pairs, and ICE Cloud Client attempts logins and reports successful access back to the C2. Embedded Turkish-language strings in ICE Cloud link the 2026 activity to the earlier Mimic-related campaign and suggest continuity in tooling and operator tradecraft. The campaign appears to have shifted from immediate ransomware deployment toward building a distributed scanning infrastructure to identify vulnerable database assets. Known alias in the provided content: larva_26002.
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Sectors the actor has been observed targeting.
16 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.
4 malware families attributed to this actor across reporting.
1 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.