Larva-26002 Deploys ICE Cloud Client Scanner

Larva-26002 is actively deploying a Go-based scanner called ICE Cloud Client to target internet-exposed Microsoft SQL (MS-SQL) servers in 2026, according to AhnLab. The campaign abuses the BCP utility to export malicious payloads, reuses credentials like "ecomm/ecomm," and shifts from direct ransomware to scanner-driven propagation. Organizations should harden MS-SQL access, monitor BCP usage, and rotate credentials immediately.
Key Points
- Deploys ICE Cloud Client scanner targeting internet-exposed MS-SQL servers via brute-force and weak credentials
- Abuses BCP utility to export malicious payloads from database tables, enabling file creation and execution
- Implies broader propagation strategy; practitioners must harden MS-SQL, monitor BCP usage, enforce credential rotation
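
One way to act on the "monitor BCP usage" recommendation, as an added example that is not from AhnLab or the original report: a triage function over process-creation events that flags bcp exports writing executable-type files or running beneath the SQL Server service process. The event fields (`cmdline`, `ancestors`), the extension list and all sample events are constructed assumptions.

```python
import ntpath
import re

# Assumption: file types treated as executable or script content; tune locally.
RISKY_EXT = {".exe", ".dll", ".bat", ".cmd", ".ps1", ".vbs", ".js", ".hta", ".scr"}

def tokens(cmdline):
    """Split a Windows command line, keeping quoted arguments together."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]

def bcp_export_target(cmdline):
    """Return the data file a bcp export writes, or None if not a bcp export."""
    tok = tokens(cmdline)
    if not tok or ntpath.basename(tok[0]).lower() not in ("bcp", "bcp.exe"):
        return None
    # bcp syntax: bcp <table|query> <in|out|queryout|format> <data_file> [options]
    if len(tok) >= 4 and tok[2].lower() in ("out", "queryout"):
        return tok[3]
    return None

def triage(event):
    """None if the event is not a bcp export, else a list of risk indicators."""
    target = bcp_export_target(event["cmdline"])
    if target is None:
        return None
    indicators = []
    if ntpath.splitext(target)[1].lower() in RISKY_EXT:
        indicators.append("exports to executable/script file: " + target)
    # Assumption: telemetry supplies the names of the ancestor processes.
    if any(a.lower() == "sqlservr.exe" for a in event["ancestors"]):
        indicators.append("runs beneath the SQL Server service process")
    return indicators

# Constructed sample events (not taken from the campaign).
EVENTS = [
    {"ancestors": ["sqlservr.exe", "cmd.exe"],
     "cmdline": r'bcp "select data from example_db.dbo.example_table" '
                r'queryout "C:\ExamplePath\sample_output.exe" -T -c'},
    {"ancestors": ["explorer.exe", "cmd.exe"],
     "cmdline": r'"C:\Example Tools\bcp.exe" Sales.dbo.Orders out D:\exports\orders.csv -c -T'},
    {"ancestors": ["explorer.exe", "cmd.exe"],
     "cmdline": r'bcp Sales.dbo.Orders in D:\imports\orders.csv -c -T'},
]

if __name__ == "__main__":
    for ev in EVENTS:
        result = triage(ev)
        if result:
            print("REVIEW:", ev["cmdline"], "->", "; ".join(result))
```

An empty list means a bcp export with no risk indicator, which is still worth baselining against known export jobs.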
Scoring Rationale
High actionability and vendor-backed evidence drive the score; novelty is limited because the campaign keeps reusing previous techniques.
Sources
Public references used for this report.

