Attack case against MS-SQL server installing ICE Cloud scanner (Larva-26002)
ID: 392e6363-71c0-563e-84a7-84c48d9ce3e7
STIX ID: report--392e6363-71c0-563e-84a7-84c48d9ce3e7
Feed Name: ASEC
AhnLab ASEC reports that the Larva-26002 actor continues to target internet-exposed, poorly managed MS-SQL servers. Initial access is gained through brute-force and dictionary attacks on SQL credentials, after which the actor abuses the bcp (Bulk Copy Program) utility to write payloads to disk and execute them. The actor delivers a Go-based scanner called ICE Cloud Client (containing Turkish strings) for reconnaissance and has historically deployed the Trigona and Mimic ransomware families. The report includes command examples, the infection and download chain (bcp, curl, bitsadmin, PowerShell), IOCs (MD5 hashes and the download URL http://109.205.211.13/api.exe), and recommendations to harden credentials, keep antivirus up to date, and restrict public access to database servers.
