
Statistics Report on Malware Targeting Windows Database Servers in Q2 2025

Medium
Published: Fri Aug 08 2025 (08/08/2025, 17:08:29 UTC)
Source: AlienVault OTX General

Description

The analysis team has categorized attacks on MS-SQL and MySQL servers installed on Windows systems during Q2 2025. While the number of targeted systems remains stable, attacks on MS-SQL servers have been decreasing. MySQL servers saw a significant spike in attacks in June 2025. The report provides detailed statistics on attack trends, including graphs illustrating the attack status for both server types. It also includes a list of MD5 hashes, URLs, FQDNs, and IP addresses associated with the malicious activities. The analysis covers various types of malware and tools used in these attacks, ranging from backdoors and miners to ransomware and remote access trojans.

AI-Powered Analysis

Last updated: 08/08/2025, 21:18:20 UTC

Technical Analysis

The provided report details a campaign of malware attacks targeting Windows-based database servers, specifically MS-SQL and MySQL, during the second quarter of 2025. The analysis highlights a stable number of targeted systems overall, with a notable decrease in attacks against MS-SQL servers but a significant spike in attacks targeting MySQL servers in June 2025. The malware involved encompasses a broad spectrum of threats, including backdoors, cryptocurrency miners, ransomware, and remote access trojans (RATs). The campaign leverages various tools and malware families such as ShadowForce, JuicyPotato, Cobalt Strike, Remcos, Loveminer, and MyKings, indicating a multi-faceted attack approach. Techniques referenced by MITRE ATT&CK IDs (e.g., T1133, T1082, T1190, T1486) suggest exploitation of network services, credential dumping, lateral movement, persistence, and ransomware deployment. Indicators of compromise (IOCs) include multiple IP addresses, domain names, and file hashes associated with malicious payloads and command-and-control infrastructure. The absence of known exploits in the wild implies that the attacks may rely on a combination of credential theft, misconfigurations, and possibly zero-day or unpatched vulnerabilities. The report also references external analysis by AhnLab, providing further technical insights. Overall, this campaign represents a persistent and evolving threat to Windows database servers, with a shift in attacker focus from MS-SQL to MySQL environments.

Potential Impact

For European organizations, this threat poses significant risks to the confidentiality, integrity, and availability of critical database assets. Compromise of MS-SQL or MySQL servers can lead to unauthorized data access, data exfiltration, and disruption of business operations. The presence of ransomware capabilities (e.g., T1486) can result in data encryption and operational downtime, with potential financial losses and reputational damage. Cryptocurrency miners embedded in infected servers may degrade performance and increase operational costs. The use of remote access trojans and backdoors facilitates persistent attacker presence, enabling further lateral movement within networks and potential escalation to other critical systems. Given the widespread use of Windows-based database servers across European industries—including finance, healthcare, manufacturing, and public sector—the impact can be broad and severe. Additionally, the spike in MySQL attacks suggests that organizations relying on this database platform may face increased targeting, necessitating heightened vigilance. The campaign's use of diverse malware and attack techniques complicates detection and response efforts, increasing the risk of prolonged compromise.

Mitigation Recommendations

European organizations should implement targeted mitigation strategies beyond generic best practices:

1) Conduct a thorough inventory and segmentation of database servers, isolating them from general network access to reduce exposure.
2) Enforce strict access controls and multi-factor authentication (MFA) for database administrative accounts to prevent credential abuse.
3) Regularly audit and harden database configurations, disabling unused services and enforcing least-privilege principles.
4) Deploy advanced endpoint detection and response (EDR) solutions capable of identifying behaviors associated with the known malware families and attack techniques referenced (e.g., lateral movement, credential dumping).
5) Monitor network traffic for communications with the known malicious IPs and domains listed in the indicators of compromise, integrating threat intelligence feeds for real-time alerts.
6) Apply timely patches and updates to database software and the underlying Windows OS, even though no known exploits are reported, to mitigate potential vulnerabilities.
7) Implement robust backup and recovery procedures, ensuring offline and immutable backups to mitigate ransomware impact.
8) Conduct regular threat hunting exercises focusing on signs of persistence mechanisms such as backdoors and RATs.
9) Educate IT and security teams on the specific tactics and malware families involved to improve detection and incident response readiness.
10) Restrict use of remote administration tools like AnyDesk unless strictly necessary and monitored.


Technical Details

Author: AlienVault
TLP: white
References: https://asec.ahnlab.com/en/88920
Adversary: not specified
Pulse Id: 68962f0d3f4895c81350d372
Threat Score: not specified

Indicators of Compromise

IP addresses

154.204.177.54
103.101.178.170
154.222.24.186
39.108.132.22

Domains

yyinfo8999.fit
star.zcnet.net

Threat ID: 689665faad5a09ad0006b454

Added to database: 8/8/2025, 9:02:50 PM

Last enriched: 8/8/2025, 9:18:20 PM

Last updated: 8/10/2025, 7:08:12 AM
