Financially Motivated Turkish Threat Actors Target Microsoft SQL Server Databases with RE#TURGENCE Campaign

Financially motivated threat actors have been discovered engaging in a targeted attack campaign, dubbed RE#TURGENCE, aimed at compromising Microsoft SQL Server databases. This sophisticated campaign has primarily focused on organizations in the United States, Europe, and Latin America, with the end goal being the deployment of ransomware or the sale of compromised access to other threat actors.

Initial Access

To gain initial access, the threat actors employed brute-force tactics to bypass administrative credentials for the Microsoft SQL Server. Once successful, they moved on to credential harvesting and enabled a function that allowed them to execute shell commands on the host.

Cobalt Strike Payload

The attackers then executed PowerShell scripts, leading to the deployment of a heavily obfuscated Cobalt Strike payload. This payload was carefully designed to be injected into a Windows process, granting the threat actors enhanced control and stealth capabilities.

Deployment of AnyDesk

As part of their strategy, the threat actors utilized Cobalt Strike to install the legitimate remote desktop software, AnyDesk, onto compromised systems. This shift allowed them to conduct future interactions exclusively through AnyDesk, potentially evading detection.

Follow-up Activities

Following the initial compromise, the attackers employed various tools and techniques to further infiltrate the targeted environment. These included deploying Mimikatz for credential harvesting, leveraging Advanced Port Scanner for environment discovery, and utilizing the Sysinternals utility psexec for lateral movement to a domain controller.

Deployment of Mimic Ransomware

After several attempts at lateral movement, the threat actors proceeded to deploy the Mimic ransomware. This was accomplished through the execution of a self-extracting archive on the MSSQL server, domain controller, and other domain-joined hosts. The ransomware aimed to encrypt critical data, holding it hostage until a ransom was paid.

Monitoring the Attack

During the investigation of this attack, security experts were able to gain insights into the actions of the threat actors. Notably, the attackers enabled the clipboard sharing feature of AnyDesk, inadvertently allowing the cybersecurity firm Securonix to monitor the contents pasted there.

Identification of Turkish Involvement

By analyzing the pasted content, which was in Turkish, and investigating the handle “atseverse,” Securonix determined that at least one of the attackers appears to be located in Turkey. This attribution sheds light on the origin and potential motivations of the threat actors behind the RE#TURGENCE campaign.

The resurgence campaign orchestrated by financially motivated threat actors targeting Microsoft SQL Server databases has highlighted the increasing sophistication and persistence of cybercriminals. Organizations must remain vigilant in securing their SQL Server environments, employing strong access controls, regularly updating software and patches, and implementing robust monitoring solutions. Collaborative efforts between cybersecurity firms and law enforcement agencies are essential to better understanding these evolving threats and mitigating future attacks on critical infrastructure.

Explore more

Japanese Teen Arrested for Using AI to Attack Bandai Namco

The Tokyo Metropolitan Police Department recently apprehended a seventeen-year-old male residing in the Nerima Ward under suspicion of orchestrating a sophisticated series of cyberattacks against the gaming conglomerate Bandai Namco. Authorities reported that the high school student allegedly utilized generative artificial intelligence frameworks to script and deploy malicious code intended to compromise the company’s internal infrastructure and disrupt its digital

OpenAI Launches GPT Live for Human-Like Voice Conversations

The transition from static text prompts to dynamic vocal exchanges marks a pivotal moment in the history of human-computer interaction, as the technology now mirrors the natural cadence of speech. OpenAI has introduced GPT Live, a sophisticated real-time vocal feature that transcends the limitations of traditional voice assistants by allowing users to engage in dialogues that are indistinguishable from human

How Is Machine Learning Transforming the Pharma Market?

The traditional trial-and-error approach to drug discovery is rapidly being eclipsed by a sophisticated digital architecture that leverages high-performance computing to solve biological mysteries in record time. As the pharmaceutical industry moves deeper into this era of computational biology, the convergence of data science and life sciences has created a paradigm shift that redefines how molecules are identified, tested, and

DeFi Pioneer Zapper to Shut Down Operations in August 2026

The landscape of decentralized finance is undergoing a monumental shift as one of its most recognizable pioneers, Zapper, announces the permanent cessation of its operations scheduled for late August 2026. For many years, this platform served as the primary gateway for retail and institutional investors to monitor complex liquidity positions, yield farming strategies, and diverse NFT portfolios across an increasingly

Bitcoin Reclaims $62,000 Amid Short Squeeze and ETF Inflows

The digital asset market witnessed a remarkable resurgence this week as Bitcoin surged past the $62,000 threshold, effectively silencing skeptics who had predicted a deeper correction following recent macroeconomic uncertainty. This price action was not merely a random fluctuation but the culmination of several converging factors that realigned the supply-demand equilibrium in favor of the bulls. Traders who had positioned