b2b-daily
Home | IT | Cyber Security

Financially Motivated Turkish Threat Actors Target Microsoft SQL Server Databases with RE#TURGENCE Campaign

Avatar photo
by Craig Anderson
January 12, 2024
Image Credit: Pexels
Financially Motivated Turkish Threat Actors Target Microsoft SQL Server Databases with RE#TURGENCE Campaign

Financially motivated threat actors have been discovered engaging in a targeted attack campaign, dubbed RE#TURGENCE, aimed at compromising Microsoft SQL Server databases. This sophisticated campaign has primarily focused on organizations in the United States, Europe, and Latin America, with the end goal being the deployment of ransomware or the sale of compromised access to other threat actors.

Initial Access

To gain initial access, the threat actors employed brute-force tactics to bypass administrative credentials for the Microsoft SQL Server. Once successful, they moved on to credential harvesting and enabled a function that allowed them to execute shell commands on the host.

Cobalt Strike Payload

The attackers then executed PowerShell scripts, leading to the deployment of a heavily obfuscated Cobalt Strike payload. This payload was carefully designed to be injected into a Windows process, granting the threat actors enhanced control and stealth capabilities.

Deployment of AnyDesk

As part of their strategy, the threat actors utilized Cobalt Strike to install the legitimate remote desktop software, AnyDesk, onto compromised systems. This shift allowed them to conduct future interactions exclusively through AnyDesk, potentially evading detection.

Follow-up Activities

Following the initial compromise, the attackers employed various tools and techniques to further infiltrate the targeted environment. These included deploying Mimikatz for credential harvesting, leveraging Advanced Port Scanner for environment discovery, and utilizing the Sysinternals utility psexec for lateral movement to a domain controller.

Deployment of Mimic Ransomware

After several attempts at lateral movement, the threat actors proceeded to deploy the Mimic ransomware. This was accomplished through the execution of a self-extracting archive on the MSSQL server, domain controller, and other domain-joined hosts. The ransomware aimed to encrypt critical data, holding it hostage until a ransom was paid.

Monitoring the Attack

During the investigation of this attack, security experts were able to gain insights into the actions of the threat actors. Notably, the attackers enabled the clipboard sharing feature of AnyDesk, inadvertently allowing the cybersecurity firm Securonix to monitor the contents pasted there.

Identification of Turkish Involvement

By analyzing the pasted content, which was in Turkish, and investigating the handle “atseverse,” Securonix determined that at least one of the attackers appears to be located in Turkey. This attribution sheds light on the origin and potential motivations of the threat actors behind the RE#TURGENCE campaign.

The resurgence campaign orchestrated by financially motivated threat actors targeting Microsoft SQL Server databases has highlighted the increasing sophistication and persistence of cybercriminals. Organizations must remain vigilant in securing their SQL Server environments, employing strong access controls, regularly updating software and patches, and implementing robust monitoring solutions. Collaborative efforts between cybersecurity firms and law enforcement agencies are essential to better understanding these evolving threats and mitigating future attacks on critical infrastructure.

Digital TransformationInformation Security

Explore more

Select the Best AI Voice Assistant for Your Business
February 19, 2026

The rapid integration of voice intelligence into core business operations has transformed how companies manage customer interactions, internal workflows, and overall efficiency. Choosing the right AI voice assistant has evolved from a simple tech upgrade to a critical strategic decision that can significantly impact productivity and customer satisfaction. The selection process now demands a comprehensive evaluation of specific use cases,

Trend Analysis: Cloud Platform Instability
February 19, 2026

A misapplied policy cascaded across Microsoft’s global infrastructure, plunging critical services into a 10-hour blackout and reminding the world just how fragile the digital backbone of the modern economy can be. This was not an isolated incident but a symptom of a disturbing trend. Cloud platform instability is rapidly shifting from a rare technical glitch to a recurring and predictable

Are Shanghai Employers Ready for Elder Care Leave?
February 19, 2026

With decades of experience helping organizations navigate the complexities of HR technology and compliance, Ling-Yi Tsai is a leading expert on the evolving landscape of Chinese labor law. As Shanghai prepares for its groundbreaking elder care leave policy, effective November 1, 2025, employers are facing a host of new challenges and obligations. We sat down with Ling-Yi to explore the

Google Issues Urgent Patch for Chrome Zero-Day Flaw
February 19, 2026

A Digital Door Left Ajar The seamless experience of browsing the web often masks a constant, behind-the-scenes battle against digital threats, but occasionally, a vulnerability emerges that demands immediate attention from everyone. Google has recently sounded such an alarm, issuing an emergency security update for its widely used Chrome browser. This is not a routine bug fix; it addresses a

Are Local AI Agents a Hacker’s Gold Mine?
February 19, 2026

The rapid integration of sophisticated, locally-run AI assistants into our daily digital routines promised a new era of personalized productivity, with these agents acting as digital confidants privy to our calendars, communications, and deepest operational contexts. This powerful convenience, however, has been shadowed by a looming security question that has now been answered in the most definitive way possible. Security