Intel Name: XiebroC2 identified in MS-SQL server attack cases
Date of Scan: October 7, 2025
Impact: High
Summary: Our team recently identified an attack on a misconfigured MS-SQL server involving XiebroC2, an open-source command-and-control (C2) framework comparable to Cobalt Strike. The attacker logged in with weak credentials and then attempted to deploy several payloads, including coin miners and JuicyPotato, a privilege-escalation tool. XiebroC2 implants are written in Go and provide cross-platform backdoor functionality on Windows, Linux, and macOS. Although the MS-SQL service runs with low privileges by default, its service account typically holds SeImpersonatePrivilege, which Potato-family tools abuse to impersonate a SYSTEM token. Once installed, XiebroC2 gives the attacker full remote control, including reverse shells, file management, network monitoring, and more.
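The chain above starts with a guessable SQL login and then needs a way to run OS commands from inside the database engine before anything like a coin miner or JuicyPotato can be dropped. The T-SQL audit below is an added example written for this page, not code from the report or from the XiebroC2 project. It assumes SQL Server 2012 or later (for sys.sql_logins and PWDCOMPARE), a sysadmin connection, and that the attacker used xp_cmdshell or OLE Automation for command execution, which the report does not specify; the list of guessable passwords is constructed for illustration and should be extended from your own policy.

```sql
-- Added audit script (not from the original report). Run as sysadmin via SSMS or sqlcmd.
-- Assumes SQL Server 2012+; the guess list below is constructed for illustration.

-- 1. SQL logins whose password is blank, equals the login name, or is on a short
--    list of trivially guessable values. PWDCOMPARE(cleartext, hash) returns 1 on match,
--    so this tests the stored hash without ever seeing the password.
DECLARE @guesses TABLE (pwd nvarchar(128));
INSERT INTO @guesses (pwd) VALUES
    (N''), (N'sa'), (N'password'), (N'Password1'), (N'123456'), (N'admin');

SELECT  l.name,
        l.is_disabled,
        l.is_policy_checked,
        CASE WHEN PWDCOMPARE(l.name, l.password_hash) = 1 THEN 'password equals login name'
             ELSE 'password on guess list' END AS finding
FROM    sys.sql_logins AS l
WHERE   PWDCOMPARE(l.name, l.password_hash) = 1
   OR   EXISTS (SELECT 1 FROM @guesses AS g WHERE PWDCOMPARE(g.pwd, l.password_hash) = 1);

-- 2. Server options that let a SQL login execute OS commands, which is what turns a
--    database foothold into a dropped binary. Any row returned here is a finding.
SELECT  name, value_in_use
FROM    sys.configurations
WHERE   name IN ('xp_cmdshell', 'Ole Automation Procedures')
  AND   value_in_use = 1;

-- 3. Remediation for the findings above: turn off command execution, disable the
--    built-in sa login, and rotate weak passwords with the Windows policy enforced.
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;             RECONFIGURE;
EXEC sp_configure 'Ole Automation Procedures', 0; RECONFIGURE;
ALTER LOGIN sa DISABLE;
-- For each login reported by query 1 (replace the placeholders):
-- ALTER LOGIN [<login>] WITH PASSWORD = N'<new strong password>', CHECK_POLICY = ON;
```

Query 1 will not catch every weak password, only the ones you enumerate, so treat it as a smoke test rather than a substitute for enforcing CHECK_POLICY on every SQL login. The SeImpersonatePrivilege that Potato tools rely on is a Windows-level setting on the service account, not a database option; confirm it from the host with `whoami /priv` under the SQL service identity and remove it via the local security policy if the instance does not need it.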