Cloud Threat Landscape

CLR shell

Aliases

Sql Shell, CLR SQL shell

Tags
Reverse shell, Malware
Incidents
Mimic used by Trigona operators
References
https://asec.ahnlab.com/en/52479/
https://www.trendmicro.com/en_us/research/23/f/an-overview-of-the-trigona-ransomware.html
https://malware.news/t/trigona-ransomware-attacking-ms-sql-servers/68771
Last edited
Feb 19, 2025 2:24 PM

CLR SqlShell is a family of malware that targets poorly managed Microsoft SQL (MS SQL) servers by abusing the Common Language Runtime (CLR) stored procedure feature. No software vulnerability is involved: once an attacker can run T-SQL as a sufficiently privileged login, they enable CLR integration, load a malicious .NET assembly into the database, and register its methods as stored procedures, which gives them command execution in the context of the SQL Server service. From there, CLR SqlShell lets the attacker run arbitrary commands, escalate privileges, and deploy additional payloads such as cryptocurrency miners and ransomware. Trigona ransomware operators have been observed using CLR SqlShell to compromise MS SQL servers. Initial access is typically gained through brute-force or dictionary attacks against Internet-exposed servers with weak credentials; the attacker then uses CLR SqlShell to maintain persistence and control over the compromised host.
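Because CLR SqlShell lives inside the database engine rather than on disk as a conventional executable, the most direct way to hunt for it is to ask SQL Server itself which assemblies it has been told to load. The T-SQL below is an added example written for this page; it is not code from Wiz or from the referenced AhnLab or Trend Micro reports, and it contains no malware-specific indicators. It audits the configuration and objects that CLR SqlShell depends on (CLR integration, user-defined assemblies, the procedures bound to them, and the SQL logins that brute-force attacks target) and then shows the hardening settings that close the path. Only documented catalog views, DMVs and sp_configure options are used.

```sql
-- Audit and hardening for the CLR stored-procedure abuse used by CLR SqlShell.
-- Added example for this page, not code from any referenced report.
-- Run as sysadmin; sections 2 and 3 are per-database, so repeat them with
-- USE <db> for each user database (or wrap them in sp_MSforeachdb).

-- 1. Server-wide: is the feature the attacker needs even enabled?
--    'clr enabled' = 1 is a prerequisite for loading any CLR assembly.
--    'clr strict security' = 0 (SQL Server 2017+) lets SAFE/EXTERNAL_ACCESS
--    assemblies run without being signed or trusted.
--    xp_cmdshell and OLE Automation are the usual secondary OS-exec paths.
SELECT name, value_in_use
FROM   sys.configurations
WHERE  name IN ('clr enabled',
                'clr strict security',
                'xp_cmdshell',
                'Ole Automation Procedures');

-- 2. Per database: every user-defined assembly. CLR SqlShell is loaded with
--    CREATE ASSEMBLY ... FROM 0x<bytes>, so a recent create_date, an
--    UNSAFE_ACCESS permission set, or a clr_name you do not recognise is
--    worth pulling for analysis.
SELECT name,
       permission_set_desc,
       is_visible,
       create_date,
       modify_date,
       clr_name
FROM   sys.assemblies
WHERE  is_user_defined = 1
ORDER  BY create_date DESC;

-- 3. Per database: the stored procedures / functions that expose assembly
--    methods to T-SQL. These are the "shell" entry points an attacker calls.
SELECT o.name             AS object_name,
       o.type_desc,
       o.create_date,
       a.name             AS assembly_name,
       a.permission_set_desc,
       am.assembly_class,
       am.assembly_method
FROM   sys.assembly_modules AS am
JOIN   sys.objects          AS o ON o.object_id   = am.object_id
JOIN   sys.assemblies       AS a ON a.assembly_id = am.assembly_id
WHERE  a.is_user_defined = 1;

-- 4. Server-wide: which databases currently have CLR code loaded in memory.
--    A CLR appdomain in a database that should have no .NET code is a
--    strong signal even if the catalog entries were already cleaned up.
SELECT appdomain_name,
       DB_NAME(db_id) AS database_name,
       state,
       creation_time
FROM   sys.dm_clr_appdomains;

-- 5. Initial-access surface: SQL logins, whether they follow the Windows
--    password policy, and how often they are failing. sa is the usual
--    brute-force target, so a high BadPasswordCount on it is telling.
SELECT name,
       is_disabled,
       is_policy_checked,
       is_expiration_checked,
       LOGINPROPERTY(name, 'PasswordLastSetTime') AS password_last_set,
       LOGINPROPERTY(name, 'BadPasswordCount')    AS bad_password_count,
       LOGINPROPERTY(name, 'BadPasswordTime')     AS bad_password_time
FROM   sys.sql_logins
ORDER  BY bad_password_count DESC;

-- 6. Hardening. Only apply after confirming no legitimate CLR code is in use.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'clr strict security', 1;   -- SQL Server 2017 and later
RECONFIGURE;
EXEC sp_configure 'clr enabled', 0;            -- removes the loading path entirely
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'Ole Automation Procedures', 0;
RECONFIGURE;
-- Disabling sa and enforcing the password policy on remaining SQL logins
-- removes the brute-force entry point the reports describe.
ALTER LOGIN sa DISABLE;
```

Sections 2 and 3 are the ones to compare against a known-good inventory: legitimate CLR assemblies are rare on most servers, and an UNSAFE_ACCESS assembly created shortly after a burst of failed sa logins is the pattern this malware leaves. Dropping a discovered shell means dropping the procedures found in section 3 before the assembly they depend on (DROP PROCEDURE, then DROP ASSEMBLY); setting 'clr enabled' to 0 afterwards prevents the attacker from simply reloading it with the same credentials.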


Last Updated: April 3, 2025