Threat actors are making money by hacking into Microsoft SQL servers, a practice that has been going on since June 2002, according to the company's log records. This is accomplished when threat actors compromise the company's servers to convert the devices into proxies that can then be rented through online proxy services. The threat actors' goal remains to steal a device's bandwidth via proxyware.

What is Proxyware?

Proxyware is a program that uses a portion of the available internet bandwidth on the device to act as a proxy server for remote users.
  • Remote users can use the bandwidth for a variety of tasks, such as testing, content distribution, and market research.
  • The device's owner receives a revenue share of the fees charged to customers in exchange for sharing their bandwidth.
  • Peer2Profit and IPRoyal are two companies that offer this type of service.

Infecting MS SQL

  • The first step includes targeting vulnerable MS SQL servers by installing Peer2Profit via a malware strain.
  • The malware checks if the proxy client is running on the host. If deactivated, the malware can use the “p2p_start()” function to launch it.
  • Once the proxyware is installed on a device, the software adds it as an available proxy for the remote users to assign tasks the way they want over the internet.

How do the providers earn?

  • Companies that provide services profit from catering bandwidth to other users.
  • Providers can use marketing tools to expand their business by claiming different business partners who use the service for different purposes on their web pages.
  • Business partners' requirements may vary, such as distributing software, researching markets, verifying advertisements, and testing software.

Any disadvantages?
  • The provider takes a risk by installing proxyware because threat actors can use these proxies for illegal activities without the victim's knowledge.
  • The service provider cannot know in detail which companies/customers use the proxyware platforms' services.
  • Even if the user can independently verify the external customers, it is impossible to predict whether the owner's bandwidth will be maliciously exploited in the future.


Proxyware operators targets MS SQL servers because they are located in corporate networks or data centers with plenty of internet bandwidth.
The greater the bandwidth, the more likely proxyware will go undetected for extended periods of time, resulting in higher earnings and profits for threat actors.
Cyware Publisher