Cybersecurity researchers have discovered that attackers are using trusted database client tools to steal sensitive data from compromised systems. This tactic helps them stay hidden during their attacks.
Tools like DBeaver, Navicat, and sqlcmd are commonly used by legitimate database administrators, so their presence and activity rarely stand out to security teams.
To use these tools, attackers first need valid database connection details: server addresses, ports, account names, and passwords. In other words, by the time one of these clients shows up, the attackers have already completed the earlier stages of the intrusion, such as gaining initial access, moving laterally, and collecting credentials and connection information.
How the Attack Works
Once inside a system, attackers install the database client and start pulling sensitive data. Because the application itself is legitimate and behaves exactly as designed, security tools often raise no alarm.
Researchers at AhnLab Security Emergency Response Center (ASEC) documented several real-world cases in which attackers first reached the target over Remote Desktop Protocol (RDP), then downloaded and installed DBeaver through a browser on the compromised host and exported data using the tool's default settings.
In other cases the attackers ran trial versions of Navicat, avoiding the need for a license. Either way, the clients gave them a full-featured interface: running arbitrary queries, exporting entire tables, and writing the results out as CSV, Excel, or JSON files.
Detection Challenges
Because these tools are legitimate, antivirus software rarely flags them. Detecting misuse therefore requires monitoring behaviour patterns (who runs a database client, from what kind of session, and what files it writes) rather than matching known-bad signatures.
The forensic trail these tools leave is subtle but recoverable. Each application keeps its own logs, and those logs can show an investigator which data was exported and when.
Forensic Clues in DBeaver
DBeaver, an open-source client, is a special case: its verbose logging helps investigators reconstruct what happened, but the same logs also let an attacker see exactly how their actions are recorded.
The log file is usually found at:
C:\Users\[Username]\AppData\Roaming\DBeaverData\workspace\.metadata\dbeaver-debug.log
This file records export activity. For example, two consecutive entries:
2025-05-15 14:37:08.989 - Export to the new file 'C:\Users\Administrator\Desktop\export\PRODUCTS_202505151437.csv'
2025-05-15 14:37:09.145 - Export to the new file 'C:\Users\Administrator\Desktop\export\USERS_202505151437.csv'
Each entry gives the exact time of the export and the path of the output file. The default output name combines the table name with a timestamp (PRODUCTS_202505151437.csv is the PRODUCTS table, exported on 2025-05-15 at 14:37), so the file name alone identifies which table was dumped and when.
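The parsing step an analyst would script against that log, as an added example (not code from the article or from DBeaver). The line pattern follows the two entries quoted above and the TABLE_YYYYMMDDHHMM file-name convention they show; the sample log text is constructed for the example and includes a filler line and a file that does not follow the naming convention. The log-locating helper assumes the path given in the article, with a glob on the workspace directory name because it can vary between DBeaver versions.

```python
"""Extract DBeaver export events from dbeaver-debug.log (added example)."""
import glob
import os
import re
from datetime import datetime

# Matches the export entries quoted in the article.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) - "
    r"Export to the new file '(?P<path>[^']+)'"
)
# Default DBeaver output name: <TABLE>_<YYYYMMDDHHMM>
NAME_RE = re.compile(r"^(?P<table>.+)_(?P<stamp>\d{12})$")

# Constructed sample: the two entries from the article, a filler line, and
# a renamed export that does not carry a table name.
SAMPLE_LOG = r"""
2025-05-15 14:36:55.102 - (constructed filler line, not an export)
2025-05-15 14:37:08.989 - Export to the new file 'C:\Users\Administrator\Desktop\export\PRODUCTS_202505151437.csv'
2025-05-15 14:37:09.145 - Export to the new file 'C:\Users\Administrator\Desktop\export\USERS_202505151437.csv'
2025-05-15 14:40:01.000 - Export to the new file 'C:\Users\Administrator\Desktop\export\notes.json'
""".strip()


def find_debug_logs():
    """Candidate dbeaver-debug.log paths for the current user (Windows only).

    Assumption: the article's path, with the workspace directory globbed
    because its name differs between DBeaver versions.
    """
    appdata = os.environ.get("APPDATA")
    if not appdata:
        return []
    return glob.glob(os.path.join(appdata, "DBeaverData", "workspace*", ".metadata", "dbeaver-debug.log"))


def parse_exports(text):
    """Return one record per export entry: when, where, which table, what format."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        path = m.group("path")
        name = path.replace("/", "\\").rsplit("\\", 1)[-1]
        stem, _, ext = name.rpartition(".")
        n = NAME_RE.match(stem)
        rows.append({
            "logged_at": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S.%f"),
            "path": path,
            "table": n.group("table") if n else None,           # None when renamed
            "file_stamp": datetime.strptime(n.group("stamp"), "%Y%m%d%H%M") if n else None,
            "format": ext.lower(),
        })
    return rows


def summarize(rows):
    """Per-table export count and first/last time, for a quick timeline."""
    out = {}
    for r in rows:
        key = r["table"] or "(unknown table)"
        entry = out.setdefault(key, {"count": 0, "first": r["logged_at"], "last": r["logged_at"], "formats": set()})
        entry["count"] += 1
        entry["first"] = min(entry["first"], r["logged_at"])
        entry["last"] = max(entry["last"], r["logged_at"])
        entry["formats"].add(r["format"])
    return out


if __name__ == "__main__":
    logs = find_debug_logs()
    text = open(logs[0], encoding="utf-8", errors="replace").read() if logs else SAMPLE_LOG
    rows = parse_exports(text)
    for table, s in summarize(rows).items():
        print("%-20s %d export(s) %s .. %s  %s" % (table, s["count"], s["first"], s["last"], ",".join(sorted(s["formats"]))))
    for r in rows:
        print("  %s  %s" % (r["logged_at"], r["path"]))
```

Both timestamps matter: the log entry gives the second the export finished, while the stamp embedded in the file name is the minute the export started, so a gap between them is a rough measure of how long (and therefore how much) was pulled. A file that does not match the TABLE_YYYYMMDDHHMM pattern still records an export, only one whose default name the attacker changed.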
Additional Forensic Evidence
Even if the debug log has been deleted, DBeaver also keeps a connection history; investigators can use it to establish which databases were reached from the host.
Another important file, named simply .log, records connection errors and failed SQL statements. Those entries can reveal an attacker testing commands or fumbling through an unfamiliar schema.