The Trigona ransomware group has adopted a new strategy by employing a custom-developed tool for data exfiltration in their recent attacks. This marks a departure from the typical use of off-the-shelf utilities like Rclone or MegaSync, which are commonly used by ransomware groups. The attacks, which took place in March 2026, indicate a significant evolution in the tactics of Trigona affiliates, although the exact reasons for this shift remain unclear. It is speculated that the move towards proprietary tools is an attempt to avoid detection by security solutions that are adept at identifying known utilities.
The custom tool, named uploader_client.exe, is a command-line utility that connects to a hardcoded server controlled by the attackers. It features several advanced capabilities, including the ability to use multiple parallel connections for rapid data transfer and the ability to rotate TCP connections to evade network monitoring. Additionally, the tool allows attackers to filter out low-value files and uses an authentication key to secure access to the stolen data. This tool was observed targeting high-value documents such as invoices and PDFs stored on networked drives.
Before deploying the custom uploader, attackers attempted to disable security measures using a variety of tools. They installed the Huorong Network Security Suite tool HRSword as a kernel driver service and used other security-disabling tools like PCHunter and Gmer. These tools exploited vulnerable kernel drivers to terminate endpoint protection processes, allowing the attackers to operate with elevated privileges. Remote access was gained through AnyDesk, and credential theft was conducted using tools like Mimikatz.
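The driver-based defence evasion described above leaves a clear trace on the host: a kernel-mode driver service being installed, typically from a user-writable or temporary directory. The following detection example is added here and is not code from the Symantec write-up; it flags Event ID 7045 service-install records whose service type is a kernel driver and whose image either lives outside a trusted driver directory or carries the name of one of the tools named in the article (HRSword, PCHunter, Gmer). The sample records, the trusted directory list and the path-normalisation rules are constructed assumptions to adapt per environment.

```python
"""Added detection example (not from the Symantec write-up): flag kernel-mode
driver services installed from untrusted locations or carrying the names of
security-disabling tools named in the article (HRSword, PCHunter, Gmer).

Windows writes Event ID 7045 to the System log when a service is installed;
the record carries the service name, image path and service type. The
records below are constructed sample data; the trusted directory list and
the path normalisation rules are assumptions to adapt per environment."""
import re
from dataclasses import dataclass, field

# Tool names from the write-up; matched case-insensitively against the
# service name and the driver file name.
KNOWN_DISABLER_TOOLS = ("hrsword", "pchunter", "gmer")

# Assumption: drivers a baseline allows to load from here without review.
TRUSTED_DRIVER_DIRS = ("c:\\windows\\system32\\drivers\\",)


@dataclass
class DriverAlert:
    host: str
    service_name: str
    image_path: str
    reasons: list = field(default_factory=list)


def normalize_image_path(raw: str) -> str:
    """Turn the ImagePath forms seen in 7045 records into one lower-case
    absolute path (assumes the system drive is C:)."""
    p = raw.strip().strip('"').lower()
    if p.startswith("\\??\\"):                  # NT object-manager prefix
        p = p[4:]
    if p.startswith("%systemroot%\\"):
        p = "c:\\windows\\" + p[len("%systemroot%\\"):]
    elif p.startswith("\\systemroot\\"):
        p = "c:\\windows\\" + p[len("\\systemroot\\"):]
    elif not re.match(r"^[a-z]:\\", p):          # bare 'system32\drivers\x.sys'
        p = "c:\\windows\\" + p
    return p


def find_suspicious_driver_installs(events):
    """Return one DriverAlert per kernel-driver install that trips a heuristic."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 7045:
            continue
        if "kernel" not in ev.get("ServiceType", "").lower():
            continue                              # user-mode services are handled elsewhere
        path = normalize_image_path(ev.get("ImagePath", ""))
        name = ev.get("ServiceName", "").lower()
        file_name = path.rsplit("\\", 1)[-1]
        reasons = []
        hits = [t for t in KNOWN_DISABLER_TOOLS if t in name or t in file_name]
        if hits:
            reasons.append("name matches security-disabling tool: " + ", ".join(hits))
        if not any(path.startswith(d) for d in TRUSTED_DRIVER_DIRS):
            reasons.append("kernel driver image outside trusted driver directories")
        if reasons:
            alerts.append(DriverAlert(ev.get("host", "?"), ev.get("ServiceName", ""),
                                      path, reasons))
    return alerts


# Constructed sample records (not real telemetry; file names are invented).
SAMPLE_EVENTS = [
    {"host": "WS-042", "EventID": 7045, "ServiceName": "HRSword",
     "ImagePath": "\\??\\C:\\Users\\jdoe\\Desktop\\hrsword_drv.sys",
     "ServiceType": "kernel mode driver"},
    {"host": "WS-042", "EventID": 7045, "ServiceName": "vendorav",
     "ImagePath": "system32\\drivers\\vendorav.sys",
     "ServiceType": "kernel mode driver"},
    {"host": "WS-042", "EventID": 7045, "ServiceName": "AnyDesk",
     "ImagePath": "\"C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe\" --service",
     "ServiceType": "user mode service"},
    {"host": "SRV-01", "EventID": 7045, "ServiceName": "drv1",
     "ImagePath": "\\??\\C:\\Windows\\Temp\\pchunter64.sys",
     "ServiceType": "kernel mode driver"},
    {"host": "SRV-01", "EventID": 4624, "ServiceName": "", "ImagePath": "",
     "ServiceType": ""},
]

if __name__ == "__main__":
    for a in find_suspicious_driver_installs(SAMPLE_EVENTS):
        print(f"{a.host}: service {a.service_name!r} -> {a.image_path}: "
              f"{'; '.join(a.reasons)}")
```

The name match is the weaker of the two heuristics, since an attacker can rename a binary; the location check is what catches a renamed driver, and in practice it should be paired with the driver's signer and hash so that a signed-but-vulnerable driver dropped into a trusted directory is still reviewed.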
The creation of a custom exfiltration tool suggests a higher level of technical sophistication among the attackers. While developing such tools requires significant resources, they offer a level of stealth that generic tools cannot achieve until they are discovered by security researchers. This approach reflects a growing trend among ransomware groups to develop proprietary tools to maintain an advantage over security defenses.
Organizations should take proactive measures to protect against such sophisticated attacks. This includes monitoring for unusual network activity, especially connections to unknown IP addresses, and ensuring that security solutions are updated to detect custom malware tools. Additionally, organizations should regularly review and update their security protocols to address vulnerabilities that could be exploited by attackers using advanced techniques.
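The uploader's own design (many parallel connections, rotated TCP sessions, one hardcoded destination) is also its network signature, and it is the kind of "unusual network activity" the recommendation above refers to. The following example is added here and is not code from the Symantec write-up: it groups Zeek-style connection records by source host and external destination and flags groups with many connections, a high peak of simultaneously open sessions and a large outbound byte count. The internal ranges, allowlist and thresholds are assumptions to tune per environment, and the sample records are constructed, using documentation address ranges rather than real servers.

```python
"""Added detection example (not from the Symantec write-up): score outbound
flows for the pattern the custom uploader is described as using, i.e. many
parallel and rotating TCP connections from one host to a single external
server carrying a large upload volume.

Input is a list of constructed Zeek-style conn records (ts, duration, src,
src_port, dst, dst_port, orig_bytes). The internal ranges, the allowlist
and every threshold are assumptions to tune per environment; the external
addresses in the sample data are documentation ranges, not real servers."""
import ipaddress
from collections import defaultdict

# Assumption: RFC 1918 space is "internal"; everything else is external.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def max_concurrency(intervals):
    """Peak number of simultaneously open connections (sweep over start/end)."""
    events = []
    for start, end in intervals:
        events.append((start, 1))
        events.append((end, -1))
    events.sort()                 # at equal time, -1 sorts before +1: close before open
    cur = peak = 0
    for _, delta in events:
        cur += delta
        peak = max(peak, cur)
    return peak


def find_bulk_upload_candidates(conns, min_conns=8, min_parallel=3,
                                min_bytes=50_000_000, allowlist=frozenset()):
    """Group flows by (src, dst, dst_port) and flag groups that look like a
    multi-connection upload to an external host not on the allowlist."""
    groups = defaultdict(list)
    for c in conns:
        if is_internal(c["dst"]) or c["dst"] in allowlist:
            continue
        groups[(c["src"], c["dst"], c["dst_port"])].append(c)

    findings = []
    for (src, dst, dport), flows in groups.items():
        total_out = sum(f["orig_bytes"] for f in flows)
        parallel = max_concurrency([(f["ts"], f["ts"] + f["duration"]) for f in flows])
        if len(flows) >= min_conns and parallel >= min_parallel and total_out >= min_bytes:
            findings.append({
                "src": src, "dst": dst, "dst_port": dport,
                "connections": len(flows),
                # rotation shows up as one distinct ephemeral source port per session
                "distinct_src_ports": len({f["src_port"] for f in flows}),
                "max_parallel": parallel,
                "orig_bytes": total_out,
            })
    findings.sort(key=lambda f: f["orig_bytes"], reverse=True)
    return findings


def build_sample_flows():
    """Constructed sample: one host opens 12 overlapping, rotating connections
    to an external server (each 6 MB out), plus benign background traffic."""
    flows = []
    for i in range(12):
        flows.append({"ts": 1000 + 10 * i, "duration": 35, "src": "10.0.0.5",
                      "src_port": 49152 + i, "dst": "203.0.113.10", "dst_port": 443,
                      "orig_bytes": 6_000_000})
    # a short, small connection to another external host: not flagged
    flows.append({"ts": 1000, "duration": 2, "src": "10.0.0.7", "src_port": 51000,
                  "dst": "198.51.100.20", "dst_port": 443, "orig_bytes": 12_000})
    # a large internal SMB transfer: excluded by the internal-range filter
    flows.append({"ts": 1100, "duration": 300, "src": "10.0.0.5", "src_port": 51001,
                  "dst": "10.0.0.1", "dst_port": 445, "orig_bytes": 400_000_000})
    return flows


if __name__ == "__main__":
    for f in find_bulk_upload_candidates(build_sample_flows()):
        print(f"{f['src']} -> {f['dst']}:{f['dst_port']}: {f['connections']} conns, "
              f"{f['distinct_src_ports']} src ports, peak {f['max_parallel']} parallel, "
              f"{f['orig_bytes']} bytes out")
```

Two practical notes. The internal ranges are listed explicitly instead of using `ipaddress.ip_address(...).is_private`, because Python treats the documentation ranges used in the sample data (and other IANA special-purpose blocks) as private, which would silently drop them from scoring. And the byte threshold alone is not enough: large uploads to sanctioned cloud storage are normal, so the allowlist and the parallel-session count are what separate a bulk backup from a tool that fans out across rotating connections to one unknown server.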
Source: https://symantec-enterprise-blogs.security.com/threat-intelligence/trigona-exfiltration-custom