Trigona Affiliates Introduce Custom Data Exfiltration Tool in Recent Attacks
Idrees Shafiq
In a notable shift from common ransomware tactics, affiliates of the Trigona group have begun using a custom-built data-exfiltration tool rather than widely available utilities. Traditionally, ransomware operators have relied on tools like Rclone and MegaSync to steal sensitive data, but recent incidents suggest a shift toward more tailored solutions.
The attacks, observed in March 2026, highlight a change in strategy. One likely reason for abandoning public tools is their growing detectability by modern security systems. By developing proprietary malware, attackers may be aiming to stay under the radar during critical stages of their operations.
Trigona, active since late 2022, operates under a Ransomware-as-a-Service (RaaS) model and is associated with the cybercriminal group Rhantus.
Custom Tool Enhances Speed and Stealth
The newly identified tool, named uploader_client.exe, is a command-line program that communicates with a hardcoded server controlled by attackers. Security analysis indicates it is not publicly available and was developed specifically for these campaigns.
The tool includes several advanced features designed to optimize data theft while avoiding detection. It supports multiple parallel connections per file, enabling faster uploads that can fully utilize available bandwidth. Additionally, it periodically rotates network connections after transferring a set amount of data, reducing the likelihood of triggering alerts tied to prolonged high-volume traffic.
Another key capability is selective data targeting. Using specific command-line options, attackers can exclude large, less valuable files such as media formats and focus on sensitive documents. The tool also incorporates authentication mechanisms to ensure only authorized clients can access the stolen data.
In at least one case, attackers used the tool to extract invoices and high-value PDF files from network storage systems.
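The rotation behaviour described above (connections dropped and re-opened after a fixed amount of data) leaves a recognisable shape in network flow logs: many outbound flows from one host to one external server, each carrying nearly the same number of bytes. The following detector is an added example written for this article, not code from the original report or from any security vendor; the flow records, IP addresses (documentation ranges) and thresholds are all constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (src_ip, dst_ip, dst_port, bytes_out, duration_s).
# IPs use documentation ranges; nothing here is taken from the reported incident.
FLOWS = [
    # one internal host: eight near-identical uploads to the same external server
    ("10.0.1.25", "203.0.113.10", 443, 52_428_800, 31),
    ("10.0.1.25", "203.0.113.10", 443, 52_431_104, 29),
    ("10.0.1.25", "203.0.113.10", 443, 52_428_800, 33),
    ("10.0.1.25", "203.0.113.10", 443, 52_430_080, 30),
    ("10.0.1.25", "203.0.113.10", 443, 52_428_800, 32),
    ("10.0.1.25", "203.0.113.10", 443, 52_429_824, 31),
    ("10.0.1.25", "203.0.113.10", 443, 52_428_800, 30),
    ("10.0.1.25", "203.0.113.10", 443, 12_582_912, 8),   # final, smaller chunk
    # ordinary browsing from another host: few flows, widely varying sizes
    ("10.0.1.40", "198.51.100.5", 443, 4_096, 1),
    ("10.0.1.40", "198.51.100.5", 443, 120_000, 3),
    ("10.0.1.40", "198.51.100.5", 443, 15_000, 2),
    ("10.0.1.40", "198.51.100.5", 443, 900_000, 5),
]

def find_chunked_uploads(flows, min_flows=5, min_total_bytes=100 * 2**20, max_cv=0.15):
    """Return one (src, dst, flow_count, total_bytes, chunk_bytes) tuple per
    host pair whose outbound flows are numerous, large in aggregate and nearly
    uniform in size (coefficient of variation below max_cv). The smallest flow
    is excluded from the uniformity check because the last chunk of a file is
    normally shorter than the rotation size. Thresholds are assumptions."""
    by_pair = defaultdict(list)
    for src, dst, _port, bytes_out, _duration in flows:
        by_pair[(src, dst)].append(bytes_out)
    hits = []
    for (src, dst), sizes in by_pair.items():
        total = sum(sizes)
        if len(sizes) < min_flows or total < min_total_bytes:
            continue
        body = sorted(sizes)[1:]          # drop the partial final chunk
        avg = mean(body)
        if pstdev(body) / avg > max_cv:
            continue                      # sizes vary: not a fixed rotation size
        hits.append((src, dst, len(sizes), total, round(avg)))
    return hits

if __name__ == "__main__":
    for src, dst, n, total, chunk in find_chunked_uploads(FLOWS):
        print(f"{src} -> {dst}: {n} flows, {total / 2**20:.0f} MiB total, "
              f"~{chunk / 2**20:.0f} MiB per connection")
```

Tuning the thresholds against a baseline of normal traffic matters: backup agents and cloud sync clients can produce the same uniform-chunk pattern, so alerts should be checked against the list of expected destinations.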
Disabling Security Before Data Theft
Before deploying the custom uploader, attackers take steps to weaken system defenses. This includes installing tools like HRSword, part of the Huorong Network Security Suite, as a kernel-level driver. Additional utilities such as PCHunter, Gmer, and others are used to terminate security processes.
Many of these tools exploit vulnerable kernel drivers, allowing attackers to bypass standard protections and disable endpoint security software. PowerRun is also used to execute these tools with elevated privileges.
To maintain access, attackers use remote management software such as AnyDesk. They also extract credentials using tools such as Mimikatz and password recovery programs to gain further control over compromised systems.
Custom Malware Signals Growing Sophistication
The use of a custom-built exfiltration tool is relatively uncommon in ransomware operations, where most affiliates rely on pre-existing toolkits. This development suggests a higher level of technical capability among Trigona affiliates.
While creating custom malware requires additional time and resources, it offers a significant advantage: improved stealth. Unlike widely recognized tools, custom solutions are less likely to be detected immediately and remain effective until they are identified and analyzed by security researchers.