Ransomware Gang Unveils Custom Data-Theft Tool


Ransomware operators introduced a custom-built data exfiltration tool, signaling a notable evolution in attack techniques.

Unlike most ransomware groups that rely on publicly available utilities such as Rclone or MegaSync, Trigona affiliates are now using a proprietary tool to steal sensitive data with greater precision and stealth.

Trigona, active since late 2022, operates as a Ransomware-as-a-Service (RaaS) platform and is linked to a cybercrime group known as Rhantus. The introduction of custom tooling indicates a higher level of technical sophistication among its affiliates.

The move away from common tools suggests an effort to evade detection, as widely used exfiltration utilities are increasingly flagged by security solutions.

The activity was observed in attacks carried out in March 2026. Researchers noted that the attackers deployed a previously unseen command-line utility, uploader_client.exe, which communicates with a hardcoded, attacker-controlled server.

Advanced Data Exfiltration Capabilities

Analysis of the custom uploader revealed several features designed to improve speed, efficiency, and evasion during data theft operations:

  • Parallel data transfer: The tool uses up to five simultaneous connections per file, allowing attackers to maximize bandwidth usage and accelerate exfiltration.
  • Connection rotation: It automatically rotates TCP connections after transferring approximately 2,048 MB of data, helping avoid detection mechanisms that monitor long-lived connections.
  • Selective data targeting: With an --exclude-ext option, attackers can skip large, low-value files such as video and audio formats, focusing instead on sensitive documents.
  • Built-in authentication: A shared authentication key ensures that only authorized clients can upload data to the attacker’s server, protecting the stolen data repository.

In at least one incident, attackers specifically targeted folders containing invoices and high-value PDF files stored on network drives, indicating a focus on financially sensitive information.

Before deploying the exfiltration tool, attackers took extensive steps to turn off security defenses. They installed the Huorong Network Security Suite tool HRSword as a kernel driver service, enabling deep system-level access.

Additional tools used in the attack included PCHunter, Gmer, YDark, WKTools, DumpGuard, and StpProcessMonitorByovd.

Many of these leveraged vulnerable kernel drivers to terminate endpoint protection processes. PowerRun was also used to execute tools with elevated privileges, further ensuring security mechanisms were bypassed.

A Shift Toward Custom Malware

The attackers gained remote access via AnyDesk and conducted credential harvesting using Mimikatz and Nirsoft password recovery tools, allowing them to collect browser and application credentials for lateral movement.

The use of a custom exfiltration tool is relatively rare in ransomware operations, where affiliates typically depend on established toolkits. However, this shift highlights a growing trend toward tailored malware development.

While building proprietary tools requires more resources and expertise, it offers attackers a significant advantage by reducing their visibility to traditional detection systems. At least initially, such tools can operate under the radar until security researchers identify and analyze them.

This development underscores the need for organizations to adopt behavior-based detection strategies, as reliance on known indicators alone may not be sufficient to detect emerging, custom-built threats.
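One way to turn the uploader's traits listed above (up to five parallel connections per file, TCP rotation at roughly 2,048 MB) into the behavior-based detection the closing paragraph calls for. This is an added example, not code from the article or its researchers; the flow records, thresholds and field layout are assumptions constructed for illustration.

```python
from collections import defaultdict

MB = 1024 * 1024
ROTATE_BYTES = 2048 * MB         # uploader rotates TCP connections at ~2,048 MB (per the article)
ROTATE_TOL = 0.02                # sizes within 2% of that count as a rotation boundary (assumed)
MIN_PARALLEL = 3                 # tool uses up to 5 parallel connections; alert from 3 (assumed)
MIN_TOTAL_BYTES = 5 * 1024 * MB  # ignore host/destination pairs under 5 GB outbound (assumed)

# Constructed flow log, not real telemetry: (start_s, end_s, src, dst, dport, bytes_out)
FLOWS = [
    (0, 900, "10.0.5.23", "203.0.113.7", 443, 2048 * MB),
    (1, 905, "10.0.5.23", "203.0.113.7", 443, 2048 * MB),
    (2, 910, "10.0.5.23", "203.0.113.7", 443, 2048 * MB),
    (3, 915, "10.0.5.23", "203.0.113.7", 443, 2048 * MB),
    (4, 920, "10.0.5.23", "203.0.113.7", 443, 2048 * MB),
    (900, 1800, "10.0.5.23", "203.0.113.7", 443, 2048 * MB),  # rotated follow-on connection
    (0, 3600, "10.0.5.23", "198.51.100.9", 443, 120 * MB),    # ordinary long-lived session
    (0, 60, "10.0.7.4", "198.51.100.20", 443, 3 * MB),        # unrelated small flow
]


def max_concurrency(intervals):
    """Peak number of overlapping (start, end) intervals, via a sweep line."""
    events = sorted([(s, 1) for s, _ in intervals] + [(e, -1) for _, e in intervals])
    live = peak = 0
    for _, delta in events:  # an end at time t sorts before a start at t, so no false overlap
        live += delta
        peak = max(peak, live)
    return peak


def analyze(flows):
    """Flag (src, dst, port) pairs showing parallel upload or connection-rotation behaviour."""
    groups = defaultdict(list)
    for start, end, src, dst, dport, nbytes in flows:
        groups[(src, dst, dport)].append((start, end, nbytes))
    findings = []
    for (src, dst, dport), fl in groups.items():
        total = sum(b for _, _, b in fl)
        parallel = max_concurrency([(s, e) for s, e, _ in fl])
        rotated = sum(1 for _, _, b in fl if abs(b - ROTATE_BYTES) <= ROTATE_TOL * ROTATE_BYTES)
        # Volume gate first, then either trait on its own is enough to raise a finding
        if total >= MIN_TOTAL_BYTES and (parallel >= MIN_PARALLEL or rotated >= 2):
            findings.append({"src": src, "dst": dst, "dport": dport, "total_mb": total // MB,
                             "parallel": parallel, "rotated": rotated})
    return findings


if __name__ == "__main__":
    for f in analyze(FLOWS):
        print(f"possible bulk exfiltration: {f}")
```

Run against real NetFlow or firewall session logs the same grouping applies; tune the byte and concurrency thresholds to the environment's normal backup and sync traffic before alerting on them.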
