Key Findings

- Trigona ransomware operators have deployed a custom command-line tool called uploader_client.exe to replace publicly available utilities like Rclone and MegaSync
- The shift, observed in March 2026 attacks, provides attackers greater control and detection evasion capabilities
- The custom tool uses multiple parallel connections and rotates TCP connections to avoid network monitoring and traffic analysis
- Trigona affiliates disable security tools using vulnerable kerne