
Trigona Ransomware Gang Deploys Custom Exfiltration Tool for Data Theft and Detection Evasion


Key Findings


  • Trigona ransomware operators have deployed a custom command-line tool, uploader_client.exe, in place of publicly available utilities such as Rclone and MegaSync

  • The shift, observed in attacks in March 2026, gives the attackers more control over the transfer and makes it harder to detect

  • The tool opens multiple parallel connections per file and, after a fixed volume, moves the transfer to a different destination IP, which breaks up the long high-volume flows that network monitoring looks for

  • Before running the uploader, Trigona affiliates disable security tools using legitimate anti-rootkit utilities and their vulnerable kernel drivers

  • The change is a notable tactical evolution and shows increased investment in proprietary tooling


Background


Trigona has operated as a Ransomware-as-a-Service (RaaS) since late 2022 and is linked to the Rhantus cybercrime group. Like most RaaS operations, it relies on affiliates to conduct attacks. Symantec researchers documented the shift to custom tooling following incidents in March 2026, a notable departure from the group's earlier reliance on publicly available, off-the-shelf utilities.


Custom Exfiltration Tool Capabilities


uploader_client.exe connects to attacker-controlled servers and is built for fast, low-profile transfer. By default it opens five parallel connections per file to maximise throughput. After sending 2,048 MB to one destination it rotates to a different IP address, so no single destination ever accumulates the long, high-volume flow that network monitoring typically flags. The caveat for defenders is that this only defeats rules keyed on a (source, destination) pair: a rule that sums egress bytes per internal host across all external destinations still sees the full volume, and the five-way connection fan-out per file is itself a usable signature.


The tool also skips large files of little value and prioritises documents and PDFs. In observed cases, attackers targeted invoices and other high-value documents stored on network drives. Access to the stolen data is gated by authentication keys, limiting exposure if the command-and-control infrastructure is seized or compromised.
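The rotation described above is aimed at detection keyed on one (source, destination) pair, not at aggregate egress per host. The Python below is an added example, not code from the original reporting or from the tool itself. It runs three rules over constructed Zeek-style flow records (the hosts, IPs and timings are made up; the 2,048 MB chunk and five-connection figures are the ones reported): a per-destination volume rule that the rotation slips past, a per-source rule with the same threshold that still fires, and a check for the five-way connection fan-out per file.

```python
"""
Added example: detection logic for chunked, IP-rotating exfiltration.
Flow records below are constructed; the 203.0.113.0/24 and 198.51.100.0/24
addresses are RFC 5737 documentation ranges, not real infrastructure.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

MB = 1024 * 1024
ROTATE_AFTER = 2048 * MB   # reported per-destination volume before the tool rotates IPs
PARALLEL = 5               # reported default parallel connections per file

# Internal ranges are checked explicitly rather than via ip_address().is_global,
# which treats the RFC 5737 documentation ranges as non-global.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Flow:
    ts: float         # connection start, seconds since epoch
    src: str
    dst: str
    dport: int
    orig_bytes: int   # bytes sent by src (Zeek conn.log orig_bytes semantics)


def _chunk_flows(src, dst, t0, total, parallel):
    """Split one chunk of `total` bytes across `parallel` simultaneous connections."""
    base, rem = divmod(total, parallel)
    return [Flow(t0, src, dst, 443, base + (rem if i == 0 else 0)) for i in range(parallel)]


def build_sample_flows():
    """Constructed sample: 10.0.5.21 pushes three 2048 MB chunks, each to a different
    external IP, five connections per chunk; 10.0.5.40 does one unrelated 300 MB upload."""
    flows = []
    for i, dst in enumerate(["203.0.113.10", "203.0.113.11", "203.0.113.12"]):
        flows += _chunk_flows("10.0.5.21", dst, 1_700_000_000 + i * 600, ROTATE_AFTER, PARALLEL)
    flows.append(Flow(1_700_000_100, "10.0.5.40", "198.51.100.5", 443, 300 * MB))
    return flows


def _external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL)


def per_destination_alerts(flows, threshold=4 * 1024 * MB):
    """The rule the rotation is designed to defeat: bytes per (src, dst) pair."""
    totals = defaultdict(int)
    for f in flows:
        if _external(f.dst):
            totals[(f.src, f.dst)] += f.orig_bytes
    return sorted((k, v) for k, v in totals.items() if v >= threshold)


def per_source_alerts(flows, threshold=4 * 1024 * MB):
    """Aggregate egress per internal source across all external destinations.
    Returns (src, total_bytes, distinct_destinations) for sources over threshold."""
    totals, dsts = defaultdict(int), defaultdict(set)
    for f in flows:
        if _external(f.dst):
            totals[f.src] += f.orig_bytes
            dsts[f.src].add(f.dst)
    return sorted((s, v, len(dsts[s])) for s, v in totals.items() if v >= threshold)


def parallel_upload_signature(flows, min_parallel=PARALLEL, window=2.0):
    """(src, dst, dport) keys that opened >= min_parallel connections within `window`
    seconds of each other: the per-file fan-out of a parallel uploader."""
    by_key = defaultdict(list)
    for f in flows:
        if _external(f.dst):
            by_key[(f.src, f.dst, f.dport)].append(f.ts)
    hits = set()
    for key, starts in by_key.items():
        starts.sort()
        for i in range(len(starts)):
            j = i
            while j < len(starts) and starts[j] - starts[i] <= window:
                j += 1
            if j - i >= min_parallel:
                hits.add(key)
                break
    return sorted(hits)


if __name__ == "__main__":
    sample = build_sample_flows()
    print("per-destination alerts:", per_destination_alerts(sample))
    print("per-source alerts:", per_source_alerts(sample))
    print("parallel fan-out:", parallel_upload_signature(sample))
```

Both volume rules use the same 4 GB threshold; the only difference is the aggregation key, which is the point: each destination sees exactly one 2,048 MB chunk and stays under it, while the source total is about 6 GB. In production the per-source sum would be computed over a sliding window and fed by real conn logs rather than the constructed list here.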


Attack Methodology


Before deploying the custom uploader, Trigona operators systematically disable endpoint security. They use HRSword, PCHunter and GMER, legitimate anti-rootkit utilities whose signed kernel drivers can terminate processes that user-mode tamper protection would otherwise block, a bring-your-own-vulnerable-driver (BYOVD) pattern. PowerRun launches these tools with SYSTEM-level privileges, bypassing restrictions that apply even to administrator accounts.


Initial access in the observed cases came through remote administration tools such as AnyDesk. Once inside, attackers harvest credentials with Mimikatz and NirSoft password-recovery utilities to pull stored passwords from applications and browsers, which then support lateral movement.
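As an added example, not code from the original page, the following Python walks constructed Sysmon Event ID 1 (process creation) records to find the chain described above: an anti-rootkit tool launched under PowerRun, possibly through an intermediate shell, and running as SYSTEM while an ancestor ran as an ordinary user. The executable names (PowerRun.exe, HRSword.exe, PCHunter64.exe, gmer.exe), GUIDs, paths and accounts are assumptions for illustration.

```python
"""
Added example: process-ancestry detection over Sysmon Event ID 1 records for the
PowerRun -> anti-rootkit-tool pattern. All records and executable names are assumed.
"""
import json
import ntpath

# Assumed on-disk image names for the tools named in the reporting.
KILL_TOOLS = {"hrsword.exe", "pchunter64.exe", "pchunter32.exe", "gmer.exe"}
LAUNCHER = "powerrun.exe"
SYSTEM_ACCOUNTS = {"nt authority\\system", "nt service\\trustedinstaller"}

# Constructed Sysmon EID 1 records as a SIEM forwarder might emit them (JSON lines).
SAMPLE_EVENTS = [json.dumps(e) for e in [
    {"EventID": 1, "ProcessGuid": "{g1}", "ParentProcessGuid": "{g0}",
     "Image": r"C:\Windows\explorer.exe", "User": r"CORP\jdoe"},
    {"EventID": 1, "ProcessGuid": "{g2}", "ParentProcessGuid": "{g1}",
     "Image": r"C:\Users\jdoe\Downloads\PowerRun.exe", "User": r"CORP\jdoe"},
    {"EventID": 1, "ProcessGuid": "{g3}", "ParentProcessGuid": "{g2}",
     "Image": r"C:\Tools\HRSword.exe", "User": r"NT AUTHORITY\SYSTEM"},
    {"EventID": 1, "ProcessGuid": "{g4}", "ParentProcessGuid": "{g2}",
     "Image": r"C:\Windows\System32\cmd.exe", "User": r"NT AUTHORITY\SYSTEM"},
    {"EventID": 1, "ProcessGuid": "{g5}", "ParentProcessGuid": "{g4}",
     "Image": r"C:\Tools\PCHunter64.exe", "User": r"NT AUTHORITY\SYSTEM"},
    {"EventID": 1, "ProcessGuid": "{g6}", "ParentProcessGuid": "{g1}",
     "Image": r"C:\Windows\notepad.exe", "User": r"CORP\jdoe"},
    {"EventID": 1, "ProcessGuid": "{g7}", "ParentProcessGuid": "{g1}",
     "Image": r"C:\Tools\gmer.exe", "User": r"CORP\jdoe"},
]]


def parse_events(lines):
    """Index process-creation events by ProcessGuid; other event IDs are ignored."""
    events = (json.loads(line) for line in lines)
    return {e["ProcessGuid"]: e for e in events if e.get("EventID") == 1}


def ancestors(procs, guid):
    """Yield parent, grandparent, ... for `guid`, stopping at unknown GUIDs or cycles."""
    seen = {guid}
    parent_guid = procs[guid].get("ParentProcessGuid")
    while parent_guid in procs and parent_guid not in seen:
        seen.add(parent_guid)
        parent = procs[parent_guid]
        yield parent
        parent_guid = parent.get("ParentProcessGuid")


def _name(event):
    # ntpath handles Windows separators regardless of the analysis host's OS.
    return ntpath.basename(event["Image"]).lower()


def find_kill_tool_launches(lines):
    """Return (tool_name, launched_via_powerrun, elevated_to_system) for every
    anti-rootkit tool start. `elevated_to_system` is True when the tool runs as a
    system account but some ancestor ran as an ordinary user, the signature of a
    PowerRun-style launcher rather than a service or scheduled task."""
    procs = parse_events(lines)
    findings = []
    for guid, ev in procs.items():
        if _name(ev) not in KILL_TOOLS:
            continue
        chain = list(ancestors(procs, guid))
        via_powerrun = any(_name(a) == LAUNCHER for a in chain)
        elevated = (ev["User"].lower() in SYSTEM_ACCOUNTS
                    and any(a["User"].lower() not in SYSTEM_ACCOUNTS for a in chain))
        findings.append((_name(ev), via_powerrun, elevated))
    return sorted(findings)


if __name__ == "__main__":
    for tool, via_powerrun, elevated in find_kill_tool_launches(SAMPLE_EVENTS):
        print(f"{tool}: via PowerRun={via_powerrun}, user->SYSTEM hop={elevated}")
```

Walking the full ancestry rather than checking only the direct parent is what catches PCHunter64.exe in the sample, which PowerRun starts through cmd.exe. The gmer.exe start from explorer.exe under the user's own account is still reported, since any of these tools on a production endpoint deserves a look, but without either high-confidence attribute.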


Strategic Implications


The investment in custom tooling reflects a calculated trade-off. Building proprietary tools costs time and developer effort, but it buys stealth that generic utilities cannot provide: public tools such as Rclone are so well known that security products routinely flag them. The change signals growing maturity in the ransomware ecosystem as operators look for an edge in an increasingly monitored environment.


Sources


  • https://securityaffairs.com/191294/cyber-crime/trigona-ransomware-adopts-custom-tool-to-steal-data-and-evade-detection.html

  • https://www.facebook.com/SCMag/posts/trigona-ransomware-ups-its-game-with-custom-exfiltration-tool-boosting-stealth-a/1591451199648830/

  • https://gbhackers.com/custom-data-theft-tool/amp/

  • https://teamwin.in/ransomware-hackers-develop-custom-exfiltration-tool-to-steal-sensitive-data/


© 2025 by Explain IT Again.