Affiliates of the Trigona ransomware group are now using a custom-built data exfiltration tool in place of off-the-shelf utilities. The tool lets them steal sensitive data faster, more selectively and with more control, and it is harder for defenders to spot than the public tools it replaces. Trigona, which has operated under a Ransomware-as-a-Service (RaaS) model since late 2022, has moved beyond common, easily detected tooling, a sign of growing technical capability and deliberate investment among its operators.
This shift towards proprietary malware, identified by Symantec’s Threat Hunter Team in March 2026, is a deliberate investment by attackers to reduce their visibility during the data theft phase, the point at which many intrusions are caught. Historically, ransomware operations relied on publicly available utilities such as Rclone or MEGAsync, which work well enough but are now detected by binary name and hash, by their command-line patterns and by the cloud endpoints they talk to. A custom uploader speaking to attacker-controlled infrastructure avoids all of those signatures at once. The Trigona group’s adoption of such a tool suggests a dedication to stealth and efficiency, and an operation run with the discipline of a software development shop.
Defense Evasion and Pre-Attack Setup for Data Exfiltration
Before deploying the custom exfiltration tool, named “uploader_client.exe,” the attackers first dismantled the victim’s security posture. They used HRSword, a component of the Huorong Network Security Suite whose kernel driver can terminate protected processes, repurposed to disable other security software on the targeted machine. They supplemented it with PCHunter, Gmer, YDark, WKTools, DumpGuard and StpProcessMonitor, used in the same bring-your-own-vulnerable-driver (BYOVD) fashion. These are legitimate system and anti-rootkit utilities that ship their own signed kernel drivers and expose process termination and similar kernel-level operations to user mode; once such a driver is loaded, the attacker can kill endpoint protection processes from kernel mode, bypassing the self-protection that user-mode defenses rely on. Because the drivers carry valid signatures, a default Windows configuration will load them unless the specific driver is on Microsoft’s vulnerable driver blocklist and that blocklist is enforced on the host.
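The practical counter to the driver abuse described above is telemetry on driver loads. As an added illustration, not Symantec’s detection logic and not code from the page, the Python below triages Sysmon Event ID 6 (DriverLoad) records for the three things that distinguish a dropped dual-use driver from a normal one: a load path outside the standard driver directories, a signature that is not valid, and a signer that is not in the host’s baseline. The trusted directory list, the baseline signer set and all sample events are assumptions constructed for the example; the file names, signer strings and hashes are placeholders, not indicators from the incident.

```python
"""Triage Windows kernel driver load events (Sysmon Event ID 6) for BYOVD signs.

A dual-use tool driver is usually validly signed by a third-party vendor, so the
signature-status check alone will not catch it; the load path and the signer
baseline are the checks that do.

All sample events are constructed; file names, signer strings and hashes are
hypothetical placeholders, not indicators from the Trigona report.
"""
from dataclasses import dataclass
import ntpath

# Directories legitimate drivers are normally loaded from (compared lower-case).
# Assumption for the example; extend from a clean inventory of your fleet.
TRUSTED_DRIVER_DIRS = (
    r"c:\windows\system32\drivers",
    r"c:\windows\system32\driverstore",
)

# Signers observed during normal operation on this host. A real baseline is
# built from clean hosts, not hard-coded like this (assumption for the example).
BASELINE_SIGNERS = {
    "Microsoft Windows",
    "Microsoft Windows Hardware Compatibility Publisher",
}


@dataclass(frozen=True)
class DriverLoad:
    image_loaded: str      # Sysmon ImageLoaded: full path of the .sys file
    signature: str         # Sysmon Signature: signer subject name
    signature_status: str  # Sysmon SignatureStatus: "Valid", "Unavailable", ...
    sha256: str            # taken from the Sysmon Hashes field


def in_trusted_dir(image_path: str) -> bool:
    """True if the driver sits in (or below) one of the standard driver dirs."""
    directory = ntpath.dirname(image_path.lower().replace("/", "\\"))
    return any(directory == d or directory.startswith(d + "\\")
               for d in TRUSTED_DRIVER_DIRS)


def triage(evt: DriverLoad, baseline_signers=BASELINE_SIGNERS) -> list:
    """Return the reasons this driver load deserves a look (empty list = benign)."""
    reasons = []
    if not in_trusted_dir(evt.image_loaded):
        reasons.append(f"loaded from non-standard path: {evt.image_loaded}")
    if evt.signature_status.lower() != "valid":
        reasons.append(f"signature status is {evt.signature_status!r}")
    if evt.signature not in baseline_signers:
        reasons.append(f"signer not in host baseline: {evt.signature!r}")
    return reasons


def triage_events(events) -> dict:
    """Map each flagged driver image to its reasons; benign loads are omitted."""
    flagged = {}
    for evt in events:
        reasons = triage(evt)
        if reasons:
            flagged[evt.image_loaded] = reasons
    return flagged


SAMPLE_EVENTS = [
    # Constructed: a normal OS driver load.
    DriverLoad(r"C:\Windows\System32\drivers\tcpip.sys",
               "Microsoft Windows", "Valid", "0" * 64),
    # Constructed: a validly signed third-party tool driver that an operator
    # dropped into a user-writable directory. Signer name is hypothetical.
    DriverLoad(r"C:\Users\Public\tools\hunt64.sys",
               "Example Security Vendor Co., Ltd.", "Valid", "1" * 64),
    # Constructed: an unsigned driver.
    DriverLoad(r"C:\ProgramData\svc\helper.sys", "", "Unavailable", "2" * 64),
]


if __name__ == "__main__":
    for image, reasons in triage_events(SAMPLE_EVENTS).items():
        print(image)
        for reason in reasons:
            print("   -", reason)
```

The `sha256` field is kept because it is the pivot for the preventive side: a flagged hash can be compared against Microsoft’s vulnerable driver blocklist and against the community LOLDrivers list, and a driver that appears there should be blocked by policy rather than merely alerted on.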
The attackers established initial remote access through AnyDesk, a legitimate remote desktop application. To move further into the environment and escalate privileges, they deployed Mimikatz together with a collection of NirSoft password recovery utilities, which harvest credentials cached by browsers and other applications. The PowerRun utility was then used to launch these credential-harvesting tools with system-level (administrative) privileges, giving the attackers comprehensive control throughout the attack chain.
The custom “uploader_client.exe” tool itself is engineered for both speed and stealth, and shows a working understanding of how network monitoring is tuned. It defaults to five parallel connections per file to speed up transfer. To avoid standing out as a single long-lived, high-volume connection, it tears down and re-establishes its TCP connection after every 2,048 MB of data. A “--exclude-ext” flag lets the operator skip lower-priority media such as video and audio files and concentrate on high-value documents. Finally, the uploader and the receiving server share an authentication key, so that the stolen data on the attacker-controlled server cannot be accessed by anyone who merely discovers the server. The practical consequence for defenders is that per-connection byte thresholds will not fire; the transfer has to be measured per host and per destination over a time window.
This approach to data exfiltration reflects the rising technical maturity of ransomware groups. In one confirmed incident observed by Symantec, the custom tool was pointed at folders containing financial invoices and critical PDF documents on network shares. That targeting indicates the attackers know which data types carry the most financial or strategic value, and are building tools to extract them efficiently.
The implications extend beyond the Trigona campaign. Certain threat actors are willing to invest substantial resources in research and development, mirroring the structure and discipline of legitimate enterprises. That investment produces more evasive and effective tools, and it puts organizations that handle sensitive financial records or confidential documents at heightened risk as these methods spread.
Organizations should strengthen both endpoint and network monitoring with this tradecraft in mind. Track installations and connections of legitimate remote access tools such as AnyDesk and alert on any that were not sanctioned. Collect kernel driver load telemetry, flag drivers loaded from user-writable paths or signed by vendors not seen in the environment’s baseline, and enforce Microsoft’s vulnerable driver blocklist so that drivers abused by tools such as PCHunter or Gmer are refused rather than merely logged. Keep endpoint protection up to date and check that its self-protection is enabled. On the network, aggregate outbound volume per source host and per destination over a window of minutes to hours rather than per connection, since the uploader splits a transfer across parallel streams and rotates connections at a fixed byte boundary; flag new external destinations receiving large volumes and clusters of same-sized connections. Finally, review and restrict access to sensitive document folders on network shares so that a single compromised workstation cannot reach the invoices and contracts the attackers are after.
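The uploader behaviour described earlier (parallel streams per file, a new TCP connection every 2,048 MB) and the monitoring advice above both come down to the same hunt, so here is one added Python example of it. It is not Symantec’s detection and not code from the page. It takes connection records in the shape of Zeek conn.log fields (timestamp, duration, source, destination, port, bytes sent by the originator), groups them per source/destination/port, and raises an alert when a large total volume is combined with either several simultaneous streams or several connections of near-identical size, which is what a client that rotates at a fixed byte boundary produces. The thresholds and the sample records are assumptions constructed for the example.

```python
"""Hunt for chunked, parallel exfiltration in connection records.

Records are (ts, duration, src, dst, dport, orig_bytes), the shape of Zeek
conn.log fields. Sample data below is constructed, not from an incident.
"""
from collections import defaultdict
from statistics import median

MiB = 1024 * 1024
# Thresholds are assumptions for the example; tune them per environment.
MIN_TOTAL_BYTES = 1024 * MiB   # at least 1 GiB outbound to one destination
MIN_CONCURRENT = 4             # parallel streams to the same destination
MIN_ROTATIONS = 3              # connections carrying near-identical byte counts
ROTATION_TOLERANCE = 0.01      # 1% spread still counts as the same boundary
LARGE_CONN = 512 * MiB         # ignore small connections when looking for rotation


def max_concurrent(intervals):
    """Sweep line: largest number of intervals open at any instant.
    An interval that ends exactly when another starts is not counted as overlapping."""
    events = sorted([(start, 1) for start, _ in intervals] +
                    [(end, -1) for _, end in intervals])
    open_now = peak = 0
    for _, delta in events:
        open_now += delta
        peak = max(peak, open_now)
    return peak


def fixed_boundary_count(byte_counts, tolerance=ROTATION_TOLERANCE):
    """How many large connections carried (within tolerance) the same byte count
    as the median large connection. A client that cuts its TCP connection every
    N bytes regardless of file size leaves a run of equal-sized connections;
    ordinary file transfers leave sizes that vary with the files."""
    big = [b for b in byte_counts if b >= LARGE_CONN]
    if len(big) < 2:
        return 0
    ref = median(big)
    return sum(1 for b in big if abs(b - ref) <= tolerance * ref)


def find_exfil_candidates(records):
    """Return one alert dict per (src, dst, dport) flow that looks like exfiltration."""
    by_flow = defaultdict(list)
    for ts, dur, src, dst, dport, obytes in records:
        by_flow[(src, dst, dport)].append((ts, ts + dur, obytes))
    alerts = []
    for flow, conns in by_flow.items():
        total = sum(b for _, _, b in conns)
        if total < MIN_TOTAL_BYTES:
            continue  # volume gate first; everything below is about shape
        concurrent = max_concurrent([(s, e) for s, e, _ in conns])
        rotations = fixed_boundary_count([b for _, _, b in conns])
        if concurrent >= MIN_CONCURRENT or rotations >= MIN_ROTATIONS:
            alerts.append({
                "flow": flow,
                "total_bytes": total,
                "max_concurrent": concurrent,
                "fixed_size_connections": rotations,
            })
    return alerts


T0 = 1_700_000_000  # constructed epoch base for the sample
SAMPLE_CONN_LOG = [
    # Constructed: 10.0.0.23 pushes five parallel streams to 203.0.113.10:443,
    # each stream torn down and re-opened after 2048 MiB, then a short tail.
    *[(T0 + 0.1 * i, 600.0, "10.0.0.23", "203.0.113.10", 443, 2048 * MiB) for i in range(5)],
    *[(T0 + 600 + 0.1 * i, 600.0, "10.0.0.23", "203.0.113.10", 443, 2048 * MiB) for i in range(5)],
    (T0 + 1200, 210.0, "10.0.0.23", "203.0.113.10", 443, 700 * MiB),
    # Constructed: ordinary browsing from another host, many small connections.
    *[(T0 + 30 * i, 2.0, "10.0.0.41", "198.51.100.5", 443, 40_000 + 100 * i) for i in range(20)],
    # Constructed: one large single-stream backup job over SSH (benign shape).
    (T0, 3600.0, "10.0.0.7", "192.0.2.20", 22, 30 * 1024 * MiB),
]


if __name__ == "__main__":
    for alert in find_exfil_candidates(SAMPLE_CONN_LOG):
        print(alert)
```

The single-stream backup in the sample passes the volume gate but is not alerted, because neither the concurrency nor the equal-size signal fires; that is deliberate, since raw outbound volume alone is a noisy signal in most environments. Whether the tool’s 2,048 MB boundary means 2,048 MiB or 2,048,000,000 bytes is not stated, which is why the check compares connections to each other rather than to a hard-coded size.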
The continued evolution of ransomware tactics, particularly the development of custom exfiltration tools, necessitates a proactive and adaptive security strategy. Organizations must remain vigilant, continuously assess their vulnerabilities, and invest in advanced threat detection and response capabilities to counter these increasingly sophisticated cyber threats.

