Trigona Ransomware Builds Custom Data Theft Tool to Evade Security

Blog / April 27, 2026

Trigona ransomware affiliates have abandoned off-the-shelf data exfiltration tools in favour of custom-built malware that steals files faster and evades security detection. The move marks a significant escalation in the group’s capabilities, with researchers at Symantec confirming that the custom tool, named uploader_client.exe, was deployed in attacks observed in March 2026.

The shift away from publicly available utilities like Rclone and MegaSync reflects a calculated response to improved security detection. According to Symantec researchers, “Many publicly available tools are now so well known they may be flagged by security solutions.” The custom tool enables five parallel data transfer streams per file, rotating TCP connections after 2GB of data to avoid triggering network monitoring alerts.

This represents a troubling maturation in ransomware operations. While most RaaS affiliates rely on standard toolkits for speed and convenience, building custom malware requires significant development resources and technical expertise that few groups possess.

The Tool Targets High-Value Documents

The uploader_client.exe utility includes granular filtering capabilities that allow attackers to exclude low-value files from exfiltration. Using an --exclude-ext flag, operators can skip audio and video files while focusing on documents, invoices and PDFs. In one confirmed incident, Symantec observed attackers specifically targeting folders containing invoices and PDFs on network drives.

The tool connects to a hardcoded attacker-controlled server and defaults to transmitting data through five simultaneous connections per file. After sending 2,048 MB, it rotates the TCP connection, a technique designed to evade network traffic monitoring that flags long-lived, high-volume connections to single IP addresses.
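The connection-rotation behaviour described above defeats detections that watch a single long-lived connection. As an added illustration (not code from this post or from Symantec's research), the Python below sums upload volume across all connections from one host to one destination inside a time window and flags the pattern of many connections each capped just below a fixed size; the flow record format, IP addresses and thresholds are constructed for the example.

```python
from collections import defaultdict, namedtuple

MIB = 1024 * 1024
# One TCP connection from a flow log (constructed record format):
# times in seconds since epoch, bytes_out = bytes sent from src to dst.
Flow = namedtuple("Flow", "src dst start end bytes_out")

def _peak_parallel(win):
    """Peak number of connections open at once (parallel upload streams)."""
    events = sorted([(f.start, 1) for f in win] + [(f.end, -1) for f in win])
    cur = peak = 0
    for _, delta in events:
        cur += delta
        peak = max(peak, cur)
    return peak

def find_rotated_exfil(flows, window=3600, min_conns=4,
                       total_threshold=8 * 1024 * MIB, per_conn_cap=2048 * MIB):
    """Flag (src, dst) pairs whose summed upload volume within any `window`
    of connection starts reaches `total_threshold` while no single connection
    exceeds `per_conn_cap`: many capped connections to one host is the
    rotation pattern that a per-connection volume alert misses."""
    by_pair = defaultdict(list)
    for f in flows:
        by_pair[(f.src, f.dst)].append(f)
    hits = {}
    for pair, group in by_pair.items():
        group.sort(key=lambda f: f.start)
        best, lo = None, 0
        for hi in range(len(group)):          # sliding window over start times
            while group[hi].start - group[lo].start > window:
                lo += 1
            win = group[lo:hi + 1]
            total = sum(f.bytes_out for f in win)
            if (len(win) >= min_conns and total >= total_threshold
                    and max(f.bytes_out for f in win) <= per_conn_cap
                    and (best is None or total > best["total_bytes"])):
                best = {"connections": len(win), "total_bytes": total,
                        "peak_parallel": _peak_parallel(win)}
        if best:
            hits[pair] = best
    return hits

# Constructed sample: ten uploads of just under 2,048 MB each, five at a time,
# from one workstation to one external host, plus one small benign transfer.
SAMPLE = [Flow("10.0.0.12", "203.0.113.7", 1000 + (i // 5) * 600,
               1500 + (i // 5) * 600, 2040 * MIB) for i in range(10)]
SAMPLE.append(Flow("10.0.0.12", "10.0.0.50", 1000, 1100, 50 * MIB))
```

Thresholds should be tuned to the environment's normal backup and sync traffic, and the peak_parallel value is a useful secondary signal because legitimate single-stream uploads rarely open several capped connections to the same host at once.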

Security Software Disabled Before Data Theft

Before deploying their custom exfiltration tool, Trigona affiliates systematically disable endpoint protection on victim systems. The attack sequence begins with installing HRSword, a legitimate kernel driver component from the Huorong Network Security Suite, which is then repurposed to terminate security processes.

The group follows this with a toolkit including PCHunter, Gmer, YDark, WKTools, DumpGuard and StpProcessMonitorByovd, several of which leverage vulnerable kernel drivers to bypass endpoint protection. Symantec confirmed that “many of these leveraged vulnerable kernel drivers to terminate endpoint protection processes.” The freeware utility PowerRun provides elevated privileges to execute these tools.

Trigona Survived Ukrainian Disruption

Trigona first appeared in October 2022 as a double-extortion operation demanding payment in Monero cryptocurrency. Ukrainian cyber activists disrupted the operation in October 2023, compromising Trigona servers and stealing source code and database records. The March 2026 attacks confirmed by Symantec demonstrate that the group has resumed operations, now with enhanced technical capabilities.

The group operates as a Ransomware-as-a-Service model, with Symantec tracking the operators under the name Rhantus. Unlike established RaaS operations, Trigona does not appear to maintain a publicly accessible leak site for stolen data, making it harder to assess the full scope of its compromises.

Custom Tools Signal Ransomware Evolution

The development of custom exfiltration malware represents a significant shift in the ransomware landscape. Most affiliates prioritise speed over stealth, relying on proven tools that can be deployed quickly across multiple targets. Building proprietary malware requires sustained development investment and suggests threat actors are treating cybercrime operations with the same discipline as legitimate software development.

As Symantec researchers noted, “The use of custom tooling in the ransomware landscape is a double-edged sword for attackers. While it requires development resources and time, these tools can provide a level of stealth that generic tools cannot match at least until they’re discovered.”

For organisations that handle sensitive financial records or confidential documents, this evolution creates a more challenging threat environment. Custom tools remain undetected longer than known utilities and their granular filtering capabilities ensure attackers extract maximum value from compromised networks.
