The Trigona ransomware infection chain | Image: Trend Micro
The ransomware landscape is witnessing a sophisticated shift in how data is stolen. While most cybercriminal groups are content using common utilities like Rclone or MegaSync, the Trigona ransomware group—operated by the Rhantus syndicate—has begun deploying a proprietary, high-performance data theft tool.
Recent attacks in March 2026 reveal that Trigona affiliates are moving away from well-known public tools that are easily flagged by security solutions, opting instead for a custom-built utility dubbed uploader_client.exe.
This new command-line utility isn’t just a simple file transfer script; it is a highly optimized engine designed to bypass modern network monitoring.
Key features discovered in the analysis include:
- Parallel Streaming: To saturate available bandwidth, the tool defaults to five parallel connections per file, ensuring rapid data transfer.
- Connection Rotation: After sending a specific volume of data (defaulting to 2,048 MB), the tool rotates the TCP connection. As the report notes, “This technique is likely intended to evade network traffic monitoring that triggers on long-lived, high-volume connections to a single IP address”.
- Granular Filtering: Attackers can specifically ignore “bulky, low-value” files like .mp3 or .mp4 using an `--exclude-ext` flag, allowing them to focus strictly on high-priority documents like invoices and PDFs.
- Integrated Authentication: A shared key is used to verify the client with the attacker’s server, preventing researchers or unauthorized parties from accessing the stolen data.
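The connection-rotation and parallel-streaming behaviour described above defeats detections that key on a single long-lived, high-volume connection. The defensive counter is to aggregate outbound volume per source/destination pair across many short connections. The following is an added example written for this article, not code from Trend Micro or from the report: it parses constructed NetFlow-style records, groups them by (source, destination, port), counts connections whose size sits near a rotation chunk size, and measures how many streams to that destination overlapped in time. The flow format, the IP addresses, the 2 GiB interpretation of “2,048 MB”, and the alert thresholds are all assumptions chosen for illustration.

```python
"""Detect chunked, parallel outbound transfers across rotated connections.

Added example for this article (not the report's code). Flow records and
thresholds are constructed; adapt the parser to your collector's format.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed flow records, one per line:
# start_epoch,src_ip,dst_ip,dst_port,bytes_out,duration_s
# Host 10.0.5.23 pushes four ~2 GiB chunks to 203.0.113.10 as two parallel
# streams, then a final partial chunk. The other flows are ordinary traffic.
SAMPLE_FLOWS = """\
1773993600,10.0.5.23,203.0.113.10,443,2147483648,310
1773993602,10.0.5.23,203.0.113.10,443,2147483648,312
1773993915,10.0.5.23,203.0.113.10,443,2147483648,298
1773993917,10.0.5.23,203.0.113.10,443,2147483648,300
1773994220,10.0.5.23,203.0.113.10,443,1843200000,270
1773993700,10.0.5.23,198.51.100.7,443,524288,4
1773993800,10.0.5.40,198.51.100.7,443,104857600,60
"""


@dataclass
class Flow:
    start: int
    src: str
    dst: str
    dport: int
    bytes_out: int
    duration: int


def parse_flows(text):
    """Parse the constructed CSV flow format into Flow objects."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        start, src, dst, dport, nbytes, dur = line.split(",")
        flows.append(Flow(int(start), src, dst, int(dport), int(nbytes), int(dur)))
    return flows


def max_concurrency(flows):
    """Largest number of flows in the group that were open at the same time."""
    events = []
    for f in flows:
        events.append((f.start, 1))
        events.append((f.start + f.duration, -1))
    # Sort so that at equal timestamps a connection closing (-1) is counted
    # before one opening (+1); back-to-back rotations are not "parallel".
    events.sort(key=lambda e: (e[0], e[1]))
    current = best = 0
    for _, delta in events:
        current += delta
        best = max(best, current)
    return best


def find_rotated_uploads(flows, chunk_bytes=2048 * 1024 * 1024, tolerance=0.05,
                         min_chunks=3, total_threshold=5 * 1024 ** 3):
    """Aggregate flows per (src, dst, dport) and flag chunked bulk uploads.

    A group is flagged when at least `min_chunks` connections carry a volume
    within `tolerance` of `chunk_bytes` (the assumed rotation size), or when
    the summed outbound volume exceeds `total_threshold`. Thresholds are
    assumptions for illustration, not values from the report.
    """
    groups = defaultdict(list)
    for f in flows:
        groups[(f.src, f.dst, f.dport)].append(f)

    low, high = chunk_bytes * (1 - tolerance), chunk_bytes * (1 + tolerance)
    alerts = []
    for (src, dst, dport), group in groups.items():
        total = sum(f.bytes_out for f in group)
        chunk_count = sum(1 for f in group if low <= f.bytes_out <= high)
        if chunk_count >= min_chunks or total >= total_threshold:
            starts = [f.start for f in group]
            alerts.append({
                "src": src,
                "dst": dst,
                "dport": dport,
                "connections": len(group),
                "chunk_count": chunk_count,
                "total_bytes": total,
                "span_seconds": max(starts) - min(starts),
                "max_parallel": max_concurrency(group),
            })
    alerts.sort(key=lambda a: a["total_bytes"], reverse=True)
    return alerts


if __name__ == "__main__":
    for alert in find_rotated_uploads(parse_flows(SAMPLE_FLOWS)):
        print(alert)
```

The sample host produces a single alert: five connections, four of them chunk-sized, about 9.7 GiB in total over roughly ten minutes, with two streams open at once. Per-connection rules would have seen five unremarkable HTTPS sessions. In production, the same aggregation is usually run over a sliding time window and combined with an allow-list of known backup or sync destinations to keep the false-positive rate manageable.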
The deployment of this custom uploader is rarely a standalone event. The Threat Hunter Team observed that attackers systematically “kill” security software before beginning the theft.
The group has been seen installing the Huorong Network Security Suite (HRSword) as a kernel driver service. By leveraging vulnerable kernel drivers through tools like PCHunter, Gmer, and YDark, the attackers bypass standard protections.
“By operating at the kernel level, these tools can bypass standard user-mode protections to disable security software effectively,” the report explains.
Once defenses are neutralized, the attackers use AnyDesk for remote access and Mimikatz to harvest the credentials needed to move laterally through the network.
The development of bespoke exfiltration tools marks a significant milestone in an attacker’s technical maturity. While proprietary malware requires significant time and resources to build, it offers a level of stealth that generic toolkits simply cannot match—at least until security researchers tear them apart.