
Trigona ransomware attackers use novel tool for data exfiltration

Trigona ransomware affiliates are using a novel, custom tool for data exfiltration, breaking away from a trend of attackers using publicly available tools for data theft, Symantec and Carbon Black, part of Broadcom, reported Thursday.

Trigona is a ransomware-as-a-service (RaaS) group that first emerged in 2022 and uses double-extortion tactics. Files encrypted by Trigona ransomware receive the “._locked” extension and the group typically seeks ransom payments in Monero cryptocurrency.

Despite claims the group was dismantled by a Ukrainian hacktivist group in October 2023, Trigona affiliates continue to conduct attacks and the operation established a new leak site after the original one was compromised, according to Acronis. The ransomware targets both Windows and Linux machines.

In March 2026, Trigona affiliates began using a new custom tool called uploader_client.exe to facilitate data exfiltration, moving away from a previous history of using publicly available tools to steal data before encryption.

Trigona attackers were previously known to use the open-source tool Rclone to exfiltrate victim files to the cloud service pCloud, as reported by Merabytes in 2023. “Off-the-shelf” file migration tools like Rclone and MEGAsync, while not inherently malicious, are popular among ransomware groups due to their ease of use and ready availability.

“Many publicly available tools are now so well known they may be flagged by security solutions. It is possible that the attackers are investing time and effort in proprietary malware in a bid to maintain a lower profile during a critical phase of their attacks,” the researchers said.

The novel tool combines speed, evasion and granular control over which document types are exfiltrated. A command-line utility, uploader_client.exe opens five parallel data transfer streams per file by default, allowing rapid exfiltration of files to a hardcoded remote server.

The utility rotates the TCP connection after every 2,048 MB of data sent by default, potentially avoiding any one IP address being flagged by network monitoring solutions, and uses a shared key to authenticate to the attacker server, preventing unauthorized access to the stolen data.

An “--exclude-ext” flag can be used by the attackers to exclude exfiltration of specific low-priority file types such as audio or video files. Researchers observed one case where folders containing invoices and PDFs were specifically targeted.
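The behaviour described above (several parallel streams, a new TCP connection after a fixed volume of data) leaves a distinctive shape in connection telemetry: one internal host, one external peer, many near-identically sized connections, several of them overlapping in time. The following script is an added detection example written for this article, not code from Symantec/Carbon Black or from the tool itself. It parses a constructed connection log (the log format, host names, documentation-range IP addresses and thresholds are all assumptions) and flags source/destination pairs that match that pattern.

```python
"""
Added example: flag outbound connection patterns consistent with a rotating,
multi-stream uploader. Input is a constructed, whitespace-separated log with
one completed connection per line:
    <start UTC> <end UTC> <source host> <destination IP> <dst port> <bytes sent>
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample telemetry (not real traffic). ws-042 sends ~20 GiB to one
# peer as ten connections of ~2 GiB each, five at a time; ws-017 is benign noise.
SAMPLE_LOG = """\
2026-03-12T10:00:00Z 2026-03-12T10:03:00Z ws-042 203.0.113.10 443 2147483648
2026-03-12T10:00:00Z 2026-03-12T10:03:00Z ws-042 203.0.113.10 443 2147483648
2026-03-12T10:00:00Z 2026-03-12T10:03:00Z ws-042 203.0.113.10 443 2147483648
2026-03-12T10:00:00Z 2026-03-12T10:03:00Z ws-042 203.0.113.10 443 2147483648
2026-03-12T10:00:00Z 2026-03-12T10:03:00Z ws-042 203.0.113.10 443 2147483648
2026-03-12T10:03:00Z 2026-03-12T10:06:00Z ws-042 203.0.113.10 443 2147483648
2026-03-12T10:03:00Z 2026-03-12T10:06:00Z ws-042 203.0.113.10 443 2147483648
2026-03-12T10:03:00Z 2026-03-12T10:06:00Z ws-042 203.0.113.10 443 2147483648
2026-03-12T10:03:00Z 2026-03-12T10:06:00Z ws-042 203.0.113.10 443 2147483648
2026-03-12T10:03:00Z 2026-03-12T10:04:30Z ws-042 203.0.113.10 443 1073741824
2026-03-12T10:05:00Z 2026-03-12T10:05:02Z ws-017 198.51.100.7 443 524288
2026-03-12T10:05:30Z 2026-03-12T10:05:31Z ws-017 198.51.100.7 443 8192
"""


@dataclass
class Conn:
    start: datetime
    end: datetime
    src: str
    dst: str
    dport: int
    bytes_out: int


def _ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def parse_log(text: str) -> List[Conn]:
    """Parse the constructed log format into Conn records, skipping blank lines."""
    conns = []
    for line in text.splitlines():
        if not line.strip():
            continue
        start, end, src, dst, dport, nbytes = line.split()
        conns.append(Conn(_ts(start), _ts(end), src, dst, int(dport), int(nbytes)))
    return conns


def max_concurrency(conns: List[Conn]) -> int:
    """Peak number of simultaneously open connections (sweep-line over start/end)."""
    events: List[Tuple[datetime, int]] = []
    for c in conns:
        events.append((c.start, 1))
        events.append((c.end, -1))
    events.sort()  # at equal timestamps -1 sorts before +1, so an end never inflates the peak
    current = peak = 0
    for _, delta in events:
        current += delta
        peak = max(peak, current)
    return peak


def uniform_fraction(sizes: List[int], tolerance: float = 0.05) -> float:
    """Share of connections whose size is within `tolerance` of the largest one.
    A fixed-volume rotation produces many chunks of almost the same size."""
    if not sizes:
        return 0.0
    ref = max(sizes)
    return sum(1 for s in sizes if abs(s - ref) <= tolerance * ref) / len(sizes)


def find_suspicious_pairs(conns: List[Conn], min_total: int = 1 << 30, min_conns: int = 4,
                          min_parallel: int = 3, min_uniform: float = 0.6) -> List[Dict]:
    """Group by (source, destination) and report pairs that moved at least
    `min_total` bytes over `min_conns` connections with either heavy parallelism
    or a strongly uniform chunk size. Thresholds are assumptions; tune per estate."""
    groups: Dict[Tuple[str, str], List[Conn]] = defaultdict(list)
    for c in conns:
        groups[(c.src, c.dst)].append(c)
    findings = []
    for (src, dst), group in groups.items():
        total = sum(c.bytes_out for c in group)
        if total < min_total or len(group) < min_conns:
            continue
        parallel = max_concurrency(group)
        uniform = uniform_fraction([c.bytes_out for c in group])
        if parallel >= min_parallel or uniform >= min_uniform:
            findings.append({"src": src, "dst": dst, "connections": len(group), "bytes_out": total,
                             "max_parallel": parallel, "uniform_fraction": round(uniform, 2)})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_pairs(parse_log(SAMPLE_LOG)):
        print(finding)
```

The two signals are deliberately independent: parallelism catches the default five-stream behaviour, while the uniform-size check catches the 2,048 MB rotation even if the attacker lowers the stream count. In production the same logic would run over flow or proxy records keyed by internal host and external peer, with the thresholds set from a baseline of normal backup and sync traffic so that legitimate bulk transfers are whitelisted rather than alerted on.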

Prior to deployment of the custom uploader, Trigona attackers attempted to disable security tools by installing the legitimate Huorong Network Security Suite tool HRSword as the primary kernel driver service, the researchers said. A toolkit including PCHunter, Gmer, YDark, WKTools, DumpGuard and StpProcessMonitorByovd was used in the security killing process, which included bring your own vulnerable driver (BYOVD) techniques. The freeware utility PowerRun was used to run these tools with elevated privileges.
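The pre-encryption steps described above (a legitimate security product's component registered as a kernel driver service, anti-rootkit and process-killing utilities launched through an elevation helper) are visible in host telemetry well before any data leaves the network. The script below is an added triage example written for this article, not code from the researchers. It scans constructed Windows/Sysmon-style events in a simplified JSON-lines schema (the field names, host names, file paths and the name-based tool list are assumptions; the utility names themselves come from the report) and reports kernel-driver service installs from user-writable paths, known tampering utilities being executed, and driver loads from user-writable paths.

```python
"""
Added example: triage host events for the security-tool tampering pattern
described in the article. Event ids follow Windows conventions (7045 = service
installed) and Sysmon (1 = process creation, 6 = driver loaded), but the JSON
field names below are this example's own simplification, not the real schema.
"""
import json
from typing import Dict, List

# Utility names taken from the report. Matching on name alone is a heuristic
# and an assumption; attackers can rename binaries, so pair it with path checks.
TAMPER_TOOLS = ("hrsword", "pchunter", "gmer", "ydark", "wktools",
                "dumpguard", "stpprocessmonitorbyovd", "powerrun")

# Directory fragments an unprivileged user can normally write to (assumption).
USER_WRITABLE_ROOTS = ("\\users\\", "\\programdata\\", "\\temp\\")

# Constructed sample events (not real logs). The driver file name is a placeholder.
SAMPLE_EVENTS = r"""
{"event_id": 7045, "host": "ws-042", "service_name": "HRSword", "image_path": "C:\\Users\\Public\\hr\\driver_placeholder.sys", "service_type": "kernel mode driver"}
{"event_id": 7045, "host": "ws-042", "service_name": "Spooler", "image_path": "C:\\Windows\\System32\\spoolsv.exe", "service_type": "user mode service"}
{"event_id": 1, "host": "ws-042", "image": "C:\\Users\\Public\\PowerRun.exe", "parent_image": "C:\\Windows\\explorer.exe", "command_line": "PowerRun.exe C:\\Users\\Public\\PCHunter64.exe"}
{"event_id": 1, "host": "ws-017", "image": "C:\\Windows\\System32\\notepad.exe", "parent_image": "C:\\Windows\\explorer.exe", "command_line": "notepad.exe notes.txt"}
{"event_id": 6, "host": "ws-042", "image_loaded": "C:\\Users\\Public\\hr\\driver_placeholder.sys"}
"""


def in_user_writable_path(path: str) -> bool:
    """True if the path contains a directory fragment normal users can write to."""
    lowered = path.lower()
    return any(root in lowered for root in USER_WRITABLE_ROOTS)


def matched_tools(text: str) -> List[str]:
    """Sorted list of known tampering-tool names appearing in the text."""
    lowered = text.lower()
    return sorted(tool for tool in TAMPER_TOOLS if tool in lowered)


def triage(events_text: str) -> List[Dict]:
    """Walk JSON-lines events and emit one finding per matching event."""
    findings = []
    for line in events_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        eid = ev.get("event_id")
        if eid == 7045 and "kernel" in ev.get("service_type", "").lower():
            # A new kernel-mode driver service is rare on a workstation; it is
            # suspicious when the image lives in a user-writable directory or
            # the service is one of the tools the report names.
            tools = matched_tools(ev.get("service_name", ""))
            if in_user_writable_path(ev.get("image_path", "")) or tools:
                findings.append({"host": ev["host"], "rule": "kernel-driver-service-install",
                                 "detail": ev["image_path"], "tools": tools})
        elif eid == 1:
            # Process creation: look for the utilities in image and command line,
            # which also catches PowerRun being used as the elevation wrapper.
            tools = matched_tools(ev.get("command_line", "") + " " + ev.get("image", ""))
            if tools:
                findings.append({"host": ev["host"], "rule": "tamper-tool-execution",
                                 "detail": ev["command_line"], "tools": tools})
        elif eid == 6 and in_user_writable_path(ev.get("image_loaded", "")):
            # Driver loaded from a user-writable path: the core BYOVD signal,
            # independent of whether the driver carries a valid signature.
            findings.append({"host": ev["host"], "rule": "driver-load-from-user-path",
                             "detail": ev["image_loaded"], "tools": []})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

The path-based rules carry the weight here: a signed but abusable driver is by definition not caught by signature checks, so the question is where it was loaded from and who registered the service. Correlating the three findings on the same host within a short window, and then watching that host for the bulk outbound transfer pattern, turns three low-confidence events into one high-confidence incident before encryption starts.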

Trigona also used the popular open-source credential stealer Mimikatz, Nirsoft password recovery utilities and the AnyDesk remote access software to facilitate the attack.

While the threat actor still relies on some common and publicly available tools in its attack chain, the researchers say the use of a custom uploader points to a more technically mature attacker.

“The use of custom tooling in the ransomware landscape is a double-edged sword for attackers. While it requires development resources and time, these tools can provide a level of stealth that generic tools cannot match, at least until they’re discovered,” the researchers concluded.
