
Trigona Ransomware Attacks Use Custom Exfiltration Tool to Steal Data
Why It Matters
The custom exfiltration tool lowers the ransomware’s detection footprint, making data theft faster and harder to block, which raises the risk profile for enterprises facing double‑extortion attacks.
Key Takeaways
- Trigona uses custom uploader_client.exe for faster exfiltration.
- Tool opens five parallel connections, rotating after 2 GB to evade detection.
- Selective file exfiltration skips large media, focusing on high‑value documents.
- Attack chain includes HRSword driver, PowerRun, AnyDesk, Mimikatz utilities.
- Symantec provides IoCs to aid detection and block resurgence.
Pulse Analysis
Ransomware operators have long relied on publicly available utilities like Rclone to siphon data, but those tools often trigger existing security controls. By engineering a proprietary exfiltration client, the Trigona gang demonstrates a strategic shift toward stealthier, purpose‑built malware. This evolution mirrors a broader trend where threat actors invest in custom code to evade signature‑based defenses and reduce the noise that alerts security teams. The uploader_client.exe’s ability to multiplex five connections per file and rotate after a 2 GB threshold illustrates a focus on speed without sacrificing evasion, allowing attackers to harvest valuable documents before victims can respond.
Technical analysis of the uploader_client.exe reveals several layers of sophistication. Parallel uploads dramatically cut exfiltration time, while the built‑in TCP rotation thwarts volume‑based anomaly detection. Selective file‑type filtering ensures that only high‑value assets—such as invoices, PDFs, and proprietary spreadsheets—are exfiltrated, conserving bandwidth and avoiding the red flags associated with large media transfers. Coupled with a hard‑coded server address and an authentication key, the tool creates a closed loop that limits exposure to third‑party interception. The broader intrusion chain—leveraging the HRSword kernel driver, PowerRun for privilege escalation, AnyDesk for remote control, and credential‑dumping utilities like Mimikatz—underscores a multi‑stage approach designed to neutralize endpoint protection before data theft begins.
For defenders, the resurgence of Trigona with a custom exfiltration module underscores the need for adaptive detection strategies. Traditional signatures for known exfil tools are insufficient; instead, behavioral analytics that monitor anomalous parallel connections, sudden spikes in outbound traffic, and unusual file‑type access patterns become critical. Symantec’s release of fresh indicators of compromise provides a starting point, but organizations must integrate threat‑intel feeds into SIEM and EDR platforms to surface these nuanced behaviors. As ransomware groups continue to refine proprietary tools, proactive threat hunting and continuous tuning of network baselines will be essential to mitigate the heightened risk of double‑extortion campaigns.
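The behavioral signals named above (several simultaneous outbound connections from one host to one external endpoint, each carrying a volume close to the rotation threshold) can be checked directly against flow records. The following is an added example written for this summary, not Symantec's code and not the uploader_client.exe itself: the flow-record format, the five-minute window, the 5% tolerance around 2 GB and every sample record are constructed assumptions, and the thresholds are meant to be tuned against a site's own baseline.

```python
"""Flow-log heuristic for the parallel, rotating exfiltration pattern.

Added example for this write-up (not Symantec's or the article's code).
Assumptions: flow records are whitespace-separated lines of the form
  <iso-timestamp> <src_ip> <dst_ip>:<dst_port> <bytes_out> <duration_seconds>
and the attacker pattern is >= PARALLEL_MIN overlapping flows from one
internal host to one external address, several of them sized near ROTATE_BYTES.
"""
from collections import defaultdict
from datetime import datetime, timedelta

GB = 1024 ** 3
PARALLEL_MIN = 5              # five parallel connections, as described in the report
ROTATE_BYTES = 2 * GB         # per-connection rotation after ~2 GB, as described
ROTATE_TOLERANCE = 0.05       # assumption: +/- 5% around the rotation size
MIN_ROTATIONS = 2             # assumption: need at least two rotation-sized flows


def parse_flow(line):
    """Parse one constructed flow record into a dict."""
    ts, src, dst, out_bytes, dur = line.split()
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst_ip,
            "port": int(dst_port), "bytes": int(out_bytes), "dur": float(dur)}


def is_rfc1918(ip):
    """True for 10/8, 172.16/12 and 192.168/16 (deliberately not using
    ipaddress.is_private, which also treats the TEST-NET ranges as private)."""
    octets = ip.split(".")
    return (octets[0] == "10"
            or (octets[0] == "172" and 16 <= int(octets[1]) <= 31)
            or (octets[0] == "192" and octets[1] == "168"))


def max_concurrency(flows):
    """Sweep-line count of the largest number of flows open at one instant.
    An end event sorts before a start event at the same timestamp."""
    events = []
    for f in flows:
        events.append((f["ts"], 1))
        events.append((f["ts"] + timedelta(seconds=f["dur"]), -1))
    events.sort()
    open_now = peak = 0
    for _, delta in events:
        open_now += delta
        peak = max(peak, open_now)
    return peak


def find_exfil_candidates(lines):
    """Return one alert per (internal host, external destination) pair that
    shows both the parallelism and the rotation-sized flows."""
    by_pair = defaultdict(list)
    for f in (parse_flow(l) for l in lines):
        if is_rfc1918(f["src"]) and not is_rfc1918(f["dst"]):   # outbound only
            by_pair[(f["src"], f["dst"])].append(f)

    alerts = []
    for (src, dst), fl in by_pair.items():
        concurrent = max_concurrency(fl)
        rotations = sum(1 for f in fl
                        if abs(f["bytes"] - ROTATE_BYTES) <= ROTATE_TOLERANCE * ROTATE_BYTES)
        if concurrent >= PARALLEL_MIN and rotations >= MIN_ROTATIONS:
            alerts.append({"src": src, "dst": dst, "concurrent": concurrent,
                           "rotations": rotations,
                           "total_bytes": sum(f["bytes"] for f in fl)})
    return alerts


# Constructed sample records (TEST-NET addresses, fictitious times).
SAMPLE_FLOWS = [
    # one host, five overlapping ~2 GB uploads to the same external address
    "2024-05-01T02:00:00 10.0.0.5 203.0.113.7:443 2147483648 600",
    "2024-05-01T02:00:01 10.0.0.5 203.0.113.7:443 2140000000 598",
    "2024-05-01T02:00:01 10.0.0.5 203.0.113.7:443 2150000000 601",
    "2024-05-01T02:00:02 10.0.0.5 203.0.113.7:443 2147000000 599",
    "2024-05-01T02:00:02 10.0.0.5 203.0.113.7:443 2146000000 603",
    # a later rotation batch starting after the first five have closed
    "2024-05-01T02:10:10 10.0.0.5 203.0.113.7:443 2147483648 590",
    # benign: a single 50 MB upload from another host
    "2024-05-01T02:03:00 10.0.0.9 198.51.100.2:443 52428800 120",
    # benign: a browser burst of six tiny concurrent connections
    "2024-05-01T02:04:00 10.0.0.12 203.0.113.9:443 120000 3",
    "2024-05-01T02:04:00 10.0.0.12 203.0.113.9:443 118000 3",
    "2024-05-01T02:04:00 10.0.0.12 203.0.113.9:443 121000 2",
    "2024-05-01T02:04:01 10.0.0.12 203.0.113.9:443 119500 3",
    "2024-05-01T02:04:01 10.0.0.12 203.0.113.9:443 120200 2",
    "2024-05-01T02:04:01 10.0.0.12 203.0.113.9:443 117900 3",
]

if __name__ == "__main__":
    for alert in find_exfil_candidates(SAMPLE_FLOWS):
        print(alert)
```

Only the 10.0.0.5 pair is reported: the browser burst has the parallelism but none of its flows approaches 2 GB, and the single large upload has the volume but no parallelism. Requiring both signals is what keeps the rule from firing on ordinary bulk transfers; the `ROTATE_TOLERANCE` and `PARALLEL_MIN` values are the knobs to adjust after reviewing a site's normal outbound traffic.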