Trigona ransomware affiliates adopt custom exfiltration tool for efficient data theft
Summary
Trigona ransomware affiliates are deploying a custom-built command-line exfiltration tool named "uploader_client.exe" to streamline data theft from compromised environments. The tool supports parallel uploads, rotates its connections after every 2GB of traffic to evade monitoring, exfiltrates only selected file types, and restricts access to the stolen data with an authentication key. Observed in March 2026 attacks, the utility makes exfiltration faster and stealthier than public tools such as Rclone or MegaSync, reducing the risk of detection during the critical phases of an intrusion. The campaign uses the Trigona ransomware, a double-extortion operation active since October 2022, and targets high-value documents such as invoices and PDFs on network drives. Recent activity suggests the group has resumed operations following disruptions to its infrastructure in October 2023.
Timeline
- 23.04.2026 21:59 (1 article)
Trigona ransomware affiliates deploy custom exfiltration tool "uploader_client.exe" in March 2026 intrusions
Symantec observed Trigona ransomware affiliates using a proprietary command-line tool named "uploader_client.exe" for data exfiltration in March 2026 attacks. The tool supports parallel uploads, connection rotation after 2GB of traffic, selective file type exfiltration, and authentication-based access control to restrict unauthorized access to stolen data. The campaign follows prior disruptions to the Trigona operation in October 2023 and involves additional post-compromise activities, including the deployment of the Huorong HRSword kernel driver, termination of endpoint protection processes via vulnerable drivers, and credential theft using Mimikatz and Nirsoft utilities.
Source:
- Trigona ransomware attacks use custom exfiltration tool to steal data — www.bleepingcomputer.com — 23.04.2026 21:59
Information Snippets
All snippets were first reported 23.04.2026 21:59 by www.bleepingcomputer.com (1 source, 1 article: "Trigona ransomware attacks use custom exfiltration tool to steal data").
- The custom exfiltration tool "uploader_client.exe" supports up to five simultaneous connections per file for faster parallel uploads.
- The tool rotates TCP connections after 2GB of traffic to evade monitoring and includes options for selective file type exfiltration, excluding large media files.
- Access to stolen data via the tool is restricted using an authentication key to limit exposure to unauthorized parties.
- Threat actors deploy the Huorong Network Security Suite HRSword as a kernel driver service prior to additional tool deployment.
- Attackers disable security products using vulnerable kernel drivers and execute utilities with PowerRun to bypass user-mode protections.
- Tools such as PCHunter, Gmer, YDark, WKTools, DumpGuard, and StpProcessMonitorByovd are terminated using kernel drivers.
- Credential theft operations leverage Mimikatz and Nirsoft utilities, while AnyDesk is used for remote access post-compromise.
- Symantec has published indicators of compromise (IoCs) associated with the latest Trigona activity to aid detection.
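One defender-side check that follows from the parallel-upload and 2GB connection-rotation behaviour described in the snippets, written here as an added example (it is not code from the page, from Symantec, or from the tool): a heuristic over constructed flow records that flags a source/destination pair with several near-2GB connections opened within the same minute. The 1.95e9 to 2.2e9 byte band, the 60-second window, the alert thresholds and the sample records are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample flow records (not real telemetry): start time, src, dst, bytes sent.
SAMPLE_FLOWS = """\
2026-03-12T02:10:04Z,10.20.5.17,203.0.113.44,2147483000
2026-03-12T02:10:04Z,10.20.5.17,203.0.113.44,2147482100
2026-03-12T02:10:05Z,10.20.5.17,203.0.113.44,2147483648
2026-03-12T02:10:05Z,10.20.5.17,203.0.113.44,2000001200
2026-03-12T02:10:06Z,10.20.5.17,203.0.113.44,2147483500
2026-03-12T02:31:20Z,10.20.5.17,203.0.113.44,2147483648
2026-03-12T02:12:00Z,10.20.5.9,198.51.100.7,5200000
2026-03-12T02:12:30Z,10.20.5.9,198.51.100.7,4100000
"""

# Assumed byte band for "cut off near 2GB", wide enough for decimal (2e9) or binary (2 GiB).
NEAR_2GB_LOW, NEAR_2GB_HIGH = int(1.95e9), int(2.2e9)

def parse_flows(text):
    """Parse CSV flow lines into (start_time, src, dst, bytes) tuples."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, nbytes = line.split(",")
        flows.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst, int(nbytes)))
    return flows

def max_parallel(starts, window=timedelta(seconds=60)):
    """Largest number of flows whose start times fall inside any single window (assumed 60s)."""
    starts = sorted(starts)
    best, lo = 0, 0
    for hi, t in enumerate(starts):
        while t - starts[lo] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best

def find_rotating_uploads(flows, min_rotations=3, min_parallel=3):
    """Flag src/dst pairs showing repeated near-2GB connections opened in parallel."""
    by_pair = defaultdict(list)
    for ts, src, dst, nbytes in flows:
        by_pair[(src, dst)].append((ts, nbytes))
    alerts = []
    for (src, dst), recs in by_pair.items():
        # Only connections that ended near the 2GB rotation point count as rotations.
        near_2gb = [ts for ts, b in recs if NEAR_2GB_LOW <= b <= NEAR_2GB_HIGH]
        parallel = max_parallel(near_2gb)
        if len(near_2gb) >= min_rotations and parallel >= min_parallel:
            alerts.append({"src": src, "dst": dst, "rotations": len(near_2gb), "parallel": parallel})
    return alerts
```

On the sample records the host 10.20.5.17 is flagged (six near-2GB connections, five of them started within two seconds), while the small transfers from 10.20.5.9 are not.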