Trigona ransomware uploader_client.exe exfiltration activity
Malware Activity
Summary
Trigona ransomware is now using uploader_client.exe to steal data from compromised environments faster, making exfiltration more efficient and harder to spot. The tool was seen in March attacks tied to a gang affiliate and appears designed to reduce reliance on public utilities such as Rclone and MegaSync. It supports five simultaneous connections per file, rotates TCP connections after 2GB of traffic, and can selectively avoid low-value media files. In one observed case, it stole high-value documents including invoices and PDFs from network drives.
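The traffic shape described above (several simultaneous connections per file, a new TCP connection roughly every 2 GB) is visible in flow telemetry even when the tool itself is not. The following detector is an added example written for this page, not code from Symantec or the reporting it summarizes; the flow-record layout, the internal address ranges, the constructed sample flows (documentation IP ranges) and the thresholds are all assumptions chosen for illustration.

```python
"""Heuristic bulk-exfiltration detector over constructed flow records.

Flags an internal host that holds many parallel outbound connections to one
external endpoint, or repeatedly opens connections of roughly 2 GB each (the
rotation pattern described for uploader_client.exe). Record format, thresholds
and sample data are assumptions for this example, not fields of any product.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    ts: int         # connection start, seconds since epoch (constructed)
    src: str        # internal source address
    dst: str        # destination address
    dport: int      # destination port
    bytes_out: int  # bytes sent by src
    duration: int   # seconds the connection stayed open


GB = 1024 ** 3
PARALLEL_THRESHOLD = 5       # simultaneous connections to one endpoint (assumed)
ROTATION_BYTES = 2 * GB      # per-connection size near the rotation point
ROTATION_TOLERANCE = 0.10    # +/- 10 % of 2 GB counts as "rotation-sized"
INTERNAL_NETS = [ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]


def is_internal(addr: str) -> bool:
    """True for RFC 1918, loopback and link-local addresses (assumed internal)."""
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def overlapping_count(flows) -> int:
    """Peak number of flows open at the same instant (sweep-line over events)."""
    events = []
    for f in flows:
        events.append((f.ts, 1))
        events.append((f.ts + f.duration, -1))
    events.sort()  # at equal timestamps, -1 sorts first: close before open
    current = peak = 0
    for _, delta in events:
        current += delta
        peak = max(peak, current)
    return peak


def detect(flows):
    """Return one alert dict per (src, dst, port) showing parallel bulk upload."""
    groups = defaultdict(list)
    for f in flows:
        if is_internal(f.src) and not is_internal(f.dst):
            groups[(f.src, f.dst, f.dport)].append(f)

    lo = ROTATION_BYTES * (1 - ROTATION_TOLERANCE)
    hi = ROTATION_BYTES * (1 + ROTATION_TOLERANCE)
    alerts = []
    for (src, dst, dport), group in groups.items():
        parallel = overlapping_count(group)
        rotation_sized = sum(1 for f in group if lo <= f.bytes_out <= hi)
        total = sum(f.bytes_out for f in group)
        reasons = []
        if parallel >= PARALLEL_THRESHOLD:
            reasons.append(f"{parallel} simultaneous connections")
        if rotation_sized >= 2:
            reasons.append(f"{rotation_sized} connections of ~2 GB each")
        if reasons:
            alerts.append({"src": src, "dst": dst, "dport": dport,
                           "total_gb": round(total / GB, 2), "reasons": reasons})
    return alerts


# Constructed sample: one host pushing 16 GB over eight 2 GB connections,
# five of them open at once, plus one benign 50 MB upload from another host.
SAMPLE_FLOWS = (
    [Flow(1000, "10.0.5.23", "203.0.113.10", 443, 2 * GB, 600) for _ in range(5)]
    + [Flow(1600, "10.0.5.23", "203.0.113.10", 443, 2 * GB, 600) for _ in range(3)]
    + [Flow(1200, "10.0.5.40", "198.51.100.7", 443, 50 * 1024 ** 2, 30)]
)

if __name__ == "__main__":
    for alert in detect(SAMPLE_FLOWS):
        print(alert)
```

Run on the constructed sample, the detector raises a single alert for 10.0.5.23 with both reasons and leaves the 50 MB upload alone. The two signals are deliberately independent: a tool that keeps one connection open will still trip the rotation check after a few 2 GB segments, and one that splits a file across many small connections will still trip the parallelism check.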
Related Happenings
Akira group rapid double-extortion ransomware activity
Malware Activity
First: 02.04.2026 16:00
Last: 02.04.2026 16:00
Sources 1
About this happening:
**Akira** ransomware activity now includes **AdaptixC2** abuse in active intrusions, alongside the group’s **under-one-hour** to **under-four-hours** attack cadence. A **Silent Pu...
Speagle malware abusing Cobra DocGuard infrastructure
Malware Activity
First: 19.03.2026 21:16
Last: 19.03.2026 21:16
Sources 1
About this happening:
The **Speagle** malware is now being used to **harvest sensitive information** from infected systems and hide exfiltration inside **Cobra DocGuard** traffic, increasing the risk o...
Warlock ransomware post-exploitation tooling upgrades
Malware Activity
First: 17.03.2026 17:36
Last: 17.03.2026 17:36
Sources 1
About this happening:
The **Warlock ransomware group** has upgraded its post-exploitation toolset with **BYOVD**, **TightVNC**, and **Yuze**, making intrusions harder to detect and interrupt. In an obs...
CL-UNK-1068 years-long espionage campaign targeting Asian organizations
Campaign
First: 09.03.2026 09:21
Last: 09.03.2026 09:21
Sources 1
About this happening:
A **Chinese threat actor** is linked to a **years-long espionage campaign** against **high-value organizations in South, Southeast, and East Asia**, creating persistent risk for c...
Mustang Panda multi-country espionage campaign against government and telecom targets
Campaign
First: 28.01.2026 13:40
Last: 28.01.2026 13:40
Sources 1
About this happening:
A **Mustang Panda** espionage campaign targeted **government entities** across **Myanmar, Mongolia, Malaysia, and Russia**, showing sustained multi-country activity from **2021-20...
Timeline
23.04.2026 21:59 · 2 articles
Symantec discloses Trigona's custom uploader_client.exe exfiltration activity
Initial Disclosure: Symantec observed recent March Trigona ransomware attacks using the custom command-line tool uploader_client.exe to move data out of compromised environments faster and with less visibility than public tools such as Rclone and MegaSync. The same activity included HRSword as a kernel driver service, additional utilities such as PCHunter, Gmer, YDark, WKTools, DumpGuard, and StpProcessMonitorByovd to disable security products, PowerRun for elevated execution, AnyDesk for direct remote access, and Mimikatz plus Nirsoft for credential theft and password recovery.
Sources
- Trigona ransomware attacks use custom exfiltration tool to steal data — www.bleepingcomputer.com — 23.04.2026 21:59