Trigona ransomware attackers use novel tool for data exfiltration

April 24, 2026
By Laura French

Trigona ransomware affiliates are using a novel, custom tool for data exfiltration, breaking away from a trend of attackers using publicly available tools for data theft, Symantec and Carbon Black, part of Broadcom, reported Thursday.

Trigona is a ransomware-as-a-service (RaaS) group that first emerged in 2022 and uses double-extortion tactics. Files encrypted by Trigona ransomware receive the "._locked" extension, and the group typically seeks ransom payments in Monero cryptocurrency. Despite claims that the group was dismantled by a Ukrainian hacktivist group in October 2023, Trigona affiliates continue to conduct attacks, and the operation established a new leak site after the original one was compromised, according to Acronis. The ransomware targets both Windows and Linux machines.

In March 2026, Trigona affiliates began using a new custom tool called uploader_client.exe to facilitate data exfiltration, moving away from their previous history of using publicly available tools to steal data before encryption. Trigona attackers were previously known to use the open-source tool Rclone to exfiltrate victim files to the cloud service pCloud, as reported by Merabytes in 2023. "Off-the-shelf" file migration tools like Rclone and MEGAsync, while not inherently malicious, are popular among ransomware groups because of their ease of use and ready availability.

"Many publicly available tools are now so well known they may be flagged by security solutions. It is possible that the attackers are investing time and effort in proprietary malware in a bid to maintain a lower profile during a critical phase of their attacks," the researchers said.

The novel tool combines speed, evasion and granular control over which document types are exfiltrated.
A command-line utility, uploader_client.exe opens five parallel data transfer streams per file by default, enabling rapid exfiltration of files to a hardcoded remote server. By default the utility rotates the TCP connection after every 2,048 MB of data sent, potentially avoiding the flagging of any one connection by network monitoring solutions, and it uses a shared key to authenticate to the attacker server, preventing unauthorized access to the stolen data. An "--exclude-ext" flag lets the attackers exclude specific low-priority file types, such as audio or video files, from exfiltration. Researchers observed one case in which folders containing invoices and PDFs were specifically targeted.

Prior to deploying the custom uploader, Trigona attackers attempted to disable security tools by installing HRSword, a legitimate component of the Huorong Network Security Suite, as the primary kernel driver service, the researchers said. A toolkit including PCHunter, Gmer, YDark, WKTools, DumpGuard and StpProcessMonitorByovd was used in the security-killing process, which included bring-your-own-vulnerable-driver (BYOVD) techniques. The freeware utility PowerRun was used to run these tools with elevated privileges. Trigona also used the popular open-source credential stealer Mimikatz, NirSoft password recovery utilities and the AnyDesk remote access software to facilitate the attack.

While the threat actor still relies on some common and publicly available tools in its attack chain, the researchers say the use of a custom uploader points to a more technically mature attacker.

"The use of custom tooling in the ransomware landscape is a double-edged sword for attackers. While it requires development resources and time, these tools can provide a level of stealth that generic tools cannot match, at least until they're discovered," the researchers concluded.
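The two network traits reported for the uploader (five parallel outbound streams to one host, and TCP connections rotated after a fixed 2,048 MB volume) are observable in flow telemetry. The following detector is an added example for defenders, not code from the Symantec/Carbon Black report or from the tool itself; it runs over constructed Zeek-style flow records, the record layout (src, dst, start, end, bytes sent) and the 1% size tolerance are assumptions, and the thresholds are the defaults reported above.

```python
"""Heuristic flow-log detector for the uploader_client.exe exfiltration pattern.
Flags a (source, destination) pair when many outbound flows overlap in time or
when several flows end at almost exactly the reported 2,048 MB rotation size."""
from collections import defaultdict

MB = 1024 * 1024
ROTATE_BYTES = 2048 * MB   # per-connection volume reported for the tool
PARALLEL_STREAMS = 5       # default stream count reported for the tool

# Constructed flow records (assumed layout): src, dst, start_s, end_s, bytes_sent
SAMPLE_FLOWS = [
    # internal host: two batches of five overlapping streams, each ~2,048 MB
    *[("10.0.0.12", "203.0.113.9", 100 + i, 700 + i, 2047 * MB + i) for i in range(5)],
    *[("10.0.0.12", "203.0.113.9", 701 + i, 1300 + i, 2048 * MB) for i in range(5)],
    # unrelated host with small, sequential transfers (should not be flagged)
    ("10.0.0.20", "198.51.100.4", 100, 110, 3 * MB),
    ("10.0.0.20", "198.51.100.4", 120, 130, 5 * MB),
]


def max_concurrent(intervals):
    """Peak number of flows open at one instant (sweep over start/end events).
    An end and a start at the same second are counted as non-overlapping."""
    events = sorted([(s, 1) for s, _ in intervals] + [(e, -1) for _, e in intervals])
    open_now = peak = 0
    for _, delta in events:
        open_now += delta
        peak = max(peak, open_now)
    return peak


def detect_exfil_pattern(flows, streams=PARALLEL_STREAMS, rotate=ROTATE_BYTES, tol=0.01):
    """Return one finding per (src, dst) pair that matches either trait."""
    by_pair = defaultdict(list)
    for src, dst, start, end, sent in flows:
        by_pair[(src, dst)].append((start, end, sent))
    findings = []
    for (src, dst), recs in by_pair.items():
        concurrency = max_concurrent([(s, e) for s, e, _ in recs])
        near_rotate = sum(1 for _, _, b in recs if abs(b - rotate) <= rotate * tol)
        if concurrency >= streams or near_rotate >= 2:
            findings.append({"src": src, "dst": dst, "max_parallel": concurrency,
                             "flows_near_rotation_size": near_rotate,
                             "total_mb": sum(b for _, _, b in recs) // MB})
    return findings


if __name__ == "__main__":
    for f in detect_exfil_pattern(SAMPLE_FLOWS):
        print(f)
```

Tune the thresholds to the local baseline; legitimate backup or sync agents can also open parallel streams, so pair this with process and destination context before acting on a hit.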