Trigona Ransomware Adopts Custom Tool to Steal Data and Evade Detection
The Trigona ransomware-as-a-service (RaaS) group, linked to the Rhantus cybercrime umbrella, has begun using a privately built exfiltration tool instead of common utilities like Rclone and MegaSync. The new “uploader_client.exe” client helps Trigona move data quickly, rotate connections to hide from network monitoring, and maintain a lower profile during the high-stakes theft phase.
Incident Analysis — In the world of double-extortion ransomware, the moment of data theft is the most sensitive part of the operation. If a defender catches the exfiltration, they can kill the attack before the final encryption payload ever drops.
To lower this risk, the Trigona ransomware group has officially moved away from commodity software. Recent investigations by Symantec and other researchers reveal that Trigona affiliates are now deploying a custom-built utility, often identified as uploader_client.exe. This shift signals a major evolution in RaaS operations: top-tier groups are no longer just developers of "lockers"; they are becoming sophisticated providers of specialized data-theft infrastructure.
The Anatomy of a Custom "Uploader"
Previously, ransomware groups relied on off-the-shelf tools like Rclone, MegaSync, or FileZilla. While effective, these tools are now heavily flagged by Endpoint Detection and Response (EDR) and Security Information and Event Management (SIEM) rules. Trigona’s new custom tool is designed specifically to bypass these modern tripwires.
Key Technical Capabilities:
- Parallel Connectivity: The tool supports five parallel connections per file. By saturating available bandwidth, Trigona can exfiltrate massive datasets significantly faster than standard cloud-sync utilities.
- Connection Rotation: To evade network-behavioral analytics that look for long-lived, high-volume sessions to a single IP, the tool automatically rotates TCP connections after every 2GB of traffic.
- Selective Filtering: Unlike "dump everything" scripts, this tool can filter files by extension. Attackers can prioritize high-value targets like .pdf, .docx, and .xlsx files (invoices, legal docs, and financial records) while ignoring large, low-value media files.
- Access Control: The tool requires a hardcoded authentication key, ensuring that only authorized Trigona operators can access the C2 server where the stolen data is staged.
The "Environment Prep" Phase: Kernel Driver Abuse
Trigona’s use of custom exfiltration tools is preceded by a brutal "environment preparation" phase. Before the theft begins, attackers have been observed disabling endpoint protection suites using kernel-driver-abuse paths. By deploying utilities like the Huorong HRSword driver, PCHunter, or Gmer, the attackers effectively blind the EDR before the custom uploader ever touches the disk.
This combination of kernel-driver-abuse and custom tooling creates a "stealth window" that allows affiliates to operate with relative impunity during the most critical hours of the breach.
The CyberSignal Analysis: Strategic Signals
Signal 01 — The Industrialization of Exfiltration
Data theft is no longer a side-job for ransomware actors; it is a core module of the RaaS platform. By providing affiliates with proprietary tools like uploader_client.exe, Trigona is ensuring that its "brand" of extortion is faster and more reliable than groups using noisy, public tools.
Signal 02 — Behavioral Defense is the New Baseline
As attackers move toward custom, signature-less tooling, "blocking known apps" is becoming an obsolete strategy. Defenders must shift their focus to detecting anomalous network behaviors — such as the 2GB connection-rotation pattern — and monitoring for unauthorized kernel driver installations.
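As an added illustration of the behavioral detection this signal calls for (example code written for this article, not a tool from the original report or from Symantec), the following Python scans constructed flow records for the 2GB connection-rotation shape: consecutive connections from one internal host to one external destination, each carrying close to 2GB. The flow fields, the 2% size tolerance, the 600-second start gap and the three-connection minimum are assumptions to tune against real NetFlow or Zeek conn logs.

```python
from collections import defaultdict
from dataclasses import dataclass

GB = 1024 ** 3

@dataclass
class Flow:
    ts: float       # connection start, epoch seconds
    src: str        # internal host
    dst: str        # external destination
    bytes_out: int  # bytes sent src -> dst over the connection's lifetime

def find_rotation_chains(flows, chunk=2 * GB, tolerance=0.02, min_chain=3, max_gap=600.0):
    """Return (src, dst, flow_count, total_bytes) for each run of consecutive
    outbound flows to one destination that each carry ~chunk bytes and start no
    more than max_gap seconds apart. One long-lived bulk session does not match;
    a client that tears down and reopens its connection every ~2 GB does."""
    by_pair = defaultdict(list)
    for f in flows:
        by_pair[(f.src, f.dst)].append(f)
    hits = []
    for (src, dst), fs in by_pair.items():
        chain = []
        for f in sorted(fs, key=lambda f: f.ts) + [None]:  # None flushes the last chain
            near = f is not None and abs(f.bytes_out - chunk) <= tolerance * chunk
            if near and (not chain or f.ts - chain[-1].ts <= max_gap):
                chain.append(f)
                continue
            if len(chain) >= min_chain:
                hits.append((src, dst, len(chain), sum(c.bytes_out for c in chain)))
            chain = [f] if near else []
    return hits

# Constructed sample flow records (assumed values, not from any real incident).
SAMPLE_FLOWS = [
    # Host A: five consecutive ~2 GB uploads to one host, 90 s apart, then a
    # short partial tail: the shape a 2 GB connection rotation leaves behind.
    Flow(0, "10.0.0.5", "203.0.113.10", 2 * GB),
    Flow(90, "10.0.0.5", "203.0.113.10", 2 * GB - 1000),
    Flow(180, "10.0.0.5", "203.0.113.10", 2 * GB + 4096),
    Flow(270, "10.0.0.5", "203.0.113.10", 2 * GB - 12),
    Flow(360, "10.0.0.5", "203.0.113.10", 2 * GB),
    Flow(450, "10.0.0.5", "203.0.113.10", 400 * 1024 ** 2),
    # Host B: one 50 GB long-lived backup session; no chain.
    Flow(10, "10.0.0.7", "198.51.100.3", 50 * GB),
    # Host C: ~2 GB flows two hours apart (scheduled sync); broken by max_gap.
    Flow(0, "10.0.0.11", "198.51.100.8", 2 * GB),
    Flow(7200, "10.0.0.11", "198.51.100.8", 2 * GB),
    Flow(14400, "10.0.0.11", "198.51.100.8", 2 * GB),
]
```

Only host A is reported; the lone 50GB session and the widely spaced scheduled sync are left alone, which is the point of keying on the repeated ~2GB boundary rather than on raw volume.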
Signal 03 — The Evolution of Double-Extortion
Selective filtering shows that Trigona is refining the "double-extortion" model. They are becoming more surgical — stealing only what is necessary to ruin a victim's reputation or legal standing, while using the encryption phase to maximize operational chaos.