Trigona Affiliates Pivot to Proprietary Data Exfiltration Tooling
In a significant tactical shift, ransomware operators are moving away from “living off the land” with common utilities and toward the development of bespoke malware. Recent observations indicate that Trigona affiliates have deployed a custom-built data exfiltration engine, marking a professionalization of their toolkit designed to bypass modern EDR (Endpoint Detection and Response) solutions.
Historically, most Ransomware-as-a-Service (RaaS) actors have relied on legitimate, publicly available synchronization tools like Rclone or MegaSync to move stolen data to cloud storage. While effective, these tools possess well-known signatures and behavioral patterns that are easily flagged by security operations centers (SOCs). The transition to a proprietary binary signals a higher tier of technical maturity within the Trigona ecosystem, which is closely linked to the Rhantus cybercrime group.
The activity was observed in attacks carried out in March 2026. During forensic analysis, researchers identified a previously undocumented command-line utility, uploader_client.exe, which establishes direct communication with a hardcoded, attacker-controlled Command and Control (C2) server.
Technical Analysis: High-Efficiency Exfiltration
Deep-dive analysis of the uploader_client.exe binary reveals an architecture optimized for speed, stealth, and data integrity. Unlike standard file transfer protocols, this tool implements several sophisticated features to maintain a low profile while maximizing throughput:
- Multi-threaded Parallelism: The engine utilizes up to five simultaneous connections per file. By splitting data streams, attackers can saturate available bandwidth to complete exfiltration before a manual response can be mounted.
- Dynamic Connection Rotation: To evade network traffic analysis that flags long-lived, high-volume TCP sessions, the tool automatically rotates connections after transferring approximately 2,048 MB of data. This “bursty” traffic pattern mimics legitimate web activity more closely.
- Granular Data Targeting: The utility features a specific
--exclude-extparameter. This allows operators to programmatically bypass high-volume/low-value file types (such as .mp4 or .wav) and focus strictly on high-value intellectual property and financial documentation. - Cryptographic Authentication: The tool employs a shared authentication key, ensuring that the receiving C2 server only accepts data from authorized clients, effectively preventing security researchers from “poisoning” the stolen data repository.
In documented incidents, the targeting was surgical; attackers bypassed generic directories to focus specifically on network drives containing high-value PDFs and invoice repositories, indicating a clear objective of financial extortion.
Defense Evasion and Privilege Escalation
The deployment of the exfiltration tool is merely the final stage of a complex compromise. Before the data theft began, attackers executed a comprehensive “defense neutralization” phase. A notable tactic involved the installation of the Huorong Network Security Suite (HRSword) as a kernel driver service. By leveraging a legitimate security tool, they achieved deep, system-level access that could be used to blind existing monitoring agents.
The attackers further utilized a suite of specialized tools to manipulate the operating system kernel, including:
- PCHunter and Gmer for deep kernel manipulation.
- YDark and WKTools for process manipulation.
- StpProcessMonitorByovd to leverage vulnerable drivers (Bring Your Own Vulnerable Driver – BYOVD) to terminate endpoint protection processes.
To ensure these tools operated with maximum impact, PowerRun was utilized to achieve elevated privileges, effectively stripping the OS of its ability to defend itself from the incoming payload.
The Strategic Shift: Why Custom Malware Matters
The lifecycle of these attacks typically begins with remote access via AnyDesk, followed by aggressive credential harvesting using Mimikatz and Nirsoft utilities. However, the move toward proprietary exfiltration binaries represents a broader evolutionary trend in the threat landscape.
While developing custom malware requires significant R&D investment, the ROI is found in the reduction of “noise.” By moving away from known hashes and predictable behavioral patterns, attackers can operate in the “gray zone”—the space between legitimate administrator activity and known malicious patterns. This makes traditional, signature-based detection methods increasingly obsolete.
The Bottom Line: As ransomware groups transition from “users” of tools to “developers” of tools, organizations must pivot from signature-based defense to behavioral-based detection and zero-trust architecture. Relying on the known is no longer a sufficient defense against a threat that is actively building its own way into your environment.