The Trigona ransomware first surfaced in late 2022 and operates under a Ransomware-as-a-Service (RaaS) model, managed by a cybercrime group known as Rhantus.
For years, many ransomware groups depended on publicly available utilities such as Rclone or MegaSync to move stolen data. Those tools, while effective, have become widely recognized by security vendors, making them easier to detect.
The shift toward a purpose-built tool signals that the attackers are growing more technically capable and more deliberate in how they conduct their operations.
Symantec’s Threat Hunter Team identified the attacks in March 2026 and noted that this change in tactics represents a meaningful development in the Trigona group’s behavior.
The researchers observed that the attackers appear to be investing significant time and resources into developing proprietary malware, likely to maintain a lower profile during the most sensitive phase of their attack: stealing the data.
This kind of technical investment is relatively rare among ransomware affiliates, most of whom prefer the speed and convenience of off-the-shelf solutions.
The custom tool, named “uploader_client.exe,” is a command-line utility that connects to a hardcoded attacker-controlled server.
In one confirmed incident, the tool was used to target folders holding financial invoices and high-value PDF documents stored on networked drives.
This level of targeting shows that the group knows exactly what kind of data carries the most value and is building tools specifically around extracting it.
The broader impact of this development goes beyond a single ransomware campaign. It shows that some threat actors are willing to invest in research and development, treating cybercrime operations with the same structure and discipline as a legitimate software project.
Organizations across industries that handle sensitive financial records or confidential documents are at heightened risk as these tools grow more sophisticated and harder to detect.
Before deploying the custom uploader, the attackers took deliberate steps to strip away the target’s defenses.
They installed HRSword, a kernel driver component of the Huorong Network Security Suite, and repurposed it as a tool to disable security software on the victim’s machine.
Alongside HRSword, several other tools were deployed, including PCHunter, Gmer, YDark, WKTools, DumpGuard, and StpProcessMonitor BYOVD.
Many of these tools exploit vulnerable kernel drivers to terminate endpoint protection processes, bypassing standard user-mode defenses by operating at the deepest level of the operating system.
Remote access to infected machines was established through AnyDesk, a legitimate remote desktop application.
To deepen their foothold, the attackers used Mimikatz and a collection of NirSoft password recovery utilities to harvest credentials stored in browsers and applications.
PowerRun was used to execute several of these tools with elevated system privileges, giving the attackers administrative-level access throughout the attack chain.
The uploader_client.exe tool itself is engineered for both speed and stealth. It defaults to five parallel connections per file to maximize transfer speed, rotates TCP connections after every 2,048 MB of data to avoid triggering network monitoring systems, and uses an `--exclude-ext` flag to skip low-priority media files like videos and audio, focusing only on high-value documents.
A shared authentication key also prevents unauthorized parties from accessing the stolen data once it reaches the attacker’s server.
Organizations are strongly advised to monitor for unauthorized use of remote access tools like AnyDesk in their environments.
Endpoint detection systems should be configured to flag kernel-level driver activity from tools such as PCHunter or Gmer.
Keeping endpoint protection software current is essential, and network traffic monitoring should be set to detect unusual high-volume or rapidly rotating outbound connections.
Reviewing and restricting access to sensitive document folders on networked drives can also reduce the risk of targeted exfiltration attempts.
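The "rapidly rotating outbound connections" the article recommends watching for can be surfaced from ordinary connection or flow logs. The following is an added example, not code from Symantec's report or from this article; the flow records, the external IP addresses (documentation ranges) and the thresholds are all constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

MB = 1024 * 1024

@dataclass
class Flow:
    start: int      # epoch seconds when the connection opened
    src: str        # internal host
    dst: str        # external peer
    dport: int
    out_bytes: int  # bytes sent by src over the life of the connection

# Constructed sample flow records (documentation IP ranges, not real telemetry):
# 10.0.0.5 opens six back-to-back outbound connections to one external host,
# each carrying roughly 2,048 MB; 10.0.0.7 is ordinary browsing noise.
SAMPLE_FLOWS = [
    Flow(1_700_000_000 + i * 180, "10.0.0.5", "203.0.113.10", 443, 2048 * MB + i * 1024)
    for i in range(6)
] + [
    Flow(1_700_000_000 + i * 60, "10.0.0.7", "198.51.100.20", 443, 300 * 1024)
    for i in range(20)
]

def find_rotating_uploads(flows, window=3600, min_conns=5,
                          min_total=4 * 1024 * MB, chunk=2048 * MB, tol=0.05):
    """Flag (src, dst) pairs where, within `window` seconds, a host opened at
    least `min_conns` outbound connections that together moved `min_total`
    bytes. The report also counts connections whose size sits within `tol`
    of `chunk`, the rotation size described for uploader_client.exe."""
    by_pair = defaultdict(list)
    for f in flows:
        by_pair[(f.src, f.dst)].append(f)
    hits = []
    for pair, fl in by_pair.items():
        fl.sort(key=lambda f: f.start)
        # slide a window over connection start times; report each pair once
        for i, first in enumerate(fl):
            win = [f for f in fl[i:] if f.start - first.start <= window]
            total = sum(f.out_bytes for f in win)
            if len(win) >= min_conns and total >= min_total:
                chunk_sized = sum(1 for f in win if abs(f.out_bytes - chunk) <= tol * chunk)
                hits.append({"pair": pair, "connections": len(win),
                             "total_mb": total // MB, "chunk_sized": chunk_sized})
                break
    return hits

if __name__ == "__main__":
    for hit in find_rotating_uploads(SAMPLE_FLOWS):
        print(hit)
```

The thresholds are deliberately loose; in practice they should be tuned against the organization's own baseline of legitimate bulk transfers (backups, cloud sync) so that the volume check alone does not drown the rotation signal.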
The post Ransomware Hackers Develop Custom Exfiltration Tool to Steal Sensitive Data appeared first on Cyber Security News.