Trigona ransomware deploys custom exfiltration tool to dodge detection
Original source: "Trigona ransomware attacks use custom exfiltration tool to steal data" (BleepingComputer)

Trigona ransomware operators have shifted from off-the-shelf utilities like Rclone and MegaSync to a bespoke command-line tool called uploader_client.exe, according to Symantec. The move suggests affiliates are investing in proprietary tooling to evade security products that routinely flag common exfiltration utilities. The binary opens five parallel connections per file for faster uploads, rotates TCP connections every 2GB to dodge monitoring, supports selective file-type targeting to skip low-value media, and gates access to the staging server with an authentication key.
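One defensive use of the details above, as an added example that is not from the article or from Symantec's research: a small Python heuristic over constructed flow records that flags a source host holding several parallel connections to one destination and closing each after roughly 2 GB, the rotation pattern attributed to uploader_client.exe. The flow-record shape, the 5 % size tolerance and the minimum counts are assumptions chosen for illustration.

```python
"""Flag outbound flows whose shape matches the per-file connection rotation
described for uploader_client.exe. Example code added here; the Flow record
format and the thresholds below are assumptions, not Symantec's detections."""
from collections import defaultdict
from dataclasses import dataclass

GB = 1_000_000_000


@dataclass
class Flow:
    src: str
    dst: str
    start: int      # epoch seconds when the connection opened
    end: int        # epoch seconds when it closed
    bytes_out: int  # bytes sent by src over this connection


def max_concurrency(flows):
    """Largest number of flows open at the same instant (sweep line).
    A close at time t is counted before an open at t, so back-to-back
    rotations are not mistaken for extra parallelism."""
    events = sorted([(f.start, 1) for f in flows] + [(f.end, -1) for f in flows])
    open_now = peak = 0
    for _, delta in events:
        open_now += delta
        peak = max(peak, open_now)
    return peak


def rotation_exfil_candidates(flows, rotation_bytes=2 * GB, tolerance=0.05,
                              min_rotated=3, min_parallel=5):
    """Return one alert per (src, dst) pair that shows both the ~2 GB
    rotation signature and the parallel-stream signature together."""
    by_pair = defaultdict(list)
    for f in flows:
        by_pair[(f.src, f.dst)].append(f)
    lo, hi = rotation_bytes * (1 - tolerance), rotation_bytes * (1 + tolerance)
    alerts = []
    for (src, dst), group in by_pair.items():
        rotated = [f for f in group if lo <= f.bytes_out <= hi]
        parallel = max_concurrency(group)
        if len(rotated) >= min_rotated and parallel >= min_parallel:
            alerts.append({"src": src, "dst": dst, "rotated_connections": len(rotated),
                           "max_parallel": parallel,
                           "total_gb": round(sum(f.bytes_out for f in group) / GB, 1)})
    return alerts


SAMPLE_FLOWS = [  # constructed records, not captured traffic
    *[Flow("10.0.0.15", "203.0.113.7", 0, 600, 2 * GB + i * 1000) for i in range(5)],
    *[Flow("10.0.0.15", "203.0.113.7", 600, 1200, 1_990_000_000 + i * 1000) for i in range(5)],
    Flow("10.0.0.15", "203.0.113.7", 1200, 1300, 400_000_000),   # final partial chunk
    Flow("10.0.0.20", "198.51.100.9", 0, 3600, 3 * GB),          # single-stream backup job
]

if __name__ == "__main__":
    for alert in rotation_exfil_candidates(SAMPLE_FLOWS):
        print(alert)
```

The benign 3 GB backup flow is never flagged because it neither rotates near the 2 GB mark nor runs in parallel, which is the point of requiring both signals rather than volume alone.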
The exfiltration stage sits inside a broader kill chain that leans heavily on BYOVD techniques. Operators install the HRSword kernel driver from Huorong’s security suite, then layer on tools like PCHunter, Gmer, and DumpGuard — several of which abuse vulnerable kernel drivers — to kill endpoint protection. PowerRun is used to escalate privileges past user-mode defenses, AnyDesk provides remote access, and Mimikatz plus Nirsoft utilities handle credential theft.
Trigona launched in October 2022 as a Monero-demanding double-extortion crew and was briefly disrupted in October 2023 when Ukrainian activists breached its infrastructure and leaked source code. The current activity confirms the operation has rebuilt, and the custom tooling signals a deliberate push toward lower-profile tradecraft during the data-theft phase.
This is an AI-generated summary. Read the original BleepingComputer article for the full story.