Trigona Affiliates Deploy Custom Exfiltration Tool to Streamline Data Theft
Use of custom malware remains relatively rare in pre-ransomware activity.
While many ransomware groups rely on off-the-shelf utilities such as Rclone or MegaSync to steal victim data, recent attacks involving the Trigona ransomware used a custom-developed tool designed to provide attackers with granular control over the data theft process.
The attacks, which occurred in March 2026, mark a significant shift in tactics for Trigona affiliates. The motivation for moving away from publicly available tools remains unknown. Many publicly available tools are now so well known that they may be flagged by security solutions. It is possible that the attackers are investing time and effort in proprietary malware in a bid to maintain a lower profile during a critical phase of their attacks.
Trigona, which first appeared in late 2022, is operated as a Ransomware-as-a-Service (RaaS) by a cybercrime group Symantec calls Rhantus.
Technical details
The tool, which is called uploader_client.exe, is a command-line utility that communicates with a hardcoded attacker-controlled server. Analysis indicates that the tool is likely custom developed rather than publicly available.
Key performance and evasion features include:
Parallel streams: The tool defaults to five parallel connections per file, allowing for rapid data transfer that can saturate available bandwidth.
Connection rotation: It can rotate the TCP connection after a specific volume of data (defaulting to 2,048 MB) has been sent. This technique is likely intended to evade network traffic monitoring that triggers on long-lived, high-volume connections to a single IP address.
Granular filtering: Attackers can use an --exclude-ext flag to ignore bulky, low-value files such as .mp3, .mp4, or .avi files, ensuring they only steal high-priority documents.
Integrated authentication: The tool uses a shared authentication key to verify the client with the server, preventing unauthorized access to the stolen data repository.
In one observed case, the uploader was used to target folders containing invoices and high-value PDF documents stored on networked drives.
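The connection rotation described above is aimed at detectors that judge one connection at a time. The following added example (not code from the report or from the attackers' tool) shows detection logic that instead sums outbound volume per peer over constructed Zeek-style connection records; the IP addresses, timestamps and flow sizes are constructed, while the 2,048 MB rotation size and five-stream default come from the report.

```python
from collections import defaultdict
from statistics import median

MB = 1024 * 1024
ROTATION_MB = 2048      # the uploader's default rotation volume, per the report
PARALLEL_STREAMS = 5    # its default number of parallel connections per file

def build_sample_log():
    """Constructed Zeek-style conn records (not real telemetry): five parallel sockets to one
    peer on 1080, each replaced after ~2,048 MB, plus a small HTTPS flow and a big single-socket SMB copy."""
    rows = []
    for rotation in range(3):
        for stream in range(PARALLEL_STREAMS):
            rows.append(dict(ts=1_700_000_000 + rotation * 300 + stream, duration=290,
                             src="10.20.30.40", dst="198.51.100.7", dst_port=1080,
                             orig_bytes=ROTATION_MB * MB - stream * 4096))
    rows.append(dict(ts=1_700_000_050, duration=12, src="10.20.30.40",
                     dst="203.0.113.8", dst_port=443, orig_bytes=3 * MB))
    rows.append(dict(ts=1_700_000_100, duration=3600, src="10.20.30.41",
                     dst="10.20.30.5", dst_port=445, orig_bytes=9000 * MB))
    return rows

def per_connection_alerts(rows, threshold_mb=4096):
    """The naive rule the rotation is built to slip past: flag any single big connection."""
    return [r for r in rows if r["orig_bytes"] >= threshold_mb * MB]

def max_concurrent(flows):
    """Peak number of open connections; a peak always coincides with some connection's start."""
    return max(sum(g["ts"] <= f["ts"] < g["ts"] + g["duration"] for g in flows) for f in flows)

def find_rotated_exfil(rows, min_total_mb=4096, min_conns=3, tolerance=0.05):
    """Sum outbound bytes per (src, dst, port) so chunked transfers add back up; report peers
    whose connections cluster near the rotation size, are nearly uniform in size (covers a
    non-default rotation value), or ran in parallel."""
    by_peer = defaultdict(list)
    for r in rows:
        by_peer[(r["src"], r["dst"], r["dst_port"])].append(r)
    findings = {}
    for peer, flows in by_peer.items():
        sizes = sorted(f["orig_bytes"] / MB for f in flows)
        total = sum(sizes)
        if total < min_total_mb or len(flows) < min_conns:
            continue
        near_rotation = sum(abs(s - ROTATION_MB) <= ROTATION_MB * tolerance for s in sizes)
        uniform = sizes[-1] - sizes[0] <= median(sizes) * tolerance
        parallel = max_concurrent(flows)
        if near_rotation >= min_conns or uniform or parallel >= PARALLEL_STREAMS:
            findings[peer] = dict(connections=len(flows), total_mb=round(total),
                                  near_rotation=near_rotation, max_parallel=parallel)
    return findings
```

On the sample log the per-connection rule flags only the single large SMB copy and misses the rotated upload entirely, while the per-peer aggregation reports the port 1080 peer with 15 connections, roughly 30 GB in total and five streams in parallel.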
Pre-exfiltration: Impairing defenses
The deployment of the custom uploader is preceded by attempts to disable security software. The attackers installed HRSword, a tool from the Huorong Network Security Suite, as a kernel driver service. Alongside it, a range of additional security-disabling tools was deployed, including PCHunter, Gmer, YDark, WKTools, DumpGuard, and StpProcessMonitorByovd. Many of these leverage vulnerable kernel drivers to terminate endpoint protection processes (the bring-your-own-vulnerable-driver, or BYOVD, technique). PowerRun was used to execute some of these tools with elevated privileges. By operating at the kernel level, these tools can bypass standard user-mode protections and disable security software effectively.
The attackers gained remote access to infected machines using AnyDesk. Credential theft also occurred, using specialized tools such as Mimikatz and various password recovery utilities from Nirsoft to harvest application and browser credentials.
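A practical check for the driver-based defense impairment described above, added here as an example and not taken from the report: parse the message text of Windows System-log event 7045 (service installed) and flag kernel-mode driver services loaded from outside the normal drivers directory or from user-writable paths. The event messages, service names and file paths below are constructed placeholders.

```python
import re

# Constructed message bodies of Windows event 7045 ("A service was installed in the
# system"); the driver file names and paths are placeholders, not values from the report.
SAMPLE_7045 = [
    "Service Name: HRSword Service File Name: C:\\Users\\Public\\HRSword\\hrsword_drv.sys "
    "Service Type: kernel mode driver Service Start Type: demand start Service Account: ",
    "Service Name: exampledrv Service File Name: \\SystemRoot\\System32\\drivers\\exampledrv.sys "
    "Service Type: kernel mode driver Service Start Type: boot start Service Account: ",
    "Service Name: UpdaterSvc Service File Name: \"C:\\Program Files\\Vendor\\updater.exe\" "
    "Service Type: user mode service Service Start Type: auto start Service Account: LocalSystem",
]

FIELD_RE = re.compile(
    r"Service Name:\s*(?P<name>.*?)\s*Service File Name:\s*(?P<path>.*?)\s*"
    r"Service Type:\s*(?P<stype>.*?)\s*Service Start Type:\s*(?P<start>.*?)\s*"
    r"Service Account:\s*(?P<account>.*)$"
)
TRUSTED_DRIVER_DIRS = ("c:\\windows\\system32\\drivers", "c:\\windows\\system32\\driverstore")
WRITABLE_HINTS = ("\\users\\", "\\programdata\\", "\\temp\\")

def normalize_path(raw):
    """Lower-case, strip quotes and the \\??\\ prefix, and expand \\SystemRoot."""
    p = raw.strip().strip('"').lower()
    if p.startswith("\\??\\"):
        p = p[4:]
    if p.startswith("\\systemroot\\"):
        p = "c:\\windows\\" + p[len("\\systemroot\\"):]
    return p

def triage_service_installs(messages):
    """Return the 7045 events worth an analyst's attention, each with its reasons."""
    hits = []
    for msg in messages:
        m = FIELD_RE.search(msg)
        if not m:
            continue
        path = normalize_path(m["path"])
        kernel = "kernel" in m["stype"].lower()
        reasons = []
        if kernel and not path.startswith(TRUSTED_DRIVER_DIRS):
            reasons.append("kernel driver loaded from outside the drivers directory")
        if any(h in path for h in WRITABLE_HINTS):
            reasons.append("service binary in a user-writable location")
        if reasons:
            hits.append({"service": m["name"], "path": path, "kernel": kernel, "reasons": reasons})
    return hits
```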
Rarity of custom tools
While most ransomware affiliates rely on standard toolkits involving off-the-shelf tools, the creation of a custom exfiltration tool suggests an attacker with a higher degree of technical maturity.
The use of custom tooling in the ransomware landscape is a double-edged sword for attackers. While it requires development resources and time, these tools can provide a level of stealth that generic tools cannot match, at least until they're discovered.
Protection/Mitigation
For the latest protection updates, please visit the Symantec Protection Bulletin.
Indicators of Compromise (IOCs)