A Familiar Threat Returns With New Capabilities
Researchers at cybersecurity firm Symantec have documented a fresh wave of Trigona ransomware attacks, this time featuring a bespoke data-exfiltration utility designed to operate more efficiently and with a far lower detection footprint than off-the-shelf alternatives. The attacks were observed in March 2026 and have been attributed to a gang affiliate operating within the broader Trigona ecosystem.
The choice to build a proprietary tool rather than repurpose widely available solutions is telling. According to Symantec, the shift suggests the attacker is "investing time and effort in proprietary malware in a bid to maintain a lower profile during a critical phase of their attacks." Tools such as Rclone and MegaSync are routinely flagged by endpoint security products, making custom alternatives increasingly attractive to ransomware affiliates seeking to stay under the radar.
Inside the Custom Exfiltration Utility
The tool has been identified as uploader_client.exe and is engineered for both speed and stealth. It connects to a hardcoded server address and incorporates several performance and evasion features that set it apart from generic exfiltration methods.
- Parallel uploads: The utility supports five simultaneous connections per file, dramatically accelerating the rate at which data can be siphoned from a compromised network.
- Connection rotation: TCP connections are rotated after every 2GB of traffic, a technique designed to evade network monitoring solutions that track long-lived or high-volume connections.
- Selective file targeting: Operators can configure the tool to focus on specific file types, deliberately skipping large, low-value media files to prioritize documents that carry the greatest extortion leverage.
- Authentication key protection: Access to the stolen data on the remote server is gated by an authentication key, preventing outsiders from accessing exfiltrated material even if they discover the server address.
In at least one documented incident, the exfiltration tool was used specifically to harvest high-value documents — including invoices and PDF files — stored on network drives.
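The two network-visible traits above (five simultaneous connections per file, and TCP connections rotated after every 2 GB) both leave a pattern in ordinary flow telemetry that a defender can look for. The following is an added detection example written for this page, not code from Symantec's report or from BleepingComputer: it runs two heuristics over constructed flow records (the `Flow` field names, the 2 GiB reading of "2GB", the 5% tolerance and the thresholds are all assumptions) and returns one finding per matched pattern.

```python
"""
Flow-level heuristics for the upload pattern described above (five parallel
connections per file, TCP connections rotated every 2 GB). Added example; the
flow records and field names are constructed, not taken from the report.
"""
from collections import defaultdict
from dataclasses import dataclass

GIB = 1024 ** 3
PARALLEL_MIN = 5            # the tool opens five simultaneous connections per file
ROTATE_BYTES = 2 * GIB      # connections are rotated after every 2 GB (assumed to mean 2 GiB here)
TOLERANCE = 0.05            # accept +/-5% around the rotation size
ROTATION_MIN = 3            # how many near-identical-size connections before we call it rotation


@dataclass
class Flow:
    start: float      # epoch seconds, connection opened
    end: float        # epoch seconds, connection closed
    src: str          # internal host
    dst: str          # external destination
    dport: int
    bytes_out: int    # bytes sent from src to dst


def max_concurrent(flows):
    """Largest number of flows open at the same instant (sweep line over start/end)."""
    events = []
    for f in flows:
        events.append((f.start, 1))
        events.append((f.end, -1))
    events.sort()   # at equal timestamps -1 sorts before +1: a close is not concurrent with a reopen
    current = best = 0
    for _, delta in events:
        current += delta
        best = max(best, current)
    return best


def detect(flows, parallel_min=PARALLEL_MIN, rotate_bytes=ROTATE_BYTES, tol=TOLERANCE):
    """Group flows by (src, dst, dport) and return a finding dict per matched heuristic."""
    groups = defaultdict(list)
    for f in flows:
        groups[(f.src, f.dst, f.dport)].append(f)

    findings = []
    for (src, dst, dport), group in groups.items():
        concurrent = max_concurrent(group)
        if concurrent >= parallel_min:
            findings.append({"type": "parallel_upload", "src": src, "dst": dst,
                             "dport": dport, "concurrent": concurrent})

        # Rotation leaves a trail of connections that all end at about the same byte count.
        near_limit = [f for f in group if abs(f.bytes_out - rotate_bytes) <= tol * rotate_bytes]
        if len(near_limit) >= ROTATION_MIN:
            findings.append({"type": "connection_rotation", "src": src, "dst": dst,
                             "dport": dport, "connections": len(near_limit),
                             "total_gib": round(sum(f.bytes_out for f in group) / GIB, 1)})
    return findings


# Constructed sample: one host pushing ~20 GiB in two batches of five parallel
# connections, each cut at roughly 2 GiB, plus ordinary browsing from another host.
SAMPLE_FLOWS = [
    *[Flow(0, 600, "10.0.0.5", "203.0.113.10", 443, ROTATE_BYTES - i * 1_000_000) for i in range(5)],
    *[Flow(601, 1200, "10.0.0.5", "203.0.113.10", 443, ROTATE_BYTES + i * 1_000_000) for i in range(5)],
    Flow(0, 30, "10.0.0.7", "198.51.100.20", 443, 48_000),
    Flow(10, 40, "10.0.0.7", "198.51.100.20", 443, 120_000),
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_FLOWS):
        print(finding)
```

The rotation heuristic is the more durable of the two: a monitoring product that only keys on long-lived or very large single connections is exactly what the rotation is meant to sidestep, so the signal has to be reconstructed across connections to the same destination. Both thresholds should be tuned against a baseline of legitimate bulk transfers (backups, cloud sync clients) before alerting on them.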
Background: Trigona's History and Resurgence
Trigona ransomware first emerged in October 2022 as a double-extortion operation, demanding ransom payments exclusively in Monero cryptocurrency. The group suffered a significant blow in October 2023, when Ukrainian cyber activists hacked its infrastructure, stealing internal data including source code and database records. That action was widely seen as a potentially fatal disruption to the operation.
However, Symantec's latest report makes clear that Trigona's threat actors have resumed operations, indicating a level of resilience uncommon among ransomware groups that have suffered such direct infrastructure compromise.
Attack Chain: Disabling Defenses Before Deploying Ransomware
Symantec's analysis of recent Trigona intrusions reveals a methodical approach to neutralizing endpoint defenses before the ransomware payload is ever executed.
Kernel-Level Driver Abuse
In the observed attacks, the threat actors installed HRSword, a kernel driver service that is part of the legitimate Huorong Network Security Suite. This was followed by the deployment of a suite of additional utilities specifically chosen for their ability to terminate or disable security software.
The disabling tools included: PCHunter, Gmer, YDark, WKTools, DumpGuard, and StpProcessMonitorByovd. As Symantec noted, "Many of these leveraged vulnerable kernel drivers to terminate endpoint protection processes" — a technique commonly referred to as Bring Your Own Vulnerable Driver (BYOVD).
Privilege Escalation and Remote Access
Several of the malicious utilities were launched using PowerRun, a legitimate product capable of executing applications, executables, and scripts with elevated privileges. This allowed the attackers to bypass user-mode protections that might otherwise block their tools.
For persistent remote access to breached systems, the attackers leveraged AnyDesk, a popular remote desktop application frequently abused in ransomware campaigns. Credential theft and password recovery operations were carried out using Mimikatz and a selection of Nirsoft utilities.
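The two sections above describe a chain a defender can correlate rather than a set of isolated detections: a kernel driver service (HRSword) being installed, defense-disabling utilities started shortly afterwards, several of them launched under PowerRun, and then AnyDesk and Mimikatz appearing on the same host. The following is an added example written for this page, not Symantec's detection logic or its published IoCs: it classifies constructed Sysmon/System-log style events (the field names, event IDs' field layout, host names and paths are assumptions) and raises a per-host alert when the driver-then-tools sequence appears within an assumed 24-hour window.

```python
"""
Endpoint correlation for the tool chain described above: a kernel driver service
(HRSword) installed, defense-disabling utilities launched, several of them via
PowerRun, then AnyDesk and Mimikatz. Added example; the events are constructed
Sysmon/System-log style records with assumed field names, not Symantec's IoCs.
Matching is on executable names only, which renamed binaries defeat; treat it as
a first pass alongside hash- and signer-based rules.
"""
import os
from collections import defaultdict
from datetime import datetime, timedelta

DRIVER_SERVICES = {"hrsword"}
DISABLING_TOOLS = {"pchunter", "gmer", "ydark", "wktools", "dumpguard", "stpprocessmonitorbyovd"}
ELEVATION_TOOLS = {"powerrun"}
ACCESS_CRED_TOOLS = {"anydesk", "mimikatz"}   # Nirsoft utilities are better matched on publisher than on name
WINDOW = timedelta(hours=24)                  # assumed span for correlating driver install with tool launches


def stem(path):
    """Lower-cased file name without directory or extension: 'C:\\x\\HRSword.sys' -> 'hrsword'."""
    name = os.path.basename(path.replace("\\", "/")).lower()
    return os.path.splitext(name)[0]


def match(name, toolset):
    """Return the tool a name corresponds to (prefix match so PCHunter64 still hits 'pchunter')."""
    for tool in sorted(toolset):
        if name.startswith(tool):
            return tool
    return None


def classify(ev):
    """(category, tool, launched_via_powerrun) for events naming a tool from the report, else None."""
    eid = ev["EventID"]
    if eid == 7045:                                   # System log: new service installed
        for field in ("ServiceName", "ImagePath"):
            tool = match(stem(ev.get(field, "")), DRIVER_SERVICES)
            if tool:
                return ("kernel_driver_service", tool, False)
    elif eid == 6:                                    # Sysmon: driver loaded
        tool = match(stem(ev.get("ImageLoaded", "")), DRIVER_SERVICES)
        if tool:
            return ("kernel_driver_service", tool, False)
    elif eid == 1:                                    # Sysmon: process created
        name = stem(ev.get("Image", ""))
        via_powerrun = match(stem(ev.get("ParentImage", "")), ELEVATION_TOOLS) is not None
        for category, toolset in (("defense_disabling_tool", DISABLING_TOOLS),
                                  ("elevation_tool", ELEVATION_TOOLS),
                                  ("remote_access_or_credential_tool", ACCESS_CRED_TOOLS)):
            tool = match(name, toolset)
            if tool:
                return (category, tool, via_powerrun)
    return None


def correlate(events):
    """Per-host alerts: BYOVD chain (driver service, then disabling tools inside WINDOW) and access/credential tools."""
    per_host = defaultdict(list)
    for ev in events:
        hit = classify(ev)
        if hit:
            per_host[ev["Computer"]].append((datetime.fromisoformat(ev["UtcTime"]),) + hit)

    alerts = []
    for host, hits in sorted(per_host.items()):
        hits.sort()
        for t_drv, category, driver, _ in hits:
            if category != "kernel_driver_service":
                continue
            followers = [h for h in hits
                         if h[1] == "defense_disabling_tool" and t_drv <= h[0] <= t_drv + WINDOW]
            if followers:
                alerts.append({"host": host, "rule": "byovd_defense_evasion_chain", "driver": driver,
                               "tools": sorted({h[2] for h in followers}),
                               "elevated_via_powerrun": any(h[3] for h in followers)})
        access = sorted({h[2] for h in hits if h[1] == "remote_access_or_credential_tool"})
        if access:
            alerts.append({"host": host, "rule": "remote_access_or_credential_tool", "tools": access})
    return alerts


# Constructed sample: the chain on FS01, and an unrelated benign process on WS22.
SAMPLE_EVENTS = [
    {"EventID": 7045, "Computer": "FS01", "UtcTime": "2026-03-03T01:10:00",
     "ServiceName": "HRSword", "ImagePath": r"C:\ProgramData\tmp\HRSword.sys"},
    {"EventID": 1, "Computer": "FS01", "UtcTime": "2026-03-03T01:12:30",
     "Image": r"C:\ProgramData\tmp\PowerRun.exe", "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "Computer": "FS01", "UtcTime": "2026-03-03T01:13:05",
     "Image": r"C:\ProgramData\tmp\PCHunter64.exe", "ParentImage": r"C:\ProgramData\tmp\PowerRun.exe"},
    {"EventID": 1, "Computer": "FS01", "UtcTime": "2026-03-03T01:14:40",
     "Image": r"C:\ProgramData\tmp\YDark.exe", "ParentImage": r"C:\ProgramData\tmp\PowerRun.exe"},
    {"EventID": 1, "Computer": "FS01", "UtcTime": "2026-03-03T01:30:00",
     "Image": r"C:\Users\Public\AnyDesk.exe", "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "Computer": "FS01", "UtcTime": "2026-03-03T01:45:00",
     "Image": r"C:\Users\Public\mimikatz.exe", "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 1, "Computer": "WS22", "UtcTime": "2026-03-03T09:00:00",
     "Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

The sequence matters more than any single name: HRSword on its own is a legitimate Huorong component and AnyDesk is common in help desks, so each alone is noisy, while a driver service install followed within hours by several process-killing utilities under an elevation launcher is a much tighter signal. Because the tool names here are the ones Symantec listed and attackers rename binaries freely, the name sets should be backed by hash and signer rules and by blocking the specific vulnerable drivers these utilities load.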
Detection and Mitigation
Symantec has published a list of indicators of compromise (IoCs) associated with the latest round of Trigona activity at the bottom of its report. Organizations are encouraged to ingest these IoCs into their security tooling to enable timely detection and blocking of ongoing or future intrusion attempts.
The resurgence of Trigona — now armed with a custom exfiltration framework — underscores the adaptability of ransomware operations even after significant disruptions, and highlights the growing trend of affiliates investing in purpose-built tools to avoid triggering commodity security controls.
Source: BleepingComputer