Perceptive Security
SOC/SIEM Consultancy

Trigona ransomware attacks use custom exfiltration tool to steal data
Published:
23 April 2026 at 18:59:39
Alert date:
23 April 2026 at 19:01:54
Source:
bleepingcomputer.com
Ransomware & Malware, Data Breach & Exfiltration
Trigona ransomware operators are now using a custom command-line exfiltration tool to steal data from compromised environments before encryption. The tool speeds up and streamlines data theft during the intrusion, so more data can be taken in less time. It is an evolution of Trigona's tradecraft, and it raises the impact of a successful attack because victims face both encryption and the loss of exfiltrated data.
Technical details
Trigona ransomware is using a custom command-line tool named 'uploader_client.exe' for data exfiltration. The tool connects to a hardcoded server address and has the following features: up to five simultaneous connections per file for parallel uploads; rotation of TCP connections after 2GB of traffic, which the researchers assess is intended to evade monitoring; selective exfiltration by file type, excluding large low-value media files; and authentication keys that restrict who can use the upload endpoint.
The attack chain observed in these intrusions starts with the installation of HRSword, a component of the Huorong Network Security Suite, as a kernel driver service. The operators then deploy tools that abuse vulnerable kernel drivers (bring-your-own-vulnerable-driver, BYOVD) to disable security products. PowerRun is used to run utilities with elevated privileges, AnyDesk provides remote access, and Mimikatz together with NirSoft utilities is used for credential theft and password recovery.
Mitigation steps:
Use the indicators of compromise (IoCs) published at the bottom of Symantec's report (linked below) for timely detection and blocking of Trigona activity. Monitor for execution of the custom exfiltration tool 'uploader_client.exe', for a single process opening many parallel outbound connections to the same destination, and for kernel driver loads or driver service installations tied to the tools listed under Affected products, which indicate attempts to disable security software through vulnerable kernel drivers.
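The following hunt script is an added example written for this alert; it is not code from Perceptive, Symantec or the Trigona operators. It runs simple detection logic over constructed Sysmon-style events (process creation, network connection and driver load) and flags the behaviours described above: execution of 'uploader_client.exe', execution of the helper tools named on this page, a driver loaded from outside the Windows driver directories (a general BYOVD heuristic, not a fact from the report), and one process opening five or more connections to the same host and port, which mirrors the tool's five-connections-per-file upload behaviour. The executable names for PowerRun, AnyDesk and the driver-abuse tools are assumptions; only 'uploader_client.exe' is taken from the page.

```python
"""Hunt over Sysmon-style events for the Trigona tradecraft described above.

The events below are constructed for this example, not real telemetry.
Field names follow Sysmon EventData (Image, CommandLine, DestinationIp,
DestinationPort, ImageLoaded). Tool file names other than
uploader_client.exe are assumptions based on the product list on this page.
"""
from collections import defaultdict
from pathlib import PureWindowsPath

# uploader_client.exe is the IOC named on this page. The remaining names
# are assumed executable names for the tools listed under Affected products.
EXFIL_TOOLS = {"uploader_client.exe"}
KILLER_TOOLS = {"pchunter64.exe", "gmer.exe", "ydark.exe", "wktools.exe",
                "dumpguard.exe", "stpprocessmonitorbyovd.exe", "hrsword.exe"}
ACCESS_TOOLS = {"powerrun.exe", "anydesk.exe", "mimikatz.exe"}

# The page reports five simultaneous connections per file, so five or more
# connections from one process to the same host:port is treated as suspicious.
PARALLEL_THRESHOLD = 5

# General BYOVD heuristic (not from the report): legitimate drivers normally
# live under \Windows\System32\, including the DriverStore.
TRUSTED_DRIVER_DIR = "\\windows\\system32\\"


def _base(path):
    """Lower-cased file name of a Windows path."""
    return PureWindowsPath(path).name.lower()


def hunt(events):
    """Return a list of (rule, detail) findings for a list of event dicts."""
    findings = []
    conns = defaultdict(int)  # (image, dst_ip, dst_port) -> connection count
    for ev in events:
        eid = ev["EventID"]
        if eid == 1:  # process creation
            img = _base(ev["Image"])
            if img in EXFIL_TOOLS:
                findings.append(("exfil_tool", ev.get("CommandLine", img)))
            elif img in KILLER_TOOLS:
                findings.append(("byovd_tool", img))
            elif img in ACCESS_TOOLS:
                findings.append(("access_tool", img))
        elif eid == 3:  # network connection
            key = (_base(ev["Image"]), ev["DestinationIp"], ev["DestinationPort"])
            conns[key] += 1
        elif eid == 6:  # driver loaded
            loaded = ev["ImageLoaded"]
            if TRUSTED_DRIVER_DIR not in str(PureWindowsPath(loaded)).lower():
                findings.append(("driver_outside_system32", loaded))
    for (img, ip, port), n in conns.items():
        if n >= PARALLEL_THRESHOLD:
            findings.append(("parallel_upload", f"{img} -> {ip}:{port} x{n}"))
    return findings


# Constructed sample: one benign process, one benign driver, then the
# behaviours described in this alert. 203.0.113.10 is a documentation address.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs"},
    {"EventID": 1, "Image": r"C:\Users\Public\PowerRun.exe",
     "CommandLine": "PowerRun.exe HRSword.exe"},
    {"EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys"},
    {"EventID": 6, "ImageLoaded": r"C:\ProgramData\tool\tool.sys"},  # hypothetical
    {"EventID": 1, "Image": r"C:\Users\Public\uploader_client.exe",
     "CommandLine": "uploader_client.exe"},
] + [
    {"EventID": 3, "Image": r"C:\Users\Public\uploader_client.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443}
    for _ in range(5)
]

if __name__ == "__main__":
    for rule, detail in hunt(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```

To use this against real data, export Sysmon events (for example from a SIEM as JSON) into the same dict shape and feed them to hunt(); the name-based rules are brittle against renamed binaries, so the driver-path and parallel-connection heuristics are the ones worth keeping once the IOC names go stale.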
Affected products (tools observed in the attack chain):
PCHunter
Gmer
YDark
WKTools
DumpGuard
StpProcessMonitorByovd
Huorong Network Security Suite
HRSword
PowerRun
AnyDesk
Mimikatz
Nirsoft utilities
Rclone
MegaSync
Related links:
https://www.bleepingcomputer.com/news/security/trigona-ransomware-spotted-in-increasing-attacks-worldwide/
https://www.bleepingcomputer.com/news/security/ukrainian-activists-hack-trigona-ransomware-gang-wipe-servers/
https://www.security.com/threat-intelligence/trigona-exfiltration-custom
Related CVEs:
Related threat actors:
IOCs:
uploader_client.exe
This article was created with the assistance of AI technology by Perceptive.
