Trigona Affiliates Deploy Custom Exfiltration Tool to Streamline Data Theft
Trigona ransomware affiliates have adopted a custom-developed exfiltration tool called uploader_client.exe in attacks observed during March 2026, marking a significant tactical evolution. This command-line utility features parallel data streams, connection rotation to evade network monitoring, and granular file filtering capabilities. The shift from commonly used off-the-shelf tools like Rclone to proprietary malware suggests attackers are attempting to maintain a lower profile during critical attack phases. Prior to data exfiltration, attackers deploy multiple security-disabling tools including HRSword, PCHunter, and various BYOVD utilities to terminate endpoint protection at the kernel level. Remote access is established through AnyDesk, while credential theft is conducted using Mimikatz and Nirsoft utilities. This custom tooling approach demonstrates a higher degree of technical maturity compared to typical ransomware affiliate operations.
AI Analysis
Technical Summary
The Trigona ransomware affiliate group has shifted to using a custom-built exfiltration tool, uploader_client.exe, which enhances their data theft capabilities through features such as parallel data streams and connection rotation to avoid network monitoring. Prior to exfiltration, the attackers deploy multiple kernel-level security-disabling tools (HRSword, PCHunter, BYOVD utilities) to terminate endpoint protection. Remote access is established using AnyDesk, and credential theft is conducted with Mimikatz and Nirsoft utilities. This custom tooling replaces previously used off-the-shelf tools like Rclone, indicating a strategic move to reduce detection and increase operational stealth. The attack chain demonstrates advanced tactics including kernel driver abuse and multiple credential and process manipulation techniques.
Potential Impact
The use of a custom exfiltration tool with advanced evasion features allows Trigona affiliates to steal data more efficiently and stealthily. Disabling endpoint protection at the kernel level increases the likelihood of successful data theft and persistence. Credential theft tools facilitate lateral movement and further compromise. Although no direct ransomware deployment details are provided here, the exfiltration phase supports extortion and data leak threats. There are no known exploits in the wild for this specific tool, but the increased sophistication raises the risk profile of Trigona ransomware campaigns.
Mitigation Recommendations
No official patch or remediation is available as this is a threat actor toolset rather than a software vulnerability. Defenders should focus on detecting and blocking the use of known tools such as HRSword, PCHunter, Mimikatz, and AnyDesk in unauthorized contexts. Monitoring for kernel-level security disabling activities and unusual network connections consistent with uploader_client.exe behavior is recommended. Endpoint detection and response solutions should be tuned to identify these tactics. Since this is a custom tool, signature-based detection may be limited; behavioral and heuristic detection methods are advised.
Indicators of Compromise
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.security.com/blog-post/trigona-exfiltration-custom
- Adversary: Rhantus
- Pulse Id: 69ea2ebf9d87464f7c54c08e
- Threat Score: null
Threat ID: 69eb327b87115cfb680bf4ce
Added to database: 4/24/2026, 9:06:03 AM
Last enriched: 4/24/2026, 9:21:17 AM
Last updated: 4/25/2026, 5:44:54 AM