Trigona Affiliates Deploy Custom Exfiltration Tool to Streamline Data Theft
Trigona ransomware affiliates have developed and deployed a custom exfiltration tool named uploader_client.exe, observed in attacks during March 2026. This tool uses parallel data streams, connection rotation, and file filtering to evade detection and streamline data theft. Before exfiltration, attackers disable endpoint protections at the kernel level using multiple utilities. Remote access and credential theft are facilitated by AnyDesk and tools like Mimikatz. This represents a more technically sophisticated approach than typical ransomware affiliate operations.
AI Analysis
Technical Summary
The Trigona ransomware affiliate group has introduced a proprietary exfiltration tool, uploader_client.exe, to replace common off-the-shelf utilities such as Rclone. This command-line tool supports parallel data streams, connection rotation to avoid network monitoring, and granular file filtering, enhancing stealth and efficiency in data theft. Prior to exfiltration, attackers deploy kernel-level security-disabling tools including HRSword, PCHunter, and BYOVD utilities to terminate endpoint protection mechanisms. Remote access is maintained via AnyDesk, while credential harvesting is conducted using Mimikatz and Nirsoft utilities. This custom tooling indicates a higher technical maturity and operational security focus within the Trigona affiliate operations.
Potential Impact
The use of custom exfiltration tooling combined with kernel-level disabling of endpoint protections increases the likelihood of successful data theft and persistence within targeted environments. The attackers' ability to evade network monitoring and disable security controls can lead to significant data breaches and complicate incident response efforts. Credential theft and remote access further enable lateral movement and prolonged access. However, no known exploits in the wild or specific vulnerabilities are indicated.
Mitigation Recommendations
No official patch or remediation is available as this is a threat actor's custom toolset rather than a software vulnerability. Organizations should focus on detecting and blocking the use of known tools such as uploader_client.exe, HRSword, PCHunter, and AnyDesk in unauthorized contexts. Endpoint detection and response solutions should be tuned to identify kernel-level tampering and unusual network connections. Credential theft prevention measures, including multi-factor authentication and credential vaulting, are recommended. Since this is a malware campaign rather than a software flaw, vendor patching does not apply. Patch status is not yet confirmed — check vendor advisories and threat intelligence updates for new guidance.
Indicators of Compromise
- hash: e8a3e804a96c716a3e9b69195db6ffb0d33e2433af871e4d4e1eab3097237173
- hash: 816d7616238958dfe0bb811a063eb3102efd82eff14408f5cab4cb5258bfd019
- hash: 7a313840d25adf94c7bf1d17393f5b991ba8baf50b8cacb7ce0420189c177e26
- hash: 598555a7e053c7456ee8a06a892309386e69d473c73284de9bbc0ba73b17e70a
- hash: 746710470586076bb0757e0b3875de9c90202be2
- hash: 2b214bddaab130c274de6204af6dba5aeec7433da99aa950022fa306421a6d32
- hash: 205818e10c13d2e51b4c0196ca30111276ca1107fc8e25a0992fe67879eab964
- hash: 1dfe0e65f3fb60ee4e46cf8125ad67ca
- hash: fae1061813f2148296767d28262d2c25
- hash: c7d994eb2042633172bd8866c9f163be531444ce3126d5f340edd25cbdb473d4
- hash: 8f2fde9aa0eb6f6c83c30608061691cc
- hash: b3774ba01a3096348fd76a7072407b9f07bb9589e0f5ba31ca576689bbbe94e4
- hash: c73e71825adbfb9821b9fa6e8672903c
- hash: 31b827dad64b2dd881b9f0ceb012e0ac6885492c
- hash: 274ca13168b38590c230bddc2d606bbe8c26de8a6d79156a6c7d07265efe0fdf
- hash: f3d20449bab41301aefad304cb02773b
- hash: 73f8e5c17b49b9f2703fed59cc2be77239e904f7
- hash: c41216eee9756a1dcc546df4fe97defc05513eed64ce6ac05f1501b50e6f96cc
- hash: bd48322845f8930e58e038dfd4e1e243e80a6b76
- hash: 99c4401366ad7e561ce3ac8e5bb9a7a8144aa3ea
- hash: 97e045bc056b5f68f18ea4fbbb9cc64a
- hash: 207b11f7dc4f17e4e5a9c25dbfb6a785a7456d7c381ecea7c729d8d924be1fb9
- hash: 8729815f87f4186fd46d52418c1b7ae2a54aebcf
- hash: 6ce228240458563d73c1c3cbbd04ef15cb7c5badacc78ce331848f5431b406cc
- hash: fc3b93e042de5fa569a8379d46bce506
- hash: 1ba499bafaa369be58e795a150403c8729ef5d95
- hash: 5be325905df8aab7089ab2348d89343f55a2f88dadd75de8f382e8fa026451bd
- hash: 58bb9dab4e9b3aa2fd1e7a7b17d2eeb1
- hash: 23516ea1f2cc771f705807c2fc7d163e
- hash: ab06eeb603656d3943cd30396f82a45f
- hash: d611f824074a57e7fd1d08341edeb559
- hash: 1a12519bdeb372e8b1836d78ec61617bbac166aa
- hash: 4df0949f634c4d74a7e1cc48b6575f9a27dc21c9
- hash: b67a2f9d9de2135617caea8d4a7488e2a962e3e2
- hash: e43d7a6ad722d285813afb9eefe53d264af6948b
- hash: 0b679027e38f3d9ca554085be0e762c651e83e6414401b56635cdf3765ca1dac
- hash: 0ce7badb26174b6129fb13d7e255e582f84d8aaedeabcd02c80d84a609144068
- hash: 1433aa8210b287b8d463d958fc9ceeb913644f550919cfb2c62370773799e5a5
- hash: 1588023393eb6b4d9433d539d303ecb56b6c3630e860f94d1a137834bdedf2bd
- hash: 35f28a31a47b0bcd92722265473d66ffef6c4bd460c71c36b57df2ac0d02f671
- hash: 396aa1f8f308010a3c76a53965d0eddd35e41176eacd1194745d9542239ca8dc
- hash: 48f3d66492a494965e7039079158e2fee552aaab517d1a55352209c9eedcb765
- hash: 49a7b3cf426d1f35a2138c0a6cec397688d223d7f2bcbbeed53b511a328a97be
- hash: 4a44d0c6cf5de515dd296f05ff6674d1a340fccf6b4c11612d27be2d3baa82b0
- hash: 4adbb1906762c757764ffc5fa64af96e091966f4f5a43aae12fcc4f05f1c26b5
- hash: 647b2f12486343fe065dc4abbb11e2338589eb099c72792b5a05e64a5e2937fc
- hash: 6688fb3039ad6df606d76a897ef1072cdc78b928335c6bfa691d99498caf5c4b
- hash: 6bac99f56e54d5195783513ae6954a4a8509d7bc397c94f405266b5df9cd96cb
- hash: 6c31dd44b29b5f87030caececc616cf366badeff5a7e4c9933aa5fa6445a0c7a
- hash: 72fc3d03065922b9a03774bbd1873e5e7f3a5a2abf5dcf7bfb2e98aceed53a9d
- hash: 73cd405b5bfc99ec5cf33467d4be7fc7e39ae18337568ee10173c17ba6e8f0d7
- hash: 771de264c5d7e1e5ac85f00c42e9fe3b439bcbd4f9aa11e4fd7bc0d87fa2344e
- hash: 87bf4b152d9548f415f12f353f988b5442729e7f24e2902ddfd0baa4a944354a
- hash: 8a2f4907159a68867b22bc772590ebcafcfa656a23951228ecd89e4f598472b0
- hash: 99c4775ed813f354c9e53f42797226d82b26f44d19e81036c9e55222d1744189
- hash: a18555c1ca53d4826191a30889d82205a304932f997baec755c98ddad4326cb8
- hash: b066ca2702853c2fcbf686897c18f6d315be7ae753007ac2c1d73c87b0a30de9
- hash: c64964944b4c1f649ae8f694964b3a212dc1028341ab71836306a456fba0b3f4
- hash: d4339a5b9d15211dbc85424cf7fa8ff825033ea3378506d8ecb19b016db5b4ff
- hash: d833e8fc97b3c865ebfb96a48da9ec446148cb5ad7e66ca5c47cd693f7923888
- hash: df5a574254637d2880633b0582e956b23f66efc6781e825c65e1ccfaa6c58809
- hash: eee885e5dae750848d0903d179cacd81149ceecec83c2ec4ad4545531de3cfdf
- hash: f27eab3157451e31db71169e71f76d28325193218f9dc8f421136d4a20165feb
- hash: f5390674f0f49fe8af116396828c3de6729347ebc3c772d87618e55629aec06c
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.security.com/blog-post/trigona-exfiltration-custom
- Adversary: Rhantus
- Pulse ID: 69ea2ebf9d87464f7c54c08e
- Threat Score: null
Threat ID: 69eb327b87115cfb680bf4ce
Added to database: 4/24/2026, 9:06:03 AM
Last enriched: 5/5/2026, 1:36:22 AM
Last updated: 6/9/2026, 2:04:38 PM