Trigona Ransomware Uses Custom Tools for Data Theft and Evasion


Tuesday, April 29, 2026

Researchers from Symantec report that the Trigona ransomware has evolved its tactics by using a self-developed command-line tool for data exfiltration instead of commonly detected tools like Rclone or MegaSync. This trend, observed in attacks during March 2026, highlights the group’s effort to increase sophistication and evade detection. Trigona operates as a Ransomware-as-a-Service (RaaS) group with links to the Rhantus cybercrime network and has been active since late 2022.

The newly developed tool, named “uploader_client.exe,” is designed to accelerate data exfiltration by establishing multiple simultaneous connections and periodically rotating them to avoid network monitoring systems. It can selectively target high-value files, such as documents and PDFs, for efficient data theft, and uses authentication keys to control access to the stolen data.
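As an added illustration (not code from the Symantec report or from the tool itself), the following defender-side heuristic scans outbound flow records for the pattern just described: many parallel connections from one host to one external destination, torn down and re-opened in batches, carrying a large outbound byte volume. The flow records, IP addresses and thresholds are constructed assumptions for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class Flow:
    """One outbound network flow: start/end in seconds, bytes sent by src."""
    start: int
    end: int
    src: str
    dst: str
    bytes_out: int

# Constructed sample data: 10.0.0.5 opens four parallel uploads to an
# external host, then tears them all down and opens four fresh ones.
# 10.0.0.7 is ordinary low-volume traffic that must not be flagged.
SAMPLE_FLOWS = (
    [Flow(0, 60, "10.0.0.5", "203.0.113.10", 20_000_000) for _ in range(4)]
    + [Flow(60, 120, "10.0.0.5", "203.0.113.10", 20_000_000) for _ in range(4)]
    + [Flow(10, 15, "10.0.0.7", "198.51.100.20", 4_000),
       Flow(30, 31, "10.0.0.7", "198.51.100.20", 2_000)]
)

def max_concurrent(flows):
    """Peak number of flows open at the same instant (sweep line).
    A close at time t sorts before an open at t, so back-to-back flows
    count as rotation, not as overlap."""
    events = sorted([(f.start, 1) for f in flows] + [(f.end, -1) for f in flows])
    cur = peak = 0
    for _, delta in events:
        cur += delta
        peak = max(peak, cur)
    return peak

def find_rotating_uploads(flows, min_parallel=4, min_rotations=2, min_mb=50):
    """Return (src, dst, peak_parallel, rotations, total_mb) for host pairs whose
    outbound flows look like a multi-connection, rotating bulk upload.
    Thresholds are assumptions to tune per environment, not report values."""
    by_pair = defaultdict(list)
    for f in flows:
        by_pair[(f.src, f.dst)].append(f)
    hits = []
    for (src, dst), fs in by_pair.items():
        first_close = min(f.end for f in fs)
        # a rotation is a flow opened only after an earlier flow had already closed
        rotations = sum(1 for f in fs if f.start >= first_close)
        total_mb = sum(f.bytes_out for f in fs) / 1_000_000
        peak = max_concurrent(fs)
        if peak >= min_parallel and rotations >= min_rotations and total_mb >= min_mb:
            hits.append((src, dst, peak, rotations, round(total_mb, 1)))
    return hits
```

In practice the same logic runs over exported NetFlow or firewall session logs, with the thresholds tuned against a baseline of legitimate backup and sync traffic so those are not flagged.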

Before exfiltration, attackers disable security protections using tools such as HRSword, PCHunter, and GMER, and exploit kernel-level driver vulnerabilities to escalate privileges. They then gain control of systems via remote access software like AnyDesk and extract credentials using tools such as Mimikatz or Nirsoft. The development of custom tooling significantly enhances their ability to bypass detection, despite requiring more resources, and reflects a broader trend among modern ransomware groups toward greater efficiency and stealth in cyberattacks.

Source: https://securityaffairs.com/191294/cyber-crime/trigona-ransomware-adopts-custom-tool-to-steal-data-and-evade-detection.html