Trigona Affiliates Deploy Custom Exfiltration Tool to Streamline Data Theft

Symantec observed Trigona ransomware affiliates in March 2026 using a custom exfiltration tool, uploader_client.exe, a command-line client that communicates with a hardcoded attacker-controlled server and supports parallel upload streams, connection rotation, granular file filtering, and built-in authentication. Before exfiltration the intruders disabled security products with kernel-driver-backed tools and vulnerable drivers (HRSword, PCHunter, Gmer, YDark, WKTools, DumpGuard, StpProcessMonitorByovd), maintained remote access with AnyDesk, and stole credentials with Mimikatz, all of which points to a higher level of technical maturity among the Trigona/Rhantus actors. #Trigona #Rhantus

Keypoints

  • Trigona affiliates deployed a custom command-line exfiltration tool, uploader_client.exe, that communicates with a hardcoded attacker-controlled server.
  • The uploader opens five parallel connections per file, rotates connections after roughly 2,048 MB, accepts --exclude-ext filtering to skip unwanted file types, and authenticates to the server with a shared key so that only a client holding the key can use the exfiltration channel.
  • Before exfiltrating, the attackers disabled security products with kernel-level tools and vulnerable drivers (HRSword, PCHunter, Gmer, YDark, WKTools, DumpGuard, StpProcessMonitorByovd).
  • Remote access to victims was obtained via AnyDesk, and credential theft used Mimikatz and Nirsoft password recovery utilities.
  • Replacing off-the-shelf utilities (Rclone, MegaSync) with custom tooling is a tactical shift intended to evade detections written for those well-known tools and to reduce the attackers' footprint during data theft.
  • Symantec published indicators and mitigation guidance (Symantec Protection Bulletin) alongside a list of file hashes and the exfiltration C2 IP address for detection and response.

MITRE Techniques

  • [T1041] Exfiltration Over Command and Control Channel – The custom uploader sent stolen files to an attacker server (‘the tool, which is called uploader_client.exe, is a command-line utility that communicates with a hardcoded attacker-controlled server.’)
  • [T1071] Application Layer Protocol – The uploader used application-layer communication to reach a hardcoded C2 server (‘communicates with a hardcoded attacker-controlled server.’)
  • [T1074] Data Staged – Attackers prepared and targeted specific folders and document types prior to exfiltration (‘the uploader was used to target folders containing invoices and high-value PDF documents stored on networked drives.’)
  • [T1219] Remote Access Software – Remote access to compromised hosts was achieved using AnyDesk, a commercial remote-access tool rather than a native remote service (‘The attackers gained remote access to infected machines using AnyDesk.’)
  • [T1003] OS Credential Dumping – Credentials were harvested with Mimikatz and password-recovery utilities from Nirsoft (‘Credential theft also occurred, using specialized tools such as Mimikatz and various password recovery utilities from Nirsoft’)
  • [T1562.001] Disable or Modify Tools – Operators deployed tools and drivers to kill or bypass security products before exfiltration (‘The deployment of the custom uploader is preceded by attempts to kill security. The attackers installed the Huorong Network Security Suite tool HRSword as a kernel driver service.’)
  • [T1215] Kernel Modules and Extensions – Attackers loaded vulnerable kernel drivers to terminate endpoint protection processes (‘Many of these leveraged vulnerable kernel drivers to terminate endpoint protection processes.’)
  • [T1105] Ingress Tool Transfer – A range of third-party and custom utilities were brought onto victim hosts to carry out the security-disabling and credential-theft activities (‘a range of additional security-disabling tools were deployed, including: PCHunter; Gmer; YDark; WKTools, DumpGuard, and StpProcessMonitorByovd.’)
  • [T1548] Abuse Elevation Control Mechanism – PowerRun was used to run tools with elevated privileges so that protections could be disabled (‘PowerRun was used to execute some of these tools with elevated privileges.’)
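The technique list above describes a staged sequence on each victim host: a kernel driver service is installed, security tools are killed (sometimes launched through PowerRun), credentials are dumped, and only then is the uploader run. The following Python correlates that sequence per host from service-installation and process-creation telemetry. It is an added example, not Symantec's code or the attackers' tooling; the event records are constructed, the six-hour window and the user-writable-directory pattern are assumptions, and apart from wktools.sys and uploader_client.exe the page gives no file names, so the other tools are matched as substrings on the assumption that their binaries carry their product names.

```python
"""Per-host correlation of the Trigona intrusion stages described above.
Added example with constructed events; thresholds and name patterns are
assumptions, not facts from the Symantec report."""
from collections import defaultdict
import ntpath
import re

# Tool names taken from the page, matched case-insensitively as substrings
# of the image file name (assumption: the binaries carry these names).
KILLER_TOOLS = ("hrsword", "pchunter", "gmer", "ydark", "wktools",
                "dumpguard", "stpprocessmonitorbyovd")
CRED_TOOLS = ("mimikatz",)
REMOTE_TOOLS = ("anydesk",)
UPLOADER = "uploader_client.exe"   # file name given on the page
LAUNCHER = "powerrun.exe"          # PowerRun is used to elevate the killers
# Kernel drivers are not normally installed from these locations (assumption).
WRITABLE_DIRS = re.compile(r"\\(temp|users|programdata|downloads)\\", re.IGNORECASE)
WINDOW = 6 * 3600                  # correlate stages within six hours (assumption)

# Constructed telemetry: (timestamp_s, host, kind, fields)
SAMPLE_EVENTS = [
    (1000, "WS-017", "service_install",
     {"name": "WKTools", "image": r"C:\Users\adm\Temp\wktools.sys", "type": "kernel"}),
    (1400, "WS-017", "process_create",
     {"image": r"C:\Users\adm\Temp\PowerRun.exe",
      "cmdline": r"PowerRun.exe C:\Users\adm\Temp\HRSword.exe"}),
    (1500, "WS-017", "process_create",
     {"image": r"C:\Users\adm\Temp\mimikatz.exe", "cmdline": "mimikatz.exe"}),
    (3000, "WS-017", "process_create",
     {"image": r"C:\Users\adm\Temp\uploader_client.exe", "cmdline": "uploader_client.exe"}),
    # A benign host: a vendor driver from System32 and an AnyDesk session only.
    (2000, "WS-042", "service_install",
     {"name": "vmci", "image": r"C:\Windows\System32\drivers\vmci.sys", "type": "kernel"}),
    (2100, "WS-042", "process_create",
     {"image": r"C:\Program Files\AnyDesk\AnyDesk.exe", "cmdline": "AnyDesk.exe"}),
]


def _base(path):
    """Lower-cased file name of a Windows path (works on any OS)."""
    return ntpath.basename(path).lower()


def _matches(name, patterns):
    return any(p in name for p in patterns)


def classify(kind, f):
    """Map one event to an intrusion stage, or None if it is not of interest."""
    if kind == "service_install":
        if f.get("type") != "kernel":
            return None
        if _matches(_base(f["image"]), KILLER_TOOLS) or WRITABLE_DIRS.search(f["image"]):
            return "driver-load"
        return None
    if kind == "process_create":
        name = _base(f["image"])
        if name == UPLOADER:
            return "uploader"
        if _matches(name, KILLER_TOOLS):
            return "security-kill"
        # PowerRun itself is not malicious; flag it only when it launches a killer.
        if name == LAUNCHER and _matches(f.get("cmdline", "").lower(), KILLER_TOOLS):
            return "security-kill"
        if _matches(name, CRED_TOOLS):
            return "credential-theft"
        if _matches(name, REMOTE_TOOLS):
            return "remote-access"
    return None


def correlate(events):
    """Return {host: {"stages": [...in time order], "chain": bool}} where
    chain is True when a driver-load or security-kill precedes the uploader
    within WINDOW seconds."""
    per_host = defaultdict(list)
    for ts, host, kind, f in sorted(events, key=lambda e: e[0]):
        stage = classify(kind, f)
        if stage:
            per_host[host].append((ts, stage))
    report = {}
    for host, stages in per_host.items():
        prep = [ts for ts, s in stages if s in ("driver-load", "security-kill")]
        chain = any(any(0 <= ts_u - ts_p <= WINDOW for ts_p in prep)
                    for ts_u, s in stages if s == "uploader")
        report[host] = {"stages": [s for _, s in stages], "chain": chain}
    return report


if __name__ == "__main__":
    for host, result in correlate(SAMPLE_EVENTS).items():
        print(host, result)
```

Matching on file names is only the cheapest signal; the driver-load rule also fires on any kernel driver service installed from a user-writable directory regardless of name, which is what catches a renamed copy of a vulnerable driver.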

Indicators of Compromise

  • [File hash] Known malicious and tool hashes observed in the attacks – 396aa1f8f308010a3c76a53965d0eddd35e41176eacd1194745d9542239ca8dc (uploader_client.exe), 0b679027e38f3d9ca554085be0e762c651e83e6414401b56635cdf3765ca1dac (AnyDesk), and 40 further hashes (42 listed in total in the Symantec report).
  • [File name] Executables and drivers used in the operation – uploader_client.exe (custom exfiltration client), wktools.sys (vulnerable kernel driver loaded to impair defenses).
  • [IP address] Exfiltration command-and-control endpoint – 163.172.105.82, port 1080, the hardcoded server to which uploader_client.exe sends stolen data.
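The indicators above cover this one campaign, but the key points also give the uploader's behaviour (five parallel connections per file, rotation after about 2,048 MB), which is a signal that survives a change of server. The following Python matches file hashes and the listed endpoint against constructed flow records and, separately, flags the traffic shape itself, so a host showing the same pattern towards an address that is not yet on the list is still surfaced. It is an added example, not Symantec's code; the flow log, the +/-10 % size tolerance and the five-stream threshold are assumptions.

```python
"""IOC matching plus a behavioural check for the Trigona uploader's traffic
shape.  Added example; the flow log is constructed and the thresholds are
assumptions drawn from the page's description of the tool."""
from collections import defaultdict
import hashlib

# Indicators taken from the page.
EXFIL_ENDPOINT = ("163.172.105.82", 1080)
KNOWN_HASHES = {
    "396aa1f8f308010a3c76a53965d0eddd35e41176eacd1194745d9542239ca8dc": "uploader_client.exe",
    "0b679027e38f3d9ca554085be0e762c651e83e6414401b56635cdf3765ca1dac": "AnyDesk",
}
# Behavioural thresholds derived from the page's description (assumptions).
MIN_PARALLEL = 5                     # five connections per file
ROTATION_BYTES = 2048 * 1024 * 1024  # connection rotates after ~2,048 MB
TOLERANCE = 0.10                     # accept +/-10 % around the rotation size

# Constructed flow log: src,dst,dport,bytes_out,start_s,end_s
SAMPLE_FLOWS = """\
# 10.0.5.14 talks to the listed server with five overlapping ~2 GB streams
10.0.5.14,163.172.105.82,1080,2147483648,0,600
10.0.5.14,163.172.105.82,1080,2100000000,5,610
10.0.5.14,163.172.105.82,1080,2147000000,10,620
10.0.5.14,163.172.105.82,1080,2200000000,15,630
10.0.5.14,163.172.105.82,1080,2147483648,20,640
# 10.0.5.20 shows the same shape towards an address that is not an IOC
10.0.5.20,203.0.113.7,443,2147483648,0,900
10.0.5.20,203.0.113.7,443,2147483648,1,900
10.0.5.20,203.0.113.7,443,2147483648,2,900
10.0.5.20,203.0.113.7,443,2147483648,3,900
10.0.5.20,203.0.113.7,443,2147483648,4,900
# 10.0.5.33: one large upload and one small one, nothing parallel
10.0.5.33,203.0.113.9,443,2147483648,0,900
10.0.5.33,203.0.113.9,443,1500,0,3
"""


def sha256_file(data: bytes) -> str:
    """SHA-256 hex digest of file contents, the value to compare with KNOWN_HASHES."""
    return hashlib.sha256(data).hexdigest()


def lookup_hash(digest: str):
    """Return the tool name for a known SHA-256, else None."""
    return KNOWN_HASHES.get(digest.strip().lower())


def parse_flows(text: str):
    """Parse the CSV flow log into dicts; '#' lines and blanks are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, dport, nbytes, start, end = line.split(",")
        flows.append({"src": src, "dst": dst, "dport": int(dport),
                      "bytes": int(nbytes), "start": int(start), "end": int(end)})
    return flows


def max_concurrency(flows):
    """Peak number of flows open at the same instant (sweep over start/end;
    on a tie an end sorts before a start, so abutting flows do not overlap)."""
    events = [(f["start"], 1) for f in flows] + [(f["end"], -1) for f in flows]
    cur = peak = 0
    for _, delta in sorted(events):
        cur += delta
        peak = max(peak, cur)
    return peak


def near_rotation_size(nbytes: int) -> bool:
    return abs(nbytes - ROTATION_BYTES) <= ROTATION_BYTES * TOLERANCE


def analyse(flows):
    """Return {src_host: sorted reasons}: 'ioc:<dst>:<port>' for the listed
    server, 'uploader-pattern:<dst>:<port>' for >= MIN_PARALLEL concurrent
    streams to one endpoint that each end near the rotation size."""
    findings = defaultdict(set)
    groups = defaultdict(list)
    for f in flows:
        if (f["dst"], f["dport"]) == EXFIL_ENDPOINT:
            findings[f["src"]].add("ioc:%s:%d" % EXFIL_ENDPOINT)
        groups[(f["src"], f["dst"], f["dport"])].append(f)
    for (src, dst, dport), group in groups.items():
        sized = [f for f in group if near_rotation_size(f["bytes"])]
        if len(sized) >= MIN_PARALLEL and max_concurrency(sized) >= MIN_PARALLEL:
            findings[src].add(f"uploader-pattern:{dst}:{dport}")
    return {host: sorted(reasons) for host, reasons in findings.items()}


if __name__ == "__main__":
    for host, reasons in analyse(parse_flows(SAMPLE_FLOWS)).items():
        print(host, reasons)
```

The behavioural rule is deliberately narrow (parallel streams that all end near the rotation size) so that ordinary large uploads such as backups do not fire; a real deployment would widen it with the destination's reputation and the source host's normal egress baseline.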


Read more: https://www.security.com/threat-intelligence/trigona-exfiltration-custom