Ethical Hacking News
Trigona ransomware has adopted a custom-built command-line tool that speeds up data exfiltration and makes it harder to detect. The tool opens multiple parallel connections, rotates them periodically, and uses authentication keys to restrict access to the stolen data.
The Trigona ransomware group has adopted a custom-built command-line tool to steal data more efficiently and evade detection. The new tool, uploader_client.exe, connects directly to an attacker-controlled server, giving the attackers complete control over the exfiltration process. It opens multiple parallel connections and rotates them to speed up transfer and evade detection, and it filters out large, low-value files to focus on sensitive data such as documents. The tool complements Trigona's existing arsenal of security evasion techniques.
Ransomware groups continually update their tactics to evade detection and improve their efficiency. One such group is Trigona, which has been active in the ransomware-as-a-service (RaaS) ecosystem since late 2022. In April 2026, Symantec researchers revealed that Trigona had adopted a custom-built command-line tool to steal data more efficiently and evade detection.
The new tool, dubbed uploader_client.exe, connects directly to an attacker-controlled server, giving the attackers complete control over the data exfiltration process. It opens multiple parallel connections, which significantly speeds up the transfer of sensitive data, and it incorporates a rotation mechanism that periodically replaces its TCP connections, making the activity harder for network monitoring to detect and flag.
One notable feature of the tool is that it filters out large, low-value files and focuses on sensitive data such as documents, so the attackers do not waste time and bandwidth on data they do not want. The tool also uses an authentication key to restrict access to the uploaded data on the server, so that only the operators can retrieve what was stolen.
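The parallel, rotating connections described above leave a recognisable footprint in flow or firewall logs even when the payload is encrypted: one process on one host holds several simultaneous connections to the same external address, replaces them every few seconds, and pushes a large outbound byte count. The following Python detector is an added example for defenders, not code from Symantec or from the tool itself; the CSV flow format, the sample records and the thresholds are assumptions made here for illustration.

```python
"""Flag processes whose outbound traffic looks like a parallel, rotating bulk
upload to a single external host. Added illustration only; the flow-record
format, the sample data and the thresholds below are assumptions."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Flow:
    start: int       # seconds since the start of the capture window
    end: int
    host: str
    process: str
    pid: int
    dst: str
    dst_port: int
    bytes_out: int


# Constructed sample records (not real telemetry):
# start_s,end_s,host,process,pid,dst,dst_port,bytes_out
SAMPLE_FLOWS = """\
0,10,WS01,uploader_client.exe,4120,203.0.113.10,443,30000000
0,10,WS01,uploader_client.exe,4120,203.0.113.10,443,30000000
0,10,WS01,uploader_client.exe,4120,203.0.113.10,443,30000000
0,10,WS01,uploader_client.exe,4120,203.0.113.10,443,30000000
0,10,WS01,uploader_client.exe,4120,203.0.113.10,443,30000000
10,20,WS01,uploader_client.exe,4120,203.0.113.10,443,30000000
10,20,WS01,uploader_client.exe,4120,203.0.113.10,443,30000000
10,20,WS01,uploader_client.exe,4120,203.0.113.10,443,30000000
10,20,WS01,uploader_client.exe,4120,203.0.113.10,443,30000000
10,20,WS01,uploader_client.exe,4120,203.0.113.10,443,30000000
0,60,WS01,chrome.exe,2210,198.51.100.5,443,2000000
5,40,WS01,chrome.exe,2210,198.51.100.5,443,500000
30,90,WS01,chrome.exe,2210,198.51.100.5,443,1500000
0,600,WS02,backup_agent.exe,880,192.0.2.7,22,500000000
"""


def parse_flows(text):
    """Parse the constructed CSV format into Flow records."""
    flows = []
    for line in text.strip().splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split(",")
        flows.append(Flow(int(f[0]), int(f[1]), f[2], f[3], int(f[4]),
                          f[5], int(f[6]), int(f[7])))
    return flows


def max_concurrency(flows):
    """Peak number of simultaneously open connections in a group (sweep line)."""
    events = []
    for fl in flows:
        events.append((fl.start, 1))
        events.append((fl.end, -1))
    # Sort by time; at equal times process the end (-1) before the start (+1)
    # so that a connection replaced at the same instant is not double counted.
    events.sort(key=lambda e: (e[0], e[1]))
    current = peak = 0
    for _, delta in events:
        current += delta
        peak = max(peak, current)
    return peak


def find_bulk_uploads(flows, parallel_min=4, connections_min=8,
                      bytes_min=100_000_000):
    """Return one finding per (host, process, pid, destination) that shows
    parallel connections, frequent connection rotation and a large outbound
    volume at the same time. All three must hold, so a single long backup
    stream or an ordinary browser session is not reported."""
    groups = defaultdict(list)
    for fl in flows:
        groups[(fl.host, fl.process, fl.pid, fl.dst)].append(fl)

    findings = []
    for (host, process, pid, dst), fls in groups.items():
        total = sum(f.bytes_out for f in fls)
        peak = max_concurrency(fls)
        mean_duration = sum(f.end - f.start for f in fls) / len(fls)
        if peak >= parallel_min and len(fls) >= connections_min and total >= bytes_min:
            findings.append({
                "host": host, "process": process, "pid": pid, "dst": dst,
                "max_parallel": peak, "connections": len(fls),
                "mean_duration_s": mean_duration, "bytes_out": total,
            })
    return findings


if __name__ == "__main__":
    for hit in find_bulk_uploads(parse_flows(SAMPLE_FLOWS)):
        print(hit)
```

The detector keys on behaviour rather than on the file name, because a renamed uploader would otherwise slip through, and it works on connection metadata alone, so TLS on port 443 does not hide the pattern. In production the thresholds should be tuned against a baseline of the environment's own backup, sync and browser traffic, and destinations belonging to approved services can be allow-listed before grouping.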
Furthermore, Trigona's custom-built tool complements the group's existing arsenal of security evasion techniques. The attackers disable security tools with utilities such as HRSword, PCHunter and GMER, often abusing vulnerable kernel drivers to kill protections. PowerRun runs these operations with elevated privileges, and AnyDesk gives the attackers remote access to compromised systems. Mimikatz and NirSoft password recovery utilities let them steal credentials from applications and browsers.
The development and deployment of such custom-built tools reflects a growing trend in the cybercrime world. Creating them requires a significant investment of time and resources, but in return they give attackers a high degree of stealth and control over their operations. As researchers, it is essential to stay vigilant and monitor these emerging trends to develop effective countermeasures against such advanced threats.
In conclusion, Trigona's adoption of a custom-built data exfiltration tool marks a significant shift in the group's tactics and techniques. The tool's ability to speed up data transfer, evade detection and restrict access to the stolen data makes it a valuable addition to the attackers' arsenal. As the cybercrime landscape continues to evolve, security professionals need to remain proactive and adapt their strategies to keep pace with these emerging threats.
Related Information:
https://www.ethicalhackingnews.com/articles/The-Rise-of-Customized-Malware-Trigona-Ransomwares-Cutting-Edge-Data-Stealing-Tool-ehn.shtml
https://securityaffairs.com/191294/cyber-crime/trigona-ransomware-adopts-custom-tool-to-steal-data-and-evade-detection.html
https://www.security.com/threat-intelligence/trigona-exfiltration-custom
https://cyberpress.org/ransomware-hackers-steal-data/
https://thecyberexpress.com/trigona-ransomware-takedown-with-servers-wiped/
https://www.bankinfosecurity.com/ukrainian-hacktivists-claim-trigona-ransomware-takedown-a-23343
https://asec.ahnlab.com/en/63145/
https://www.socinvestigation.com/comprehensive-list-of-apt-threat-groups-motives-and-attack-methods/
https://cloud.google.com/security/resources/insights/apt-groups
https://attack.mitre.org/groups/
https://cybersecuritynews.com/apt35-hacker-groups-internal-documents/
https://gbhackers.com/apt35-data-leak/
Published: Sun Apr 26 06:20:34 2026 by llama3.2 3B Q4_K_M