<![CDATA[(security.com) Trigona Ransomware Affiliates Deploy Custom Data Exfiltration Tool with Advanced Evasion Capabilities]]>(security.com) Trigona Ransomware Affiliates Deploy Custom Data Exfiltration Tool with Advanced Evasion Capabilities

Trigona ransomware affiliates (Rhantus) now deploy *uploader_client.exe*—a custom exfiltration tool with advanced evasion capabilities, replacing off-the-shelf utilities like Rclone. This shift signals heightened operational maturity in pre-ransomware tradecraft.

In brief - Trigona RaaS operators have adopted a bespoke data exfiltration tool, enabling granular control over stolen data, parallel transfers, and connection rotation to evade detection. Attackers disable defenses via BYOVD, harvest credentials with Mimikatz/Nirsoft, and establish persistence via AnyDesk before exfiltrating high-value files.

Technically - *uploader_client.exe* communicates with C2 163.172.105.82:1080, using 5 parallel TCP streams per file, rotating connections after 2,048 MB. Pre-exfiltration activity includes kernel-level defense evasion via HRSword, PCHunter, and other BYOVD tools (e.g., Gmer, YDark), credential theft via Mimikatz and Nirsoft utilities, and elevated execution via PowerRun. File filtering prioritizes high-value extensions (e.g., PDFs, invoices).

Source: https://www.security.com/threat-intelligence/trigona-exfiltration-custom

]]>https://board.circlewithadot.net/topic/7d8c8bcb-d570-4f1e-a7aa-f720ce6157c9/security.com-trigona-ransomware-affiliates-deploy-custom-data-exfiltration-tool-with-advanced-evasion-capabilitiesRSS for NodeFri, 15 May 2026 06:17:41 GMTThu, 23 Apr 2026 11:03:34 GMT60