Trigona ransomware adds custom data-stealing tool to evade detection

Misryoum reports Trigona operators used a custom uploader_client.exe to speed data exfiltration, rotate traffic, and avoid triggering common security tools, while also disabling protections via kernel-level tactics.
Trigona ransomware has resurfaced with a sharper focus on how data is taken—not just how systems are encrypted.
Recent activity linked to the Trigona ransomware campaign shows the attackers relying on a custom command-line utility to exfiltrate files from compromised networks more quickly and with fewer telltale signals than publicly available tools. For defenders, the change matters because it shifts attention from “what gets encrypted” to “how stolen data leaves the environment,” a phase that can determine whether victims face faster, more persuasive extortion.
The custom uploader behind faster exfiltration
The data-stealing utility has been identified as “uploader_client.exe.” It connects to a hardcoded server address and is designed to move data in ways that make interception and detection harder. In Misryoum’s coverage of the latest observations, the most notable improvements are the built-in mechanisms that optimize upload speed while trying to reduce monitoring visibility.
Among the documented behaviors: the tool supports five simultaneous connections per file, enabling parallel uploads instead of one slow transfer at a time. It also rotates TCP connections after 2GB of traffic, a tactic aimed at disrupting patterns that security teams often use to flag unusual outbound data movement. There’s also a selective approach to what gets copied—skipping large, low-value media files—which can reduce total transfer volume and help prioritize high-value documents.
The tool’s design includes an authentication key meant to limit access to stolen data by outsiders, suggesting Trigona operators are trying to keep the stolen haul controlled within their own workflow. In at least one incident, Misryoum notes the exfiltration targeted high-value content such as invoices and PDFs stored on network drives—exactly the kind of material that strengthens extortion leverage.
Why attackers avoid common exfiltration tools
This is where the broader strategy becomes clear. Public utilities like Rclone or MegaSync are widely known and frequently monitored, meaning they can trigger security detections during data exfiltration. By using a custom uploader, the attackers can reduce the chance that defenders immediately recognize the behavior as “known exfil tools” and react in time.
In plain terms, it’s not only about stealing data—it’s about the timing. If defenders spot exfiltration early, they can potentially contain systems, cut outbound access, and preserve evidence. If exfiltration blends into less suspicious traffic patterns, it can continue longer before anyone realizes how much has already left.
Misryoum also highlights a reported rationale: the shift toward proprietary tooling suggests the threat actors are investing effort in lowering their profile during a critical phase of the attack. That’s an operational sign that Trigona is evolving from a “commodity” pattern into a more tailored, repeatable workflow.
Kernel-level drivers and disabling security products
The exfiltration tool doesn’t appear in isolation. The same observations describe additional steps used to keep the environment under attacker control and weaken defenses. One phase involves installing HRSword, a network security suite tool, as a kernel driver service.
Following that, the attackers deploy further utilities designed to disable security-related products. Misryoum notes that several of these tools reportedly relied on vulnerable kernel drivers to terminate endpoint protection processes—an approach that goes beyond typical user-mode tampering. If an endpoint defense is killed from the kernel level, traditional “process termination” signals can be less reliable, and recovery can take longer.
Some utilities were executed using a component called PowerRun to launch apps, executables, and scripts with elevated privileges. That matters because elevating execution can bypass protections that assume the attacker will only operate within normal user permissions.
Remote access, credential theft, and the ransomware pipeline
To maintain access, AnyDesk was reportedly used for direct remote control of breached systems. That can allow attackers to browse, locate valuable files, and coordinate the next stages without relying solely on automation.
Credential theft also features in the described sequence. Tools including Mimikatz and Nirsoft utilities were reportedly used for credential access and password recovery. This is important because ransomware operations thrive on speed and reach: stolen credentials can expand access to additional systems, unlock network shares, and accelerate the search for documents like invoices and PDFs that can later be used for extortion.
Even when Ukrainian cyber activists reportedly disrupted parts of the Trigona operation in October 2023—by compromising servers and stealing internal information—Misryoum’s reporting indicates the activity may have continued afterward. That aligns with what many incident responders see in real-world ransomware patterns: disruption doesn’t always end operations; it can simply force changes in tools, infrastructure, and tradecraft.
What this means for defenders now
For organizations trying to reduce ransomware risk, the most practical takeaway is to focus on the full chain of compromise, not only on encryption events. The introduction of a custom exfiltration tool suggests defenders should tune alerts for outbound behavior patterns, especially parallel uploads, connection rotation, and suspicious traffic bursts tied to document stores.
Network segmentation and strict egress controls can help reduce the “escape routes” attackers rely on during exfiltration. Endpoint hardening also matters: if attackers can install kernel drivers or terminate security products, responders may need better playbooks for rapid isolation and forensic capture before critical data leaves.
Finally, Misryoum suggests teams should treat detection and response as a loop. Knowing how the uploader_client.exe behavior works can inform what to hunt for, but the real win comes from combining technical detection with operational speed—so containment can happen while the attack is still in motion.
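The two uploader behaviors described earlier (five simultaneous connections per file, and TCP connections rotated after roughly 2GB) translate directly into the outbound-traffic alerts suggested here. The script below is an added illustration, not code from the article or from Misryoum: it runs two heuristics over flow records (Zeek conn.log or NetFlow-style start/end/bytes tuples, constructed inline with reserved documentation IP ranges), flags a source/destination pair with at least five concurrent outbound connections, and flags a pair whose repeated connections each stop near a fixed byte cap. The thresholds PARALLEL_THRESHOLD and ROTATION_BYTES come from the article; ROTATION_MIN_CONNS and ROTATION_TOLERANCE are assumed tuning values a team would adjust to its own baseline.

```python
"""Heuristic detection of parallel-upload and connection-rotation exfiltration patterns.

Added example, not part of the original article or any vendor product. Flow
records are constructed below; thresholds marked "article" are taken from the
reported tool behavior, those marked "assumed" are tuning choices.
"""
from collections import defaultdict
from dataclasses import dataclass

PARALLEL_THRESHOLD = 5           # article: five simultaneous connections per file
ROTATION_BYTES = 2_000_000_000   # article: connections rotated after ~2GB of traffic
ROTATION_TOLERANCE = 0.10        # assumed: +/-10% covers both the 2 GB and 2 GiB readings
ROTATION_MIN_CONNS = 3           # assumed: how many capped flows to the same peer before alerting


@dataclass(frozen=True)
class Flow:
    start: float      # epoch seconds when the connection opened
    end: float        # epoch seconds when it closed
    src: str          # internal host
    dst: str          # external peer
    dport: int
    bytes_out: int    # bytes sent by src toward dst


def _group_by_pair(flows):
    by_pair = defaultdict(list)
    for f in flows:
        by_pair[(f.src, f.dst)].append(f)
    return by_pair


def max_concurrent(flows):
    """Peak number of flows open at the same instant (sweep-line over open/close events)."""
    events = []
    for f in flows:
        events.append((f.start, 1))
        events.append((f.end, -1))
    events.sort()                  # at equal timestamps a close (-1) sorts before an open (+1)
    current = peak = 0
    for _, delta in events:
        current += delta
        peak = max(peak, current)
    return peak


def detect_parallel_uploads(flows, threshold=PARALLEL_THRESHOLD):
    """Return {(src, dst): peak_concurrency} for pairs at or above the threshold."""
    hits = {}
    for pair, fs in _group_by_pair(flows).items():
        peak = max_concurrent(fs)
        if peak >= threshold:
            hits[pair] = peak
    return hits


def detect_rotation(flows, cap=ROTATION_BYTES, tol=ROTATION_TOLERANCE, min_conns=ROTATION_MIN_CONNS):
    """Return {(src, dst): (capped_flow_count, total_bytes_out)} where repeated
    connections to one peer each stop close to the same byte cap, the signature
    of a client that deliberately re-dials after a fixed amount of traffic."""
    lo, hi = cap * (1 - tol), cap * (1 + tol)
    hits = {}
    for pair, fs in _group_by_pair(flows).items():
        capped = [f for f in fs if lo <= f.bytes_out <= hi]
        if len(capped) >= min_conns:
            hits[pair] = (len(capped), sum(f.bytes_out for f in fs))
    return hits


# Constructed sample: a file server pushing data to one external peer in two phases,
# plus a benign host with a couple of small overlapping sessions.
SAMPLE_FLOWS = [
    # phase 1: five overlapping connections for one file (parallel upload)
    *[Flow(1000 + i, 1300, "10.0.5.20", "203.0.113.45", 443, 300_000_000) for i in range(5)],
    # phase 2: sequential connections that each stop at ~2.1 GB (rotation)
    Flow(2000, 2600, "10.0.5.20", "203.0.113.45", 443, 2_100_000_000),
    Flow(2700, 3300, "10.0.5.20", "203.0.113.45", 443, 2_100_000_000),
    Flow(3400, 4000, "10.0.5.20", "203.0.113.45", 443, 2_100_000_000),
    # benign: two overlapping, low-volume sessions
    Flow(1000, 1050, "10.0.5.31", "198.51.100.7", 443, 50_000),
    Flow(1010, 1040, "10.0.5.31", "198.51.100.7", 443, 42_000),
]


def run(flows=SAMPLE_FLOWS):
    return {"parallel": detect_parallel_uploads(flows), "rotation": detect_rotation(flows)}


if __name__ == "__main__":
    for kind, hits in run().items():
        for (src, dst), detail in hits.items():
            print(f"[{kind}] {src} -> {dst}: {detail}")
```

Both heuristics key on the internal-to-external pair rather than on a tool name, which is the point: a renamed or custom uploader still has to open the connections and move the bytes. In practice the sample would be replaced by a parse of the flow log, the destination filtered to non-allowlisted external addresses, and the rotation alert joined with where the source host sits (file server, document store) to rank it.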