Trigona Exfiltration Tool: New Proprietary Malware Evades Security Defenses

The ransomware-as-a-service (RaaS) landscape has shifted in early 2026 from volume-based encryption toward targeted, high-speed data theft. At the center of this shift is the Trigona ransomware operation, which has moved away from off-the-shelf utilities in favor of a bespoke exfiltration client. In April 2026, researchers at Symantec and Carbon Black documented a proprietary Trigona exfiltration tool identified as “uploader_client.exe.” The discovery marks a step up in the group’s operational maturity: custom tooling built to move data quickly past network monitoring, deployed into environments where Endpoint Detection and Response (EDR) has already been impaired by other tools in the kit.
Anatomy of the Trigona Exfiltration Tool: Technical Breakthroughs
Historically, ransomware affiliates have relied on legitimate file-transfer tools such as Rclone or MegaSync to conduct data theft. While these tools are robust and reliable, their widespread use has turned them into “loud” indicators of compromise (IoCs). Modern security stacks now trigger immediate alerts upon the execution of Rclone in environments where it is not a standard administrative utility. Recognizing this visibility gap, the Rhantus group—the threat actor behind the Trigona RaaS platform—invested in the development of a dedicated command-line utility. The Trigona exfiltration tool is not merely a wrapper for existing protocols but a purpose-built engine engineered for speed, stealth, and granular control.
The technical architecture of “uploader_client.exe” reflects an advanced understanding of enterprise network bottlenecks and security triggers. Unlike standard tools that upload files sequentially or in a single stream, this proprietary client is built for maximum bandwidth utilization. Key technical features observed by researchers include:
- Parallel Streaming: The tool defaults to five simultaneous data transfer streams per file. This multi-threaded approach allows attackers to saturate the victim’s outbound bandwidth, ensuring that massive datasets are exfiltrated before incident response teams can initiate a network isolation protocol.
- Connection Rotation: One of the most sophisticated features of the Trigona exfiltration tool is its ability to rotate its TCP connection after every 2,048 MB (2 GB) of data transmitted. By constantly refreshing the connection and potentially switching between different hardcoded destination IPs, the tool bypasses network behavior analytics that flag long-lived, high-volume sessions as suspicious.
- Integrated Authentication: To prevent security researchers or rival gangs from intercepting the data or accessing the exfiltration server, the tool requires a shared authentication key. This ensures that only authorized instances of the “uploader_client.exe” can interact with the attacker-controlled repository.
Breaking the Bottleneck: Parallel Streaming and Bandwidth Saturation
The introduction of parallel streaming is more than a convenience; it is a tactical necessity in the era of multi-terabyte data breaches. In traditional exfiltration scenarios, a single-stream upload might take hours or days to complete, providing security operations centers (SOCs) with a broad window for detection. The Trigona exfiltration tool utilizes a multi-threaded architecture that breaks down large files into chunks, uploading them concurrently. This minimizes the “dwell time” during the data-theft phase, which is often the most vulnerable moment for an attacker.
By saturating the available bandwidth, Trigona affiliates can move entire network drives worth of sensitive documentation in a fraction of the time required by previous generations of malware. This “smash and grab” approach to data theft is specifically designed to outrun the human-in-the-loop response times of many managed service providers (MSPs) and mid-market enterprises.
Evading Network Monitors: The 2GB Connection Rotation Logic
Network Detection and Response (NDR) systems often rely on flow records to identify anomalies. A single internal host sending 500 GB over an eight-hour window to a previously unseen external address is a classic red flag. The Trigona exfiltration tool disrupts per-session detection logic through connection rotation: by terminating and re-establishing the TCP session after every 2 GB of traffic, it turns one transfer into a series of smaller, seemingly disconnected flows, none of which is individually remarkable by size or duration.
When combined with legitimate-looking hardcoded server addresses or compromised infrastructure, this rotation makes it significantly harder for automated systems that score each session on its own to recognize the traffic as a single, massive exfiltration event. It “quiets” the network signature of the theft, letting the attackers blend in with the background noise of cloud-syncing services or software updates. The caveat for defenders is that rotation changes the shape of the traffic, not its total: the bytes still leave the same host for the same destination, so analytics that sum egress per source/destination pair across sessions and over hours, rather than per flow, still see the full volume.
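The aggregation the previous two paragraphs argue for, as an added example written for this article rather than code from the Symantec/Carbon Black research or from the Trigona toolkit: it groups NetFlow/IPFIX-style records by internal source and external destination, sums the bytes across every session in a window, and reports how many sessions fall at the 2 GB rotation size and how many ran in parallel. The CSV field layout, the 20 GiB / 8 hour thresholds, the RFC 1918 definition of “internal” and the sample records are all constructed assumptions. This is also the check that the egress-monitoring recommendation in the conclusion calls for.

```python
"""Flow-record analytics that re-assemble exfiltration split across many sessions.

Added example, not code from the Symantec/Carbon Black research or from Trigona:
it aggregates NetFlow/IPFIX-style records by (internal source, external
destination) so that a transfer chopped into ~2 GiB sessions and spread over
parallel streams is still scored as one event. Thresholds and the sample
records are constructed assumptions; tune them against your own baseline.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
import ipaddress

GIB = 1024 ** 3
VOLUME_THRESHOLD = 20 * GIB          # assumed: >20 GiB to one external host inside WINDOW
WINDOW = timedelta(hours=8)
ROTATION_SIZE = 2 * GIB              # article: the client reconnects every 2,048 MB
ROTATION_TOLERANCE = 0.05            # sessions within +/-5% of 2 GiB count as rotation-sized
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Flow:
    start: datetime
    end: datetime
    src: str
    dst: str
    dst_port: int
    bytes_out: int


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flows(lines):
    """Parse CSV records 'start,end,src,dst,dst_port,bytes' (ISO-8601 timestamps)."""
    flows = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        s, e, src, dst, port, nbytes = line.split(",")
        flows.append(Flow(datetime.fromisoformat(s), datetime.fromisoformat(e),
                          src, dst, int(port), int(nbytes)))
    return flows


def max_concurrency(flows) -> int:
    """Sweep-line count of overlapping sessions. An end and a start at the same
    instant are treated as sequential (rotation), not parallel."""
    events = [(f.start, 1) for f in flows] + [(f.end, -1) for f in flows]
    events.sort()                       # (-1) sorts before (+1) at equal timestamps
    current = peak = 0
    for _, delta in events:
        current += delta
        peak = max(peak, current)
    return peak


def analyze(flows):
    """One finding per internal->external pair whose summed egress crosses the
    threshold inside WINDOW, regardless of how many sessions carried it."""
    pairs = defaultdict(list)
    for f in flows:
        if is_internal(f.src) and not is_internal(f.dst):
            pairs[(f.src, f.dst)].append(f)

    lo, hi = ROTATION_SIZE * (1 - ROTATION_TOLERANCE), ROTATION_SIZE * (1 + ROTATION_TOLERANCE)
    findings = []
    for (src, dst), fs in pairs.items():
        fs.sort(key=lambda f: f.start)
        span = max(f.end for f in fs) - fs[0].start
        total = sum(f.bytes_out for f in fs)
        if total < VOLUME_THRESHOLD or span > WINDOW:
            continue
        findings.append({
            "src": src, "dst": dst, "total_bytes": total, "sessions": len(fs),
            "rotation_sized": sum(1 for f in fs if lo <= f.bytes_out <= hi),
            "max_concurrent": max_concurrency(fs),
            "span_minutes": span.total_seconds() / 60,
        })
    return findings


def constructed_sample():
    """Constructed flow records (not real telemetry): three 20-minute rounds of
    five parallel streams, most exactly 2 GiB, plus benign traffic."""
    lines = ["# start,end,src,dst,dst_port,bytes"]
    t0 = datetime(2026, 4, 2, 1, 0)
    for rnd in range(3):
        s = (t0 + rnd * timedelta(minutes=20)).isoformat()
        e = (t0 + (rnd + 1) * timedelta(minutes=20)).isoformat()
        for stream in range(5):
            tail = rnd == 2 and stream >= 2           # last round: three short tails
            nbytes = 500 * 1024 ** 2 if tail else 2 * GIB
            lines.append(f"{s},{e},10.0.5.23,203.0.113.45,443,{nbytes}")
    lines.append("2026-04-02T01:05:00,2026-04-02T01:06:00,10.0.5.40,198.51.100.10,443,52428800")  # small, benign
    lines.append("2026-04-02T01:00:00,2026-04-02T03:00:00,10.0.5.23,10.0.9.9,445,53687091200")    # internal backup, ignored
    return lines


if __name__ == "__main__":
    for finding in analyze(parse_flows(constructed_sample())):
        print(finding)
```

Run as a script it reports one finding for the constructed sample: roughly 25.5 GiB in 15 sessions, 12 of them rotation-sized and up to 5 running at once, while the 50 GiB internal backup and the small benign upload produce nothing. Scoring any one of those 2 GiB sessions alone would not have crossed a reasonable threshold, which is the point.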
Strategic Precision: Granular Filtering with --exclude-ext
The 2026 campaign by Trigona affiliates has highlighted a shift toward “quality over quantity.” Instead of exfiltrating every file on a server, which increases the risk of detection and slows down the process, the new tool allows for granular targeting. Using the --exclude-ext flag, attackers can explicitly ignore low-value media files such as .mp3, .mp4, and .avi.
In recent incidents observed in March and April 2026, researchers found that Trigona attackers used this filtering capability to focus almost exclusively on high-priority business documents. Folders containing invoices, PDFs, financial statements, and legal contracts were targeted with surgical precision. This focus ensures that the “double extortion” phase is backed by high-leverage data, increasing the likelihood that the victim will feel compelled to pay the ransom to avoid a catastrophic public leak of sensitive corporate intelligence.
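The file-access footprint that this kind of filtering leaves, as an added detection example (not the researchers’ code and not part of Trigona’s tooling): it replays constructed file-access audit events, reduced to the shape of Windows Security Event 4663 object-access records (timestamp, account, process, path), and flags any account/process pair that reads hundreds of distinct business documents within a minute while touching no media files at all. The extension lists, the 60 second window, the threshold of 200 documents and every user, host and path in the sample are assumptions.

```python
"""Detect bulk reads of business documents that skip media files.

Added example, not the researchers' code or Trigona's: it runs over
constructed file-access audit events (Windows Security 4663 object-access
records reduced to timestamp|user|process|path) and flags an actor that
touches many distinct documents in a short window while reading no media,
the footprint a filtered collector leaves. Extensions, window and threshold
are assumptions to tune.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
import os

DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".csv", ".ppt", ".pptx", ".msg", ".txt"}
MEDIA_EXTS = {".mp3", ".mp4", ".avi", ".mkv", ".mov", ".wav"}
WINDOW = timedelta(seconds=60)
DOC_THRESHOLD = 200                   # assumed: distinct documents per 60 s from one (user, process)


@dataclass
class AccessEvent:
    ts: datetime
    user: str
    process: str
    path: str


def parse_events(lines):
    """Parse 'iso_timestamp|user|process|path' lines. The path may itself contain
    '|' because we split at most three times."""
    events = []
    for line in lines:
        line = line.rstrip("\n")
        if not line or line.startswith("#"):
            continue
        ts, user, proc, path = line.split("|", 3)
        events.append(AccessEvent(datetime.fromisoformat(ts), user, proc, path))
    return events


def ext_of(path: str) -> str:
    # normalise separators so UNC share paths work on any host OS
    return os.path.splitext(path.replace("\\", "/"))[1].lower()


def peak_distinct_in_window(doc_events, window):
    """Sliding window over time-sorted events: the most distinct paths seen in any
    span of length <= window."""
    in_window = Counter()
    peak = left = 0
    for ev in doc_events:
        in_window[ev.path] += 1
        while ev.ts - doc_events[left].ts > window:
            old = doc_events[left].path
            in_window[old] -= 1
            if in_window[old] == 0:
                del in_window[old]
            left += 1
        peak = max(peak, len(in_window))
    return peak


def detect_mass_document_access(events, threshold=DOC_THRESHOLD, window=WINDOW):
    by_actor = defaultdict(list)
    for ev in events:
        by_actor[(ev.user, ev.process)].append(ev)
    findings = []
    for (user, proc), evs in by_actor.items():
        docs = sorted((e for e in evs if ext_of(e.path) in DOCUMENT_EXTS), key=lambda e: e.ts)
        media_reads = sum(1 for e in evs if ext_of(e.path) in MEDIA_EXTS)
        peak = peak_distinct_in_window(docs, window)
        if peak >= threshold:
            findings.append({
                "user": user, "process": proc,
                "peak_docs_per_window": peak,
                "media_reads": media_reads,                  # zero is the filtered-collector tell
                "directories": len({os.path.dirname(e.path.replace("\\", "/")) for e in docs}),
            })
    return findings


def constructed_sample():
    """Constructed audit lines (not real telemetry)."""
    lines = ["# timestamp|user|process|path"]
    t0 = datetime(2026, 4, 2, 2, 30, 0)
    folders = ["AP", "AR", "Payroll", "Tax", "Contracts", "Audit"]
    for i in range(240):                                  # 240 documents in 48 seconds
        ts = (t0 + timedelta(milliseconds=200 * i)).isoformat()
        ext = ".pdf" if i % 2 else ".xlsx"
        lines.append(f"{ts}|CORP\\jdoe|C:\\Users\\Public\\uploader_client.exe|"
                     f"\\\\FS01\\Finance\\{folders[i % 6]}\\invoice_{i:04d}{ext}")
    for i in range(3):                                    # a user editing a few files over 10 minutes
        ts = (t0 + timedelta(minutes=5 * i)).isoformat()
        lines.append(f"{ts}|CORP\\asmith|C:\\Program Files\\Office\\WINWORD.EXE|\\\\FS01\\Legal\\memo_{i}.docx")
    for i in range(80):                                   # media player streaming training videos
        ts = (t0 + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts}|CORP\\bkim|C:\\Windows\\explorer.exe|\\\\FS01\\Training\\clip_{i}.mp4")
    return lines


if __name__ == "__main__":
    for finding in detect_mass_document_access(parse_events(constructed_sample())):
        print(finding)
```

The distinct-path window matters: a backup agent or indexer re-reading the same few files in a loop does not accumulate, while a collector sweeping a share does. The zero media count is the corroborating signal; a user copying a whole folder would drag the videos along with the invoices.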
The Pre-Exfiltration Phase: Blindfolding the EDR
The deployment of the Trigona exfiltration tool is rarely the first step in an attack. To give the data theft room to run, affiliates first carry out an aggressive defense-impairment phase, using utilities that terminate security processes from kernel context. The most prominent tool in this arsenal is **HRSword**, a process and driver management component of the Huorong Network Security Suite, which attackers repurpose to kill other vendors’ endpoint protection.
By installing HRSword’s driver as a kernel service, Trigona affiliates operate beneath the user-mode protections that EDR agents rely on to defend their own processes. The approach resembles “Bring Your Own Vulnerable Driver” (BYOVD), except that the driver being brought is a legitimately signed security-tool component whose intended process-killing functionality is simply turned against the defender; either way, the result is forced termination of EDR agents, antivirus software and logging services. Once the environment is “blinded,” the attackers use PowerRun to launch the exfiltration tool with elevated privileges so that file permissions and any remaining user-mode controls do not interfere with the outbound data flow.
Other tools frequently observed in the Trigona toolkit include:
- PCHunter and GMER: Used for deep system reconnaissance and identifying hidden security processes.
- YDark and WKTools: Specialized utilities for manipulating system drivers and terminating protected threads.
- AnyDesk: Used for persistent remote access and manual navigation of the victim’s network.
- Mimikatz and NirSoft password-recovery utilities: Deployed to harvest credentials, allowing the attackers to move laterally and reach restricted network shares containing high-value data.
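Detecting the defense-impairment phase described above in the Windows System log, as an added example that is not the researchers’ code: it parses constructed Event 7045 (“A service was installed in the system”) and Event 7036 (“The … service entered the stopped state”) records serialized as JSON lines, flags kernel-mode driver services whose image lives outside the drivers directory or in a user-writable path, and correlates each with protected services that stopped within the following ten minutes. The service names, image paths, the protected-service list and the ten-minute window are constructed assumptions; no driver file names for HRSword or any other real tool are implied, because the article does not give them.

```python
"""Correlate new kernel-driver services with security services stopping.

Added example, not the researchers' code: it reads constructed Windows System
log records (Event 7045 'A service was installed in the system' and Event 7036
'The X service entered the <state> state') as JSON lines, flags kernel-mode
drivers installed from outside the drivers directory, then links them to
protected services that stopped shortly afterwards. Names, paths and the
protected-service list are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
import json

DRIVERS_DIR = "c:\\windows\\system32\\drivers\\"
USER_WRITABLE_HINTS = ("\\users\\", "\\programdata\\", "\\temp\\", "\\perflogs\\", "\\windows\\tasks\\")
KERNEL_TYPES = {"kernel mode driver", "file system driver"}
PROTECTED_SERVICES = {"ExampleEDRAgent", "EventLog"}   # constructed: services that should never stop unattended
CORRELATION_WINDOW = timedelta(minutes=10)


@dataclass
class SysEvent:
    ts: datetime
    event_id: int
    data: dict


def parse_log(lines):
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        events.append(SysEvent(datetime.fromisoformat(rec["TimeCreated"]), int(rec["EventID"]), rec))
    return sorted(events, key=lambda e: e.ts)


def normalize_image_path(raw: str) -> str:
    """Resolve the spellings the Service Control Manager logs for driver images."""
    p = raw.strip().strip('"').lower()
    if p.startswith("\\??\\"):
        p = p[4:]
    for alias in ("\\systemroot\\", "%systemroot%\\"):
        if p.startswith(alias):
            p = "c:\\windows\\" + p[len(alias):]
    if p.startswith("system32\\"):                      # relative form used for many in-box drivers
        p = "c:\\windows\\" + p
    return p


def driver_install_reasons(ev: SysEvent):
    """Return why a 7045 looks like a driver dropped for defense impairment (empty if benign)."""
    if ev.event_id != 7045 or ev.data.get("ServiceType", "").lower() not in KERNEL_TYPES:
        return []
    path = normalize_image_path(ev.data.get("ImagePath", ""))
    reasons = []
    if not path.startswith(DRIVERS_DIR):
        reasons.append("not_in_drivers_dir")
    if any(hint in path for hint in USER_WRITABLE_HINTS):
        reasons.append("user_writable_location")
    return reasons


def analyze_system_log(lines):
    events = parse_log(lines)
    suspicious, chains = [], []
    stops = [e for e in events
             if e.event_id == 7036 and e.data.get("param2", "").lower() == "stopped"]
    for ev in events:
        reasons = driver_install_reasons(ev)
        if not reasons:
            continue
        suspicious.append({"ts": ev.ts, "service": ev.data["ServiceName"],
                           "image": ev.data["ImagePath"], "reasons": reasons})
        stopped = [s.data["param1"] for s in stops
                   if s.data["param1"] in PROTECTED_SERVICES
                   and timedelta(0) <= s.ts - ev.ts <= CORRELATION_WINDOW]
        if stopped:
            chains.append({"driver_service": ev.data["ServiceName"], "stopped_services": stopped})
    return {"suspicious_drivers": suspicious, "impairment_chains": chains}


CONSTRUCTED_SYSTEM_LOG = [   # constructed records, not from a real host
    json.dumps({"EventID": 7045, "TimeCreated": "2026-04-02T02:10:00", "ServiceName": "SysMonHelper",
                "ImagePath": "C:\\Users\\Public\\tools\\helper.sys", "ServiceType": "kernel mode driver",
                "StartType": "demand start", "AccountName": ""}),
    json.dumps({"EventID": 7036, "TimeCreated": "2026-04-02T02:12:05", "param1": "ExampleEDRAgent", "param2": "stopped"}),
    json.dumps({"EventID": 7036, "TimeCreated": "2026-04-02T02:12:30", "param1": "EventLog", "param2": "stopped"}),
    json.dumps({"EventID": 7045, "TimeCreated": "2026-04-02T09:00:00", "ServiceName": "ExampleNic",
                "ImagePath": "\\SystemRoot\\System32\\drivers\\examplenic.sys", "ServiceType": "kernel mode driver",
                "StartType": "boot start", "AccountName": ""}),
    json.dumps({"EventID": 7045, "TimeCreated": "2026-04-02T09:05:00", "ServiceName": "UpdaterSvc",
                "ImagePath": "\"C:\\Program Files\\Example\\updater.exe\"", "ServiceType": "user mode service",
                "StartType": "auto start", "AccountName": "LocalSystem"}),
    json.dumps({"EventID": 7036, "TimeCreated": "2026-04-02T09:30:00", "param1": "Spooler", "param2": "stopped"}),
]

if __name__ == "__main__":
    print(json.dumps(analyze_system_log(CONSTRUCTED_SYSTEM_LOG), indent=2, default=str))
```

A legitimately signed driver from a real vendor defeats signature-based blocking, so the location and sequencing rules carry the weight here: vendor drivers are installed into the drivers directory by an installer, not dropped into a public folder minutes before the EDR service goes quiet. Note that if the attacker stops the EventLog service first, later 7036 records may never be written, which is itself a reason to forward these events to a collector in near real time.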
Rhantus and the RaaS Ecosystem: A New Era of Professionalism
The emergence of the Trigona exfiltration tool underscores the increasing industrialization of the cybercrime world. Trigona, which first appeared in late 2022 and is linked to the threat actor group known as **Rhantus**, has proven remarkably resilient. Despite high-profile claims by hacktivists in late 2023 that the group’s infrastructure had been dismantled, Trigona returned with more robust code and a more professionalized affiliate model.
Operating as a Ransomware-as-a-Service, Trigona provides its affiliates with a complete “extortion-in-a-box” solution. This includes the locker itself—which targets both Windows and Linux environments—a dedicated negotiation portal, and now, proprietary exfiltration software. By providing high-quality tools like “uploader_client.exe,” the Rhantus group attracts more sophisticated affiliates who are capable of breaching high-value targets in the manufacturing, finance, and healthcare sectors.
The shift to proprietary tools also serves as a form of “quality control” for the RaaS operators. It ensures that affiliates are using the most efficient methods possible, which in turn maximizes the revenue generated from successful ransoms. As the global law enforcement community increases its pressure on the ransomware ecosystem, groups like Trigona are reinvesting their profits into R&D to stay one step ahead of defensive technologies.
The Double Extortion Imperative: Why Proprietary Tools Matter Now
In 2026, encryption is no longer the primary leverage point for ransomware groups. Many organizations have improved their backup and recovery strategies to the point where they can restore systems without paying a ransom. To counter this, the “double extortion” model—where the threat is the public release of stolen data—has become the standard operating procedure.
However, double extortion only works if the data can be stolen successfully. If a security system detects the exfiltration process and shuts down the network before the data is moved, the attackers lose their primary source of leverage. This is why the Trigona exfiltration tool is so critical to the group’s success. It is designed to solve the “exfiltration problem” by making the theft phase as fast and as quiet as possible. When the victim eventually discovers the ransom note, the data is already safely stored on the attacker’s server, making the recovery of backups a moot point in the negotiation process.
Conclusion: Future-Proofing Defenses Against Custom Ransomware Tooling
The discovery of the Trigona exfiltration tool is a clear signal that the era of “easy” ransomware detection is over. Defenders can no longer rely on blacklisting known utilities like Rclone to stop data theft. Instead, security strategies must evolve to focus on behavioral anomalies and kernel-level integrity.
To defend against the sophisticated tactics used by Trigona and its affiliates, organizations should consider the following measures:
- Network Egress Monitoring: Implement strict controls on outbound traffic. Aggregate outbound bytes per internal host and external destination across all sessions over a multi-hour window rather than scoring each flow alone, so that connection rotation into 2 GB sessions and parallel uploads to an unrecognized address still surface as one event; alert on many same-sized sessions to one destination, and restrict which hosts may reach the internet at all.
- Kernel Integrity Protection: Use controls that detect and block unauthorized kernel-driver installation (BYOVD). Microsoft’s Vulnerable Driver Blocklist and App Control (WDAC) policies can stop known-abused drivers from loading; because HRSword’s driver belongs to a legitimate product, confirm whether it is covered in your environment and, if not, add an explicit deny rule, and alert on any new kernel-mode driver service (System Event ID 7045) installed from outside the drivers directory.
- Data-Centric Security: Since attackers use the Trigona exfiltration tool to target specific file types like PDFs and invoices, implement file-integrity monitoring and data loss prevention (DLP) policies that trigger on bulk reads of sensitive document folders by a single account or process, especially one that reads documents at machine speed while skipping media files.
- Identity and Access Management: Because Trigona relies on credential theft (via Mimikatz) to reach high-value shares, enforce MFA for privileged and remote access, tier administrative accounts so that workstation credentials cannot open server shares, protect LSASS credential material (for example with Credential Guard), and adhere to least privilege to limit how far a stolen credential reaches.
As we move further into 2026, the battle between RaaS operators and cybersecurity defenders will continue to be an arms race of proprietary code. The Trigona exfiltration tool is just the beginning of a new wave of custom, high-precision malware that demands a more proactive and technically deep defensive posture.
Written by
TempMail Ninja
Digital privacy and online security expert. Passionate about creating tools that protect users' identity on the internet.


