{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/actors/trigona/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":["Trigona"],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows","AnyDesk","Mimikatz","PowerRun"],"_cs_severities":["high"],"_cs_tags":["trigona","ransomware","data exfiltration","custom tool"],"_cs_type":"threat","_cs_vendors":["Microsoft","Nirsoft","AnyDesk"],"content_html":"\u003cp\u003eTrigona ransomware, initially launched in October 2022, has been observed using a custom command-line tool named \u0026ldquo;uploader_client.exe\u0026rdquo; to exfiltrate data from compromised environments. This shift, observed in March 2026, suggests an effort to avoid detection by security solutions that commonly flag publicly available tools like Rclone and MegaSync. Symantec researchers believe this indicates a strategic investment in proprietary malware to maintain a lower profile during critical phases of attacks. The custom tool supports five simultaneous connections per file for faster data exfiltration via parallel uploads, rotates TCP connections after 2GB of traffic to evade monitoring, offers options for selective file type exfiltration, and utilizes an authentication key to restrict access to stolen data. Despite disruptions in October 2023, Trigona has resumed operations, incorporating additional techniques like installing the Huorong Network Security Suite tool HRSword and disabling security products.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial compromise of the target system through unspecified means.\u003c/li\u003e\n\u003cli\u003eInstallation of the Huorong Network Security Suite tool HRSword as a kernel driver service.\u003c/li\u003e\n\u003cli\u003eDeployment of tools such as PCHunter, Gmer, YDark, WKTools, DumpGuard, and StpProcessMonitorByovd to disable security-related products by leveraging vulnerable kernel drivers to terminate endpoint protection processes.\u003c/li\u003e\n\u003cli\u003eExecution of utilities with PowerRun to launch apps, executables, and scripts with elevated privileges, bypassing user-mode protections.\u003c/li\u003e\n\u003cli\u003eDeployment of AnyDesk for direct remote access to the breached systems.\u003c/li\u003e\n\u003cli\u003eExecution of Mimikatz and Nirsoft utilities for credential theft and password recovery operations.\u003c/li\u003e\n\u003cli\u003eUse of the custom \u0026ldquo;uploader_client.exe\u0026rdquo; to exfiltrate valuable documents such as invoices and PDFs from network drives via parallel uploads, rotating TCP connections to evade monitoring, and using an authentication key to restrict data access.\u003c/li\u003e\n\u003cli\u003eFinal stage involving the deployment of Trigona ransomware, demanding ransom payment in Monero cryptocurrency.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful Trigona ransomware attacks result in significant data theft and encryption, disrupting business operations and causing financial losses. The group has demonstrated the capability to resume operations even after suffering disruptions, indicating a persistent threat. Observed data exfiltration has included high-value documents such as invoices and PDFs, demonstrating a targeted approach to data theft. Victims face potential regulatory penalties, reputational damage, and recovery costs associated with restoring systems and data. The number of victims and specific financial impact varies per campaign, but the potential for severe disruption and financial strain is consistent.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor process creation events for the execution of \u0026ldquo;uploader_client.exe\u0026rdquo; with command-line arguments indicative of data exfiltration (see Sigma rule below).\u003c/li\u003e\n\u003cli\u003eImplement network monitoring to detect connections to unusual or hardcoded server addresses used by the \u0026ldquo;uploader_client.exe\u0026rdquo; exfiltration tool (see IOC table).\u003c/li\u003e\n\u003cli\u003eDeploy endpoint detection rules to identify the installation of Huorong Network Security Suite (HRSword) as a kernel driver service and tools like PCHunter, Gmer, YDark, WKTools, DumpGuard, and StpProcessMonitorByovd.\u003c/li\u003e\n\u003cli\u003eMonitor for processes launched via PowerRun, especially if followed by credential dumping or remote access tool execution.\u003c/li\u003e\n\u003cli\u003eReview AnyDesk usage for unusual connections or after-hours access, as this tool is used for remote access.\u003c/li\u003e\n\u003cli\u003eEnable robust logging for credential access attempts and password recovery activity associated with Mimikatz and Nirsoft tools.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-23T19:02:17Z","date_published":"2026-04-23T19:02:17Z","id":"/briefs/2026-05-trigona-custom-exfil/","summary":"Trigona ransomware is using a custom data exfiltration tool named 'uploader_client.exe' to steal data from compromised environments, enhancing speed and evasion.","title":"Trigona Ransomware Employing Custom Data Exfiltration Tool","url":"https://feed.craftedsignal.io/briefs/2026-05-trigona-custom-exfil/"}],"language":"en","title":"CraftedSignal Threat Feed — Trigona","version":"https://jsonfeed.org/version/1.1"}