AnyDesk — CraftedSignal Threat Feed

Trigona Ransomware Employing Custom Data Exfiltration Tool

hello@craftedsignal.io — Thu, 23 Apr 2026 19:02:17 +0000

Trigona ransomware, initially launched in October 2022, has been observed using a custom command-line tool named “uploader_client.exe” to exfiltrate data from compromised environments. This shift, observed in March 2026, suggests an effort to avoid detection by security solutions that commonly flag publicly available tools like Rclone and MegaSync. Symantec researchers believe this indicates a strategic investment in proprietary malware to maintain a lower profile during critical phases of attacks. The custom tool supports five simultaneous connections per file for faster data exfiltration via parallel uploads, rotates TCP connections after 2GB of traffic to evade monitoring, offers options for selective file type exfiltration, and utilizes an authentication key to restrict access to stolen data. Despite disruptions in October 2023, Trigona has resumed operations, incorporating additional techniques like installing the Huorong Network Security Suite tool HRSword and disabling security products.

Attack Chain

Initial compromise of the target system through unspecified means.
Installation of the Huorong Network Security Suite tool HRSword as a kernel driver service.
Deployment of tools such as PCHunter, Gmer, YDark, WKTools, DumpGuard, and StpProcessMonitorByovd to disable security-related products by leveraging vulnerable kernel drivers to terminate endpoint protection processes.
Execution of utilities with PowerRun to launch apps, executables, and scripts with elevated privileges, bypassing user-mode protections.
Deployment of AnyDesk for direct remote access to the breached systems.
Execution of Mimikatz and Nirsoft utilities for credential theft and password recovery operations.
Use of the custom “uploader_client.exe” to exfiltrate valuable documents such as invoices and PDFs from network drives via parallel uploads, rotating TCP connections to evade monitoring, and using an authentication key to restrict data access.
Final stage involving the deployment of Trigona ransomware, demanding ransom payment in Monero cryptocurrency.

Impact

Successful Trigona ransomware attacks result in significant data theft and encryption, disrupting business operations and causing financial losses. The group has demonstrated the capability to resume operations even after suffering disruptions, indicating a persistent threat. Observed data exfiltration has included high-value documents such as invoices and PDFs, demonstrating a targeted approach to data theft. Victims face potential regulatory penalties, reputational damage, and recovery costs associated with restoring systems and data. The number of victims and specific financial impact varies per campaign, but the potential for severe disruption and financial strain is consistent.

Recommendation

Monitor process creation events for the execution of “uploader_client.exe” with command-line arguments indicative of data exfiltration (see Sigma rule below).
Implement network monitoring to detect connections to unusual or hardcoded server addresses used by the “uploader_client.exe” exfiltration tool (see IOC table).
Deploy endpoint detection rules to identify the installation of Huorong Network Security Suite (HRSword) as a kernel driver service and tools like PCHunter, Gmer, YDark, WKTools, DumpGuard, and StpProcessMonitorByovd.
Monitor for processes launched via PowerRun, especially if followed by credential dumping or remote access tool execution.
Review AnyDesk usage for unusual connections or after-hours access, as this tool is used for remote access.
Enable robust logging for credential access attempts and password recovery activity associated with Mimikatz and Nirsoft tools.

Multiple Remote Management Tool Vendors on Same Host

hello@craftedsignal.io — Wed, 03 Jan 2024 12:00:00 +0000

This detection rule identifies Windows systems running multiple Remote Monitoring and Management (RMM) tools from different vendors within an eight-minute timeframe. While legitimate MSP environments might utilize several tools, the presence of multiple RMM solutions on a single host can signify a compromise, unauthorized software installation (shadow IT), or attackers establishing redundant access points. The rule maps process names to vendor labels to avoid inflated counts from multiple binaries of the same vendor. This activity has been observed as a component of broader attack campaigns, including those leveraging compromised MSP infrastructure, and is described in CISA AA23-025A. The timeframe analyzed is “now-9m”, and the rule triggers if two or more different vendors are detected.

Attack Chain

Initial Access: The attacker gains initial access to the system, possibly through phishing, exploiting vulnerabilities, or stolen credentials.
Tool Deployment: The attacker deploys an initial RMM tool (e.g., AnyDesk, TeamViewer) for remote access and control.
Persistence: The attacker establishes persistence by configuring the RMM tool to start automatically on system boot.
Lateral Movement: The attacker uses the initial access to discover other systems on the network.
Additional RMM Deployment: The attacker deploys a second RMM tool (e.g., ScreenConnect, Splashtop) from a different vendor to create a redundant access method.
Privilege Escalation: The attacker escalates privileges using the compromised RMM tools, if necessary.
Remote Control: The attacker uses the RMM tools to remotely control the system, execute commands, and access sensitive data.
Data Exfiltration or Further Exploitation: The attacker exfiltrates sensitive data or uses the compromised system to launch further attacks on the network.

Impact

A successful attack leveraging multiple RMM tools can result in unauthorized access to sensitive data, system compromise, and lateral movement within the network. The presence of multiple RMM tools increases the attacker’s resilience, making it harder to detect and remediate the intrusion. Affected systems can be used as a staging ground for further attacks, leading to significant financial and reputational damage. This can impact any Windows-based system, and the CISA advisory AA23-025A specifically highlights the risk of MSP infrastructure compromise.

Recommendation

Deploy the Sigma rule Multiple RMM Vendors on Same Host to your SIEM and tune for your environment.
Investigate hosts triggering the rule to confirm legitimate use of multiple RMM tools. Check Esql.vendors_seen and Esql.processes_name_values for insight into the involved tools.
Review asset inventory and change tickets to verify authorized RMM software installations.
Isolate any unauthorized or unexplained hosts and remove unapproved RMM tools.
Enforce a single approved RMM stack per asset class where possible.
Enable Sysmon process creation logging (Event ID 1) on Windows endpoints to enhance detection capabilities as described in the rule’s setup instructions.

Multiple Remote Management Tool Vendors on Same Host

hello@craftedsignal.io — Tue, 02 Jan 2024 12:00:00 +0000

This detection rule identifies Windows hosts running multiple remote monitoring and management (RMM) tools from different vendors within an eight-minute timeframe. While legitimate MSP environments may utilize multiple tools, this activity can also indicate malicious behavior, such as an attacker establishing redundant access to a compromised system. The rule maps various RMM processes to vendor labels, ensuring that multiple binaries from the same vendor do not inflate the count. The processes monitored include popular RMM tools like TeamViewer, AnyDesk, ScreenConnect, and many others. This rule is designed to detect suspicious activity within the environment and alert security teams to potential compromises. The timeframe is set to eight minutes to reduce false positives.

Attack Chain

Initial Access: An attacker gains initial access to a Windows host, possibly through phishing or exploitation of a vulnerability.
Tool Deployment: The attacker deploys an initial RMM tool for remote access and control.
Secondary Tool Deployment: The attacker deploys a second RMM tool from a different vendor to ensure redundant access in case the first tool is detected or removed.
Privilege Escalation: The attacker escalates privileges to gain SYSTEM or Administrator rights, if necessary, to maintain persistent access and control.
Lateral Movement: The attacker uses the RMM tools to move laterally within the network to access additional systems and data.
Data Exfiltration/Malicious Activity: The attacker uses the established RMM connections to exfiltrate sensitive data or perform other malicious activities such as deploying ransomware.

Impact

A successful attack can lead to unauthorized access to sensitive systems and data, potentially resulting in data breaches, financial loss, and reputational damage. This detection rule helps identify hosts that might be compromised by malicious actors utilizing multiple RMM tools for command and control. Identifying potentially compromised systems is key to preventing widespread damage.

Recommendation

Deploy the Sigma rules in this brief to your SIEM to detect multiple RMM tools running on the same host within an eight-minute window.
Investigate systems triggering this alert by reviewing process execution logs and network connections to identify the source of the RMM tool installation.
Enforce a policy of a single approved RMM stack per asset class to minimize the risk of unauthorized RMM tool usage.
Tune the provided Sigma rules with host or organizational unit exceptions for legitimate MSP/IT tooling environments.
Review asset inventory and change tickets for approved RMM software to identify unauthorized installations.