The Trigona ransomware group has introduced a custom-built command-line tool designed to accelerate and conceal data exfiltration during cyberattacks, signaling a renewed evolution in its tactics. The newly observed utility, identified as “uploader client.exe,” replaces commonly used tools such as Rclone and MegaSync, which are more likely to be flagged by security systems. By shifting to a proprietary solution, the attackers appear to be prioritizing stealth during one of the most critical phases of their operations: data theft.
The tool is engineered for speed and evasion. It enables multiple simultaneous connections for each file, allowing faster uploads of stolen data. It also rotates TCP connections after transferring large volumes of data, helping it bypass monitoring systems. Additionally, the tool can selectively exfiltrate high-value file types, such as documents and PDFs, while excluding large, less useful media files. An embedded authentication mechanism further ensures that only authorized parties can access the stolen data.
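The traffic shape described above (many simultaneous connections per file, connections torn down and re-established after large transfers, sustained outbound volume to a single external host) is visible in ordinary flow records even when the client binary itself is unknown. The following is an added example, not code from the article or from any vendor: a small Python detector that scores internal-to-external flow pairs on those three signals. The flow records, internal ranges and thresholds are all constructed assumptions for illustration and would need to be tuned against an organisation's own baseline.

```python
"""Flag outbound flow patterns consistent with a multi-connection,
connection-rotating upload client. Flow records and thresholds are
constructed for illustration (not from any real incident)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed internal address space; replace with the organisation's own ranges.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]


@dataclass(frozen=True)
class Flow:
    start: datetime
    end: datetime
    src: str
    dst: str
    dst_port: int
    bytes_out: int


def _t(seconds: int) -> datetime:
    return datetime(2024, 1, 1, 3, 0, 0) + timedelta(seconds=seconds)


# Constructed sample: 10.0.0.5 opens overlapping connections to one external
# host every 5 s, each carrying ~120 MB and lasting 60 s, so a dozen are open
# at once and keep being re-established. 10.0.0.7 is ordinary browsing.
SAMPLE_FLOWS = [
    Flow(_t(i * 5), _t(i * 5 + 60), "10.0.0.5", "203.0.113.10", 443, 120_000_000)
    for i in range(12)
] + [
    Flow(_t(0), _t(30), "10.0.0.7", "198.51.100.4", 443, 4_000),
    Flow(_t(40), _t(45), "10.0.0.7", "198.51.100.9", 443, 12_000),
]


def is_internal(addr: str) -> bool:
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def max_concurrent(flows) -> int:
    """Peak number of simultaneously open connections (sweep line over
    start/end events; an end at time t is processed before a start at t)."""
    events = []
    for f in flows:
        events.append((f.start, 1))
        events.append((f.end, -1))
    events.sort(key=lambda e: (e[0], e[1]))
    peak = current = 0
    for _, delta in events:
        current += delta
        peak = max(peak, current)
    return peak


def analyse(flows, min_parallel=8, min_rotations=5,
            per_conn_bytes=50_000_000, total_bytes=500_000_000):
    """Return one alert per (internal src, external dst) pair that shows any
    of: high connection fan-out, repeated large-volume connections
    (rotation), or high total outbound volume. Thresholds are assumptions."""
    by_pair = defaultdict(list)
    for f in flows:
        if is_internal(f.src) and not is_internal(f.dst):
            by_pair[(f.src, f.dst)].append(f)

    alerts = []
    for (src, dst), pair_flows in by_pair.items():
        reasons = []
        peak = max_concurrent(pair_flows)
        if peak >= min_parallel:
            reasons.append(f"{peak} concurrent connections")
        large = [f for f in pair_flows if f.bytes_out >= per_conn_bytes]
        if len(large) >= min_rotations:
            reasons.append(f"{len(large)} connections each >= {per_conn_bytes} bytes")
        total = sum(f.bytes_out for f in pair_flows)
        if total >= total_bytes:
            reasons.append(f"{total} bytes total outbound")
        if reasons:
            alerts.append({"src": src, "dst": dst, "bytes_out": total,
                           "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_FLOWS):
        print(f"{alert['src']} -> {alert['dst']}: " + "; ".join(alert["reasons"]))
```

On the constructed sample the workstation 10.0.0.5 trips all three signals while the browsing host produces nothing. In practice the three checks are deliberately independent: a client that stays under the fan-out threshold may still show up through rotation or aggregate volume, and a single-destination volume baseline per host is usually the most robust of the three.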
This development marks a significant step in the group’s operational maturity, as it reflects a move away from reliance on publicly available utilities toward more controlled and harder-to-detect tooling.
The Trigona ransomware operation, which first emerged in 2022, is known for its double-extortion model: stealing sensitive data before encrypting systems and demanding payment, often in cryptocurrency, to prevent data leaks. Although its infrastructure was previously disrupted, recent activity indicates that the group has resumed operations with updated techniques.
In addition to the custom exfiltration tool, attackers have been observed deploying a range of utilities to maintain persistence and evade detection. These include the installation of kernel-level components, tools designed to disable endpoint protection, and the use of privilege escalation utilities to bypass system safeguards.
Remote access software such as AnyDesk has been leveraged to control compromised systems, while credential theft tools like Mimikatz and Nirsoft utilities are used to harvest sensitive login information. The resurgence of Trigona, combined with its adoption of custom-built malware, highlights a broader trend among ransomware groups: investing in proprietary capabilities to evade detection, accelerate attacks, and maximize the impact on targeted organizations.