Trigona Affiliates Deploy Custom Exfiltration Tool to Streamline Data Theft
Essential information
- Published: 01/05/2026 19:53
- Modified: 04/05/2026 14:32
- Source / Author: AlienVault
- Confidence: 100/100
- Report type(s): threat-report
- Labels / Tags: dumpguard gogra malextractor trigona
- Tags: 2026-04-23 2026-05-01 dumpguard gogra hrsword kernel driver abuse malextractor ransomware-as-a-service stpprocessmonitorbyovd trigona wktools
- Related entities: 42 indicators, 42 observables, 1 intrusion set (apt), 20 techniques (mitre), 16 malware
Description
Trigona ransomware affiliates deployed a custom exfiltration tool called uploader_client.exe during attacks in March 2026, marking a tactical shift from relying on off-the-shelf utilities like Rclone. The tool features parallel streams with five default connections, connection rotation after 2,048 MB transfers to evade network monitoring, and granular filtering to exclude low-value files. Prior to exfiltration, attackers disabled security defenses using kernel-level tools including HRSword, PCHunter, Gmer, YDark, and WKTools with vulnerable drivers. Remote access was established via AnyDesk, while credentials were harvested using Mimikatz and Nirsoft utilities. The custom tooling demonstrates higher technical maturity compared to typical ransomware operations, providing enhanced stealth capabilities while requiring greater development resources. Targeted data included invoices and high-value PDF documents from networked drives.
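One way a defender can hunt flow records for the transfer pattern described above (several parallel streams to one destination, each connection rotated at roughly 2,048 MB). This is an added example, not a tool from the report; the flow-record format, the thresholds and the sample records are assumptions constructed for illustration.

```python
from collections import defaultdict

MB = 1024 * 1024
ROTATION_BYTES = 2048 * MB   # per-connection rotation size reported for the uploader
TOLERANCE = 0.02             # flows within 2% of that size count as "cap-sized"
MIN_ROTATED = 3              # assumed: cap-sized flows to one peer before alerting
MIN_PARALLEL = 5             # default stream count reported for the uploader

# Constructed sample flow records (src,dst,dport,start,end,bytes_out); not from the report.
SAMPLE_FLOWS = """\
10.0.5.21,203.0.113.10,443,1000,1600,2147483648
10.0.5.21,203.0.113.10,443,1000,1605,2146435072
10.0.5.21,203.0.113.10,443,1001,1590,2147483648
10.0.5.21,203.0.113.10,443,1002,1620,2140000000
10.0.5.21,203.0.113.10,443,1003,1580,2147483648
10.0.5.21,203.0.113.10,443,1600,2200,2147483648
10.0.5.21,203.0.113.10,443,1605,2210,2147483648
10.0.5.21,203.0.113.10,443,1590,2190,2147483648
10.0.5.40,198.51.100.7,443,1000,1100,5242880
10.0.5.40,198.51.100.7,443,2000,2100,2147483648
"""

def parse_flows(text):
    flows = []
    for line in text.strip().splitlines():
        src, dst, dport, start, end, nbytes = line.split(",")
        flows.append({"src": src, "dst": dst, "dport": int(dport),
                      "start": int(start), "end": int(end), "bytes": int(nbytes)})
    return flows

def is_cap_sized(nbytes):
    return abs(nbytes - ROTATION_BYTES) <= ROTATION_BYTES * TOLERANCE

def max_concurrency(flows):
    # Sweep over start/end events; an end at time t sorts before a start at t.
    events = sorted([(f["start"], 1) for f in flows] + [(f["end"], -1) for f in flows])
    cur = peak = 0
    for _, delta in events:
        cur += delta
        peak = max(peak, cur)
    return peak

def find_rotating_exfil(flows):
    by_pair = defaultdict(list)
    for f in flows:
        by_pair[(f["src"], f["dst"])].append(f)
    alerts = {}
    for pair, pf in by_pair.items():
        rotated = sum(1 for f in pf if is_cap_sized(f["bytes"]))
        parallel = max_concurrency(pf)
        if rotated >= MIN_ROTATED and parallel >= MIN_PARALLEL:
            alerts[pair] = {"cap_sized_flows": rotated, "peak_parallel": parallel,
                            "total_mb": sum(f["bytes"] for f in pf) // MB}
    return alerts
```

Tune the thresholds to the environment, since backup agents and cloud sync clients can also produce large, evenly sized uploads; the combination of a fixed per-connection size and five or more overlapping streams to a single external peer is the signal worth reviewing.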