Trigona Affiliates Deploy Custom Exfiltration Tool to Streamline Data Theft
Published 01/05/2026 19:53 · Modified 04/05/2026 14:32
Essential information
- Published: 01/05/2026 19:53
- Modified: 04/05/2026 14:32
- Source / Author: AlienVault
- Confidence: 100/100
- Report type(s): threat-report
- Labels / Tags: dumpguard gogra malextractor trigona
- Tags: 2026-04-23 2026-05-01 dumpguard gogra hrsword kernel driver abuse malextractor ransomware-as-a-service stpprocessmonitorbyovd trigona wktools
- Related entities: 42 indicators, 42 observables, 1 intrusion set (APT), 20 techniques (MITRE), 16 malware
Description
Trigona ransomware affiliates deployed a custom exfiltration tool called uploader_client.exe during attacks in March 2026, marking a tactical shift from relying on off-the-shelf utilities like Rclone. The tool features parallel streams with five default connections, connection rotation after 2,048 MB transfers to evade network monitoring, and granular filtering to exclude low-value files. Prior to exfiltration, attackers disabled security defenses using kernel-level tools including HRSword, PCHunter, Gmer, YDark, and WKTools with vulnerable drivers. Remote access was established via AnyDesk, while credentials were harvested using Mimikatz and Nirsoft utilities. The custom tooling demonstrates higher technical maturity compared to typical ransomware operations, providing enhanced stealth capabilities while requiring greater development resources. Targeted data included invoices and high-value PDF documents from networked drives.
Related entities
Vulnerabilities, IOCs, intrusion sets, MITRE techniques and other entities referenced in this report.
Indicators (42)
Observables (42)
Intrusion sets (APT) (1)
- Source: AlienVault · Confidence: 100 · First seen 01/01/1970 · Last seen 16/11/5138 · Published 21/12/2025 00:05 · Modified 21/12/2025 03:03
Techniques (MITRE) (20)
- Valid Accounts
- Encrypted Channel
- Windows Credential Manager
- Credentials from Web Browsers
- Exfiltration Over Alternative Protocol
- Disable Windows Event Logging
- VNC
- Exploitation for Privilege Escalation
- Data Encrypted for Impact
- Data from Local System
- Obfuscated Files or Information
- Data from Network Shared Drive
- LSASS Memory
- Disable or Modify Tools
- Application Layer Protocol
- Windows Service
- Deobfuscate/Decode Files or Information
- System Binary Proxy Execution
- Remote Desktop Protocol
- Service Execution
Malware (16)