{ "name": "Trigona Affiliates Deploy Custom Exfiltration Tool to Streamline Data Theft", "slug": "trigona-affiliates-deploy-custom-exfiltration-tool-to-streamline-data-theft", "description": "Trigona ransomware affiliates deployed a custom exfiltration tool called uploader_client.exe during attacks in March 2026, marking a tactical shift from relying on off-the-shelf utilities like Rclone. The tool features parallel streams with five default connections, connection rotation after 2,048 MB transfers to evade network monitoring, and granular filtering to exclude low-value files. Prior to exfiltration, attackers disabled security defenses using kernel-level tools including HRSword, PCHunter, Gmer, YDark, and WKTools with vulnerable drivers. Remote access was established via AnyDesk, while credentials were harvested using Mimikatz and Nirsoft utilities. The custom tooling demonstrates higher technical maturity compared to typical ransomware operations, providing enhanced stealth capabilities while requiring greater development resources. Targeted data included invoices and high-value PDF documents from networked drives.", "published": "2026-05-01T17:53:05.949000+00:00", "created_at": "2026-05-04T14:32:28.719000+00:00", "modified_at": "2026-05-04T12:32:29+00:00", "created_at_opencti": "2026-05-04T14:32:28.719000+00:00", "author": "AlienVault", "confidence": 100, "report_types": [ "threat-report" ], "labels": [ "dumpguard", "gogra", "malextractor", "trigona" ], "tags": [ "2026-04-23", "2026-05-01", "dumpguard", "gogra", "hrsword", "kernel driver abuse", "malextractor", "ransomware-as-a-service", "stpprocessmonitorbyovd", "trigona", "wktools" ], "related_entities": { "indicators": [ { "id": "a5c3869b-18ea-4cb9-85c0-f5ae45c112e7", "name": "816d7616238958dfe0bb811a063eb3102efd82eff14408f5cab4cb5258bfd019" }, { "id": "0263160e-7502-4dbd-89f2-b7cb212c93e8", "name": "48f3d66492a494965e7039079158e2fee552aaab517d1a55352209c9eedcb765" }, { "id": "01b63a62-9c20-4580-80dc-9d30f92fb197", "name": "b3774ba01a3096348fd76a7072407b9f07bb9589e0f5ba31ca576689bbbe94e4" }, { "id": "623753cd-1bfa-4814-8013-3da5bca5d6d9", "name": "a18555c1ca53d4826191a30889d82205a304932f997baec755c98ddad4326cb8" }, { "id": "bcb11dea-9b32-442e-bcb6-12214668fa4f", "name": "87bf4b152d9548f415f12f353f988b5442729e7f24e2902ddfd0baa4a944354a" }, { "id": "7503d473-976b-4916-90d0-ba0108c9f1f7", "name": "c41216eee9756a1dcc546df4fe97defc05513eed64ce6ac05f1501b50e6f96cc" }, { "id": "8a68c2de-d0c1-445e-bdef-d32ce8756c15", "name": "2b214bddaab130c274de6204af6dba5aeec7433da99aa950022fa306421a6d32" }, { "id": "22eeb5f6-bc2e-4c11-ae21-df8c548b29b6", "name": "8a2f4907159a68867b22bc772590ebcafcfa656a23951228ecd89e4f598472b0" }, { "id": "d8e7aa93-6e33-40b9-81a2-712a961786c0", "name": "99c4775ed813f354c9e53f42797226d82b26f44d19e81036c9e55222d1744189" }, { "id": "218ebf48-8488-4f88-99a5-855d1b6773e1", "name": "1588023393eb6b4d9433d539d303ecb56b6c3630e860f94d1a137834bdedf2bd" }, { "id": "e7316a4c-3eea-4307-9b93-2e66516c8e9a", "name": "e8a3e804a96c716a3e9b69195db6ffb0d33e2433af871e4d4e1eab3097237173" }, { "id": "5d5af8ba-d92d-4a46-8311-8c5ab3e5ee99", "name": "6ce228240458563d73c1c3cbbd04ef15cb7c5badacc78ce331848f5431b406cc" }, { "id": "1eed82d9-739b-4fe5-80a8-b9220d914211", "name": "f27eab3157451e31db71169e71f76d28325193218f9dc8f421136d4a20165feb" }, { "id": "a068954f-69b8-4f65-a86c-5fe8d786d285", "name": "73cd405b5bfc99ec5cf33467d4be7fc7e39ae18337568ee10173c17ba6e8f0d7" }, { "id": "e715e1d3-2ffe-475f-b6ac-7299e8578b90", "name": "0ce7badb26174b6129fb13d7e255e582f84d8aaedeabcd02c80d84a609144068" }, { "id": "c6535a5c-10e6-4912-aa48-33d73bfc6e69", "name": "598555a7e053c7456ee8a06a892309386e69d473c73284de9bbc0ba73b17e70a" }, { "id": "4b3c6301-f6e0-4a29-8063-5f746c1e5a21", "name": "35f28a31a47b0bcd92722265473d66ffef6c4bd460c71c36b57df2ac0d02f671" }, { "id": "4c6b1616-ebbf-42ad-be43-5498dd111db5", "name": "6bac99f56e54d5195783513ae6954a4a8509d7bc397c94f405266b5df9cd96cb" }, { "id": "b0167017-8f40-40a5-a54a-ec9f4f8bd934", "name": "7a313840d25adf94c7bf1d17393f5b991ba8baf50b8cacb7ce0420189c177e26" }, { "id": "6072baee-f8e4-4ccc-9f19-33e2553d6f50", "name": "d833e8fc97b3c865ebfb96a48da9ec446148cb5ad7e66ca5c47cd693f7923888" }, { "id": "e07b09da-2932-41d2-b700-d48ac43881a8", "name": "c7d994eb2042633172bd8866c9f163be531444ce3126d5f340edd25cbdb473d4" }, { "id": "37f8f7df-39cd-47c4-96e2-61b85aca2eb1", "name": "1433aa8210b287b8d463d958fc9ceeb913644f550919cfb2c62370773799e5a5" }, { "id": "26d568aa-939c-4272-8a89-70af6c82f89c", "name": "49a7b3cf426d1f35a2138c0a6cec397688d223d7f2bcbbeed53b511a328a97be" }, { "id": "fc0c1dda-5e3c-4095-a96f-890750d0659b", "name": "207b11f7dc4f17e4e5a9c25dbfb6a785a7456d7c381ecea7c729d8d924be1fb9" }, { "id": "82e04775-f1e7-4c43-858b-30c2c0d53a1e", "name": "c64964944b4c1f649ae8f694964b3a212dc1028341ab71836306a456fba0b3f4" }, { "id": "8cf449d9-d115-41a5-9323-b2f51e9958f0", "name": "771de264c5d7e1e5ac85f00c42e9fe3b439bcbd4f9aa11e4fd7bc0d87fa2344e" }, { "id": "447fb6eb-96f2-42fa-b665-75470cfbf5dc", "name": "d4339a5b9d15211dbc85424cf7fa8ff825033ea3378506d8ecb19b016db5b4ff" }, { "id": "339d361d-5d4b-481f-a86c-c46e01985f0a", "name": "396aa1f8f308010a3c76a53965d0eddd35e41176eacd1194745d9542239ca8dc" }, { "id": "ddd55e84-f2a6-466b-b746-2d447e6480a6", "name": "274ca13168b38590c230bddc2d606bbe8c26de8a6d79156a6c7d07265efe0fdf" }, { "id": "1a05ad84-01ef-4949-ade9-9ff80736249c", "name": "df5a574254637d2880633b0582e956b23f66efc6781e825c65e1ccfaa6c58809" }, { "id": "50c00149-fd76-4290-8488-92b8ac6fd7a1", "name": "5be325905df8aab7089ab2348d89343f55a2f88dadd75de8f382e8fa026451bd" }, { "id": "2dcc1c19-a10c-4c3b-a7f8-53496c28f6c8", "name": "647b2f12486343fe065dc4abbb11e2338589eb099c72792b5a05e64a5e2937fc" }, { "id": "fc6ee360-6ba1-429b-a788-e809a62f6ef7", "name": "eee885e5dae750848d0903d179cacd81149ceecec83c2ec4ad4545531de3cfdf" }, { "id": "8a2fa0ec-ab0b-4dc5-b1b7-e404d586db87", "name": "6c31dd44b29b5f87030caececc616cf366badeff5a7e4c9933aa5fa6445a0c7a" }, { "id": "a4319bc0-0b4d-4e1f-9c3b-8b21d0a21503", "name": "4adbb1906762c757764ffc5fa64af96e091966f4f5a43aae12fcc4f05f1c26b5" }, { "id": "99838010-f161-4773-af78-fbb3541aa8d1", "name": "72fc3d03065922b9a03774bbd1873e5e7f3a5a2abf5dcf7bfb2e98aceed53a9d" }, { "id": "883a3bd0-ddc8-42a5-9d43-c7b3433602c4", "name": "0b679027e38f3d9ca554085be0e762c651e83e6414401b56635cdf3765ca1dac" }, { "id": "15c584fc-4a57-4506-8372-c99f5ca96f25", "name": "6688fb3039ad6df606d76a897ef1072cdc78b928335c6bfa691d99498caf5c4b" }, { "id": "4c050bb7-f1c3-400b-85cc-a19ad3b3a194", "name": "b066ca2702853c2fcbf686897c18f6d315be7ae753007ac2c1d73c87b0a30de9" }, { "id": "04829a3f-3848-44b4-8f0e-1c9b4729dea3", "name": "205818e10c13d2e51b4c0196ca30111276ca1107fc8e25a0992fe67879eab964" }, { "id": "7b282eb6-181e-49a4-b3ec-ae8e376153e6", "name": "f5390674f0f49fe8af116396828c3de6729347ebc3c772d87618e55629aec06c" }, { "id": "9a8a2133-8f97-463b-993f-063e19d442f9", "name": "4a44d0c6cf5de515dd296f05ff6674d1a340fccf6b4c11612d27be2d3baa82b0" } ], "intrusion_sets": [ { "id": "f7eca01f-e752-417b-9456-4ef4701660af", "name": "Trigona", "slug": "trigona" } ], "attack_patterns": [ { "id": "9f11a241-9abc-4c57-95dd-33955ab08826", "name": "T1078" }, { "id": "a72ebeae-8e62-4039-8135-e9c611011fdc", "name": "T1573" }, { "id": "dc95727c-35a5-48da-bf67-ddc7e618c00c", "name": "T1555.004" }, { "id": "b7ba0db0-7d4f-436f-8d5f-c431d690b048", "name": "T1555.003" }, { "id": "0ca071fb-4f52-4672-b64a-75deff57d874", "name": "T1048" }, { "id": "0da3020a-9d7a-4c48-816a-bbd47a861398", "name": "T1562.002" }, { "id": "bc870287-08a5-4827-ab21-28bbb31e2a25", "name": "T1021.005" }, { "id": "64cdebc9-0fb4-48f2-bf4f-b87f3741f664", "name": "T1068" }, { "id": "f1bb7823-4f4b-4565-b472-bf0cfca467b1", "name": "T1486" }, { "id": "97d377d8-89c7-48f8-a79f-0f48bd60df74", "name": "T1005" }, { "id": "0c836307-129e-4ff7-a532-180c633cacba", "name": "T1027" }, { "id": "a1de6d30-7fd6-4352-8f6c-d9904347f33f", "name": "T1039" }, { "id": "e6c0ca23-78ee-4b0e-96fa-e80efab3665d", "name": "T1003.001" }, { "id": "7364ca96-72bf-4b7f-afef-ce2583b1ed58", "name": "T1562.001" }, { "id": "dc342445-1b78-48b4-aa06-89ed2ad7c28e", "name": "T1071" }, { "id": "b15c00da-c412-4429-900c-659de612baf5", "name": "T1543.003" }, { "id": "0156fcda-e385-4662-b388-086c3e16feec", "name": "T1140" }, { "id": "a7262c61-4567-4a00-8cec-aae6264234a9", "name": "T1218" }, { "id": "195d9773-4de3-4f61-b94d-a2b53cb65608", "name": "T1021.001" }, { "id": "1eef7f88-3992-4add-899e-a7cc9fcdd5b3", "name": "T1569.002" } ], "malware": [ { "id": "09649613-0004-417a-8ee7-85a78de687fe", "name": "PowerRun", "slug": "powerrun" }, { "id": "6dae2443-7fd0-4be1-bf2c-c74987747bed", "name": "StpProcessMonitorByovd", "slug": "stpprocessmonitorbyovd" }, { "id": "b704d955-05fc-48bd-8397-691183565e65", "name": "Trigona", "slug": "trigona" }, { "id": "db2a705d-f284-44cf-8b44-9510b29cc805", "name": "Volgmer - S0180", "slug": "volgmer-s0180" }, { "id": "8c099708-aaaf-47c6-9ba9-1a585df6ba99", "name": "DumpGuard", "slug": "dumpguard" }, { "id": "ad76ac92-a39c-455e-9f4e-53780f23c79f", "name": "GoGra", "slug": "gogra" }, { "id": "fa0b0e9c-4965-45d3-a3aa-51dae618864a", "name": "PCHunter", "slug": "pchunter" }, { "id": "ac43880a-c270-4a43-a958-178bd959008a", "name": "WKTools", "slug": "wktools" }, { "id": "a56aa03c-99a6-44f7-886b-9d198c541fc2", "name": "YDark", "slug": "ydark" }, { "id": "9ead0e4a-a81e-4d81-b05d-cb75cab8d960", "name": "StartBat", "slug": "startbat" }, { "id": "cb345edd-79b2-403a-9599-9495187ab84f", "name": "MalExtractor", "slug": "malextractor" }, { "id": "7193649e-f5a2-4601-8529-3e35ea193839", "name": "AnyDesk", "slug": "anydesk" }, { "id": "16dccda4-9e78-4809-a647-63ac4e2b9bfb", "name": "uploader_client.exe", "slug": "uploader_clientexe" }, { "id": "cb0561f3-064b-4e93-88f1-e5d7a5f4d2ab", "name": "HRSword", "slug": "hrsword" }, { "id": "dce99d4d-6307-4cd3-9554-4caa32be8459", "name": "mimikatz", "slug": "mimikatz" }, { "id": "5005d0c8-2f25-466f-bf62-b67c6427f8be", "name": "ParsVbs", "slug": "parsvbs" } ], "observables": [ { "id": "", "name": "816d7616238958dfe0bb811a063eb3102efd82eff14408f5cab4cb5258bfd019" }, { "id": "", "name": "48f3d66492a494965e7039079158e2fee552aaab517d1a55352209c9eedcb765" }, { "id": "", "name": "b3774ba01a3096348fd76a7072407b9f07bb9589e0f5ba31ca576689bbbe94e4" }, { "id": "", "name": "a18555c1ca53d4826191a30889d82205a304932f997baec755c98ddad4326cb8" }, { "id": "", "name": "87bf4b152d9548f415f12f353f988b5442729e7f24e2902ddfd0baa4a944354a" }, { "id": "", "name": "c41216eee9756a1dcc546df4fe97defc05513eed64ce6ac05f1501b50e6f96cc" }, { "id": "", "name": "2b214bddaab130c274de6204af6dba5aeec7433da99aa950022fa306421a6d32" }, { "id": "", "name": "8a2f4907159a68867b22bc772590ebcafcfa656a23951228ecd89e4f598472b0" }, { "id": "", "name": "99c4775ed813f354c9e53f42797226d82b26f44d19e81036c9e55222d1744189" }, { "id": "", "name": "1588023393eb6b4d9433d539d303ecb56b6c3630e860f94d1a137834bdedf2bd" }, { "id": "", "name": "e8a3e804a96c716a3e9b69195db6ffb0d33e2433af871e4d4e1eab3097237173" }, { "id": "", "name": "6ce228240458563d73c1c3cbbd04ef15cb7c5badacc78ce331848f5431b406cc" }, { "id": "", "name": "f27eab3157451e31db71169e71f76d28325193218f9dc8f421136d4a20165feb" }, { "id": "", "name": "73cd405b5bfc99ec5cf33467d4be7fc7e39ae18337568ee10173c17ba6e8f0d7" }, { "id": "", "name": "0ce7badb26174b6129fb13d7e255e582f84d8aaedeabcd02c80d84a609144068" }, { "id": "", "name": "598555a7e053c7456ee8a06a892309386e69d473c73284de9bbc0ba73b17e70a" }, { "id": "", "name": "35f28a31a47b0bcd92722265473d66ffef6c4bd460c71c36b57df2ac0d02f671" }, { "id": "", "name": "6bac99f56e54d5195783513ae6954a4a8509d7bc397c94f405266b5df9cd96cb" }, { "id": "", "name": "7a313840d25adf94c7bf1d17393f5b991ba8baf50b8cacb7ce0420189c177e26" }, { "id": "", "name": "d833e8fc97b3c865ebfb96a48da9ec446148cb5ad7e66ca5c47cd693f7923888" }, { "id": "", "name": "c7d994eb2042633172bd8866c9f163be531444ce3126d5f340edd25cbdb473d4" }, { "id": "", "name": "1433aa8210b287b8d463d958fc9ceeb913644f550919cfb2c62370773799e5a5" }, { "id": "", "name": "49a7b3cf426d1f35a2138c0a6cec397688d223d7f2bcbbeed53b511a328a97be" }, { "id": "", "name": "207b11f7dc4f17e4e5a9c25dbfb6a785a7456d7c381ecea7c729d8d924be1fb9" }, { "id": "", "name": "c64964944b4c1f649ae8f694964b3a212dc1028341ab71836306a456fba0b3f4" }, { "id": "", "name": "771de264c5d7e1e5ac85f00c42e9fe3b439bcbd4f9aa11e4fd7bc0d87fa2344e" }, { "id": "", "name": "d4339a5b9d15211dbc85424cf7fa8ff825033ea3378506d8ecb19b016db5b4ff" }, { "id": "", "name": "396aa1f8f308010a3c76a53965d0eddd35e41176eacd1194745d9542239ca8dc" }, { "id": "", "name": "274ca13168b38590c230bddc2d606bbe8c26de8a6d79156a6c7d07265efe0fdf" }, { "id": "", "name": "df5a574254637d2880633b0582e956b23f66efc6781e825c65e1ccfaa6c58809" }, { "id": "", "name": "5be325905df8aab7089ab2348d89343f55a2f88dadd75de8f382e8fa026451bd" }, { "id": "", "name": "647b2f12486343fe065dc4abbb11e2338589eb099c72792b5a05e64a5e2937fc" }, { "id": "", "name": "eee885e5dae750848d0903d179cacd81149ceecec83c2ec4ad4545531de3cfdf" }, { "id": "", "name": "6c31dd44b29b5f87030caececc616cf366badeff5a7e4c9933aa5fa6445a0c7a" }, { "id": "", "name": "4adbb1906762c757764ffc5fa64af96e091966f4f5a43aae12fcc4f05f1c26b5" }, { "id": "", "name": "72fc3d03065922b9a03774bbd1873e5e7f3a5a2abf5dcf7bfb2e98aceed53a9d" }, { "id": "", "name": "0b679027e38f3d9ca554085be0e762c651e83e6414401b56635cdf3765ca1dac" }, { "id": "", "name": "6688fb3039ad6df606d76a897ef1072cdc78b928335c6bfa691d99498caf5c4b" }, { "id": "", "name": "b066ca2702853c2fcbf686897c18f6d315be7ae753007ac2c1d73c87b0a30de9" }, { "id": "", "name": "205818e10c13d2e51b4c0196ca30111276ca1107fc8e25a0992fe67879eab964" }, { "id": "", "name": "f5390674f0f49fe8af116396828c3de6729347ebc3c772d87618e55629aec06c" }, { "id": "", "name": "4a44d0c6cf5de515dd296f05ff6674d1a340fccf6b4c11612d27be2d3baa82b0" } ] }, "external_refs": [ { "id": "fabe3595-2ab9-443a-8414-8584d465c346", "standard_id": "external-reference--1a1d53d9-2e5b-5a80-a0de-62ac5facd975", "entity_type": "External-Reference", "source_name": "AlienVault", "description": null, "url": "https://otx.alienvault.com/pulse/69f4e8812c7240e62187fe72", "hash": null, "external_id": "69f4e8812c7240e62187fe72", "created": "2026-05-04T14:32:28.473Z", "modified": "2026-05-04T14:32:28.473Z", "createdById": null }, { "id": "c1a2344f-4e35-411a-a3f4-ffeeafbcd3be", "standard_id": "external-reference--74ee6f47-13af-5b45-8ce4-1aa5c2591718", "entity_type": "External-Reference", "source_name": "AlienVault", "description": null, "url": "https://www.security.com/threat-intelligence/trigona-exfiltration-custom", "hash": null, "external_id": null, "created": "2026-05-04T14:32:28.512Z", "modified": "2026-05-04T14:32:28.512Z", "createdById": null } ] }