Trigona ransomware is back, and it has upgraded its playbook. New attacks observed in March 2026 show the group using a purpose-built data theft tool — one designed specifically to fly under the radar of modern security software. The shift marks one of the more technically significant developments in the ransomware landscape this year, and it raises a serious question: if attackers are now building custom tools to avoid detection, how well are organisations actually protected?
What Is Trigona Ransomware?
Trigona ransomware first appeared in late 2022. It operates under a Ransomware-as-a-Service (RaaS) model, meaning the core developers rent access to their malware to a network of affiliates who carry out the actual attacks. Each successful attack generates a cut for both the affiliate and the group behind it — a business model that has fuelled the explosive growth of ransomware over the past several years.
Trigona runs a double-extortion strategy. Attackers steal sensitive data before encrypting it, then demand a ransom. If the victim refuses to pay, the threat of publishing the stolen data adds another layer of pressure. The group demands payment in Monero, a privacy-focused cryptocurrency that is far harder to trace than Bitcoin.
In October 2023, the Ukrainian Cyber Alliance disrupted Trigona’s operations in a notable counterstrike. The hacktivist group breached Trigona’s own servers and made off with internal data, including source code and database records. The operation temporarily knocked the group offline. But the March 2026 attacks confirm that Trigona has resumed operations, and it has come back with sharper tools.
The Problem With Off-the-Shelf Exfiltration Tools
Most ransomware affiliates rely on publicly available tools to move stolen data out of compromised networks. Rclone and MegaSync are two of the most common. Both are legitimate cloud sync utilities that attackers have long repurposed for data theft. They are fast, reliable, and easy to use without specialist skills.
The problem, from an attacker’s perspective, is visibility. Security vendors have catalogued these tools so thoroughly that many endpoint protection products now flag them automatically when they appear in unusual contexts. For ransomware groups that depend on staying quiet during the exfiltration phase, this is a real liability. Get caught moving data and the entire attack can unravel before the ransomware even deploys.
That pressure appears to have pushed Trigona affiliates toward a different approach.
Trigona Ransomware’s Custom Exfiltration Tool
Symantec’s Threat Hunter Team identified the new tool during its analysis of the March 2026 attacks. The utility is named uploader_client.exe and operates from the command line. It connects to a hardcoded, attacker-controlled server and was assessed as purpose-built rather than a modified version of any existing public software.
The tool is built for speed and stealth. It opens five parallel connections per file, which saturates available bandwidth and gets data out fast. Because it is not a known utility, it does not carry the signatures that security products look for when scanning for common exfiltration software.
In one confirmed attack, the tool targeted folders on network drives containing invoices and PDF documents — exactly the kind of high-value, sensitive material that gives attackers leverage in ransom negotiations.
The creation of proprietary malware like this is relatively rare among ransomware affiliates. Most prefer to use what is already available, which keeps their barrier to entry low. Building a custom tool requires development time, technical skill, and ongoing maintenance. The fact that Trigona affiliates invested in this capacity points to a group that is growing more capable and more deliberate.
How the Full Attack Unfolds
The custom exfiltration tool does not operate in isolation. Symantec’s analysis of recent Trigona ransomware attacks reveals a structured, multi-stage attack chain designed to disable defences before data ever leaves the network.
Disabling Security Tools
The attackers begin by installing HRSword, a component of the Huorong Network Security Suite, as a kernel driver service. This gives them deep, low-level access to the system. They then deploy a suite of additional tools — PCHunter, Gmer, YDark, WKTools, DumpGuard, and StpProcess — each capable of terminating endpoint protection processes.
Many of these tools exploit vulnerable kernel drivers to shut down security software at a level where standard user-mode protections cannot intervene. AnyDesk, a legitimate remote desktop application, provides persistent remote access throughout the operation.
Elevating Privileges
With security tools neutralised, the attackers use PowerRun to execute further payloads with elevated privileges. PowerRun can launch applications and scripts in ways that bypass the access restrictions most systems apply to untrusted processes. This lets the attackers operate with near-administrative freedom across the compromised environment.
Stealing and Encrypting Data
Once the network is open, uploader_client.exe moves the target data to attacker-controlled infrastructure. After exfiltration, the ransomware deploys and encrypts what remains. Victims are then presented with a ransom demand, backed by the threat of leaked data if they do not pay.
What This Means for Defenders
The shift to custom tooling changes the detection calculus for security teams. Behaviour-based detection — flagging suspicious activity patterns rather than known file signatures — becomes significantly more important when the attacker brings a tool that has never been seen before.
A few practical implications stand out. Monitoring for unusual outbound data transfers, especially high-volume or parallel-stream connections to unfamiliar external servers, can help catch exfiltration even when the tool itself is unknown. Restricting the use of kernel driver installations to authorised personnel limits the kind of deep-level access HRSword provides. Logging and alerting on the execution of remote access tools like AnyDesk outside normal operational windows adds another detection layer.
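As an added illustration of the first of those implications (example code written for this page, not from the article or from Symantec's analysis), the Python below applies the "many parallel streams to an unfamiliar external host, with a large outbound volume" heuristic to constructed flow records; the record format, the internal ranges, the allowlist and the thresholds are all assumptions to be replaced with your own telemetry and baselines.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed flow records: (start_time, src_host, dst_ip, dst_port, bytes_out).
# Invented values for this example; they are not indicators from any report.
SAMPLE_FLOWS = [
    ("2026-03-12T02:14:03", "FILESRV01", "203.0.113.45", 443, 48_000_000),
    ("2026-03-12T02:14:03", "FILESRV01", "203.0.113.45", 443, 47_500_000),
    ("2026-03-12T02:14:04", "FILESRV01", "203.0.113.45", 443, 48_200_000),
    ("2026-03-12T02:14:04", "FILESRV01", "203.0.113.45", 443, 47_900_000),
    ("2026-03-12T02:14:05", "FILESRV01", "203.0.113.45", 443, 48_100_000),
    ("2026-03-12T02:14:06", "FILESRV01", "10.20.30.5", 445, 900_000_000),  # internal copy
    ("2026-03-12T02:14:10", "WS-0042", "198.51.100.7", 443, 120_000),       # sanctioned SaaS
    ("2026-03-12T02:15:00", "WS-0042", "198.51.100.7", 443, 80_000),
]

# Assumed private ranges and an assumed allowlist of sanctioned external destinations.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
KNOWN_EXTERNAL = {"198.51.100.7"}

WINDOW = timedelta(seconds=60)  # streams must start within this window to count as parallel
MIN_STREAMS = 5                 # the article's uploader opens five connections per file
MIN_BYTES = 100_000_000         # assumed: 100 MB out within the window is abnormal here


def is_external(ip: str) -> bool:
    """True when the address is outside the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL)


def detect_parallel_exfil(flows, window=WINDOW, min_streams=MIN_STREAMS, min_bytes=MIN_BYTES):
    """Alert on (src, dst) pairs with >= min_streams connections to an unfamiliar external
    host starting inside one window and >= min_bytes sent out across those streams."""
    groups = defaultdict(list)
    for ts, src, dst, _port, out in flows:
        if is_external(dst) and dst not in KNOWN_EXTERNAL:
            groups[(src, dst)].append((datetime.fromisoformat(ts), out))
    alerts = []
    for (src, dst), recs in groups.items():
        recs.sort()  # sliding window over connection start times
        for i, (start, _) in enumerate(recs):
            in_win = [r for r in recs[i:] if r[0] - start <= window]
            total = sum(b for _, b in in_win)
            if len(in_win) >= min_streams and total >= min_bytes:
                alerts.append({"src": src, "dst": dst, "streams": len(in_win), "bytes_out": total})
                break  # one alert per pair is enough
    return alerts


if __name__ == "__main__":
    for a in detect_parallel_exfil(SAMPLE_FLOWS):
        print(f"ALERT possible exfiltration: {a['src']} -> {a['dst']} "
              f"({a['streams']} parallel streams, {a['bytes_out']:,} bytes out)")
```

Note that the large internal SMB copy and the small transfers to the allowlisted host are deliberately not flagged; the allowlist is the part that needs the most care, since attackers also abuse sanctioned cloud storage.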
Symantec has published indicators of compromise (IoCs) associated with the latest Trigona activity. Security teams should incorporate these into their detection rules promptly.
Final Thoughts
Trigona ransomware has not just returned — it has returned with a more refined and harder-to-detect approach. The development of a custom exfiltration tool signals a level of technical investment that separates this group from the average ransomware affiliate. When attackers build their own tools to avoid your defences, relying on signature-based detection alone is not enough.
The March 2026 attacks are a reminder that ransomware groups adapt, rebuild, and come back with lessons learned. Staying ahead of them requires the same commitment to continuous improvement that the attackers themselves are clearly making.