Ransomware Hackers Create Custom Tool to Steal Sensitive Data
Key Takeaways
- Affiliates of the Trigona ransomware group are now employing a custom-built tool for data exfiltration, moving away from common, easily detectable utilities.
- This new tool, dubbed “uploader_client.exe,” is designed for speed, stealth, and targeted extraction of high-value data such as financial invoices and PDF documents.
- The attackers implement sophisticated pre-attack steps, including disabling security software using repurposed kernel drivers and harvesting credentials, to ensure successful data theft.
- This development signals a significant increase in the technical sophistication and resource investment by some ransomware groups, posing a heightened risk to organizations.
Ransomware operations are undergoing a notable evolution, with affiliates of the Trigona group now deploying a bespoke data exfiltration tool. This strategic shift moves beyond reliance on widely available utilities, indicating a calculated escalation in their capabilities for precision, speed, and control during data breaches.
The Trigona ransomware, which first emerged in late 2022, operates under a Ransomware-as-a-Service (RaaS) model and is managed by the cybercrime syndicate known as Rhantus.
From Off-the-Shelf to Custom-Built
For years, many ransomware groups leveraged public tools like Rclone or MegaSync to transfer stolen data. While effective, these utilities have become widely recognized by security vendors, making their detection by defensive systems more straightforward.
The adoption of a purpose-built exfiltration tool underscores a growing technical proficiency and a more deliberate approach by these attackers. This investment in proprietary malware suggests a strategic effort to maintain a lower profile during the critical data theft phase of their campaigns.
Symantec’s Threat Hunter Team identified these advanced tactics in March 2026, highlighting this change as a significant development in the Trigona group’s operational behavior. Such a commitment to developing custom tools is relatively uncommon among ransomware affiliates, who typically opt for the efficiency of readily available solutions.
The “uploader_client.exe” Tool
The custom tool, identified as “uploader_client.exe,” functions as a command-line utility designed to connect to an attacker-controlled server. In a documented incident, this tool specifically targeted folders containing financial invoices and high-value PDF documents located on networked drives. This precise targeting demonstrates the group’s understanding of which data holds the most value and their ability to craft tools specifically for its extraction.
This development extends beyond a single ransomware campaign, reflecting a broader trend where some threat actors are investing in research and development, structuring their cybercrime operations with the same rigor as legitimate software projects. Organizations across sectors that manage sensitive financial records or confidential documents face increased risk as these sophisticated, harder-to-detect tools become more prevalent.
Defense Evasion and Pre-Attack Setup
Before initiating data exfiltration with their custom tool, the attackers meticulously dismantled the target’s existing security measures. They installed HRSword, a kernel driver component of the Huorong Network Security Suite, and repurposed it to disable security software on the victim’s machine.
In conjunction with HRSword, several other tools were deployed, including PCHunter, Gmer, YDark, WKTools, DumpGuard, and StpProcessMonitor BYOVD. Many of these leverage vulnerable kernel drivers to terminate endpoint protection processes, effectively bypassing standard user-mode defenses by operating at the deepest levels of the operating system.
Remote access to compromised machines was established via AnyDesk, a legitimate remote desktop application. To further entrench their presence, the attackers utilized Mimikatz and various Nirsoft password recovery utilities to harvest credentials from browsers and applications. PowerRun was employed to execute these tools with elevated system privileges, granting administrative access throughout the attack chain.
The “uploader_client.exe” tool itself is engineered for both efficiency and covert operation. It defaults to five parallel connections per file to maximize transfer speed, rotates TCP connections after every 2,048 MB of data to evade network monitoring, and employs an “--exclude-ext” flag to bypass low-priority media files, focusing exclusively on high-value documents. A shared authentication key also secures the stolen data once it reaches the attacker’s server, preventing unauthorized access.
What You Should Do
- Monitor Remote Access Tools: Implement stringent monitoring for unauthorized use of remote access applications like AnyDesk within your environment.
- Enhance Endpoint Detection: Configure endpoint detection systems to flag kernel-level driver activity associated with tools such as PCHunter or Gmer.
- Maintain Current Endpoint Protection: Ensure all endpoint protection software is consistently updated to its latest versions.
- Detect Unusual Network Traffic: Establish network traffic monitoring to identify unusual high-volume or rapidly rotating outbound connections.
- Restrict Access to Sensitive Data: Regularly review and restrict access to sensitive document folders on networked drives to minimize the risk of targeted exfiltration.
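One way to act on the network-traffic recommendation above, as an added illustration rather than code from the article or from Symantec: a small Python heuristic run over connection-level flow records that flags an internal host opening many outbound connections to one external endpoint in a short span, each carrying roughly the same volume, which is the footprint a fixed-size rotation such as the 2,048 MB cut-over described above leaves in flow logs. The `Flow` record layout, the thresholds, and the sample flows are all assumptions constructed for this example.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class Flow:
    ts: int         # connection start, epoch seconds (assumed flow-log field)
    src: str        # internal host
    dst: str        # external destination
    dport: int
    bytes_out: int  # bytes sent from src to dst over this connection

def find_rotating_uploads(flows, min_conns=5, min_total=1 << 30, window=3600):
    """Flag (src, dst, dport) triples that open at least `min_conns` outbound
    connections inside any `window`-second span and push at least `min_total`
    bytes through them. `uniform` is set when nearly every connection carried
    about the same volume, the pattern a fixed-size rotation leaves behind;
    the final (tail) connection is allowed to be shorter."""
    groups = defaultdict(list)
    for f in flows:
        groups[(f.src, f.dst, f.dport)].append(f)
    alerts = []
    for (src, dst, dport), fl in groups.items():
        fl.sort(key=lambda f: f.ts)
        best, start = [], 0
        for end in range(len(fl)):            # sliding window over start times
            while fl[end].ts - fl[start].ts > window:
                start += 1
            if end - start + 1 > len(best):
                best = fl[start:end + 1]      # densest cluster for this triple
        sizes = [f.bytes_out for f in best]
        total = sum(sizes)
        if len(best) < min_conns or total < min_total:
            continue
        near_max = sum(1 for s in sizes if s >= 0.95 * max(sizes))
        alerts.append({"src": src, "dst": dst, "dport": dport,
                       "connections": len(best), "bytes_out": total,
                       "uniform": near_max >= len(sizes) - 1})
    return alerts

# Constructed sample: one host pushing seven 2,048 MB chunks plus a shorter tail
# to a single external host within 14 minutes, beside ordinary small HTTPS traffic.
MB = 1024 * 1024
SAMPLE_FLOWS = (
    [Flow(1_700_000_000 + 120 * i, "10.0.0.15", "203.0.113.7", 443, 2048 * MB) for i in range(7)]
    + [Flow(1_700_000_000 + 120 * 7, "10.0.0.15", "203.0.113.7", 443, 1500 * MB)]
    + [Flow(1_700_000_000 + 10 * i, "10.0.0.30", "198.51.100.9", 443, 50_000) for i in range(20)]
)

if __name__ == "__main__":
    for alert in find_rotating_uploads(SAMPLE_FLOWS):
        print(alert)
```

Tune `min_total` and `window` to the baseline of your own egress; the `uniform` flag is the discriminator between a backup job and a chunked upload, so treat an alert with it set as higher priority.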
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.