Ransomware Hackers Use Custom Tool to Steal Sensitive

Emy Elsamnoudy
April 24, 2026 3 Min Read

Ransomware groups are evolving their tactics beyond reliance on common tools for data theft. Affiliates connected to the Trigona ransomware group have developed their own custom data exfiltration tool, a strategic shift offering enhanced precision, speed, and control during data breaches. This bespoke tool marks a calculated escalation in their operations, moving away from widely known utilities to a more tailored approach for stealing sensitive

The Trigona ransomware first surfaced in late 2022 and operates under a Ransomware-as-a-Service (RaaS) model, managed by a cybercrime group known as Rhantus.

For years, many ransomware groups depended on publicly available utilities such as Rclone or MegaSync to move stolen data. Those tools, while effective, have become widely recognized by security vendors, making them easier to detect.

The shift toward a purpose-built tool signals that the attackers are growing more technically capable and more deliberate in how they conduct their operations.

Symantec’s Threat Hunter Team identified the attacks in March 2026 and noted that this change in tactics represents a meaningful development in the Trigona group’s behavior.

The researchers observed that the attackers appear to be investing significant time and resources into developing proprietary malware, likely to maintain a lower profile during the most sensitive phase of their attack: stealing the data.

This kind of technical investment is relatively rare among ransomware affiliates, most of whom prefer the speed and convenience of off-the-shelf solutions.

The custom tool, named “uploader_client.exe,” is a command-line utility that connects to a hardcoded attacker-controlled server.

In one confirmed incident, the tool was used to target folders holding financial invoices and high-value PDF documents stored on networked drives.

This level of targeting shows that the group knows exactly what kind of data carries the most value and is building tools specifically around extracting it.

The broader impact of this development goes beyond a single ransomware campaign. It shows that some threat actors are willing to invest in research and development, treating cybercrime operations with the same structure and discipline as a legitimate software project.

Organizations across industries that handle sensitive financial records or confidential documents are at heightened risk as these tools grow more sophisticated and harder to detect.

Defense Evasion and Pre-Attack Setup

Before deploying the custom uploader, the attackers took deliberate steps to strip away the target’s defenses.

They installed HRSword, a kernel driver component of the Huorong Network Security Suite, and repurposed it as a tool to disable security software on the victim’s machine.

Alongside HRSword, several other tools were deployed, including PCHunter, Gmer, YDark, WKTools, DumpGuard, and StpProcessMonitor BYOVD.

Many of these tools exploit vulnerable kernel drivers to terminate endpoint protection processes, bypassing standard user-mode defenses by operating at the deepest level of the operating system.

Remote access to infected machines was established through AnyDesk, a legitimate remote desktop application.

To deepen their foothold, the attackers used Mimikatz and a collection of NirSoft password recovery utilities to harvest credentials stored in browsers and applications.

PowerRun was used to execute several of these tools with elevated system privileges, giving the attackers administrative-level access throughout the attack chain.

The uploader_client.exe tool itself is engineered for both speed and stealth. It defaults to five parallel connections per file to maximize transfer speed, rotates TCP connections after every 2,048 MB of data to avoid triggering network monitoring systems, and uses an `--exclude-ext` flag to skip low-priority media files like videos and audio, focusing only on high-value documents.

A shared authentication key also prevents unauthorized parties from accessing the stolen data once it reaches the attacker’s server.

Organizations are strongly advised to monitor for unauthorized use of remote access tools like AnyDesk in their environments.

Endpoint detection systems should be configured to flag kernel-level driver activity from tools such as PCHunter or Gmer.

Keeping endpoint protection software current is essential, and network traffic monitoring should be set to detect unusual high-volume or rapidly rotating outbound connections.
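A defender-side check for the traffic pattern described above, written as an added example (not code from the article or from Symantec): it runs over constructed flow records and flags a source host that holds five or more large parallel uploads to one destination, or replaces large connections back to back, which is how the parallel-connection default and the 2,048 MB rotation described above would appear in flow telemetry. The record format, the thresholds and the sample values are all assumptions.

```python
from collections import defaultdict
# Constructed sample flows (not real telemetry): "start end src dst bytes_out", epoch seconds;
# 10.0.0.12 shows the pattern described above, 10.0.0.33 is ordinary traffic.
SAMPLE_FLOWS = """\
1000 1250 10.0.0.12 203.0.113.7:443 2147483648
1001 1252 10.0.0.12 203.0.113.7:443 2147483648
1001 1251 10.0.0.12 203.0.113.7:443 2147483648
1002 1255 10.0.0.12 203.0.113.7:443 2147483648
1002 1254 10.0.0.12 203.0.113.7:443 2147483648
1251 1500 10.0.0.12 203.0.113.7:443 2147483648
1252 1502 10.0.0.12 203.0.113.7:443 2147483648
1000 1005 10.0.0.33 198.51.100.9:443 4096
"""
LARGE_FLOW_BYTES = 1024 ** 3  # a flow carrying >= 1 GiB; flows near the 2,048 MB rotation size clear it
MIN_PARALLEL = 5              # the tool's default number of parallel connections per file
MAX_IDLE_GAP = 5              # seconds: a large flow starting this soon after one ends counts as a rotation

def parse_flows(text):
    # One record per non-empty line; returns (start, end, src, dst, bytes_out) tuples.
    flows = []
    for line in text.splitlines():
        if line.strip():
            start, end, src, dst, nbytes = line.split()
            flows.append((int(start), int(end), src, dst, int(nbytes)))
    return flows

def max_concurrent(intervals):
    # Peak number of overlapping (start, end) intervals, via a sweep line over start/end events.
    events = sorted([(s, 1) for s, _ in intervals] + [(e, -1) for _, e in intervals])
    live = peak = 0
    for _, delta in events:
        live += delta
        peak = max(peak, live)
    return peak

def find_exfil_candidates(flows):
    # One alert per (src, dst) pair whose large outbound flows run in parallel or rotate back to back.
    by_pair = defaultdict(list)
    for start, end, src, dst, nbytes in flows:
        by_pair[(src, dst)].append((start, end, nbytes))
    alerts = []
    for (src, dst), conns in by_pair.items():
        large = [c for c in conns if c[2] >= LARGE_FLOW_BYTES]
        if len(large) < MIN_PARALLEL:  # fewer big flows than the tool opens for a single file
            continue
        peak = max_concurrent([(s, e) for s, e, _ in large])
        rotations = sum(1 for s, _, _ in large if any(0 <= s - e <= MAX_IDLE_GAP for _, e, _ in large))
        if peak >= MIN_PARALLEL or rotations:
            alerts.append({"src": src, "dst": dst, "peak_parallel": peak,
                           "rotations": rotations, "bytes_out": sum(b for _, _, b in large)})
    return alerts
```

Tune LARGE_FLOW_BYTES and MAX_IDLE_GAP to the baseline of the monitored segment; backup agents and cloud sync clients can produce similar shapes and should be allow-listed by destination.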

Reviewing and restricting access to sensitive document folders on networked drives can also reduce the risk of targeted exfiltration attempts.
