Ransomware Hackers Create Custom Tool to Steal Sensitive Data


Emy Elsamnoudy
April 24, 2026 3 Min Read

Key Takeaways

  • Affiliates of the Trigona ransomware group are now employing a custom-built tool for data exfiltration, moving away from common, easily detectable utilities.
  • This new tool, dubbed “uploader_client.exe,” is designed for speed, stealth, and targeted extraction of high-value data such as financial invoices and PDF documents.
  • The attackers implement sophisticated pre-attack steps, including disabling security software using repurposed kernel drivers and harvesting credentials, to ensure successful data theft.
  • This development signals a significant increase in the technical sophistication and resource investment by some ransomware groups, posing a heightened risk to organizations.

Ransomware operations are undergoing a notable evolution, with affiliates of the Trigona group now deploying a bespoke data exfiltration tool. This strategic shift moves beyond reliance on widely available utilities, indicating a calculated escalation in their capabilities for precision, speed, and control during data breaches.

Table Of Content

  • Key Takeaways
  • From Off-the-Shelf to Custom-Built
  • The “uploader_client.exe” Tool
  • Defense Evasion and Pre-Attack Setup
  • What You Should Do

The Trigona ransomware, which first emerged in late 2022, operates under a Ransomware-as-a-Service (RaaS) model and is managed by the cybercrime syndicate known as Rhantus.

From Off-the-Shelf to Custom-Built

For years, many ransomware groups leveraged public tools like Rclone or MegaSync to transfer stolen data. While effective, these utilities have become widely recognized by security vendors, making their detection by defensive systems more straightforward.

The adoption of a purpose-built exfiltration tool underscores a growing technical proficiency and a more deliberate approach by these attackers. This investment in proprietary malware suggests a strategic effort to maintain a lower profile during the critical data theft phase of their campaigns.

Symantec’s Threat Hunter Team identified these advanced tactics in March 2026, highlighting this change as a significant development in the Trigona group’s operational behavior. Such a commitment to developing custom tools is relatively uncommon among ransomware affiliates, who typically opt for the efficiency of readily available solutions.

The “uploader_client.exe” Tool

The custom tool, identified as “uploader_client.exe,” functions as a command-line utility designed to connect to an attacker-controlled server. In a documented incident, this tool specifically targeted folders containing financial invoices and high-value PDF documents located on networked drives. This precise targeting demonstrates the group’s understanding of which data holds the most value and their ability to craft tools specifically for its extraction.

This development extends beyond a single ransomware campaign, reflecting a broader trend where some threat actors are investing in research and development, structuring their cybercrime operations with the same rigor as legitimate software projects. Organizations across sectors that manage sensitive financial records or confidential documents face increased risk as these sophisticated, harder-to-detect tools become more prevalent.

Defense Evasion and Pre-Attack Setup

Before initiating data exfiltration with their custom tool, the attackers meticulously dismantled the target’s existing security measures. They installed HRSword, a kernel driver component of the Huorong Network Security Suite, and repurposed it to disable security software on the victim’s machine.

In conjunction with HRSword, several other tools were deployed, including PCHunter, Gmer, YDark, WKTools, DumpGuard, and StpProcessMonitor BYOVD. Many of these leverage vulnerable kernel drivers to terminate endpoint protection processes, effectively bypassing standard user-mode defenses by operating at the deepest levels of the operating system.

Remote access to compromised machines was established via AnyDesk, a legitimate remote desktop application. To further entrench their presence, the attackers utilized Mimikatz and various Nirsoft password recovery utilities to harvest credentials from browsers and applications. PowerRun was employed to execute these tools with elevated system privileges, granting administrative access throughout the attack chain.

The “uploader_client.exe” tool itself is engineered for both efficiency and covert operation. It defaults to five parallel connections per file to maximize transfer speed, rotates TCP connections after every 2,048 MB of data to evade network monitoring, and employs an “--exclude-ext” flag to bypass low-priority media files, focusing exclusively on high-value documents. A shared authentication key also secures the stolen data once it reaches the attacker’s server, preventing unauthorized access.

What You Should Do

  • Monitor Remote Access Tools: Implement stringent monitoring for unauthorized use of remote access applications like AnyDesk within your environment.
  • Enhance Endpoint Detection: Configure endpoint detection systems to flag kernel-level driver activity associated with tools such as PCHunter or Gmer.
  • Maintain Current Endpoint Protection: Ensure all endpoint protection software is consistently updated to its latest versions.
  • Detect Unusual Network Traffic: Establish network traffic monitoring to identify unusual high-volume or rapidly rotating outbound connections.
  • Restrict Access to Sensitive Data: Regularly review and restrict access to sensitive document folders on networked drives to minimize the risk of targeted exfiltration.
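The two network traits the article attributes to the tool (five parallel uploads per file and a connection rotation every 2,048 MB) are a concrete basis for the outbound-traffic monitoring recommended above. The following Python is an added illustration, not code from the article or from Symantec; the flow-record format and the sample records are constructed, and the thresholds are taken from the article's description.

```python
"""Flag outbound flows that look like bulk exfiltration: many overlapping
connections from one host to one external peer, plus connections that each
end at (nearly) the same fixed byte boundary, i.e. rotation at a set size.
Example code added here; the flow records below are constructed samples."""
from collections import defaultdict

MB = 1024 * 1024
ROTATE_BYTES = 2048 * MB   # rotation size reported in the article
PARALLEL_MIN = 5           # parallel connections per file, per the article
TOLERANCE = 0.02           # +/-2% around the rotation boundary

# Constructed flow records: (start_sec, end_sec, src, dst, bytes_out).
# 10.0.0.5 runs five overlapping uploads to one peer, each ending at
# roughly 2,048 MB; 10.0.0.7 is ordinary, small, sequential traffic.
FLOWS = [
    (0, 600, "10.0.0.5", "203.0.113.9", 2047 * MB),
    (1, 605, "10.0.0.5", "203.0.113.9", 2048 * MB),
    (2, 610, "10.0.0.5", "203.0.113.9", 2046 * MB),
    (3, 615, "10.0.0.5", "203.0.113.9", 2048 * MB),
    (4, 620, "10.0.0.5", "203.0.113.9", 2048 * MB),
    (10, 20, "10.0.0.7", "198.51.100.4", 300_000),
    (30, 45, "10.0.0.7", "198.51.100.4", 120_000),
]

def near_rotation_boundary(nbytes):
    """True when a flow's byte count sits within TOLERANCE of ROTATE_BYTES."""
    return abs(nbytes - ROTATE_BYTES) <= ROTATE_BYTES * TOLERANCE

def max_concurrency(flows):
    """Largest number of flows open at the same instant (sweep line).
    A close (-1) sorts before an open (+1) at equal timestamps."""
    events = sorted([(f[0], 1) for f in flows] + [(f[1], -1) for f in flows])
    cur = peak = 0
    for _, delta in events:
        cur += delta
        peak = max(peak, cur)
    return peak

def find_suspects(flows):
    """Return {(src, dst): [reasons]} for peer pairs that match either trait."""
    by_pair = defaultdict(list)
    for f in flows:
        by_pair[(f[2], f[3])].append(f)
    suspects = {}
    for pair, pair_flows in by_pair.items():
        reasons = []
        if max_concurrency(pair_flows) >= PARALLEL_MIN:
            reasons.append("parallel_uploads")
        # one large transfer is normal; repeated same-size cuts are not
        if sum(near_rotation_boundary(f[4]) for f in pair_flows) >= 2:
            reasons.append("fixed_size_rotation")
        if reasons:
            suspects[pair] = reasons
    return suspects
```

Either trait alone is a weak signal; in practice the rotation check pays off when paired with a per-host outbound byte budget, and the concurrency check should be scoped to external destinations only.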
