Trigona Affiliates Deploy Custom Exfiltration Tool to Streamline Data Theft

Pulse ID: 69f97a8dd96a037ffe45c661
Pulse Link: https://otx.alienvault.com/pulse/69f97a8dd96a037ffe45c661
Pulse Author: Tr1sa111
Created: 2026-05-05 05:05:17

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #DataTheft #InfoSec #OTX #OpenThreatExchange #RAT #Trigona #bot #Tr1sa111

LevelBlue - Open Threat Exchange

Learn about the latest cyber threats. Research, collaborate, and share threat intelligence in real time. Protect yourself and the community against today's emerging threats.

LevelBlue Open Threat Exchange

Trigona Affiliates Deploy Custom Exfiltration Tool to Streamline Data Theft

Trigona ransomware affiliates deployed a custom exfiltration tool called uploader_client.exe during attacks in March 2026, marking a tactical shift from relying on off-the-shelf utilities like Rclone. The tool features parallel streams with five default connections, connection rotation after 2,048 MB transfers to evade network monitoring, and granular filtering to exclude low-value files. Prior to exfiltration, attackers disabled security defenses using kernel-level tools including HRSword, PCHunter, Gmer, YDark, and WKTools with vulnerable drivers. Remote access was established via AnyDesk, while credentials were harvested using Mimikatz and Nirsoft utilities. The custom tooling demonstrates higher technical maturity compared to typical ransomware operations, providing enhanced stealth capabilities while requiring greater development resources. Targeted data included invoices and high-value PDF documents from networked drives.
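The two network-observable traits the pulse attributes to uploader_client.exe, five parallel streams by default and a fresh connection after every 2,048 MB, give a defender something concrete to look for in flow telemetry. The heuristic below is an added example written for this page, not code from the pulse or any vendor: it reads a constructed, simplified NetFlow-style CSV (column names, timestamps and byte counts are all invented) and flags internal hosts that hold several concurrent connections to one external destination while repeatedly closing connections at about the rotation size. The 5% tolerance window is an assumption; the threshold and stream count come from the pulse text.

```python
"""Flow-log heuristic for the exfiltration pattern described in the Trigona pulse.

Example code for this page (not from the report). Flags (src, dst) pairs whose
flows show (a) at least `min_rotations` connections of roughly the 2,048 MB
rotation size and (b) at least `min_parallel` connections open at once.
"""
from collections import defaultdict
from dataclasses import dataclass
import csv
import io

ROTATION_BYTES = 2048 * 1024 * 1024   # rotation threshold stated in the pulse
PARALLEL_STREAMS = 5                  # default connection count stated in the pulse
TOLERANCE = 0.05                      # assumption: +/-5% window around the threshold

# Constructed sample flows (not real telemetry). start/end are seconds relative
# to an arbitrary origin. 10.0.0.25 shows the pattern: five streams at a time,
# each replaced at ~2,048 MB, then a short tail. 10.0.0.31 is light web traffic
# and 10.0.0.40 is a single large single-connection transfer (e.g. a backup).
SAMPLE_FLOWS = """\
src,dst,dport,start,end,bytes_out
10.0.0.25,203.0.113.10,443,100,400,2147483648
10.0.0.25,203.0.113.10,443,100,400,2147483648
10.0.0.25,203.0.113.10,443,100,400,2147483648
10.0.0.25,203.0.113.10,443,100,400,2147483648
10.0.0.25,203.0.113.10,443,100,400,2147483648
10.0.0.25,203.0.113.10,443,400,700,2147483648
10.0.0.25,203.0.113.10,443,400,700,2147483648
10.0.0.25,203.0.113.10,443,400,700,2147483648
10.0.0.25,203.0.113.10,443,400,700,2147483648
10.0.0.25,203.0.113.10,443,400,700,2147483648
10.0.0.25,203.0.113.10,443,700,900,734003200
10.0.0.25,203.0.113.10,443,700,900,524288000
10.0.0.25,203.0.113.10,443,700,900,314572800
10.0.0.31,198.51.100.5,443,120,130,52428800
10.0.0.31,198.51.100.5,443,500,510,31457280
10.0.0.40,203.0.113.10,443,100,900,5368709120
"""


@dataclass
class Finding:
    src: str
    dst: str
    rotation_sized_flows: int
    max_concurrent: int
    total_mb: int


def parse_flows(text):
    """Parse the CSV into (src, dst, start, end, bytes_out) tuples."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append((r["src"], r["dst"], int(r["start"]), int(r["end"]), int(r["bytes_out"])))
    return rows


def is_rotation_sized(bytes_out):
    """True if a flow ended within TOLERANCE of the rotation threshold."""
    return abs(bytes_out - ROTATION_BYTES) <= ROTATION_BYTES * TOLERANCE


def max_concurrency(intervals):
    """Peak number of overlapping (start, end) intervals via a sweep line."""
    events = []
    for start, end in intervals:
        events.append((start, 1))
        events.append((end, -1))
    # (t, -1) sorts before (t, +1): a connection replaced back-to-back is not
    # counted as concurrent with its successor.
    events.sort()
    current = peak = 0
    for _, delta in events:
        current += delta
        peak = max(peak, current)
    return peak


def find_exfil_candidates(flows, min_rotations=2, min_parallel=PARALLEL_STREAMS):
    """Group flows by (src, dst) and apply the rotation + parallelism heuristic."""
    groups = defaultdict(list)
    for src, dst, start, end, bytes_out in flows:
        groups[(src, dst)].append((start, end, bytes_out))
    findings = []
    for (src, dst), fl in groups.items():
        rotations = sum(1 for _, _, b in fl if is_rotation_sized(b))
        concurrent = max_concurrency([(s, e) for s, e, _ in fl])
        if rotations >= min_rotations and concurrent >= min_parallel:
            total_mb = sum(b for _, _, b in fl) // (1024 * 1024)
            findings.append(Finding(src, dst, rotations, concurrent, total_mb))
    return findings


if __name__ == "__main__":
    for f in find_exfil_candidates(parse_flows(SAMPLE_FLOWS)):
        print(f"{f.src} -> {f.dst}: {f.rotation_sized_flows} rotation-sized flows, "
              f"peak {f.max_concurrent} concurrent, {f.total_mb} MB total")
```

The single-connection 5 GB transfer from 10.0.0.40 is deliberately not flagged: volume alone is a weak signal, and the point of keying on the rotation size plus the parallel-stream count is to separate this tool's fingerprint from ordinary large transfers. If an affiliate changes the defaults, the two thresholds are the parameters to retune.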

Pulse ID: 69f4e8812c7240e62187fe72
Pulse Link: https://otx.alienvault.com/pulse/69f4e8812c7240e62187fe72
Pulse Author: AlienVault
Created: 2026-05-01 17:53:05


#AnyDesk #CyberSecurity #DataTheft #ELF #InfoSec #OTX #OpenThreatExchange #PDF #RAT #RCE #RansomWare #Rclone #Trigona #Word #bot #AlienVault


📰 Trigona Ransomware Evolves, Using Custom Exfiltration Tool for Stealthier Data Theft

Trigona ransomware affiliates are upping their game, using a custom data exfiltration tool 'uploader_client.exe' for faster, stealthier attacks. The tool uses connection rotation and file filtering to evade detection. ⚠️ #Ransomware #Trigona #ThreatIntel

🔗 https://cyber.netsecops.io

Trigona Affiliates Deploy Custom Exfiltration Tool to Streamline Data Theft

Pulse ID: 69eeecb940f0fd3a950e8d4d
Pulse Link: https://otx.alienvault.com/pulse/69eeecb940f0fd3a950e8d4d
Pulse Author: Tr1sa111
Created: 2026-04-27 04:57:29


#CyberSecurity #DataTheft #InfoSec #OTX #OpenThreatExchange #RAT #Trigona #bot #Tr1sa111

Trigona ransomware attacks use custom exfiltration tool to steal data

Recently observed Trigona ransomware attacks are using a custom, command-line tool to steal data from compromised environments faster and more efficiently.

BleepingComputer

Trigona Affiliates Deploy Custom Exfiltration Tool to Streamline Data Theft

Trigona ransomware affiliates have adopted a custom-developed exfiltration tool called uploader_client.exe in attacks observed during March 2026, marking a significant tactical evolution. This command-line utility features parallel data streams, connection rotation to evade network monitoring, and granular file filtering capabilities. The shift from commonly used off-the-shelf tools like Rclone to proprietary malware suggests attackers are attempting to maintain a lower profile during critical attack phases. Prior to data exfiltration, attackers deploy multiple security-disabling tools including HRSword, PCHunter, and various BYOVD utilities to terminate endpoint protection at the kernel level. Remote access is established through AnyDesk, while credential theft is conducted using Mimikatz and Nirsoft utilities. This custom tooling approach demonstrates a higher degree of technical maturity compared to typical ransomware affiliate operations.

Pulse ID: 69ea2ebf9d87464f7c54c08e
Pulse Link: https://otx.alienvault.com/pulse/69ea2ebf9d87464f7c54c08e
Pulse Author: AlienVault
Created: 2026-04-23 14:37:51


#AnyDesk #CyberSecurity #DataTheft #ELF #Endpoint #InfoSec #Malware #OTX #OpenThreatExchange #RAT #RansomWare #Rclone #Trigona #Word #bot #AlienVault


The Trigona ransomware group has started using a custom tool for data exfiltration. This new command-line utility makes their attacks faster and more efficient.

#Trigona #Ransomware #CyberSecurity

https://verisizintisi.com/en/blog/2026-04-23-trigona-ransomware-uses-custom-exfiltration-tool

Trigona Ransomware Now Uses a Custom Data Exfiltration Tool – Veri Sızıntısı

The Trigona ransomware group is using a custom command-line tool in its attacks to steal data faster from victims. Learn about this new method and how to protect against it.

Veri Sızıntısı

The slides I presented last Saturday at Barbhack are available here: https://www.fortiguard.com/events/6189/barb-hack-2025-decompile-linux-malware-with-r2ai

I've already presented on r2ai. What's new here is (1) the analysis of a complex ransomware such as Linux/Trigona, and (2) learning how to tweak context size, output token limits, etc. to get the best out of your LLM.

Enjoy!

NB. One of the demos is available here: https://asciinema.org/a/pBPEaJhp6cunWSKFpBUDTgPt4

#barbhack25 #Linux #malware #AI #trigona

Publications | FortiGuard Labs

This talk presents two different Linux malware samples:
- a shellcode, named Linux/Shellcode_ConnectBack.H!tr. The binary is small and compact, but traditional disassemblers like Ghidra fail to produce understandable decompiled code. With AI assistance in Radare 2, we manage to get far better code. There are a few things to fix in the code, though.
- a ransomware, named Linux/Trigona. This binary is bigger and more complex. We analyze it with AI, but there are several technical issues due to its size, because the AI context is too big. We show how to work around the issue by configuring r2ai, choosing an adequate model, and using different prompts and approaches.

FortiGuard Labs

I'm very happy to speak at Barb'hack on Saturday.
barbhack.fr/2025/fr/conf...

There will be 2 demos.
One live.
One recorded - simply because I don't have the guts to do it live ;P

We reverse engineer Linux/Trigona and Linux/Shellcode with radare2 + AI + HI

HI stands for Human Intelligence ;P

#malware #trigona #ai #radare2 #r2ai #barbhack