Trigona ransomware now uses a custom command-line tool to exfiltrate data faster and evade detection, replacing the commodity tools Rclone and MegaSync, according to Symantec. The shift, observed in incidents in March 2026, gives the attackers more control over the transfer and sidesteps the detections that security products already carry for those well-known tools; researchers note a growing investment in proprietary malware to stay stealthy.
The attackers rely on a tool named uploader_client.exe to speed up data transfer. It keeps multiple parallel connections open and rotates to a fresh connection after a set volume of data (2,048 MB by default) so that no single long-lived upload stands out in network monitoring. It can filter out large, low-value files and target sensitive data such as invoices and high-value PDFs on network drives, and it requires an authentication key, so only the operators can use the upload endpoint.
Before deploying the ransomware, the operators disable endpoint protection with utilities such as HRSword, PCHunter and GMER, often loading vulnerable kernel drivers to do so (the bring-your-own-vulnerable-driver technique); they also access systems remotely via AnyDesk and harvest credentials with Mimikatz and NirSoft utilities. Trigona, active since late 2022, operates as ransomware-as-a-service and has been linked to the Rhantus group.