databreaches.net 4/23/2026, 5:21:23 PM

Trigona affiliates roll out custom data exfiltration tool

Threat actor: Rhantus

DataBreaches[.]net reports that Trigona affiliates have deployed a custom exfiltration tool to streamline data theft, a shift from off-the-shelf utilities to a tool that offers granular control over the theft process. According to the threat-hunting team at Symantec and Carbon Black, the attacks occurred in March 2026; the motivation for moving away from publicly available tools is described as unknown.

Trigona, which first appeared in late 2022, is operated as a Ransomware-as-a-Service by a cybercrime group that Symantec calls Rhantus. DataBreaches cannot find any group called “Rhantus” on ransomlook[.]io or ransomware[.]live, and notes that there is no publicly known leak site under that name. The article also notes that data exfiltration has historically relied on tools like Rclone or MegaSync, whereas the new custom tool is designed to give attackers more control during the data theft process. Read more about the custom malware at security[.]com.


Article by CyberSIXT
