Trigona Ransomware Attacks Use Custom Exfiltration Tool to Steal Data

What happened

Symantec researchers have documented a resurgence of Trigona ransomware activity. Attacks observed in March 2026 deployed a custom data exfiltration tool built to move stolen data faster and to avoid the detections that security products now apply to commonly abused off-the-shelf transfer tools such as Rclone and MegaSync.

The utility, named uploader_client.exe, connects to a hardcoded server address and is built for speed and evasion: it opens five simultaneous connections per file for parallel uploads, closes and reopens its TCP connection after every 2GB transferred so that no single session accumulates the volume network monitoring keys on, lets the operator select file types to exfiltrate so that large, low-value media files are skipped, and requires an authentication key so that only the operators can retrieve what it uploaded. In at least one confirmed incident the tool was used to steal invoices and PDFs from network drives.

The broader attack chain begins with the installation of Huorong Network Security Suite's HRSword as a kernel driver service, followed by a set of tools used to disable endpoint protection products, including PCHunter, Gmer, YDark, WKTools, DumpGuard, and StpProcessMonitorByovd. Many of these load vulnerable but validly signed kernel drivers (the bring-your-own-vulnerable-driver, or BYOVD, technique) and use them to terminate security processes from kernel mode, out of reach of user-mode tamper protection. PowerRun launches executables with elevated privileges to bypass user-mode protections. AnyDesk provides remote access, while Mimikatz and Nirsoft utilities handle credential theft and password recovery.

Trigona launched as a double-extortion operation in October 2022 and was disrupted in October 2023, when Ukrainian cyber activists hacked its servers and stole source code and internal data. The current activity suggests the group has resumed operations. Symantec attributes the recent attacks to a gang affiliate and has published indicators of compromise.

Who is affected

Organizations with network-accessible file shares holding high-value documents, such as financial records and PDFs, match the one confirmed incident, in which invoices and PDFs were taken from network drives. Because the chain disables endpoint protection by exploiting vulnerable kernel drivers, organizations that rely primarily on endpoint security as their detection layer face elevated exposure: the controls they depend on are the first thing the intruders switch off.

Why CISOs should care

The shift to a custom exfiltration tool is a deliberate investment in operational security. By replacing off-the-shelf tools that reliably trigger alerts, Trigona's affiliate extends the window between initial access and detection. Connection rotation after 2GB and the parallel-upload design suggest the tool was built to blend into ordinary network activity rather than produce the single sustained high-volume transfer that DLP and network monitoring rules are tuned to catch.
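The rotation only defeats detections that look at one session at a time; the total sent to the destination is unchanged. The following is an added example (not the vendor's code and not part of the original article) of the aggregation a network team can run over flow records so that an upload split into sub-2GB sessions still crosses a volume threshold; it also covers the third practical action below. The flow records, hosts (RFC 5737 test addresses), thresholds and destination allowlist are constructed for illustration.

```python
"""Aggregate outbound flows per (source, destination) so that an upload split into
many TCP sessions, each rotated before ~2GB, still crosses a volume threshold.

Added example, not code from the Symantec write-up or from the Trigona tooling.
The flow records are constructed (Zeek conn.log-like fields, RFC 5737 test
addresses); thresholds and the destination allowlist are assumptions."""
from collections import defaultdict
from dataclasses import dataclass

GB = 1_000_000_000  # decimal gigabyte (the tool rotates sessions after ~2GB)

@dataclass(frozen=True)
class Flow:
    ts: float         # session start (epoch seconds)
    src: str          # internal host
    dst: str          # external endpoint
    dport: int
    duration: float   # seconds the session stayed open
    out_bytes: int    # bytes sent by src

def peak_concurrency(flows):
    """Largest number of sessions open at the same instant (sweep over start/end)."""
    events = []
    for f in flows:
        events.append((f.ts, 1))
        events.append((f.ts + f.duration, -1))
    events.sort()          # at equal timestamps (-1) sorts before (+1), so an end and
    cur = peak = 0         # a start at the same instant do not count as overlapping
    for _, delta in events:
        cur += delta
        peak = max(peak, cur)
    return peak

def detect_chunked_exfil(flows, allowlist, total_threshold=2 * GB,
                         min_sessions=3, window=3600):
    """Flag (src, dst) pairs whose sessions starting within `window` seconds add up
    to at least `total_threshold` bytes, regardless of any single session's size.
    Destinations in `allowlist` (sanctioned backup or cloud storage) are skipped."""
    groups = defaultdict(list)
    for f in flows:
        if f.dst not in allowlist:
            groups[(f.src, f.dst)].append(f)

    findings = []
    for (src, dst), fl in groups.items():
        fl.sort(key=lambda f: f.ts)
        best = None
        start = 0
        for end in range(len(fl)):          # sliding window over session start times
            while fl[end].ts - fl[start].ts > window:
                start += 1
            chunk = fl[start:end + 1]
            total = sum(f.out_bytes for f in chunk)
            if len(chunk) >= min_sessions and total >= total_threshold:
                if best is None or total > best["total_bytes"]:
                    best = {
                        "src": src, "dst": dst, "sessions": len(chunk),
                        "total_bytes": total,
                        "max_session_bytes": max(f.out_bytes for f in chunk),
                        "peak_concurrency": peak_concurrency(chunk),
                        "span_seconds": chunk[-1].ts + chunk[-1].duration - chunk[0].ts,
                    }
        if best:
            findings.append(best)
    return findings

# Constructed sample: 10.0.0.25 pushes 10 sessions of 1.9GB to 203.0.113.10:443,
# five in parallel, then five more after rotating; no single session reaches 2GB.
SAMPLE_FLOWS = (
    [Flow(0.0, "10.0.0.25", "203.0.113.10", 443, 600.0, 1_900_000_000) for _ in range(5)]
    + [Flow(700.0, "10.0.0.25", "203.0.113.10", 443, 600.0, 1_900_000_000) for _ in range(5)]
    # sanctioned backup target: one 50GB session, skipped via the allowlist
    + [Flow(50.0, "10.0.0.25", "198.51.100.5", 443, 7200.0, 50 * GB)]
    # ordinary browsing: small and alone, below both thresholds
    + [Flow(120.0, "10.0.0.30", "203.0.113.77", 443, 3.0, 10_000_000)]
)
ALLOWLIST = {"198.51.100.5"}

if __name__ == "__main__":
    for hit in detect_chunked_exfil(SAMPLE_FLOWS, ALLOWLIST):
        print(hit)
```

The per-session maximum (1.9GB) never reaches the 2GB threshold, yet the pair is flagged on its 19GB total, and the peak concurrency of five matches the tool's per-file parallelism. In production the same grouping runs over Zeek conn logs, NetFlow or firewall session logs, with the allowlist drawn from sanctioned SaaS and backup destinations.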

The resurgence itself is also worth noting. Groups that suffer significant disruption, including server seizures and source code theft, are increasingly re-emerging rather than dissolving.

3 practical actions

  1. Hunt for the documented Trigona indicators of compromise now: Symantec has published IoCs for the latest activity. Cross-reference them against endpoint telemetry, network logs, and file system activity, looking in particular for uploader_client.exe, HRSword installed as a kernel driver service, and PCHunter, Gmer, YDark, WKTools or DumpGuard on production systems. Several of these are legitimate administrative utilities, so treat a hit as a lead to triage (who ran it, from where, and what followed) rather than as a confirmed compromise.
  2. Monitor for kernel driver abuse and endpoint protection termination attempts: the attack chain disables security tools by loading vulnerable kernel drivers. Alert on unexpected kernel-mode driver service installations (Windows System log event 7045 with a kernel-mode service type, and Sysmon event 6 driver loads outside your baseline) and on processes that open handles to endpoint security processes with terminate or suspend rights or otherwise stop their services; both are reliable indicators of pre-ransomware staging. Where the hardware supports it, enable Microsoft's vulnerable driver blocklist and HVCI so that known-bad signed drivers are refused before they load.
  3. Review network monitoring rules for low-volume, sustained exfiltration patterns: rotating the TCP connection after 2GB keeps each session below per-connection volume thresholds, but the total sent to the destination is unchanged. Aggregate outbound bytes per source and destination over a window of hours and alert on unfamiliar endpoints that cross the threshold regardless of per-session size, and audit file access on network drives (Windows object access auditing, events 4663 and 5145) for unusual bulk reads of document file types by a single account or host.
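The first two actions expressed as a hunt over normalized endpoint telemetry, written here as an added example rather than anything Symantec or the affected organizations published. The event records are constructed in a simplified Sysmon and System log shape, and the protected process and service names are assumptions to replace with those of the EDR actually deployed.

```python
"""Hunt normalized Windows System-log and Sysmon records for the staging activity
described above: kernel-mode driver services being installed, the named killer
and exfiltration tools executing, handles opened to security processes with
terminate/suspend rights, and security services dying.

Added example, not from the Symantec report. The event records are constructed
and simplified dicts; hostnames, paths and the protected process/service lists
are assumptions to adapt to the EDR actually deployed."""
import ntpath

# Tool names from the article, matched case-insensitively against the image basename.
TOOL_NAMES = ("uploader_client", "hrsword", "pchunter", "gmer", "ydark", "wktools",
              "dumpguard", "stpprocessmonitorbyovd", "powerrun", "mimikatz")

# Assumed examples of endpoint-protection processes and services to protect.
PROTECTED_IMAGES = {"ccsvchst.exe", "msmpeng.exe", "mssense.exe"}
PROTECTED_SERVICES = {"sepmasterservice", "windefend", "sense"}

# Windows process access rights (as seen in Sysmon event 10 GrantedAccess).
PROCESS_TERMINATE = 0x0001
PROCESS_SUSPEND_RESUME = 0x0800

def _basename(path):
    return ntpath.basename(path or "").lower()

def hunt_events(events, tool_names=TOOL_NAMES, protected_images=PROTECTED_IMAGES,
                protected_services=PROTECTED_SERVICES):
    """Return (rule, host, evidence) tuples for every record that matches a rule."""
    findings = []
    for ev in events:
        eid, chan, host = ev.get("event_id"), ev.get("channel", ""), ev.get("host")
        if chan == "System" and eid == 7045:
            # "A service was installed in the system": a kernel-mode type is the
            # BYOVD staging signal; user-mode services are everyday noise.
            if "kernel" in ev.get("ServiceType", "").lower():
                findings.append(("kernel_driver_service_installed", host,
                                 f"{ev.get('ServiceName')} -> {ev.get('ServiceFileName')}"))
        elif "Sysmon" in chan and eid == 1:
            # ProcessCreate: match the known tool names on the executable basename.
            name = _basename(ev.get("Image"))
            if any(t in name for t in tool_names):
                findings.append(("ioc_tool_execution", host, ev.get("Image")))
        elif "Sysmon" in chan and eid == 10:
            # ProcessAccess: GrantedAccess is a hex string such as "0x1401".
            target = _basename(ev.get("TargetImage"))
            granted = int(ev.get("GrantedAccess", "0x0"), 16)
            if target in protected_images and granted & (PROCESS_TERMINATE | PROCESS_SUSPEND_RESUME):
                findings.append(("security_process_access", host,
                                 f"{_basename(ev.get('SourceImage'))} -> {target} ({hex(granted)})"))
        elif chan == "System" and eid == 7034:
            # "The X service terminated unexpectedly": security services should not.
            if ev.get("ServiceName", "").lower() in protected_services:
                findings.append(("security_service_terminated", host, ev.get("ServiceName")))
    return findings

SYSMON = "Microsoft-Windows-Sysmon/Operational"

# Constructed records for a hypothetical file server FS01 (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "FS01", "channel": "System", "event_id": 7045, "ServiceName": "HRSword",
     "ServiceFileName": r"C:\ProgramData\hr\hrsword.sys", "ServiceType": "kernel mode driver"},
    {"host": "FS01", "channel": "System", "event_id": 7045, "ServiceName": "ExampleAgent",
     "ServiceFileName": r"C:\Program Files\Example\agent.exe", "ServiceType": "user mode service"},
    {"host": "FS01", "channel": SYSMON, "event_id": 1, "Image": r"C:\Windows\System32\svchost.exe"},
    {"host": "FS01", "channel": SYSMON, "event_id": 1, "Image": r"C:\Temp\PCHunter64.exe"},
    {"host": "FS01", "channel": SYSMON, "event_id": 1, "Image": r"C:\Users\Public\uploader_client.exe"},
    {"host": "FS01", "channel": SYSMON, "event_id": 10, "SourceImage": r"C:\Temp\PCHunter64.exe",
     "TargetImage": r"C:\Program Files\Symantec\ccSvcHst.exe", "GrantedAccess": "0x1401"},
    {"host": "FS01", "channel": SYSMON, "event_id": 10, "SourceImage": r"C:\Windows\System32\taskmgr.exe",
     "TargetImage": r"C:\ProgramData\Microsoft\Windows Defender\MsMpEng.exe", "GrantedAccess": "0x1400"},
    {"host": "FS01", "channel": "System", "event_id": 7034, "ServiceName": "SepMasterService"},
]

if __name__ == "__main__":
    for rule, host, evidence in hunt_events(SAMPLE_EVENTS):
        print(f"{host} {rule}: {evidence}")
```

The user-mode service install and the query-only handle to MsMpEng.exe are deliberately left unflagged: the rules key on the kernel-mode service type and on the terminate/suspend bits, not on every 7045 or every ProcessAccess event, which keeps the hunt usable on a busy fleet. Sysmon event 10 needs a configuration that records access to your security processes, or the rule has nothing to read.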
