Ransomware Hackers Build Custom Tool to Steal Sensitive Data Faster
Ransomware affiliates linked to Trigona have started using a custom command-line tool to steal data from compromised networks before encryption. The tool, named uploader_client.exe, gives the attackers more control over what they steal, how fast they move it, and how quietly they can operate during the pre-ransomware stage.
Symantec’s Threat Hunter Team observed the tool in March 2026 attacks and said the shift likely reflects an effort to avoid common exfiltration utilities such as Rclone and MegaSync. Those tools still work, but security products now flag them more often because ransomware groups have abused them for years.
The change matters because data theft has become one of the most important parts of a ransomware attack. Even if a company restores encrypted systems from backups, attackers can still threaten to leak invoices, contracts, customer records, source code, or internal documents.
Trigona affiliates move beyond common tools
Trigona first appeared in 2022 as a ransomware operation that used double-extortion tactics. The group encrypted files, added the “._locked” extension, and demanded ransom payments in Monero, according to public reporting.
The operation suffered a major disruption in October 2023, when Ukrainian cyber activists reportedly breached Trigona’s infrastructure and exposed internal data. Recent activity suggests affiliates or related operators have continued attacks with updated tooling.
SC Media reported that Trigona affiliates began using the new custom uploader in March 2026. The tool replaced the group’s earlier reliance on public utilities for the data theft phase, which signals a more careful and technically mature approach.
How the custom exfiltration tool works
| Feature | What it does | Why it matters |
|---|---|---|
| Five parallel connections | Uploads each file through multiple streams | Speeds up data theft |
| TCP rotation after 2,048 MB | Changes connections after large data transfers | May reduce network detection |
| Hardcoded server address | Sends stolen data to attacker infrastructure | Removes the need for manual setup |
| Shared authentication key | Limits access to stolen data on the server | Keeps stolen files under attacker control |
| `--exclude-ext` flag | Skips selected file types such as audio or video | Focuses on high-value documents |
The tool connects to a hardcoded attacker-controlled server and moves data through multiple parallel transfers. BleepingComputer reported that it supports five simultaneous connections per file, which helps attackers move large amounts of data quickly.
It also rotates TCP connections after every 2,048 MB of traffic by default. That behavior can make network monitoring harder because the same connection does not carry the entire transfer from start to finish.
The tool also supports selective theft. In one incident, attackers used it to target folders containing invoices and PDF documents on network drives, which suggests they were looking for business records that could create pressure during ransom negotiations.
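The two transfer traits described above, five parallel streams per file and a fresh TCP connection every 2,048 MB, both leave a footprint in ordinary flow logs. The following script is an added example written for this article, not code from Symantec or from the tool itself: it runs two heuristics over constructed flow records (the `Flow` fields are an assumed schema, not any vendor's format) and flags a peer that receives many simultaneous connections from one host, and a peer whose connections cluster at the same large byte count, which is what rotation at a fixed threshold looks like from the outside.

```python
"""Flow-log heuristics for parallel uploads and fixed-size connection rotation.

Added example: flow records are constructed, thresholds come from the public
reporting (five streams per file, rotation every 2,048 MB), and the field
names are assumptions rather than any product's schema.
"""
from collections import defaultdict
from dataclasses import dataclass

MB = 1024 * 1024
ROTATION_BYTES = 2048 * MB   # per-connection volume at which the tool reportedly rotates
ROTATION_TOLERANCE = 0.05    # accept +/-5% around that volume (headers, a short final chunk)
PARALLEL_THRESHOLD = 5       # concurrent streams to one peer that warrant an alert
MIN_ROTATED_FLOWS = 3        # near-threshold flows to one peer that look like rotation


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    start: float     # seconds since an arbitrary epoch (constructed)
    end: float
    bytes_out: int   # bytes sent by src


def peer_key(f):
    return (f.src, f.dst, f.dport)


def concurrent_peak(flows):
    """Largest number of the given flows open at the same instant."""
    events = [(f.start, 1) for f in flows] + [(f.end, -1) for f in flows]
    events.sort()   # at equal timestamps -1 sorts before +1, so touching flows do not overlap
    open_now = peak = 0
    for _, delta in events:
        open_now += delta
        peak = max(peak, open_now)
    return peak


def detect_parallel_upload(flows, threshold=PARALLEL_THRESHOLD):
    """Peers that received at least `threshold` simultaneous connections from one source."""
    by_peer = defaultdict(list)
    for f in flows:
        by_peer[peer_key(f)].append(f)
    alerts = []
    for peer, fl in by_peer.items():
        peak = concurrent_peak(fl)
        if peak >= threshold:
            alerts.append((peer, peak))
    return alerts


def detect_rotation(flows, threshold=ROTATION_BYTES, tol=ROTATION_TOLERANCE,
                    min_flows=MIN_ROTATED_FLOWS):
    """Peers that received several connections each carrying roughly `threshold` bytes.

    A transfer cut and re-opened at a fixed byte count leaves a cluster of flows
    with near-identical sizes; one long session or a normal backup does not.
    """
    lo, hi = threshold * (1 - tol), threshold * (1 + tol)
    counts = defaultdict(int)
    for f in flows:
        if lo <= f.bytes_out <= hi:
            counts[peer_key(f)] += 1
    return [(peer, n) for peer, n in counts.items() if n >= min_flows]


# Constructed sample: FS01 (10.20.0.15) is a file server, 203.0.113.77 a documentation-range
# external address standing in for attacker infrastructure.
SAMPLE_FLOWS = [
    # five overlapping streams to the external host, each cut near 2,048 MB
    Flow("10.20.0.15", "203.0.113.77", 443, 0, 600, 2048 * MB),
    Flow("10.20.0.15", "203.0.113.77", 443, 1, 610, 2047 * MB),
    Flow("10.20.0.15", "203.0.113.77", 443, 1, 605, 2048 * MB + 512),
    Flow("10.20.0.15", "203.0.113.77", 443, 2, 615, 2046 * MB),
    Flow("10.20.0.15", "203.0.113.77", 443, 2, 620, 2048 * MB),
    # the rotated successors: one more full chunk and the tail of the transfer
    Flow("10.20.0.15", "203.0.113.77", 443, 600, 1200, 2048 * MB),
    Flow("10.20.0.15", "203.0.113.77", 443, 610, 1210, 900 * MB),
    # benign: a workstation pulling updates over a single connection
    Flow("10.20.1.40", "198.51.100.9", 443, 100, 160, 35 * MB),
    # benign: two concurrent backup streams to an internal host, sizes not clustered
    Flow("10.20.0.15", "10.20.0.99", 445, 0, 3600, 5000 * MB),
    Flow("10.20.0.15", "10.20.0.99", 445, 0, 3600, 5200 * MB),
]

if __name__ == "__main__":
    print("parallel:", detect_parallel_upload(SAMPLE_FLOWS))
    print("rotation:", detect_rotation(SAMPLE_FLOWS))
```

On the sample data only the external peer trips both heuristics (peak of five concurrent streams, six flows sized near the rotation threshold); the internal backup runs two large streams but neither clusters at the threshold, and the workstation's update fetch matches nothing. In practice the tolerance and minimum counts need tuning against a baseline of the file servers' normal outbound volume.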
Attackers disabled defenses before stealing data
Before using the custom uploader, the attackers tried to weaken endpoint protection. Symantec observed the installation of HRSword, a component of the Huorong Network Security Suite, as a kernel driver service on breached systems.
The attackers also deployed tools such as PCHunter, Gmer, YDark, WKTools, DumpGuard, and StpProcessMonitorByovd. Several of these tools can support bring-your-own-vulnerable-driver (BYOVD) activity, where attackers abuse signed but vulnerable drivers to interfere with security software at a deeper system level.
PowerRun was used to run some tools with elevated privileges. The attackers also used AnyDesk for remote access, while Mimikatz and Nirsoft password recovery utilities helped them collect credentials from compromised machines.
Attack chain observed in recent Trigona activity
| Attack stage | Tools or behavior observed |
|---|---|
| Remote access | AnyDesk |
| Defense evasion | HRSword, PCHunter, Gmer, YDark, WKTools, DumpGuard, StpProcessMonitorByovd |
| Privilege elevation | PowerRun |
| Credential theft | Mimikatz and Nirsoft utilities |
| Data theft | uploader_client.exe |
| Targeted data | Invoices, PDFs, and sensitive documents on network drives |
This attack chain shows that the custom uploader was not an isolated tool. It was part of a larger intrusion workflow that included remote access, credential theft, endpoint tampering, and targeted document collection.
That sequence also explains why the data theft phase can be difficult to catch. By the time attackers start uploading files, they may already have disabled security tools, stolen credentials, and gained broad access across network shares.
For defenders, the warning is clear: unusual outbound traffic may not be the first sign of compromise. AnyDesk activity, kernel driver abuse, failed endpoint protection processes, and suspicious credential tools may appear earlier in the attack.
Why custom ransomware tools are harder to detect
Many ransomware groups use public tools because they are easy to obtain and reliable. Rclone, MegaSync, and similar utilities can move large amounts of data to cloud storage without requiring attackers to write their own malware.
The drawback for attackers is visibility. Security teams know these tools, and many endpoint products already monitor for suspicious use of them during ransomware incidents.
A custom uploader can reduce that visibility, at least until vendors identify it and publish detections. Symantec said this kind of investment may help attackers maintain a lower profile during a critical phase of their attacks.
What organizations should monitor
Security teams should watch for unauthorized use of AnyDesk and other remote access tools, especially when they appear on servers or endpoints that do not normally use them.
They should also monitor for kernel-level tools that can interfere with endpoint protection. Activity involving HRSword, PCHunter, Gmer, YDark, WKTools, DumpGuard, or StpProcessMonitorByovd should trigger immediate review.
Network teams should review large outbound transfers, repeated connection rotation, and traffic patterns that show multiple parallel connections from file servers or systems with access to sensitive documents.
Practical defense checklist
- Restrict AnyDesk and other remote access tools to approved devices only.
- Alert on new or unexpected remote desktop sessions.
- Monitor for HRSword, PCHunter, Gmer, YDark, WKTools, DumpGuard, and StpProcessMonitorByovd.
- Block or investigate suspicious kernel driver activity.
- Watch for Mimikatz and Nirsoft password recovery utilities.
- Review unusual outbound traffic from file servers and network shares.
- Alert on multiple parallel uploads from sensitive folders.
- Limit user access to invoices, contracts, PDFs, and finance folders.
- Segment network shares that contain high-value business documents.
- Keep endpoint protection and EDR agents updated.
- Test whether security tools can detect BYOVD behavior.
- Maintain offline backups and rehearse recovery procedures.
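The monitoring points above and in the checklist share one idea: none of the named tools is alarming on its own, but a host that shows a remote access tool, then a kernel driver service install, then a credential tool, then an unknown uploader is telling a story. The following script is an added example written for this article, not Symantec's or any vendor's detection content: it correlates constructed, Sysmon-like endpoint events (process creation and service installation; the field names are assumptions) per host, records the first time each attack stage from the table above is seen, raises an alert when a host crosses several stages, and separately lists every new kernel-mode driver service so that installs with unfamiliar names still reach a reviewer.

```python
"""Endpoint-event correlation for the staged intrusion pattern described above.

Added example: events are constructed in a simplified, Sysmon-like shape
(process creation and service installation records), field names are
assumptions, and the tool names are those given in the public reporting.
"""
import re
from collections import defaultdict

# Stage -> name fragments matched at a word boundary in the image path, command line,
# service name or signer/company field. The "nirsoft" entry relies on the company
# field because NirSoft utilities do not share one executable name.
STAGE_PATTERNS = {
    "remote_access": ("anydesk",),
    "defense_evasion": ("hrsword", "pchunter", "gmer", "ydark", "wktools",
                        "dumpguard", "stpprocessmonitorbyovd"),
    "privilege_elevation": ("powerrun",),
    "credential_theft": ("mimikatz", "nirsoft"),
    "data_theft": ("uploader_client",),
}
SEARCH_FIELDS = ("image", "cmdline", "service", "company")


def classify_event(ev):
    """Set of attack stages an event matches; empty for events of no interest."""
    haystack = " ".join(str(ev.get(k, "")) for k in SEARCH_FIELDS).lower()
    return {stage for stage, needles in STAGE_PATTERNS.items()
            if any(re.search(r"\b" + re.escape(n), haystack) for n in needles)}


def is_kernel_driver_install(ev):
    """True for a service-installation record whose service type is a driver."""
    return (ev.get("event") == "service_installed"
            and "driver" in str(ev.get("service_type", "")).lower())


def correlate(events, min_stages=2):
    """Per host, the stages seen in first-observed order; alert at >= min_stages.

    Returns (alerts, driver_installs). driver_installs lists every new kernel-mode
    driver service per host, matched by name or not, for human review.
    """
    first_seen = defaultdict(dict)        # host -> {stage: first timestamp}
    driver_installs = defaultdict(list)   # host -> [service names]
    for ev in sorted(events, key=lambda e: e["ts"]):
        host = ev["host"]
        for stage in sorted(classify_event(ev)):
            first_seen[host].setdefault(stage, ev["ts"])
        if is_kernel_driver_install(ev):
            driver_installs[host].append(ev["service"])
    alerts = {}
    for host, stages in first_seen.items():
        if len(stages) >= min_stages:
            alerts[host] = sorted(stages, key=stages.get)
    return alerts, dict(driver_installs)


# Constructed sample: FS01 is a file server, WS07 an ordinary workstation.
# "ExampleVendorDrv" is a placeholder for a legitimate third-party driver.
SAMPLE_EVENTS = [
    {"ts": "2026-03-10T01:02:11", "host": "FS01", "event": "process_created",
     "image": r"C:\Users\svc_admin\Downloads\AnyDesk.exe",
     "company": "AnyDesk Software GmbH", "cmdline": "AnyDesk.exe"},
    {"ts": "2026-03-10T01:15:40", "host": "FS01", "event": "service_installed",
     "service": "HRSword", "image": r"C:\ProgramData\hr\HRSword.sys",
     "service_type": "kernel mode driver"},
    {"ts": "2026-03-10T01:20:05", "host": "FS01", "event": "process_created",
     "image": r"C:\Temp\PowerRun.exe", "cmdline": "PowerRun.exe PCHunter64.exe"},
    {"ts": "2026-03-10T01:33:19", "host": "FS01", "event": "process_created",
     "image": r"C:\Temp\mimikatz.exe", "cmdline": "mimikatz.exe"},
    {"ts": "2026-03-10T02:05:57", "host": "FS01", "event": "process_created",
     "image": r"C:\Temp\uploader_client.exe",
     "cmdline": "uploader_client.exe --exclude-ext mp4"},
    {"ts": "2026-03-10T09:00:00", "host": "WS07", "event": "process_created",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "company": "Google LLC", "cmdline": "chrome.exe"},
    {"ts": "2026-03-10T09:12:30", "host": "WS07", "event": "service_installed",
     "service": "ExampleVendorDrv",
     "image": r"C:\Windows\System32\drivers\ExampleVendorDrv.sys",
     "service_type": "kernel mode driver"},
]

if __name__ == "__main__":
    alerts, drivers = correlate(SAMPLE_EVENTS)
    print("alerts:", alerts)
    print("new kernel driver services:", drivers)
```

On the sample, FS01 walks through all five stages in the order the article's attack-chain table lists them and raises an alert, while WS07 raises none; both hosts appear in the driver-install list, which is the point of keeping that output separate from the name-based alert. Word-boundary matching keeps a fragment like "gmer" from firing on "programmer", but name matching is still the weakest link here, since a renamed binary defeats it; the kernel driver service install and the ordering of stages are the more durable signals.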
Why this matters for ransomware defense
The Trigona activity shows that some ransomware affiliates are willing to invest in their own tooling instead of relying only on public software. That makes detection harder and gives attackers more flexibility during data theft.
It also shows why ransomware defense cannot focus only on encryption. By the time ransomware appears on the screen, attackers may have already copied the files they need for extortion.
Organizations should treat pre-ransomware activity as the main battleground. Remote access abuse, credential theft, driver-level evasion, and outbound data movement all need strong monitoring before encryption begins.
FAQ
What is uploader_client.exe?
uploader_client.exe is a custom command-line data exfiltration tool used in recent Trigona ransomware attacks. It helps attackers steal selected files from compromised environments faster and with more control.
They likely wanted to avoid common tools such as Rclone and MegaSync, which security products now recognize more easily. Custom tooling can help attackers reduce detection during data theft.
In one observed case, attackers used the tool to steal invoices and PDF documents from network drives. These files can support double-extortion pressure because they often contain sensitive business information.
Researchers observed AnyDesk, Mimikatz, Nirsoft utilities, PowerRun, HRSword, PCHunter, Gmer, YDark, WKTools, DumpGuard, and StpProcessMonitorByovd in the attack chain.