{"id":235816,"date":"2026-04-26T05:37:00","date_gmt":"2026-04-26T09:37:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/04\/26\/trigona-ransomware-adopts-custom-tool-to-steal-data-and-evade-detection\/"},"modified":"2026-04-26T08:00:13","modified_gmt":"2026-04-26T12:00:13","slug":"trigona-ransomware-adopts-custom-tool-to-steal-data-and-evade-detection","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/04\/26\/trigona-ransomware-adopts-custom-tool-to-steal-data-and-evade-detection\/","title":{"rendered":"Trigona ransomware adopts custom tool to steal data and evade detection"},"content":{"rendered":"<p><a href=\"https:\/\/securityaffairs.com\/191294\/cyber-crime\/trigona-ransomware-adopts-custom-tool-to-steal-data-and-evade-detection.html?amp\">Trigona ransomware adopts custom tool to steal data and evade detection<\/a><\/p>\n<p><a href=\"https:\/\/securityaffairs.com\/191294\/cyber-crime\/trigona-ransomware-adopts-custom-tool-to-steal-data-and-evade-detection.html?amp\">https:\/\/securityaffairs.com\/191294\/cyber-crime\/trigona-ransomware-adopts-custom-tool-to-steal-data-and-evade-detection.html?amp<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-04-26 05:37:00<\/a><\/p>\n<p>Source Domain: <a href=\"securityaffairs.com\">securityaffairs.com<\/a><\/p>\n<p><h2>Trigona ransomware adopts custom tool to steal data and evade detection<\/h2>\n<\/p>\n<p>\t\t\t\t\t\t\t<span> Pierluigi Paganini<\/span><br \/>\n\t\t\t\t\t\t\t<span><img decoding=\"async\" src=\"https:\/\/securityaffairs.com\/wp-content\/themes\/security_affairs\/images\/clock-icon.svg\" alt=\"\"\/> April 26, 2026<\/span><\/p>\n<p>\t\t\t\t\t\t<img decoding=\"async\" class=\"img-fluid mb-4\" src=\"https:\/\/i0.wp.com\/securityaffairs.com\/wp-content\/uploads\/2015\/02\/Russian-hackers.png?fit=585%2C244&#038;ssl=1\" alt=\"\"\/><\/p>\n<h2 class=\"wp-block-heading\">Trigona ransomware now uses a custom command-line tool to steal data faster and evade detection, replacing tools like Rclone and MegaSync.<\/h2>\n<p>Symantec researchers report that recent Trigona ransomware attacks used a custom-built data exfiltration tool instead of common utilities like Rclone or MegaSync. This shift, seen in March 2026 incidents, gives attackers more control and helps them evade detection, as standard tools are often flagged by security systems. Researchers believe this move shows a growing investment in proprietary malware to stay stealthy. <\/p>\n<p>\u201cThe attacks, which occurred in March 2026, mark a significant shift in tactics for Trigona affiliates. The motivation for moving away from publicly available tools remains unknown.\u201d reads the <strong>report<\/strong> published by Symantec. \u201cMany publicly available tools are now so well known that they may be flagged by security solutions.\u201d<\/p>\n<p>Trigona, active since late 2022, operates as a Ransomware-as-a-Service linked to the Rhantus cybercrime group.<\/p>\n<p>Trigona attackers use a custom tool, uploader_client.exe, to steal data efficiently. It connects to an attacker-controlled server and appears privately developed. The tool speeds up exfiltration with multiple parallel connections and rotates connections to avoid detection.<\/p>\n<p>\u201cThe tool defaults to five parallel connections per file, allowing for rapid data transfer that can saturate available bandwidth.\u201d continues the report. \u201cIt can rotate the TCP connection after a specific volume of data (defaulting to 2,048 MB) has been sent. This technique is likely intended to evade network traffic monitoring that triggers on long-lived, high-volume connections to a single IP address.\u201d<\/p>\n<p> It can filter out large, low-value files and focus on sensitive data like documents. It also uses an&#8230;<\/p>\n<p><a href=\"https:\/\/securityaffairs.com\/191294\/cyber-crime\/trigona-ransomware-adopts-custom-tool-to-steal-data-and-evade-detection.html?amp\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Trigona ransomware adopts custom tool to steal data and evade detection https:\/\/securityaffairs.com\/191294\/cyber-crime\/trigona-ransomware-adopts-custom-tool-to-steal-data-and-evade-detection.html?amp Publish Date: 2026-04-26&#8230;<\/p>\n","protected":false},"author":1,"featured_media":235817,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/securityaffairs.com\/wp-content\/uploads\/2015\/02\/Russian-hackers.png","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[32],"class_list":["post-235816","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-malware"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/235816"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=235816"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/235816\/revisions"}],"predecessor-version":[{"id":235818,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/235816\/revisions\/235818"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/235817"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=235816"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=235816"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=235816"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}