By Lyrie Threat Intelligence·5/1/2026

Trigona Ransomware Escalates to Custom Exfiltration Malware: The Shift from Public Tools to Proprietary Weapons

TL;DR

The Trigona ransomware gang is deploying a custom-built exfiltration tool, uploader_client.exe, in recent attacks in place of publicly available utilities such as Rclone and MegaSync. The tool supports parallel uploads, periodic connection rotation to blunt traffic-based detection, and selective file filtering, which indicates the group is investing in proprietary tooling to lower its operational profile and avoid the EDR detections that commodity tools trigger.

What Happened

Symantec researchers have documented a significant tactical shift in Trigona ransomware operations. Attacks observed in March 2026 show the gang moving away from commodity data-theft utilities (Rclone, MegaSync) toward a custom command-line exfiltration tool named uploader_client.exe. The tool connects to hardcoded C2 servers and is built to speed up data theft while evading detection.

According to Symantec's threat intelligence report (published May 1, 2026), Trigona affiliates deployed the tool most likely to reduce their forensic footprint: a sign that the group is maturing operationally and has learned from the detections that public tooling draws.

Technical Details

The uploader_client.exe utility combines several efficiency and evasion features:

Data Exfiltration Capabilities

  • Five concurrent connections per file — parallel uploads for faster theft of large files
  • TCP connection rotation every 2 GB — the connection is torn down and re-established so that no single long-lived flow carries the full transfer volume, blunting monitoring that keys on per-connection byte counts
  • Selective file-type filtering — operators exclude low-value media files and focus on high-value documents (invoices, PDFs, spreadsheets)
  • Authentication key enforcement — the client must present a key to upload, so only the operators' own infrastructure accepts the data and the stolen files are not exposed to third parties or to secondary theft

Attack Chain Context

The Trigona kill chain includes:

1. Privilege escalation via vulnerable kernel drivers — Huorong Network Security Suite's HRSword is installed as a kernel service so that its signed driver can be abused (the bring-your-own-vulnerable-driver pattern)

2. EDR/security product disabling — PowerRun-elevated execution of PCHunter, Gmer, YDark and WKTools to terminate endpoint protection processes

3. Lateral movement and credential theft — AnyDesk for remote access; Mimikatz and NirSoft utilities for credential recovery

4. Custom exfiltration — uploader_client.exe for high-speed, low-profile data theft
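Steps 1 and 2 of this chain both leave a loud artifact: a new kernel-driver service registered from a path where Windows never installs drivers. The script below is an added example (not Trigona's, Symantec's or Lyrie's code) that triages Windows System-log Event ID 7045 ("a service was installed in the system") records for exactly that. The field names ServiceName, ImagePath, ServiceType and StartType are the standard 7045 fields; the JSON-lines export layout, the directory heuristics and the sample events are constructed here for illustration.

```python
"""Triage Windows Event ID 7045 (Service Control Manager: new service installed)
records for kernel-mode drivers, or any service, registered from an unusual path.
Added example; the JSON-lines layout and sample events are constructed."""
import json
import re
from typing import Optional

KERNEL_TYPES = {"kernel mode driver", "file system driver"}

# Where Windows normally keeps kernel drivers (lowercased, prefix match).
TRUSTED_DRIVER_DIRS = (
    "c:\\windows\\system32\\drivers\\",
    "c:\\windows\\system32\\driverstore\\",
)
# User-writable locations a signed-but-vulnerable driver is typically dropped into.
USER_WRITABLE_MARKERS = ("\\users\\", "\\temp\\", "\\programdata\\", "\\appdata\\", "\\downloads\\")


def normalize_image_path(image_path: str) -> str:
    """Map the spellings SCM accepts for an image path (\\??\\, \\SystemRoot\\,
    %SystemRoot%, bare System32\\...) onto one lowercased absolute form."""
    p = image_path.strip().strip('"').lower()
    if p.startswith("\\??\\"):
        p = p[4:]
    p = p.replace("%systemroot%", "c:\\windows")
    if p.startswith("\\systemroot\\"):
        p = "c:\\windows\\" + p[len("\\systemroot\\"):]
    if p.startswith("system32\\"):
        p = "c:\\windows\\" + p
    # User-mode ImagePath may carry arguments; keep the executable only.
    m = re.match(r"^(.*?\.(?:sys|exe))", p)
    return m.group(1) if m else p


def triage_service_install(event: dict) -> Optional[dict]:
    """Return a finding for one 7045 record, or None if it looks benign."""
    if event.get("EventID") != 7045:
        return None
    svc_type = event.get("ServiceType", "").lower()
    path = normalize_image_path(event.get("ImagePath", ""))
    reasons = []
    if svc_type in KERNEL_TYPES and not path.startswith(TRUSTED_DRIVER_DIRS):
        reasons.append("kernel driver registered outside System32\\drivers")
    if any(marker in path for marker in USER_WRITABLE_MARKERS):
        reasons.append("image lives in a user-writable directory")
    if not reasons:
        return None
    return {
        "host": event.get("Computer"),
        "service": event.get("ServiceName"),
        "image": path,
        "severity": "high" if svc_type in KERNEL_TYPES else "medium",
        "reasons": reasons,
    }


def triage_log(lines) -> list:
    """Run the triage over JSON-lines 7045 records; returns findings in log order."""
    findings = []
    for line in lines:
        if line.strip():
            finding = triage_service_install(json.loads(line))
            if finding:
                findings.append(finding)
    return findings


# Constructed sample export: one legitimate driver, one driver dropped into ProgramData,
# one user-mode service launched from a Temp directory, one unrelated event.
SAMPLE_EVENTS = r"""
{"EventID": 7045, "Computer": "FS01", "ServiceName": "vpnflt", "ImagePath": "\\SystemRoot\\System32\\drivers\\vpnflt.sys", "ServiceType": "kernel mode driver", "StartType": "demand start"}
{"EventID": 7045, "Computer": "FS01", "ServiceName": "SecDrv01", "ImagePath": "\\??\\C:\\ProgramData\\hrs\\drv.sys", "ServiceType": "kernel mode driver", "StartType": "auto start"}
{"EventID": 7045, "Computer": "WS-112", "ServiceName": "RemoteSvc", "ImagePath": "\"C:\\Users\\jdoe\\AppData\\Local\\Temp\\rsvc.exe\" --service", "ServiceType": "user mode service", "StartType": "auto start"}
{"EventID": 7036, "Computer": "WS-112", "ServiceName": "Spooler"}
{"EventID": 7045, "Computer": "WS-113", "ServiceName": "VendorAgent", "ImagePath": "C:\\Program Files\\Vendor\\agent.exe", "ServiceType": "user mode service", "StartType": "auto start"}
"""

if __name__ == "__main__":
    for f in triage_log(SAMPLE_EVENTS.splitlines()):
        print(json.dumps(f))
```

Run it against a real export by piping `wevtutil qe System /q:"*[System[EventID=7045]]"` (or your SIEM's JSON) into `triage_log`; anything a driver-blocklist policy would have stopped at load time still shows up here as a high-severity finding, which is useful where HVCI is not yet enforced.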

Lyrie Assessment

This development signals three critical shifts in the ransomware threat landscape:

1. Operational Maturity Through Evasion

Trigona's move to custom tooling shows the gang is learning from detection failures. Public tools like Rclone trigger YARA rules and behavioral detections across enterprise stacks. By investing engineering effort in proprietary malware, Trigona raises its own sophistication, and its own cost of operating, while reducing the likelihood of early detection.

2. The Professionalization of Double-Extortion Attacks

The parallel-upload architecture (5 concurrent streams with 2 GB rotation) is optimized for speed and stealth. In ransomware-as-a-service (RaaS) operations, faster exfiltration means ransom demands arrive sooner and defenders get a shorter window to catch the theft in progress. This is the mark of a professionalized operation, not an opportunistic one.

3. Ecosystem Resilience Signal

Trigona resumed operations after being disrupted by Ukrainian hacktivists (the Ukrainian Cyber Alliance) in October 2023, who wiped its servers. The fact that the group is back, and investing in R&D, shows that ransomware operations survive disruption through operational redundancy and affiliate networks. Incident response teams should assume Trigona and its variants will persist as a long-term threat.

Recommended Actions

For Lyrie.ai customers and CISOs, prioritize:

1. Network detection rules — alert when a single host opens many (five or more) concurrent outbound connections to the same external address while moving large volumes of data, and tie the alert to the originating process where your EDR exposes it. Add uploader_client.exe to IOC watchlists, but treat the filename as a weak indicator: it is trivially renamed, so pair it with the file hashes from the Symantec report and with the behavioral pattern.

2. EDR hardening — deploy Microsoft's vulnerable driver blocklist across the fleet (it is enforced by Hypervisor-Protected Code Integrity and can be pushed through Windows Defender Application Control policy), and add the drivers abused by Trigona (the HRSword driver and the other disabling tools above) to a custom WDAC deny rule if they are not already listed. Audit new kernel-driver service installs (Event ID 7045) that point at user-writable paths.

3. TCP monitoring — on flow data, look for repeated outbound connections from one host to one destination that each carry roughly 2 GB before closing. The rotation is a useful corroborating signal, but it is not unique to Trigona: chunked uploads by backup and cloud-sync clients behave similarly, so combine it with destination reputation and the concurrency check in item 1 before paging anyone.

4. Privilege-escalation monitoring — PowerRun (which launches programs as SYSTEM or TrustedInstaller) and similar elevation helpers are increasingly used in ransomware intrusions. Monitor for their execution and for unexpected elevation of the process-killing tools listed in the attack chain.

5. Credential hygiene enforcement — Trigona deploys Mimikatz post-compromise. Enforce MFA and privileged-access management, and protect credentials in memory: run LSASS as a protected process (RunAsPPL) and enable Credential Guard where the hardware supports it.

6. Breach assumption testing — if you run Windows-based file servers or document repositories, assume Trigona (or a similar group) will target them. Run tabletop exercises on what "selective PDF/invoice exfiltration" would mean for your intellectual property and financial data.
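The detection logic behind items 1 and 3, as an added example rather than code from the report or from Lyrie: it runs over per-connection flow records (the kind a NetFlow/IPFIX collector or Zeek's conn log exports), groups them by source, destination and port, and raises a finding only when a large transfer also shows the two traits the tool description gives, several overlapping streams to one destination and multiple connections that each close at about the same 2 GB mark. The CSV layout, the thresholds and the sample records are constructed and should be tuned to your own environment.

```python
"""Flag hosts whose outbound flows look like a parallel, rotating bulk upload.
Added example; the flow-record layout, thresholds and sample data are constructed."""
from collections import defaultdict
from dataclasses import dataclass

GIB = 1024 ** 3


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    start: float    # epoch seconds
    end: float
    bytes_out: int  # bytes sent by src


# Assumed thresholds; tune to your environment.
MIN_CONCURRENT = 5          # parallel streams to one destination
ROTATION_BYTES = 2 * GIB    # per-connection size the report describes
ROTATION_TOLERANCE = 0.05   # +/-5% still counts as "a 2 GB chunk"
MIN_ROTATED_FLOWS = 3       # same-sized chunks needed before it is a pattern
MIN_TOTAL_BYTES = 5 * GIB   # ignore small transfers entirely


def max_concurrency(flows) -> int:
    """Sweep-line count of how many flows overlap at any single instant."""
    events = []
    for f in flows:
        events.append((f.start, 1))
        events.append((f.end, -1))
    events.sort(key=lambda e: (e[0], e[1]))  # at equal times, ends before starts
    cur = best = 0
    for _, delta in events:
        cur += delta
        best = max(best, cur)
    return best


def rotated_flow_count(flows) -> int:
    """How many flows carried roughly ROTATION_BYTES before closing."""
    lo = ROTATION_BYTES * (1 - ROTATION_TOLERANCE)
    hi = ROTATION_BYTES * (1 + ROTATION_TOLERANCE)
    return sum(1 for f in flows if lo <= f.bytes_out <= hi)


def detect_bulk_upload(flows) -> list:
    """Return one finding per (src, dst, dport) that matches the upload pattern."""
    by_pair = defaultdict(list)
    for f in flows:
        by_pair[(f.src, f.dst, f.dport)].append(f)
    findings = []
    for (src, dst, dport), group in by_pair.items():
        total = sum(f.bytes_out for f in group)
        if total < MIN_TOTAL_BYTES:
            continue
        reasons = []
        conc = max_concurrency(group)
        if conc >= MIN_CONCURRENT:
            reasons.append(f"{conc} concurrent streams to one destination")
        rotated = rotated_flow_count(group)
        if rotated >= MIN_ROTATED_FLOWS:
            reasons.append(f"{rotated} flows of ~{ROTATION_BYTES // GIB} GiB each (connection rotation)")
        if reasons:
            findings.append({"src": src, "dst": dst, "dport": dport,
                             "bytes_out": total, "reasons": reasons})
    return findings


def parse_flow_line(line: str) -> Flow:
    """Parse 'start,end,src,dst,dport,bytes_out' (constructed export format)."""
    start, end, src, dst, dport, sent = line.split(",")
    return Flow(src, dst, int(dport), float(start), float(end), int(sent))


# Constructed sample: a file server pushing five parallel ~2 GiB chunks plus a tail,
# a single 6 GiB sequential transfer (large but not rotated), and a small backup job.
SAMPLE_FLOWS = """\
0,400,10.0.5.20,203.0.113.7,443,2147483648
0,410,10.0.5.20,203.0.113.7,443,2147483000
0,405,10.0.5.20,203.0.113.7,443,2146000000
2,420,10.0.5.20,203.0.113.7,443,2147480000
3,415,10.0.5.20,203.0.113.7,443,2147483648
420,800,10.0.5.20,203.0.113.7,443,1500000000
0,3600,10.0.5.22,198.51.100.9,443,6442450944
0,600,10.0.5.21,198.51.100.9,443,1288490188
600,1200,10.0.5.21,198.51.100.9,443,1288490188
1200,1800,10.0.5.21,198.51.100.9,443,1288490188
"""


def run_sample() -> list:
    return detect_bulk_upload([parse_flow_line(l) for l in SAMPLE_FLOWS.splitlines() if l.strip()])


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

Only the 10.0.5.20 transfer is reported; the 6 GiB sequential copy clears the volume floor but has neither trait, which is the distinction that keeps backup windows from paging the on-call. Feed it a real Zeek conn.log by mapping ts, ts+duration, id.orig_h, id.resp_h, id.resp_p and orig_bytes onto the same fields.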

Sources

1. Symantec Threat Intelligence Report, "Trigona Affiliates Deploy Custom Exfiltration Tool," May 1, 2026 (https://www.security.com/threat-intelligence/trigona-exfiltration-custom)

2. PRSOL:CC Security News, "Trigona ransomware attacks use custom exfiltration tool to steal data," May 1, 2026 (https://www.prsol.cc/2026/05/01/trigona-ransomware-attacks-use-custom-exfiltration-tool-to-steal-data/)

3. CloudVirtues Community, "Trigona Affiliates Deploy Custom Exfiltration Tool to Streamline Data Theft," April 30–May 1, 2026 (https://cloudvirtues.wordpress.com/2026/04/30/trigona-affiliates-deploy-custom-exfiltration-2/)


Lyrie.ai Cyber Research Division

Lyrie Verdict

Lyrie's autonomous defense layer flags this class of exposure the moment it surfaces — no signature update required.