Cyber: Trigona ransomware attacks use custom exfiltration tool to steal data (2026)

Recently observed Trigona ransomware attacks are using a custom command-line tool to steal data from compromised environments faster and more efficiently. The utility was employed in attacks in March that were attributed to a gang affiliate, likely in an effort to avoid publicly available tools such as Rclone and MegaSync, which typically trigger security solutions.

Researchers at cybersecurity company Symantec believe that the shift to a custom tool may indicate that the attacker is "investing time and effort in proprietary malware in a bid to maintain a lower profile during a critical phase of their attacks."

In a report today, the researchers say that the tool is named “uploader_client.exe” and connects to a hardcoded server address. Its performance and evasion capabilities include:

In one incident, the exfiltration tool was used to steal high-value documents such as invoices and PDFs from network drives.

Trigona ransomware was launched in October 2022 as a double-extortion operation that demanded that its victims pay ransoms in the Monero cryptocurrency. Although Ukrainian cyber activists disrupted the Trigona operation in October 2023, hacking its servers and stealing internal data such as source code and database records, Symantec’s report suggests that the threat actors have resumed operations.

According to Symantec’s observations of recent Trigona attacks, the threat actor installs the Huorong Network Security Suite tool HRSword as a kernel driver service.

Source: BleepingComputer