Pulse Detail — Threat Intelligence

PULSE NAME

Trigona Affiliates Deploy Custom Exfiltration Tool to Streamline Data Theft

WHITE Trigona AlienVault 2026-05-01 Modified: 2026-05-04

IOCs

HIGH VOLUME

Trigona ransomware affiliates deployed a custom exfiltration tool called uploader_client.exe during attacks in March 2026, marking a tactical shift from relying on off-the-shelf utilities like Rclone. The tool features parallel streams with five default connections, connection rotation after 2,048 MB transfers to evade network monitoring, and granular filtering to exclude low-value files. Prior to exfiltration, attackers disabled security defenses using kernel-level tools including HRSword, PCHunter, Gmer, YDark, and WKTools with vulnerable drivers. Remote access was established via AnyDesk, while credentials were harvested using Mimikatz and Nirsoft utilities. The custom tooling demonstrates higher technical maturity compared to typical ransomware operations, providing enhanced stealth capabilities while requiring greater development resources. Targeted data included invoices and high-value PDF documents from networked drives.

MITRE ATT&CK & Malware Families

ATT&CK TECHNIQUES

T1021.005 T1543.003 T1071 T1005 T1140 T1218 T1562.002 T1555.003 T1003.001 T1048 T1562.001 T1039 T1078 T1068 T1027 T1486 T1573 T1555.004 T1021.001 T1569.002

MALWARE FAMILIES

Trigona uploader_client.exe HRSword PCHunter Volgmer - S0180 YDark WKTools DumpGuard StpProcessMonitorByovd PowerRun Mimikatz AnyDesk MalExtractor ParsVbs StartBat GoGra

Indicators of Compromise (76)

All FileHash-MD5 FileHash-SHA1 FileHash-SHA256

TYPE	INDICATOR	DESCRIPTION	CREATED
FileHash-MD5	23516ea1f2cc771f705807c2fc7d163e	—	2026-05-01
FileHash-MD5	44bd492dfb54107ebfe063fcbfbddff5	—	2026-05-01
FileHash-MD5	58bb9dab4e9b3aa2fd1e7a7b17d2eeb1	—	2026-05-01
FileHash-MD5	716c04b0eaa8106b542d4041ad065ef5	—	2026-05-01
FileHash-MD5	957f2d9e3370212548a57020233e6ba7	—	2026-05-01
FileHash-MD5	97e045bc056b5f68f18ea4fbbb9cc64a	—	2026-05-01
FileHash-MD5	987b65cd9b9f4e9a1afd8f8b48cf64a7	—	2026-05-01
FileHash-MD5	9b1ae658c91d5883d7743130c6ca0523	—	2026-05-01
FileHash-MD5	ab06eeb603656d3943cd30396f82a45f	—	2026-05-01
FileHash-MD5	b9b514e817a9e1cc2e86e3c00b555873	—	2026-05-01
FileHash-MD5	c48b572a659a1ade4190421ab2280d87	—	2026-05-01
FileHash-MD5	d28f0cfae377553fcb85918c29f4889b	—	2026-05-01
FileHash-MD5	d611f824074a57e7fd1d08341edeb559	—	2026-05-01
FileHash-MD5	dc6252f2be3256e4202e46e6ffd4383b	—	2026-05-01
FileHash-MD5	df218168bf83d26386dfd4ece7aef2d0	—	2026-05-01
FileHash-MD5	e9dc058440d321aa17d0600b3ca0ab04	—	2026-05-01
FileHash-MD5	fad7bc52b93328305f4bd52fe1ca498a	—	2026-05-01
FileHash-SHA1	1a12519bdeb372e8b1836d78ec61617bbac166aa	—	2026-05-01
FileHash-SHA1	1ca08190c945786c974156f75262d4fd55a868b0	—	2026-05-01
FileHash-SHA1	239e671ea09e4c5154ffb3ed2a78aac1139ed3ef	—	2026-05-01
FileHash-SHA1	32e24780735a0148c3cc4ce7dda30ed9365397a9	—	2026-05-01
FileHash-SHA1	397a5701384f1ec1ded95f71dc69c0903935a9ad	—	2026-05-01
FileHash-SHA1	4a3418d78d8fe36b39d1ee5435796369b88a8762	—	2026-05-01
FileHash-SHA1	539c228b6b332f5aa523e5ce358c16647d8bbe57	—	2026-05-01
FileHash-SHA1	5d275449228e6464410aaefc58d7f3732e279fad	—	2026-05-01
FileHash-SHA1	5f1cbc3d99558307bc1250d084fa968521482025	—	2026-05-01
FileHash-SHA1	8729815f87f4186fd46d52418c1b7ae2a54aebcf	—	2026-05-01
FileHash-SHA1	92862afc2fb4c2e5d624d7e1b1ee2d9f0692b6f6	—	2026-05-01
FileHash-SHA1	99c4401366ad7e561ce3ac8e5bb9a7a8144aa3ea	—	2026-05-01
FileHash-SHA1	9f7835b3cdc7cbc641904b1923d7de4a72b3c437	—	2026-05-01
FileHash-SHA1	b67a2f9d9de2135617caea8d4a7488e2a962e3e2	—	2026-05-01
FileHash-SHA1	e43d7a6ad722d285813afb9eefe53d264af6948b	—	2026-05-01
FileHash-SHA1	e61f7aca50ca1eb9857dadec2f601a113ade907c	—	2026-05-01
FileHash-SHA1	ea5cd55a44b8be532af602002f498717fc192818	—	2026-05-01
FileHash-SHA256	0b679027e38f3d9ca554085be0e762c651e83e6414401b56635cdf3765ca1dac	—	2026-05-01
FileHash-SHA256	0ce7badb26174b6129fb13d7e255e582f84d8aaedeabcd02c80d84a609144068	—	2026-05-01
FileHash-SHA256	1433aa8210b287b8d463d958fc9ceeb913644f550919cfb2c62370773799e5a5	—	2026-05-01
FileHash-SHA256	1588023393eb6b4d9433d539d303ecb56b6c3630e860f94d1a137834bdedf2bd	—	2026-05-01
FileHash-SHA256	205818e10c13d2e51b4c0196ca30111276ca1107fc8e25a0992fe67879eab964	—	2026-05-01
FileHash-SHA256	207b11f7dc4f17e4e5a9c25dbfb6a785a7456d7c381ecea7c729d8d924be1fb9	—	2026-05-01
FileHash-SHA256	274ca13168b38590c230bddc2d606bbe8c26de8a6d79156a6c7d07265efe0fdf	—	2026-05-01
FileHash-SHA256	2b214bddaab130c274de6204af6dba5aeec7433da99aa950022fa306421a6d32	—	2026-05-01
FileHash-SHA256	35f28a31a47b0bcd92722265473d66ffef6c4bd460c71c36b57df2ac0d02f671	—	2026-05-01
FileHash-SHA256	396aa1f8f308010a3c76a53965d0eddd35e41176eacd1194745d9542239ca8dc	—	2026-05-01
FileHash-SHA256	48f3d66492a494965e7039079158e2fee552aaab517d1a55352209c9eedcb765	—	2026-05-01
FileHash-SHA256	49a7b3cf426d1f35a2138c0a6cec397688d223d7f2bcbbeed53b511a328a97be	—	2026-05-01
FileHash-SHA256	4a44d0c6cf5de515dd296f05ff6674d1a340fccf6b4c11612d27be2d3baa82b0	—	2026-05-01
FileHash-SHA256	4adbb1906762c757764ffc5fa64af96e091966f4f5a43aae12fcc4f05f1c26b5	—	2026-05-01
FileHash-SHA256	598555a7e053c7456ee8a06a892309386e69d473c73284de9bbc0ba73b17e70a	—	2026-05-01
FileHash-SHA256	5be325905df8aab7089ab2348d89343f55a2f88dadd75de8f382e8fa026451bd	—	2026-05-01
FileHash-SHA256	647b2f12486343fe065dc4abbb11e2338589eb099c72792b5a05e64a5e2937fc	—	2026-05-01
FileHash-SHA256	6688fb3039ad6df606d76a897ef1072cdc78b928335c6bfa691d99498caf5c4b	—	2026-05-01
FileHash-SHA256	6bac99f56e54d5195783513ae6954a4a8509d7bc397c94f405266b5df9cd96cb	—	2026-05-01
FileHash-SHA256	6c31dd44b29b5f87030caececc616cf366badeff5a7e4c9933aa5fa6445a0c7a	—	2026-05-01
FileHash-SHA256	6ce228240458563d73c1c3cbbd04ef15cb7c5badacc78ce331848f5431b406cc	—	2026-05-01
FileHash-SHA256	72fc3d03065922b9a03774bbd1873e5e7f3a5a2abf5dcf7bfb2e98aceed53a9d	—	2026-05-01
FileHash-SHA256	73cd405b5bfc99ec5cf33467d4be7fc7e39ae18337568ee10173c17ba6e8f0d7	—	2026-05-01
FileHash-SHA256	771de264c5d7e1e5ac85f00c42e9fe3b439bcbd4f9aa11e4fd7bc0d87fa2344e	—	2026-05-01
FileHash-SHA256	7a313840d25adf94c7bf1d17393f5b991ba8baf50b8cacb7ce0420189c177e26	—	2026-05-01
FileHash-SHA256	816d7616238958dfe0bb811a063eb3102efd82eff14408f5cab4cb5258bfd019	—	2026-05-01
FileHash-SHA256	87bf4b152d9548f415f12f353f988b5442729e7f24e2902ddfd0baa4a944354a	—	2026-05-01
FileHash-SHA256	8a2f4907159a68867b22bc772590ebcafcfa656a23951228ecd89e4f598472b0	—	2026-05-01
FileHash-SHA256	99c4775ed813f354c9e53f42797226d82b26f44d19e81036c9e55222d1744189	—	2026-05-01
FileHash-SHA256	a18555c1ca53d4826191a30889d82205a304932f997baec755c98ddad4326cb8	—	2026-05-01
FileHash-SHA256	b066ca2702853c2fcbf686897c18f6d315be7ae753007ac2c1d73c87b0a30de9	—	2026-05-01
FileHash-SHA256	b3774ba01a3096348fd76a7072407b9f07bb9589e0f5ba31ca576689bbbe94e4	—	2026-05-01
FileHash-SHA256	c41216eee9756a1dcc546df4fe97defc05513eed64ce6ac05f1501b50e6f96cc	—	2026-05-01
FileHash-SHA256	c64964944b4c1f649ae8f694964b3a212dc1028341ab71836306a456fba0b3f4	—	2026-05-01
FileHash-SHA256	c7d994eb2042633172bd8866c9f163be531444ce3126d5f340edd25cbdb473d4	—	2026-05-01
FileHash-SHA256	d4339a5b9d15211dbc85424cf7fa8ff825033ea3378506d8ecb19b016db5b4ff	—	2026-05-01
FileHash-SHA256	d833e8fc97b3c865ebfb96a48da9ec446148cb5ad7e66ca5c47cd693f7923888	—	2026-05-01
FileHash-SHA256	df5a574254637d2880633b0582e956b23f66efc6781e825c65e1ccfaa6c58809	—	2026-05-01
FileHash-SHA256	e8a3e804a96c716a3e9b69195db6ffb0d33e2433af871e4d4e1eab3097237173	—	2026-05-01
FileHash-SHA256	eee885e5dae750848d0903d179cacd81149ceecec83c2ec4ad4545531de3cfdf	—	2026-05-01
FileHash-SHA256	f27eab3157451e31db71169e71f76d28325193218f9dc8f421136d4a20165feb	—	2026-05-01
FileHash-SHA256	f5390674f0f49fe8af116396828c3de6729347ebc3c772d87618e55629aec06c	—	2026-05-01

References (1)

↗ https://www.security.com/threat-intelligence/trigona-exfiltration-custom