Trigona Affiliates Deploy Custom Exfiltration Tool to Streamline Data Theft
ID: f527f9c9-8d02-576e-ac98-1b2c6cd72eb8
STIX ID: report--f527f9c9-8d02-576e-ac98-1b2c6cd72eb8
Feed Name: security.com
Symantec-tracked Trigona ransomware affiliates (Rhantus) conducted March 2026 intrusions using a custom exfiltration tool (uploader_client.exe) that implements parallel streams, connection rotation, granular filtering, and shared authentication. Before exfiltrating data, the attackers disabled endpoint protections via kernel-level tools and driver exploits, used AnyDesk for remote access, and harvested credentials with Mimikatz. The report includes numerous file-hash IOCs and an identified C2 IP (163.172.105.82).
