Trigona ransomware adopts custom tool to steal data and evade detection


Trigona ransomware now uses a custom command-line tool to steal data faster and evade detection, replacing utilities such as Rclone and MegaSync.

Symantec researchers report that recent Trigona ransomware attacks used a custom-built data exfiltration tool instead of common utilities like Rclone or MegaSync. The shift, seen in incidents in March 2026, gives the attackers more control over the transfer and helps them evade detection, since widely used tools are often flagged by security products. Researchers believe the move shows a growing investment in proprietary malware to stay stealthy.

“The attacks, which occurred in March 2026, mark a significant shift in tactics for Trigona affiliates. The motivation for moving away from publicly available tools remains unknown,” reads the report published by Symantec. “Many publicly available tools are now so well known that they may be flagged by security solutions.”

Trigona, active since late 2022, operates as a Ransomware-as-a-Service and has been linked to the Rhantus cybercrime group.

The custom tool, uploader_client.exe, connects to an attacker-controlled server and appears to be privately developed. It speeds up exfiltration by opening multiple parallel connections and rotates TCP connections to avoid detection.

“The tool defaults to five parallel connections per file, allowing for rapid data transfer that can saturate available bandwidth,” continues the report. “It can rotate the TCP connection after a specific volume of data (defaulting to 2,048 MB) has been sent. This technique is likely intended to evade network traffic monitoring that triggers on long-lived, high-volume connections to a single IP address.”

The tool can also filter out large, low-value files and focus on sensitive data such as documents, and it uses an authentication key to secure access to the stolen data.
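The connection-rotation behaviour described above defeats any rule that judges a connection on its own, because each rotated connection stays short and stops near 2,048 MB. The defensive answer is to aggregate bytes sent per source/destination pair over a time window, so that rotation adds to the total instead of resetting it. The following is an added example written for this article (not Symantec's analysis code and not the uploader itself); the flow records are constructed to mimic the reported behaviour in the shape of a simplified Zeek-style conn.log, and the thresholds (10 GiB, one hour) are assumptions a team would tune to its own baseline.

```python
"""Detect connection-rotating bulk egress by aggregating flows per destination.

Added example (not Symantec's analysis code or the uploader itself). It models
the evasion the report describes: a tool that opens several parallel
connections and rotates each TCP connection near 2,048 MB, so that no single
flow looks long-lived or high-volume. All flow records and thresholds here are
constructed assumptions.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

MB = 1024 * 1024

# Constructed records in the shape of a simplified Zeek-style conn.log:
# start time, source host, destination IP, destination port, duration (s),
# bytes sent by the source. 203.0.113.10 mimics the rotating uploader (five
# parallel connections, each ended around 2,048 MB, then a second batch);
# 192.0.2.20 is one big unrotated transfer; 198.51.100.5 is ordinary traffic.
SAMPLE_FLOWS = """\
2026-03-12T02:00:00Z,10.0.0.25,203.0.113.10,443,410,2147483648
2026-03-12T02:00:00Z,10.0.0.25,203.0.113.10,443,405,2147483648
2026-03-12T02:00:01Z,10.0.0.25,203.0.113.10,443,412,2147483648
2026-03-12T02:00:01Z,10.0.0.25,203.0.113.10,443,398,2147483648
2026-03-12T02:00:02Z,10.0.0.25,203.0.113.10,443,415,2147483648
2026-03-12T02:07:00Z,10.0.0.25,203.0.113.10,443,402,2147483648
2026-03-12T02:07:00Z,10.0.0.25,203.0.113.10,443,409,2147483648
2026-03-12T02:07:01Z,10.0.0.25,203.0.113.10,443,400,2147483648
2026-03-12T02:07:02Z,10.0.0.25,203.0.113.10,443,411,2147483648
2026-03-12T02:07:02Z,10.0.0.25,203.0.113.10,443,397,1610612736
2026-03-12T01:30:00Z,10.0.0.41,192.0.2.20,443,7200,12884901888
2026-03-12T02:10:00Z,10.0.0.40,198.51.100.5,443,30,52428800
2026-03-12T02:40:00Z,10.0.0.40,198.51.100.5,443,28,52428800
2026-03-12T03:05:00Z,10.0.0.40,198.51.100.5,443,31,52428800
"""


@dataclass(frozen=True)
class Flow:
    start: datetime
    src: str
    dst: str
    dport: int
    duration: timedelta
    orig_bytes: int

    @property
    def end(self) -> datetime:
        return self.start + self.duration


def parse_flows(text: str) -> list[Flow]:
    """Parse the comma-separated records above into Flow objects."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, dur, nbytes = line.split(",")
        flows.append(Flow(datetime.fromisoformat(ts.replace("Z", "+00:00")),
                          src, dst, int(dport), timedelta(seconds=int(dur)), int(nbytes)))
    return flows


def per_connection_alerts(flows, max_bytes=10 * 1024 * MB,
                          max_duration=timedelta(hours=1)):
    """The rule rotation is built to evade: judge every connection on its own."""
    return {(f.src, f.dst) for f in flows
            if f.orig_bytes > max_bytes or f.duration > max_duration}


def peak_concurrency(flows):
    """Highest number of flows open at the same instant (a +1/-1 sweep)."""
    events = []
    for f in flows:
        events += [(f.start, 1), (f.end, -1)]
    events.sort()  # at equal times -1 sorts before +1, so a close never inflates the count
    current = peak = 0
    for _, delta in events:
        current += delta
        peak = max(peak, current)
    return peak


def aggregate_alerts(flows, window=timedelta(hours=1), max_bytes=10 * 1024 * MB):
    """Sum bytes per (src, dst) over any sliding window; a rotated connection
    adds to the total instead of resetting it. Returns the worst window for
    each pair whose total exceeds max_bytes."""
    by_pair = defaultdict(list)
    for f in flows:
        by_pair[(f.src, f.dst)].append(f)
    alerts = {}
    for pair, pf in by_pair.items():
        pf.sort(key=lambda f: f.start)
        worst = None
        for i, first in enumerate(pf):
            run = [f for f in pf[i:] if f.start - first.start <= window]
            total = sum(f.orig_bytes for f in run)
            if worst is None or total > worst["bytes"]:
                worst = {"bytes": total, "connections": len(run),
                         "peak_parallel": peak_concurrency(run)}
        if worst["bytes"] > max_bytes:
            alerts[pair] = worst
    return alerts


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("per-connection rule flags:", sorted(per_connection_alerts(flows)))
    for (src, dst), info in sorted(aggregate_alerts(flows).items()):
        print(f"aggregate rule flags {src} -> {dst}: {info['bytes'] // MB} MB over "
              f"{info['connections']} connections, peak {info['peak_parallel']} in parallel")
```

On the constructed data the per-connection rule only flags the single 12 GB transfer to 192.0.2.20; the ten rotated connections to 203.0.113.10 each stay under both limits. The aggregate rule flags that pair as well, with roughly 20 GB over ten connections and five open at once, which is exactly the footprint the report attributes to the uploader's defaults. Two caveats: an attacker can spread the rotation across several destination addresses, so in practice the key should also be rolled up to the destination network or domain, and the byte threshold must sit above the organisation's legitimate backup and sync traffic or the rule will be noisy.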
In one case, the tool targeted invoices and high-value PDFs on network drives.

Before deploying the custom uploader, the attackers disable security tools using several utilities, including HRSword, PCHunter and GMER, often abusing vulnerable kernel drivers to kill protections; PowerRun is used to run them with elevated privileges. They access systems remotely via AnyDesk and steal credentials with tools such as Mimikatz and Nirsoft password recovery utilities, targeting applications and browsers.

“The use of custom tooling in the ransomware landscape is a double-edged sword for attackers,” concludes the report. “While it requires development resources and time, these tools can provide a level of stealth that generic tools cannot match, at least until they’re discovered.”

Pierluigi Paganini

(SecurityAffairs – hacking, Trigona ransomware)