{"id":12365,"date":"2026-04-24T10:03:53","date_gmt":"2026-04-24T10:03:53","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/04\/24\/ransomware-hackers-develop-custom-exfiltration-tool-to-steal-sensitive-data\/"},"modified":"2026-04-24T10:03:53","modified_gmt":"2026-04-24T10:03:53","slug":"ransomware-hackers-develop-custom-exfiltration-tool-to-steal-sensitive-data","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/04\/24\/ransomware-hackers-develop-custom-exfiltration-tool-to-steal-sensitive-data\/","title":{"rendered":"Ransomware Hackers Develop Custom Exfiltration Tool to Steal Sensitive Data"},"content":{"rendered":"<div>\n<p>Ransomware attackers are no longer relying only on widely known tools to steal data. Affiliates linked to the Trigona ransomware group have built their own data exfiltration tool, which gives them more control over what is taken, how fast it moves, and how visible the transfer is on the network.<\/p>\n<p>The Trigona ransomware first surfaced in late 2022 and operates under a Ransomware-as-a-Service (RaaS) model, managed by a cybercrime group known as Rhantus. <\/p>\n<p>For years, many ransomware groups depended on publicly available utilities such as Rclone or MegaSync to move stolen data. Those tools work, but they are now well known to security vendors and widely signatured, which makes their presence on a host or their traffic on the wire easier to spot. <\/p>\n<p>The shift toward a purpose-built tool signals that the attackers are growing more technically capable and more deliberate in how they conduct their operations.<\/p>\n<p><a 
href=\"https:\/\/www.security.com\/threat-intelligence\/trigona-exfiltration-custom\" id=\"https:\/\/www.security.com\/threat-intelligence\/trigona-exfiltration-custom\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Symantec\u2019s Threat Hunter Team identified the attacks<\/a> in March 2026 and noted that this change in tactics represents a meaningful development in the Trigona group\u2019s behavior. <\/p>\n<p>The researchers observed that the attackers appear to be investing significant time and resources into developing proprietary malware, most likely to keep a lower profile during the most sensitive phase of the intrusion: moving the data out of the network. <\/p>\n<p>This kind of technical investment is relatively rare among ransomware affiliates, most of whom prefer the speed and convenience of off-the-shelf tools.<\/p>\n<p>The custom tool, named \u201cuploader_client.exe,\u201d is a command-line utility that connects to a hardcoded attacker-controlled server. <\/p>\n<p>In one confirmed incident, the tool was pointed at folders holding financial invoices and high-value PDF documents stored on networked drives. <\/p>\n<p>That selectivity indicates the operators know which data gives them the most leverage in an extortion negotiation and are building their tooling around extracting exactly that.<\/p>\n<p>The broader impact of this development goes beyond a single ransomware campaign. It shows that some threat actors are willing to invest in research and development, treating cybercrime operations with the same structure and discipline as a <a href=\"https:\/\/cybersecuritynews.com\/threat-actors-exploiting-legitimate-software\/\" id=\"78092\" target=\"_blank\" rel=\"noreferrer noopener\">legitimate software<\/a> project. 
<\/p>\n<p>Organizations across industries that handle sensitive financial records or confidential documents are at heightened risk as these tools grow more capable and harder to detect.<\/p>\n<h2 class=\"wp-block-heading\" id=\"defense-evasion-and-pre-attack-setup\"><strong>Defense Evasion and Pre-Attack Setup<\/strong><\/h2>\n<p>Before deploying the custom uploader, the attackers took deliberate steps to strip away the target\u2019s defenses. <\/p>\n<p>They installed HRSword, a system-analysis utility from the Huorong <a href=\"https:\/\/cybersecuritynews.com\/network-security-solutions\/\" id=\"13494\" target=\"_blank\" rel=\"noreferrer noopener\">Network Security<\/a> Suite that ships with its own signed kernel driver, and repurposed it to disable security software on the victim\u2019s machine. <\/p>\n<p>Alongside HRSword, several other tools were deployed, including PCHunter, Gmer, YDark, WKTools, DumpGuard, and StpProcessMonitor, a bring-your-own-vulnerable-driver (BYOVD) tool. <\/p>\n<p>Several of these are legitimate anti-rootkit or system utilities that bring a signed kernel driver with them. Once an attacker loads that driver, it provides a kernel-mode path to terminate protected endpoint-protection processes, sidestepping the user-mode tamper protection those products rely on.<\/p>\n<p>Remote access to infected machines was established through AnyDesk, a legitimate remote desktop application. <\/p>\n<p>To extend their foothold, the attackers used Mimikatz to extract credentials from memory and a collection of NirSoft password-recovery utilities to pull passwords saved in browsers and other applications. <\/p>\n<p>PowerRun was used to launch several of these tools with SYSTEM-level privileges, giving the attackers full administrative control throughout the attack chain.<\/p>\n<p>The uploader_client.exe tool itself is engineered for both speed and stealth. It defaults to five parallel connections per file to maximize transfer throughput, closes and re-establishes each TCP connection after every 2,048 MB of data, most likely so that no single session grows large enough to trip per-connection volume thresholds in <a href=\"https:\/\/cybersecuritynews.com\/network-monitoring-tools\/\" id=\"20062\" target=\"_blank\" rel=\"noreferrer noopener\">network monitoring<\/a> systems, and accepts a \u201c--exclude-ext\u201d flag that skips low-value media such as video and audio files so that only documents worth stealing are uploaded. 
<\/p>\n<p>A shared authentication key between the client and the server keeps anyone else who stumbles on the server, such as researchers or rival crews, from retrieving the stolen data once it has been uploaded.<\/p>\n<p>Organizations are strongly advised to monitor for unauthorized use of remote access tools like AnyDesk in their environments, including installs that the IT team did not deploy. 
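<\/p>\n<p>The transfer shape described above is also the most durable thing to hunt for on the network side: one host opening several simultaneous connections to one external peer, each connection closing after roughly the same byte count and being replaced straight away. The Python script below is an added example written for this page; it is not code from the original article, from Symantec, or from the attackers. Its flow-record format, its internal address ranges and its thresholds (three or more parallel connections, 10 GiB to one peer, and a 2% window around the 2,048 MB rotation point, counted as MiB) are assumptions, and the flow records it runs over are constructed, with TEST-NET addresses standing in for real external hosts.<\/p>\n

```python
# Added example (not from the article): flag the outbound transfer shape of the
# uploader described above: several simultaneous TCP connections from one host to
# one external peer, each closed after a fixed byte count and replaced by a new one.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

MB = 1024 * 1024                   # assumption: the tool counts megabytes as MiB
ROTATE_BYTES = 2048 * MB            # per-connection rotation point reported for uploader_client.exe
ROTATE_TOLERANCE = 0.02             # a rotated connection carries roughly that much; allow 2% slack
MIN_PARALLEL = 3                    # tool defaults to five; alert lower in case the affiliate tunes it down
MIN_TOTAL_BYTES = 10 * 1024 * MB    # 10 GiB to a single external peer (tune to the environment)

# Assumed internal ranges. Python's is_private also covers the TEST-NET documentation
# ranges used in the sample below, so RFC 1918 and local ranges are listed explicitly.
INTERNAL_NETS = [ip_network(n) for n in
                 ('10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16', '127.0.0.0/8', '169.254.0.0/16')]


@dataclass
class Flow:
    start: float       # connection start, epoch seconds
    end: float         # connection end, epoch seconds
    src: str
    dst: str
    dport: int
    bytes_out: int     # bytes sent by src towards dst


def parse_flows(text):
    """Parse whitespace-separated records: start end src dst dport bytes_out
    (hypothetical export format; map Zeek conn.log or NetFlow fields onto it)."""
    flows = []
    for line in text.strip().splitlines():
        if not line.strip() or line.lstrip().startswith('#'):
            continue
        start, end, src, dst, dport, out = line.split()
        flows.append(Flow(float(start), float(end), src, dst, int(dport), int(out)))
    return flows


def is_external(ip):
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def max_concurrency(flows):
    """Largest number of the given flows open at the same instant (sweep line)."""
    events = [(f.start, 1) for f in flows] + [(f.end, -1) for f in flows]
    events.sort()                     # at equal timestamps the -1 (close) sorts before the +1 (open)
    open_now = peak = 0
    for _, delta in events:
        open_now += delta
        peak = max(peak, open_now)
    return peak


def near_rotation_size(n):
    """True when a connection carried about ROTATE_BYTES, i.e. it looks like a rotated chunk."""
    return abs(n - ROTATE_BYTES) <= ROTATE_BYTES * ROTATE_TOLERANCE


def find_exfil_candidates(flows):
    """Group flows by (src, dst, dport) and return one alert per suspicious external peer."""
    groups = {}
    for f in flows:
        if not is_external(f.dst):
            continue                  # internal replication and backups are out of scope here
        groups.setdefault((f.src, f.dst, f.dport), []).append(f)

    alerts = []
    for (src, dst, dport), fl in groups.items():
        total = sum(f.bytes_out for f in fl)
        parallel = max_concurrency(fl)
        rotations = sum(1 for f in fl if near_rotation_size(f.bytes_out))
        reasons = []
        if parallel >= MIN_PARALLEL and total >= MIN_TOTAL_BYTES:
            reasons.append('%d parallel uploads, %.1f GiB sent' % (parallel, total / (1024 * MB)))
        if rotations >= 2:
            reasons.append('%d connections each closed near %d MB' % (rotations, ROTATE_BYTES // MB))
        if reasons:
            alerts.append({'src': src, 'dst': dst, 'dport': dport, 'total_out': total,
                           'parallel': parallel, 'rotations': rotations, 'reasons': reasons})
    return alerts


# Constructed flow records, not real telemetry. Host 10.0.5.23 pushes two waves of five
# 2,048 MB connections (plus a short final one) to 203.0.113.45:443; the other rows are
# an ordinary download and an internal backup that must not alert.
SAMPLE_FLOWS = '''
# start  end     src        dst           dport  bytes_out
1000.0  1600.0  10.0.5.23  203.0.113.45  443  2147483648
1000.0  1610.0  10.0.5.23  203.0.113.45  443  2147483648
1000.0  1590.0  10.0.5.23  203.0.113.45  443  2147483648
1000.0  1605.0  10.0.5.23  203.0.113.45  443  2147483648
1000.0  1615.0  10.0.5.23  203.0.113.45  443  2147483648
1600.0  2200.0  10.0.5.23  203.0.113.45  443  2147483648
1610.0  2210.0  10.0.5.23  203.0.113.45  443  2147483648
1590.0  2190.0  10.0.5.23  203.0.113.45  443  2147483648
1605.0  2205.0  10.0.5.23  203.0.113.45  443  2147483648
1615.0  2215.0  10.0.5.23  203.0.113.45  443  1342177280
1200.0  1260.0  10.0.7.8   198.51.100.7  443  52428800
1300.0  5000.0  10.0.5.9   10.0.9.1      445  64424509440
'''

if __name__ == '__main__':
    for alert in find_exfil_candidates(parse_flows(SAMPLE_FLOWS)):
        print(alert['src'], '->', alert['dst'], alert['dport'], '|', '; '.join(alert['reasons']))
```

\n<p>Map a Zeek conn.log, NetFlow or firewall session export onto the six columns and the script returns one alert per (source, destination, port) tuple that matches. The two checks are deliberately independent: the rotation check still fires if the affiliate lowers the parallelism, and the parallelism check still fires if a rebuilt tool changes the chunk size. 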
<\/p>\n<p><a href=\"https:\/\/cybersecuritynews.com\/tycoon-2fa-phishing-kit-employs-new-evasion-techniques\/\" id=\"99610\" target=\"_blank\" rel=\"noreferrer noopener\">Endpoint detection systems<\/a> should be configured to flag kernel driver loads by tools such as PCHunter, Gmer, or HRSword, and any driver listed on Microsoft\u2019s vulnerable driver blocklist; enforcing that blocklist through HVCI or an App Control policy blocks many of the drivers these tools bring with them. <\/p>\n<p>Keeping endpoint protection software current is essential, and network traffic monitoring should alert on unusually large outbound volumes to a single external destination and on a host that opens several parallel connections to one peer and rotates them at regular byte counts. <\/p>\n<p>Reviewing and restricting access to sensitive document folders on networked drives can also reduce the risk of targeted exfiltration attempts.<\/p>\n<p>The post <a href=\"https:\/\/cybersecuritynews.com\/ransomware-hackers-develop-custom-exfiltration\/\">Ransomware Hackers Develop Custom Exfiltration Tool to Steal Sensitive Data<\/a> appeared first on <a href=\"https:\/\/cybersecuritynews.com\/\">Cyber Security News<\/a>.<\/p>\n<\/div>\n<p>Tushar Subhra Dutta<br \/>\n<a href=\"https:\/\/cybersecuritynews.com\/ransomware-hackers-develop-custom-exfiltration\/\">Go to cyber-security-news<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Ransomware Hackers Develop Custom Exfiltration Tool to Steal Sensitive Data Ransomware attackers are no longer relying only on widely known tools to steal data. Affiliates linked to the Trigona ransomware group have taken a more calculated approach by building their own custom data exfiltration tool, one that gives them greater precision, speed, and control over [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63,649],"tags":[130],"class_list":["post-12365","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","category-threats","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/12365"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=12365"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/12365\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=12365"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=12365"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=12365"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","
templated":true}]}}