Trigona ransomware operators have changed how they exfiltrate data: in incidents observed in March 2026 they used a custom-built command-line tool instead of widely used utilities such as Rclone and MegaSync [1]. Because many security controls flag those standard tools by name, a bespoke tool gives the operators more control over the exfiltration process and a lower chance of being detected, which in turn makes it harder for defenders to identify and respond to an intrusion before data leaves the network. Investing in proprietary tooling of this kind signals that the group prioritises stealth over convenience. For practitioners the lesson is that detection built around the names of known utilities is no longer sufficient on its own; defenses need to cover the behaviour of data theft itself, such as unusually large or unexpected outbound transfers, rather than only the tools usually used to perform it.
Trigona ransomware adopts custom tool to steal data and evade detection
⚡ High Priority
Why This Matters
The move away from Rclone and MegaSync, seen in March 2026 incidents, gives the operators more control over exfiltration and sidesteps detections that key on those standard tools, so defenders who rely mainly on tool-name signatures may miss the data theft entirely.
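To make the detection gap concrete, the following is an added example and not code from the SecurityAffairs article; it does not describe Trigona's actual tool, whose internals the article does not detail. It contrasts a name-based rule that only recognises known utilities (the page names Rclone and MegaSync) with a process-agnostic rule that aggregates outbound bytes per host, process and destination. The event records, host names, process names and the 500 MiB threshold are all constructed for illustration.

```python
"""
Added example (not from the SecurityAffairs article): a name-based
exfiltration detection beside a process-agnostic egress-volume rule.
All events, hosts, process names and thresholds below are constructed.
"""
from collections import defaultdict

# Process image names that signature-style rules commonly flag.  Rclone and
# MegaSync are the utilities the article says Trigona stopped using.
KNOWN_EXFIL_TOOLS = {"rclone.exe", "megasync.exe"}

# Hypothetical threshold: bytes sent by one process on one host to a single
# external destination within the observation window.
EGRESS_BYTES_THRESHOLD = 500 * 1024 * 1024  # 500 MiB

# Constructed sample telemetry: host, process image, destination, bytes out.
# "updater.exe" on fs03 stands in for an unknown custom exfiltration binary.
SAMPLE_EVENTS = [
    {"host": "fs01", "process": "rclone.exe",  "dst": "203.0.113.10", "bytes_out": 700_000_000},
    {"host": "fs02", "process": "svchost.exe", "dst": "198.51.100.7", "bytes_out": 120_000_000},
    {"host": "fs03", "process": "updater.exe", "dst": "192.0.2.44",   "bytes_out": 400_000_000},
    {"host": "fs03", "process": "updater.exe", "dst": "192.0.2.44",   "bytes_out": 350_000_000},
    {"host": "ws07", "process": "chrome.exe",  "dst": "198.51.100.9", "bytes_out":  30_000_000},
]


def flag_by_name(events):
    """Return hosts on which a process matching the known-tool list was seen."""
    return sorted({e["host"] for e in events
                   if e["process"].lower() in KNOWN_EXFIL_TOOLS})


def flag_by_egress_volume(events, threshold=EGRESS_BYTES_THRESHOLD):
    """Sum outbound bytes per (host, process, dst) and return keys over threshold.

    The process name is carried for triage only; it plays no part in the
    decision, so a renamed or custom binary is judged the same as rclone.
    """
    totals = defaultdict(int)
    for e in events:
        totals[(e["host"], e["process"], e["dst"])] += e["bytes_out"]
    return sorted(key for key, total in totals.items() if total > threshold)


def hosts_missed_by_name_rule(events):
    """Hosts the volume rule flags that the name rule does not: the gap
    a custom exfiltration tool exploits."""
    by_name = set(flag_by_name(events))
    by_volume = {host for host, _, _ in flag_by_egress_volume(events)}
    return sorted(by_volume - by_name)


if __name__ == "__main__":
    print("name rule flags:   ", flag_by_name(SAMPLE_EVENTS))
    print("volume rule flags: ", flag_by_egress_volume(SAMPLE_EVENTS))
    print("missed by name rule:", hosts_missed_by_name_rule(SAMPLE_EVENTS))
```

On the constructed sample the name rule catches only fs01 (rclone.exe), while the volume rule also catches fs03, where an unrecognised binary moved roughly 750 MB to one external address across two connections. In a real deployment the threshold should be derived from each host's baseline rather than fixed, and the aggregation window and destination scoping (for example excluding sanctioned backup targets) tuned to the environment.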
References
- SecurityAffairs. (2026, April 26). Trigona ransomware adopts custom tool to steal data and evade detection. SecurityAffairs. https://securityaffairs.com/191294/cyber-crime/trigona-ransomware-adopts-custom-tool-to-steal-data-and-evade-detection.html
Original Source
SecurityAffairs