Rhantus is a cybercrime group that Symantec tracks as the operator behind the Trigona ransomware-as-a-service (RaaS) operation, which first appeared in late 2022. The provided content links Rhantus to Trigona and describes affiliate activity observed in March 2026 showing a shift from public exfiltration tools such as Rclone and MegaSync to a custom command-line data theft utility, uploader_client.exe. Symantec assessed this proprietary tooling was intended to improve stealth and operational control. The uploader communicated with a hardcoded attacker-controlled server, used five parallel connections per file by default, rotated TCP connections after 2,048 MB, supported exclusion of lower-value media files, and in one observed case targeted invoices and high-value PDF documents on network drives. The intrusion tradecraft described for Trigona-linked activity included disabling security tools using HRSword and other BYOVD-style utilities including PCHunter, GMER, YDark, WKTools, DumpGuard, and StpProcessMonitorByovd; executing tools with elevated privileges via PowerRun; remote access through AnyDesk; and credential theft using Mimikatz and Nirsoft password recovery utilities targeting browser and application credentials. The content does not identify Rhantus as a nation-state actor. No additional aliases or sub-groups are directly supported beyond the name Rhantus and its operation of Trigona.
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
13 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.
1 malware family attributed to this actor across reporting.
43 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.
4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Cybercrime group explicitly linked in the content to the Trigona ransomware operation.
Named as the cybercrime group managing the Trigona RaaS operation.
Operates the Trigona ransomware as a RaaS operation and, in March 2026 attacks, used a custom-developed data exfiltration tool along with defense impairment, remote access, and credential theft tooling.
A cybercrime group identified by Symantec as the operator behind the Trigona ransomware-as-a-service operation.
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.