Trigona is a ransomware family and ransomware-as-a-service (RaaS) operation first observed in 2022, with public branding appearing in late October 2022. It has both Windows and Linux variants with similar functionality and uses double-extortion tactics, combining file encryption with data theft and operation of a Tor-based negotiation and leak site. The operation has been linked by Symantec to a cybercrime group it tracks as Rhantus. Trigona typically seeks payment in Monero.
On Windows, Trigona encrypts files and appends the ._locked extension, drops ransom notes such as how_to_decrypt.hta or how_to_restore_files.hta, and can establish persistence via a Run registry key. Reported capabilities include encrypting local and network files, partial or full-file encryption, filename encryption, embedding victim/campaign metadata in encrypted files, deleting shadow copies and backups, disabling recovery options, evasion via registry changes, and destructive options such as file erasure and free-space wiping. Analysis of a Windows sample described it as a Delphi PE32 console application that decrypts embedded configuration data and supports numerous command-line options.
On Linux, Trigona samples observed in the wild as late as April 2025 support configurable encryption behavior and target paths, including /vmfs/ by default in one analyzed sample. Reported options include /chattr-i, /delete, /fast, /full, and /allow_system. The Linux variant can handle file immutability via chattr, kill tasks and services, execute configured commands, optionally self-delete, and disrupt VMware ESXi environments by enumerating and powering off virtual machines using vim-cmd before encryption.
Observed intrusion vectors and deployment methods include exploitation of publicly exposed RDP hosts using valid accounts, and attacks against internet-exposed MS-SQL servers with weak credentials using brute-force or dictionary attacks. In one DFIR case, attackers used exposed RDP access, BAT scripts, account creation, privilege escalation, discovery tooling, lateral movement over RDP/SMB, exfiltration with rclone to Mega.io, and then deployed Trigona. Separate reporting states Trigona was deployed on compromised MS-SQL servers and that attackers abused Microsoft BCP to deploy payloads; one report also notes use of a Rust-based scanner in MS-SQL-focused attacks.
Recent Trigona affiliate activity in March 2026 showed a shift from public exfiltration tools such as Rclone or MegaSync to a custom command-line exfiltration utility, uploader_client.exe. Reported features include connection to an attacker-controlled hardcoded server, five parallel connections per file by default, TCP connection rotation after 2,048 MB, selective file-type exclusion, and shared-key authentication. In observed cases, attackers targeted high-value documents such as invoices and PDFs on network drives. Associated tooling in these intrusions included HRSword, PCHunter, GMER, YDark, WKTools, DumpGuard, StpProcessMonitorByovd, PowerRun, AnyDesk, Mimikatz, and Nirsoft password recovery utilities, including use of vulnerable kernel drivers to disable security products.
Known indicators and artifacts directly mentioned in the content include the ._locked extension; ransom note filenames how_to_decrypt.hta and how_to_restore_files.hta; the custom exfiltration tool uploader_client.exe; exfiltration server 163.172.105.82:1080; SHA-256 hashes 396aa1f8f308010a3c76a53965d0eddd35e41176eacd1194745d9542239ca8dc (uploader_client.exe), 6ce228240458563d73c1c3cbbd04ef15cb7c5badacc78ce331848f5431b406cc (HRSword), 6688fb3039ad6df606d76a897ef1072cdc78b928335c6bfa691d99498caf5c4b (Mimikatz), b066ca2702853c2fcbf686897c18f6d315be7ae753007ac2c1d73c87b0a30de9 (PowerRun), f27eab3157451e31db71169e71f76d28325193218f9dc8f421136d4a20165feb (WKTools), and c08a752138a6f0b332dfec981f20ec414ad367b7384389e0c59466b8e10655ec (Linux Trigona sample from April 2025).
Trigona infrastructure was reportedly compromised and wiped by the Ukrainian Cyber Alliance in October 2023 after exploitation of CVE-2023-22515 on a Confluence server, with claims that source code, databases, backups, and possibly decryption keys were stolen. Despite that disruption, multiple sources in the content indicate Trigona continued operating or resurfaced afterward.
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
Exploitation of a critical Confluence Data Center and Server vulnerability, tracked as CVE-2023-22515, enabled UCA hacktivists to infiltrate Trigona's ransomware infrastructure last week without being detected by the ransomware group.
3 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
Trigona ransomware was first observed in June 2022. It has Windows and Linux versions, which are similar in their functionality. On underground forums, threat actors announced the start of the affiliate program, meaning that Trigona operates as ransomware as a service.
Trigona ransomware now uses a custom command-line tool to steal data faster and evade detection, replacing tools like Rclone and MegaSync.
In January 2024, the group first made its mark by deploying Trigona and Mimic ransomware on MS-SQL servers exposed to the internet with weak credentials.
18 distinct techniques documented for this family, organized by ATT&CK tactic.
The output code shows that the malware is able to issue Virtual Infrastructure Management commands to a VMWare ESXi server. It lists all VMs, and then kills them all. ... command = "vim-cmd vmsvc/getallvms"; ... snprintf(poweroff_cmd, sizeof(poweroff_cmd), "vim-cmd vmsvc/power.off %s", vmid); ret = shellExecute(poweroff_cmd, &command, true);
“Trigona… change in tactics designed to hide its identity… ransom notes avoid mentioning [their leak site]… point to leak sites belonging to other ransomware groups…”
/* * The /delete option enables deletion mode in the program. * When this flag is set, instead of just scanning or analyzing files, * the program will actually remove files that match certain criteria. * ... */ bool process_command_options(const char* option) { ... if (strcmp(option, "/delete") == 0) { ... *g_deletion_enabled = true;
While many ransomware groups rely on off-the-shelf utilities such as Rclone or MegaSync to steal victim data, recent attacks involving the Trigona ransomware used a custom-developed tool designed to provide attackers with granular control over the data theft process.
Since early 2023, AvNeutralizer has been used in numerous intrusions, including with the subsequent deployment of well-known ransomware strains such as AvosLocker, MedusaLocker, BlackCat, Trigona, and LockBit.
// Power off ESXi VMs if needed if (targetPath == "/vmfs/" && doPowerOff) { ... stopVM(); } ... The output code shows that the malware is able to issue Virtual Infrastructure Management commands to a VMWare ESXi server. It lists all VMs, and then kills them all. | // Kill processes if not disabled if (getTaskKillerEnabled() && !disableKillFlag) { killTasksAndServices(); }
// Shutdown system if requested if (shutdownAfterFlag) { reboot(0x4321FEDC); // Special reboot code }
// Perform encryption or erasing priorityEncryptionOrErasing(); writeToLog("Start process..."); // Process target path String normalizedPath = osConvertSlashToBackslash(targetPath); if (fileExists(normalizedPath)) { encryptOrEraseFileByPath(targetPath, false); } else { encryptOrEraseFolderByPath(targetPath, false); }
57 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
25 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A ransomware-as-a-service operation active since late 2022, linked in the content to the Rhantus cybercrime group. Recent attacks used a custom-built exfiltration utility (uploader_client.exe) to steal sensitive data more efficiently and evade detection, alongside credential theft and security-disabling tools.
Ransomware-as-a-service malware that targets Windows and Linux systems, encrypts files with the ._locked extension, and uses double-extortion tactics including data exfiltration prior to encryption.
A ransomware family operating as a Ransomware-as-a-Service platform. In the described campaign, affiliates used a custom exfiltration utility to steal targeted financial and document data prior to ransomware activity.
A ransomware family operated as a Ransomware-as-a-Service platform. In the described March 2026 attacks, Trigona affiliates used a custom exfiltration utility to steal targeted documents before encryption, alongside defense-evasion and credential-theft tooling.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.