Analysis of Trigona Threat Actor's Latest Attack Cases

Oct. 29, 2025, 6:32 p.m.

Description

The Trigona threat actor continues to target MS-SQL servers through brute-force and dictionary attacks that exploit weak credentials. After gaining access, they use a CLR shell to run additional payloads and employ tools such as BCP, Curl, Bitsadmin, and PowerShell to download and install malware. For persistent access, the attackers rely on remote control tools such as AnyDesk, RDP, and possibly Teramind. A new scanner malware written in Rust targets RDP and MS-SQL services, and the threat actor also uses SpeedTest and a custom StressTester, along with various privilege escalation and file manipulation tools. To defend against these attacks, administrators should enforce complex passwords, keep security software up to date, and use firewalls to restrict access to database servers.

Date

  • Created: Oct. 29, 2025, 10:50 a.m.
  • Published: Oct. 29, 2025, 10:50 a.m.
  • Modified: Oct. 29, 2025, 6:32 p.m.

Indicators

  • f9322aa6b0527098520f9a041c4f4b2be81e95e2739310baaab1926f4ef40d80
  • cdfbd285104f3b1f2d79f01643df734920129c7e4af6ed7e0cd7b845558ee218
  • 0cc363668c85f3ab916795839b94c328f612cefa820ce9ee7da18b9ac19389fe
  • 198.55.98.133
  • 179.43.159.186

Attack Patterns