TrickMo Android banker variant leverages TON blockchain for covert C2 operations
Summary
A new variant of the TrickMo Android banking trojan (codenamed Trickmo.C) has been observed in active campaigns across Europe, adopting The Open Network (TON) blockchain infrastructure for encrypted command-and-control communications. The malware masquerades as legitimate apps such as TikTok or streaming services and targets users in France, Italy, and Austria, focusing on banking credentials and cryptocurrency wallet access. TON’s decentralized peer-to-peer architecture, leveraging .ADNL addresses and local TON proxies, obscures operator infrastructure by routing traffic through an encrypted overlay network rather than traditional DNS-exposed servers, significantly complicating detection and takedown efforts by defenders.
Timeline
- 11.05.2026 12:03 (1 article)
TrickMo Android banker variant (Trickmo.C) integrates TON-based C2 and expands operational toolset
A new TrickMo variant identified as Trickmo.C has been observed since January 2025 in campaigns targeting users in France, Italy, and Austria. The malware introduces TON-based C2 communication via .ADNL addresses and embedded local proxies, making operator infrastructure resistant to DNS-based disruption. Offensive capabilities have been expanded to include network reconnaissance and tunneling tools such as SSH, port forwarding, and SOCKS5 proxy support, alongside existing credential theft and surveillance functions.
- TrickMo Android banker adopts TON blockchain for covert comms — www.bleepingcomputer.com — 11.05.2026 12:03
Information Snippets
- Trickmo.C is a newly identified variant of the TrickMo Android banking malware family, first detected in January 2025 by ThreatFabric researchers.
  First reported: 11.05.2026 12:03 (1 source, 1 article)
  - TrickMo Android banker adopts TON blockchain for covert comms — www.bleepingcomputer.com — 11.05.2026 12:03
- The malware is distributed disguised as popular applications such as TikTok or streaming apps to evade suspicion during installation.
  First reported: 11.05.2026 12:03 (1 source, 1 article)
  - TrickMo Android banker adopts TON blockchain for covert comms — www.bleepingcomputer.com — 11.05.2026 12:03
- Targeted regions include France, Italy, and Austria, with a focus on harvesting banking credentials and cryptocurrency wallet access.
  First reported: 11.05.2026 12:03 (1 source, 1 article)
  - TrickMo Android banker adopts TON blockchain for covert comms — www.bleepingcomputer.com — 11.05.2026 12:03
- C2 communications now use The Open Network (TON) blockchain infrastructure via .ADNL addresses, routed through an embedded local TON proxy on infected devices.
  First reported: 11.05.2026 12:03 (1 source, 1 article)
  - TrickMo Android banker adopts TON blockchain for covert comms — www.bleepingcomputer.com — 11.05.2026 12:03
- TON-based communications are encrypted and indistinguishable at the network edge from other legitimate TON-enabled applications, rendering traditional domain takedowns and traffic analysis ineffective.
  First reported: 11.05.2026 12:03 (1 source, 1 article)
  - TrickMo Android banker adopts TON blockchain for covert comms — www.bleepingcomputer.com — 11.05.2026 12:03
- The malware employs a two-stage architecture: a loader APK for persistence and a runtime-downloaded module for offensive functionality including phishing overlays, keylogging, screen recording, SMS interception, OTP suppression, clipboard modification, and screenshot capture.
  First reported: 11.05.2026 12:03 (1 source, 1 article)
  - TrickMo Android banker adopts TON blockchain for covert comms — www.bleepingcomputer.com — 11.05.2026 12:03
- New capabilities added in this variant include curl, DNS lookup, ping, telnet, traceroute, SSH tunneling, port forwarding (remote and local), and authenticated SOCKS5 proxy support.
  First reported: 11.05.2026 12:03 (1 source, 1 article)
  - TrickMo Android banker adopts TON blockchain for covert comms — www.bleepingcomputer.com — 11.05.2026 12:03
- TrickMo includes extensive NFC permission declarations and telemetry suggesting NFC functionality, though no active NFC abuse has been observed in this variant.
  First reported: 11.05.2026 12:03 (1 source, 1 article)
  - TrickMo Android banker adopts TON blockchain for covert comms — www.bleepingcomputer.com — 11.05.2026 12:03