TrickMo C TikTok-lure campaign targeting banking and wallet users in France, Italy, and Austria
Campaign
Summary
The TrickMo operators ran an active TikTok-themed campaign between January and February 2026, targeting banking and wallet users in France, Italy and Austria. The lure chain used Facebook ads to broaden delivery across multiple European markets. The activity matters because the trojan supports credential phishing, OTP suppression, and remote control, increasing account-takeover risk.
Related Happenings
TrickMo Android banking trojan variant with TON C2 and network pivots
Malware Activity
First: 12.05.2026 15:50
Last: 12.05.2026 15:50
Sources 1
How related:
"TrickMo relies on a runtime-loaded APK (dex.module), used also by the previous variant, but updated with new features adding new network-oriented functionality, including reconnaissance, SSH tunnelling, and SOCKS5 proxying capabilities that allow infected devices to function as programmable network pivots and traffic-exit nodes," the Dutch mobile security company said in a report shared with The Hacker News.
About this happening:
A new **TrickMo** Android banking trojan variant now uses **The Open Network (TON)** for C2, turning infected phones into **network pivots** and **traffic-exit nodes**. It was obs...
TrickMo Android banking malware adds TON-based covert command-and-control
Malware Activity
First: 11.05.2026 12:03
Last: 11.05.2026 12:03
Sources 1
How related:
A new variant of the TrickMo Android banking trojan has moved its primary command-and-control (C2) transport onto The Open Network (TON) Blockchain, routing communications through the decentralized overlay's .adnl identities to make traditional domain takedowns largely ineffective.
About this happening:
The **TrickMo Android banking malware** has added **TON-based covert command-and-control**, making its operator infrastructure harder to identify, block, or take down for victims...
CallPhantom Google Play fraud campaign targeting Android users in India and Asia-Pacific
Campaign
First: 08.05.2026 18:08
Last: 08.05.2026 18:08
Sources 1
About this happening:
The **CallPhantom** fraud campaign pushed **28 fake call-history Android apps** through the **Google Play Store**, causing **financial loss** for users who paid for fabricated dat...
Sqgame[.]net gaming platform hit by network compromise
Incident
First: 05.05.2026 18:00
Last: 05.05.2026 18:00
Sources 1
About this happening:
The **sqgame[.]net** gaming platform was **compromised**, and its **Windows** and **Android** software were **trojanized** to deliver malicious code to users, putting a regional e...
ScarCruft sqgame[.]net supply-chain espionage campaign
Campaign
First: 05.05.2026 12:07
Last: 05.05.2026 12:07
Sources 1
About this happening:
**ScarCruft**'s **late-2024** supply-chain campaign against **sqgame[.]net** expanded a niche gaming platform compromise into a **multi-platform espionage channel**. The operation...
Timeline
- 11.05.2026 18:15 · 2 articles · 16d ago
ThreatFabric discloses TrickMo C campaign using TON Blockchain
Initial Disclosure
ThreatFabric disclosed TrickMo C, a TrickMo Android banking trojan variant active in January-February 2026 against banking and wallet users in France, Italy and Austria. The variant shifted primary C2 traffic onto The Open Network (TON) Blockchain with .adnl identities and an embedded native TON proxy, and operator campaigns used TikTok-themed lures delivered through Facebook ads. The malware also added programmable network pivot functions including curl, dnslookup, ping, telnet and traceroute, plus an SSH client and SOCKS5 proxy, to let infected handsets relay operator traffic from the victim's IP.
Sources:
- TrickMo Variant Routes Android Trojan Traffic Through TON — www.infosecurity-magazine.com — 11.05.2026 18:15
- New TrickMo Variant Uses TON C2 and SOCKS5 to Create Android Network Pivots — thehackernews.com — 12.05.2026 15:50