TrickMo C Variant Adopts TON Blockchain for Decentralized C2 and Expands Network Pivot Capabilities
Summary
A new variant of the TrickMo Android banking trojan, identified as TrickMo C, has transitioned its command-and-control (C2) infrastructure to The Open Network (TON) Blockchain, utilizing .adnl identities to evade traditional domain-based takedowns. The variant, observed in campaigns between January and February 2026 targeting banking and wallet users in France, Italy, and Austria, leverages TikTok-themed lures distributed via Facebook ads. TrickMo C retains core device-takeover capabilities, including credential phishing, keylogging, screen streaming, OTP suppression, and real-time remote control, while introducing a decentralized C2 layer and programmable network pivot functionalities. The shift to TON Blockchain C2 makes endpoint disruption significantly harder, and infected devices can now be repurposed as authenticated network pivots for reconnaissance and tunneling.
Timeline
- 11.05.2026 18:15 (1 article)
TrickMo C Variant Adopts TON Blockchain C2 and Introduces Network Pivot Capabilities
A new variant of the TrickMo Android banking trojan was observed in campaigns targeting European banking and wallet users between January and February 2026. The variant, designated TrickMo C, replaces traditional C2 domains with TON Blockchain .adnl identities, embedding a native TON proxy at launch to route all communications through the decentralized overlay. Infected devices are repurposed as programmable network pivots, supporting reconnaissance commands and authenticated tunneling via embedded SSH and SOCKS5 proxy, enabling traffic to masquerade as originating from the victim's IP.
Sources:
- TrickMo Variant Routes Android Trojan Traffic Through TON — www.infosecurity-magazine.com — 11.05.2026 18:15
Information Snippets
- TrickMo C embeds a native TON proxy at launch, routing all C2 traffic through .adnl identities resolved within the TON Blockchain overlay, bypassing public DNS and traditional takedown mechanisms.
  First reported: 11.05.2026 18:15 (1 source, 1 article). Sources:
- TrickMo Variant Routes Android Trojan Traffic Through TON — www.infosecurity-magazine.com — 11.05.2026 18:15
- The variant was identified in active campaigns against banking and wallet users in France, Italy, and Austria between January and February 2026, utilizing TikTok-themed lures disseminated via Facebook ads.
  First reported: 11.05.2026 18:15 (1 source, 1 article). Sources:
- TrickMo Variant Routes Android Trojan Traffic Through TON — www.infosecurity-magazine.com — 11.05.2026 18:15
- TrickMo C retains core Android banking trojan capabilities, including credential phishing via WebView overlays, keylogging, screen streaming, OTP suppression, and real-time remote control via abused accessibility services.
  First reported: 11.05.2026 18:15 (1 source, 1 article). Sources:
- TrickMo Variant Routes Android Trojan Traffic Through TON — www.infosecurity-magazine.com — 11.05.2026 18:15
- Infected devices can execute network reconnaissance commands (curl, dnslookup, ping, telnet, traceroute) and establish authenticated socket-level tunneling via embedded SSH and SOCKS5 proxy with username/password authentication.
  First reported: 11.05.2026 18:15 (1 source, 1 article). Sources:
- TrickMo Variant Routes Android Trojan Traffic Through TON — www.infosecurity-magazine.com — 11.05.2026 18:15
- Traffic tunneled through infected devices appears to originate from the victim's IP, defeating IP-based fraud detection and potentially enabling lateral movement within corporate or home networks.
  First reported: 11.05.2026 18:15 (1 source, 1 article). Sources:
- TrickMo Variant Routes Android Trojan Traffic Through TON — www.infosecurity-magazine.com — 11.05.2026 18:15
- TrickMo C declares full NFC permissions and bundles the Pine hooking framework, which are currently unused but assessed as reserved for future runtime delivery.
  First reported: 11.05.2026 18:15 (1 source, 1 article). Sources:
- TrickMo Variant Routes Android Trojan Traffic Through TON — www.infosecurity-magazine.com — 11.05.2026 18:15
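
For the snippet above on SSH and SOCKS5 tunneling with username/password authentication, a detection sketch added here (not code from the cited report or from the malware): it classifies the first payload bytes of a TCP flow as an SSH identification string (RFC 4253) or a SOCKS5 negotiation that selects username/password authentication (RFC 1928/1929). It assumes those handshake bytes are visible in cleartext on a monitored mobile-device segment, which the page does not state; the function names and sample flows are constructed for illustration.

```python
"""Classify the opening bytes of a TCP flow as SOCKS5 (RFC 1928/1929) or SSH (RFC 4253)."""

SOCKS_VERSION = 0x05
METHOD_NAMES = {0x00: "no-auth", 0x01: "gssapi", 0x02: "username/password"}


def classify_flow(client_first: bytes, server_first: bytes) -> dict:
    """Return protocol and auth details from the first payload in each direction."""
    # SSH: both peers open with an identification string "SSH-<proto>-<software>".
    if client_first.startswith(b"SSH-") or server_first.startswith(b"SSH-"):
        banner = server_first if server_first.startswith(b"SSH-") else client_first
        line = banner.split(b"\n", 1)[0].rstrip(b"\r")
        return {"protocol": "ssh", "banner": line.decode("ascii", "replace")}

    # SOCKS5 greeting: VER, NMETHODS, then NMETHODS method bytes.
    if len(client_first) >= 3 and client_first[0] == SOCKS_VERSION:
        nmethods = client_first[1]
        offered = client_first[2:2 + nmethods]
        # Server reply: VER, METHOD (0xFF means no offered method was acceptable).
        well_formed = (nmethods > 0 and len(offered) == nmethods
                       and len(server_first) >= 2 and server_first[0] == SOCKS_VERSION)
        if well_formed and (server_first[1] in offered or server_first[1] == 0xFF):
            chosen = server_first[1]
            return {"protocol": "socks5",
                    "offered": [METHOD_NAMES.get(m, hex(m)) for m in offered],
                    "selected": METHOD_NAMES.get(chosen, hex(chosen)),
                    "authenticated": chosen == 0x02}
    return {"protocol": "unknown"}


def flag_mobile_flows(flows: list) -> list:
    """Return (id, protocol) for flows that are SSH or password-authenticated SOCKS5."""
    hits = []
    for flow in flows:
        verdict = classify_flow(flow["client"], flow["server"])
        if verdict["protocol"] == "ssh" or verdict.get("authenticated"):
            hits.append((flow["id"], verdict["protocol"]))
    return hits


# Constructed sample flows (not captured from TrickMo): first client and server payloads.
SAMPLE_FLOWS = [
    {"id": "f1", "client": bytes([5, 2, 0, 2]), "server": bytes([5, 2])},   # SOCKS5, user/pass
    {"id": "f2", "client": bytes([5, 1, 0]), "server": bytes([5, 0])},      # SOCKS5, no auth
    {"id": "f3", "client": b"SSH-2.0-client_1.0\r\n", "server": b"SSH-2.0-server_1.0\r\n"},
    {"id": "f4", "client": b"\x16\x03\x01\x02\x00\x01", "server": b"\x16\x03\x03\x00\x5a"},  # TLS
]
```

Calling `flag_mobile_flows(SAMPLE_FLOWS)` flags `f1` and `f3` and leaves the unauthenticated SOCKS5 and TLS flows alone; a hit is a triage lead for a handset, not proof of infection.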