TrickMo Android banking trojan variant with TON C2 and network pivots
Malware Activity
Summary
A new TrickMo Android banking trojan variant now uses The Open Network (TON) for C2, turning infected phones into network pivots and traffic-exit nodes. It was observed between January and February 2026 while targeting banking and cryptocurrency wallet users in France, Italy, and Austria. The build adds reconnaissance, SSH tunnelling, and SOCKS5 proxying to extend the malware’s reach beyond credential theft. That shift makes compromised phones more useful for fraud evasion and network abuse.
Related Happenings
TrickMo C TikTok-lure campaign targeting banking and wallet users in France, Italy, and Austria
Campaign
First: 11.05.2026 18:15
Last: 11.05.2026 18:15
Sources 1
How related:
The latest versions, labeled TrickMo C, are distributed via phishing websites and dropper apps, the latter of which serve as a conduit for a dynamically loaded APK ("dex.module") that's retrieved at runtime from attacker-controlled infrastructure.
About this happening:
The **TrickMo** operators ran an active **TikTok-themed** campaign between **January and February 2026**, targeting **banking and wallet users** in **France, Italy and Austria**....
TrickMo Android banking malware adds TON-based covert command-and-control
Malware Activity
First: 11.05.2026 12:03
Last: 11.05.2026 12:03
Sources 1
About this happening:
The **TrickMo Android banking malware** has added **TON-based covert command-and-control**, making its operator infrastructure harder to identify, block, or take down for victims...
The Hacker News launches Cybersecurity Stars Awards 2026
Commercial Activity
First: 06.05.2026 15:03
Last: 06.05.2026 15:03
Sources 1
About this happening:
The Hacker News launched the **Cybersecurity Stars Awards 2026**, opening a **global recognition program** for cybersecurity vendors, products, companies, and professionals. The l...
NGate malware trojanized HandyPay NFC-stealing variant
Malware Activity
First: 21.04.2026 12:00
Last: 21.04.2026 12:00
Sources 1
About this happening:
A **new NGate variant** is stealing **NFC payment data** from **Android users in Brazil**, raising the risk of **unauthorized purchases** and **ATM cash withdrawals**. The malware...
Red Menshen telecom espionage campaign
Campaign
First: 26.03.2026 19:40
Last: 26.03.2026 19:40
Sources 1
About this happening:
A **China-nexus** **Red Menshen** operation has sustained **covert access** in **telecom networks** across the **Middle East and Asia**, increasing the risk of **government espion...
Timeline
12.05.2026 15:50 2 articles · 15d ago
ThreatFabric discloses TrickMo TON-backed Android variant
Initial Disclosure
ThreatFabric disclosed a new TrickMo Android banking trojan variant observed between January and February 2026 that is targeting banking and cryptocurrency wallet users in France, Italy, and Austria. The malware uses The Open Network (TON) for command-and-control, relies on a runtime-loaded APK called dex.module, and adds reconnaissance, SSH tunnelling, and SOCKS5 proxying to turn infected devices into programmable network pivots and traffic-exit nodes.
- New TrickMo Variant Uses TON C2 and SOCKS5 to Create Android Network Pivots — thehackernews.com — 12.05.2026 15:50