TrickMo Trojan Adopts TON Blockchain for Evasive C2 Routing

Tracked between January and February 2026, a new TrickMo variant reroutes its command-and-control traffic into The Open Network (TON) blockchain overlay, researchers say.

TrickMo C variant and its targets

ThreatFabric's Mobile Threat Intelligence Team identified the new variant as TrickMo C and tracked active campaigns across France, Italy and Austria. The operators used TikTok-themed lures distributed via Facebook ads to reach banking and wallet users, and telemetry showed TrickMo C progressively replacing the previous variant across operator campaigns.

TrickMo is a device‑takeover Android trojan that abuses the platform's accessibility service to grant operators a real‑time interactive view of an infected handset. The capabilities ThreatFabric documented include credential phishing via WebView overlays, keylogging, screen streaming, full bidirectional remote control and silent suppression of one‑time‑password (OTP) notifications.

TON-based decentralized C2 transport

The single largest change in TrickMo C is the network transport. ThreatFabric reported the host APK launches an embedded native TON proxy on a loopback port at process start and routes the bot's HTTP client through that proxy. As a result, every C2 request is addressed to an .adnl hostname and resolved inside the TON overlay rather than through public DNS.

A handful of clearnet lookups the bot still performs are routed through a public DNS‑over‑HTTPS endpoint, which ThreatFabric noted prevents those queries from reaching the device's local resolver. At the network edge, TrickMo C traffic will therefore look indistinguishable from any other TON‑enabled application's output.
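The two observations above (resolution inside the TON overlay, plus clearnet lookups pushed through public DNS-over-HTTPS) leave a gap a defender can look for: a handset that produces steady outbound connections yet never queries the local resolver. The following triage script is an added example, not code from the article or from ThreatFabric. It parses constructed firewall log lines (timestamp, source, destination, proto/port, verdict) and assumes the local resolver address, the DoH endpoint addresses and the mobile-segment layout shown in the constants.

```python
"""Flag endpoints whose allowed egress never touches the local DNS resolver.

All log lines and addresses below are constructed for the example.
"""
from collections import defaultdict

LOCAL_RESOLVER = "10.50.0.2"                      # assumption: the segment's resolver
DOH_ENDPOINTS = {"198.51.100.53", "203.0.113.53"}  # assumption: public DoH endpoints not sanctioned here
MIN_EGRESS = 3                                    # connections needed before a device is judged "active"

SAMPLE_LOG = """\
2026-02-03T09:00:01Z 10.50.3.17 198.51.100.53 tcp/443 allow
2026-02-03T09:00:02Z 10.50.3.17 192.0.2.44 udp/49153 allow
2026-02-03T09:00:04Z 10.50.3.17 192.0.2.45 tcp/443 allow
2026-02-03T09:00:05Z 10.50.3.17 192.0.2.46 udp/49153 allow
2026-02-03T09:00:07Z 10.50.3.18 10.50.0.2 udp/53 allow
2026-02-03T09:00:08Z 10.50.3.18 203.0.113.10 tcp/443 allow
2026-02-03T09:00:09Z 10.50.3.18 10.50.0.2 udp/53 allow
2026-02-03T09:00:10Z 10.50.3.18 203.0.113.11 tcp/443 allow
2026-02-03T09:00:11Z 10.50.3.19 203.0.113.12 tcp/443 allow
"""


def parse_line(line):
    """Split one constructed log line into its fields."""
    ts, src, dst, proto_port, verdict = line.split()
    proto, port = proto_port.split("/")
    return {"ts": ts, "src": src, "dst": dst, "proto": proto,
            "port": int(port), "verdict": verdict}


def summarize(log_text):
    """Per source address: resolver queries, DoH contacts, other allowed egress."""
    stats = defaultdict(lambda: {"resolver": 0, "doh": 0, "egress": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["verdict"] != "allow":
            continue
        bucket = stats[rec["src"]]
        if rec["dst"] == LOCAL_RESOLVER and rec["port"] == 53:
            bucket["resolver"] += 1
        elif rec["dst"] in DOH_ENDPOINTS and rec["port"] == 443:
            bucket["doh"] += 1
        else:
            bucket["egress"] += 1
    return dict(stats)


def flag_dns_gap(log_text):
    """Return (src, reason) for active devices that never used the local resolver.

    A DoH contact strengthens the finding but is not required: traffic resolved
    entirely inside an overlay network produces no clearnet DNS at all.
    """
    findings = []
    for src, bucket in summarize(log_text).items():
        if bucket["resolver"] == 0 and bucket["egress"] >= MIN_EGRESS:
            reason = "egress-without-local-dns"
            if bucket["doh"]:
                reason += "+doh"
            findings.append((src, reason))
    return sorted(findings)


if __name__ == "__main__":
    for src, reason in flag_dns_gap(SAMPLE_LOG):
        print(f"{src}: {reason}")
```

On the sample data only 10.50.3.17 is flagged: it reaches a DoH endpoint and three other destinations without a single query to the local resolver, while 10.50.3.18 resolves normally and 10.50.3.19 is below the activity threshold. Treat a hit as a triage signal rather than a verdict, since devices with a private DNS setting or other overlay-based apps produce the same pattern; the point is to surface handsets for closer inspection where domain-based blocking can no longer help.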

ThreatFabric emphasized that The Open Network is a legitimate decentralized platform originally built for Telegram, and that TON's involvement in these incidents reflects third‑party abuse rather than any participation by the TON project itself.

Programmable network pivots and tunneling

Beyond changing transport, TrickMo C introduces a network‑operative subsystem that converts infected handsets into programmable pivots.

  • ThreatFabric reported five operator primitives — curl, dnslookup, ping, telnet and traceroute — that run from the device's vantage point, effectively providing a shell‑equivalent for reconnaissance inside any corporate or home network the handset is attached to.
  • A second set of commands implements socket‑level tunneling through an embedded SSH client and an on‑device SOCKS5 proxy secured with username and password authentication.

Chained together, these features create an authenticated, programmable network exit on the victim device whose outbound traffic appears to originate from the victim's IP address. ThreatFabric said this defeats IP‑based fraud detection mechanisms by making attacker traffic inherit the compromised device's network identity.
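The tunneling primitives described here rest on a standard protocol, so a defender can recognise the handshake itself: a SOCKS5 client greeting (RFC 1928) lists the authentication methods it accepts, and a username/password login follows the RFC 1929 sub-negotiation format. The script below is an added example, not code from the article or from ThreatFabric. It parses both message types from constructed captured payloads and raises an alert whenever the server side of such a handshake is an address in an assumed mobile-device segment, which is where a proxy service has no legitimate reason to be listening.

```python
"""Recognise SOCKS5 greetings (RFC 1928) and username/password logins (RFC 1929)
in captured TCP payloads and flag handshakes served by a mobile-segment device.

Sample flows and addresses are constructed for the example.
"""
from typing import List, Optional, Tuple

SOCKS_VERSION = 0x05
AUTH_NONE = 0x00
AUTH_USERPASS = 0x02
USERPASS_VERSION = 0x01

MOBILE_PREFIX = "10.50."   # assumption: address prefix of the mobile-device VLAN


def parse_greeting(payload: bytes) -> Optional[Tuple[int, ...]]:
    """Return the auth methods offered in a client greeting (VER NMETHODS METHODS...),
    or None when the bytes are not a SOCKS5 greeting."""
    if len(payload) < 3 or payload[0] != SOCKS_VERSION:
        return None
    nmethods = payload[1]
    if nmethods == 0 or len(payload) < 2 + nmethods:
        return None
    return tuple(payload[2:2 + nmethods])


def parse_userpass(payload: bytes) -> Optional[Tuple[str, int]]:
    """Return (username, password_length) from an RFC 1929 request
    (VER ULEN UNAME PLEN PASSWD), or None. The password bytes are not kept;
    only their length is checked so the message boundary can be validated."""
    if len(payload) < 5 or payload[0] != USERPASS_VERSION:
        return None
    ulen = payload[1]
    if len(payload) < 2 + ulen + 1:
        return None
    plen = payload[2 + ulen]
    if len(payload) != 3 + ulen + plen:
        return None
    username = payload[2:2 + ulen].decode("utf-8", "replace")
    return username, plen


def triage(flows: List[Tuple[str, str, bytes]]) -> List[Tuple[str, str, str]]:
    """flows: (src, dst, first payload bytes). Alert when the server (dst)
    sits in the mobile segment and the payload is a SOCKS5 handshake step."""
    alerts = []
    for src, dst, payload in flows:
        if not dst.startswith(MOBILE_PREFIX):
            continue
        methods = parse_greeting(payload)
        if methods is not None:
            if AUTH_USERPASS in methods:
                label = "socks5-greeting:userpass-offered"
            else:
                label = "socks5-greeting:" + ",".join(f"0x{m:02x}" for m in methods)
            alerts.append((src, dst, label))
            continue
        creds = parse_userpass(payload)
        if creds is not None:
            alerts.append((src, dst, f"socks5-userpass-login:{creds[0]}"))
    return alerts


# Constructed sample: first payload of several TCP streams.
SAMPLE_FLOWS = [
    ("192.0.2.10", "10.50.3.17", b"\x05\x02\x00\x02"),           # greeting offering no-auth and user/pass
    ("192.0.2.10", "10.50.3.17", b"\x01\x03bob\x06secret"),      # user/pass login for "bob"
    ("10.50.3.18", "10.50.3.17", b"\x05\x01\x00"),               # greeting offering no-auth only
    ("10.50.3.17", "203.0.113.5", b"GET / HTTP/1.1\r\nHost: example.net\r\n\r\n"),  # ordinary egress
    ("203.0.113.9", "10.50.3.20", b"\x16\x03\x01\x00\xa5"),      # TLS record header, not SOCKS
]


if __name__ == "__main__":
    for src, dst, label in triage(SAMPLE_FLOWS):
        print(f"{src} -> {dst}: {label}")
```

Because the article says the on-device proxy is reached through an embedded SSH client, a capture taken on the wire may only ever show SSH; the parser is therefore most useful on captures taken where the SOCKS5 stream is in the clear, for example from an on-device VPN or a test network, and as a way to spot any other unexpected proxy service answering from a handset. The username in a login alert identifies the operator account, not the victim, and is worth keeping for correlation across devices.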

Reserved capabilities and future runtime delivery

ThreatFabric observed that TrickMo C declares full NFC permissions and bundles the Pine hooking framework, although neither capability is exercised in the current build. The researchers assessed both as reserved capabilities provisioned in the host for runtime delivery later — a design choice that could enable functional expansion without revising the initial APK distribution.

What this means for technologists, enterprises, and end users

  • Technologists and security teams: The migration of C2 into a decentralized overlay and use of an embedded proxy mean traditional domain takedown tactics and local DNS monitoring will be less effective; defenders will need to consider network‑level signals that distinguish TON application traffic tied to mobile endpoints from legitimate uses.
  • Affected enterprises and procurement leaders: Devices belonging to employees can be used as authenticated exit points into corporate networks; procurement and endpoint policies should account for risks from mobile device compromise and for the possibility of attackers performing internal reconnaissance from authorized IP addresses.
  • End users and the general public: The combination of accessibility abuse, overlay C2, and tunneling means a single compromised handset can expose credentials, streaming screens, OTPs and local network reachability — users should be cautious about installing apps from untrusted sources and about interacting with ads and lures that promise quick financial rewards.

ThreatFabric's analysis documents a compact but potent evolution: by moving C2 into TON and equipping infected phones with reconnaissance and tunneling primitives, operators have made both detection and mitigation more complicated while preserving the trojan's existing device‑control capabilities. The choice to reserve NFC and hooking frameworks for later delivery also signals an intent to expand functionality without changing distribution vectors — a pattern that will merit close attention from defenders and operators of decentralized overlays alike.

Source: Infosecurity Magazine — TrickMo Variant Routes Android Trojan Traffic Through TON