
New TrickMo Android Banking Trojan Variant Employs TON Network for Command-and-Control

Cybersecurity researchers have identified a new version of the TrickMo Android banking trojan that leverages The Open Network (TON) blockchain for its command-and-control infrastructure. Active since early 2026, this variant targets banking and cryptocurrency wallet users primarily in France, Italy, and Austria.

What happened

Researchers at ThreatFabric observed a new TrickMo variant between January and February 2026 that integrates The Open Network (TON) as its command-and-control (C2) channel. This change reflects an evolution in the malware's infrastructure, potentially enhancing its stealth and resilience. The trojan targets users of banking applications and cryptocurrency wallets in multiple European countries, including France, Italy, and Austria.

The malware dynamically loads a runtime APK module (referred to as dex.module) that carries its malicious functionality, including network pivoting through SOCKS5 proxies. This technique lets the attackers relay traffic through infected devices and potentially evade traditional detection mechanisms.

Why it matters

The use of The Open Network for C2 operations marks a significant development in Android banking malware, illustrating how threat actors adopt blockchain technologies to increase their operational security. By leveraging TON, the adversaries may obscure network traffic and communication paths, complicating detection and takedown efforts by defenders.

Additionally, targeting users in key European markets with a focus on both banking and cryptocurrency wallets underlines the persistent threat posed by TrickMo to financial sector customers. Its network-pivoting capability lets attackers use a compromised device as a foothold for lateral movement, escalating the potential risk.

What security teams should do

Security teams should monitor for indicators of TrickMo infection, especially on devices in France, Italy, and Austria where activity has been detected. Reviewing network logs for unusual SOCKS5 proxy usage or communications involving The Open Network could help identify compromised endpoints.
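The log review suggested above, written out as an added example (this is not code from the article or from ThreatFabric): a small sweep over connection records that recognises RFC 1928 SOCKS5 client greetings by their first bytes, and separately flags managed mobile devices contacting hosts on a defender-maintained TON watch-list. The log line format, the device names and the watch-list entries are constructed assumptions; the watch-list holds placeholders, not real indicators.

```python
"""
Sweep connection logs for SOCKS5 handshakes and contact with watch-listed
TON endpoints involving managed mobile devices.
Added example, not code from the article or from ThreatFabric; the log
line format, host names and watch-list entries are constructed assumptions.
"""
import re
from dataclasses import dataclass
from typing import List

# Assumed log format: timestamp, source host, destination host:port and a hex
# dump of the first payload bytes the client sent on the connection.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>[^:\s]+):(?P<port>\d+) "
    r"first_bytes=(?P<hex>[0-9a-fA-F]*)$"
)

# Placeholder watch-list: hostnames you associate with TON infrastructure from
# your own intelligence. These are NOT real indicators.
TON_WATCHLIST = {"ton-endpoint.example", "toncenter.example"}

# Managed Android devices (constructed names) as they appear in the logs.
MOBILE_HOSTS = {"android-07", "android-12"}


@dataclass
class Finding:
    ts: str
    src: str
    dst: str
    port: int
    reason: str


def is_socks5_greeting(payload: bytes) -> bool:
    """RFC 1928 client greeting: VER=0x05, NMETHODS, then exactly NMETHODS method bytes."""
    if len(payload) < 3 or payload[0] != 0x05:
        return False
    nmethods = payload[1]
    return nmethods >= 1 and len(payload) == 2 + nmethods


def analyze(lines: List[str]) -> List[Finding]:
    """Return one Finding per suspicious connection; malformed lines are skipped."""
    findings: List[Finding] = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, src, dst, port = m["ts"], m["src"], m["dst"], int(m["port"])
        payload = bytes.fromhex(m["hex"])
        if is_socks5_greeting(payload):
            # A phone accepting SOCKS5 connections matches the relay-through-infected-device
            # behaviour the report describes; a phone opening one may be dialing out to a pivot.
            if dst in MOBILE_HOSTS:
                findings.append(Finding(ts, src, dst, port, "mobile device accepting SOCKS5 (possible relay)"))
            elif src in MOBILE_HOSTS:
                findings.append(Finding(ts, src, dst, port, "mobile device initiating SOCKS5"))
        if src in MOBILE_HOSTS and dst.lower() in TON_WATCHLIST:
            findings.append(Finding(ts, src, dst, port, "mobile device contacting watch-listed TON endpoint"))
    return findings


# Constructed sample log: one phone dialing a SOCKS5 server, one legitimate
# corporate proxy use from a laptop, one phone talking to a watch-listed host,
# one inbound SOCKS5 greeting to a phone, one ordinary TLS connection and one
# malformed line.
SAMPLE_LOG = [
    "2026-02-03T10:00:01Z src=android-07 dst=203.0.113.10:1080 first_bytes=050100",
    "2026-02-03T10:00:02Z src=laptop-03 dst=proxy.corp.example:1080 first_bytes=050100",
    "2026-02-03T10:00:05Z src=android-07 dst=ton-endpoint.example:443 first_bytes=160301",
    "2026-02-03T10:01:10Z src=203.0.113.44 dst=android-12:4444 first_bytes=05020002",
    "2026-02-03T10:01:11Z src=android-12 dst=www.example.com:443 first_bytes=160301",
    "not a log line",
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.ts} {f.src} -> {f.dst}:{f.port}: {f.reason}")
```

Only connections that involve a managed mobile device are reported, so ordinary workstation use of a corporate SOCKS5 proxy stays out of the results; the greeting check keys on protocol bytes rather than port numbers, because a pivot need not listen on 1080.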

Given the runtime loading of modules, defenders should verify the integrity of installed applications and scan for unauthorized APK components. Implementing updated mobile security solutions capable of detecting dynamic module loading and anomalous network behaviors may improve detection and response efforts.
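The integrity and component check described above, as an added example that is not code from the article or from ThreatFabric: an APK is a ZIP archive, so the script opens it, skips the standard classes*.dex entries, and classifies every other entry by its leading bytes, which catches DEX code or a nested archive stored under an arbitrary name such as dex.module. It also compares the package to a known-good SHA-256. The sample archive, its file names and the baseline hash are constructed for the demonstration.

```python
"""
Inspect an APK (a ZIP archive) for code components that could be loaded at
runtime under an arbitrary name, and check the package against a known-good
hash. Added example, not code from the article or from ThreatFabric; the
sample archive, file names and hash are constructed.
"""
import hashlib
import io
import re
import zipfile
from dataclasses import dataclass
from typing import List, Optional

DEX_MAGIC = b"dex\n"        # every DEX file starts with "dex\n" + version ("035\0", "039\0", ...)
ZIP_MAGIC = b"PK\x03\x04"   # nested APK / JAR / ZIP
CLASSES_DEX_RE = re.compile(r"^classes\d*\.dex$")   # where DEX legitimately lives in an APK


@dataclass
class Suspect:
    name: str
    reason: str


def sniff(head: bytes) -> Optional[str]:
    """Classify a file by its leading bytes, ignoring the file extension."""
    if head.startswith(DEX_MAGIC):
        return "dex"
    if head.startswith(ZIP_MAGIC):
        return "zip"
    return None


def find_runtime_modules(apk_bytes: bytes) -> List[Suspect]:
    """Flag DEX or nested-archive content anywhere outside the normal classes*.dex entries."""
    suspects: List[Suspect] = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or CLASSES_DEX_RE.match(info.filename):
                continue
            with zf.open(info) as fh:
                kind = sniff(fh.read(8))
            if kind == "dex":
                suspects.append(Suspect(info.filename, "DEX code outside classes*.dex"))
            elif kind == "zip":
                suspects.append(Suspect(info.filename, "nested archive (possible APK/JAR payload)"))
    return suspects


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def matches_known_good(apk_bytes: bytes, expected_sha256: str) -> bool:
    """Integrity check against a hash recorded from a vetted copy of the app."""
    return sha256_hex(apk_bytes) == expected_sha256


def build_sample_apk(with_module: bool) -> bytes:
    """Construct a minimal APK-shaped ZIP; the manifest is a placeholder, not real binary XML."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\0" + b"\0" * 16)
        zf.writestr("res/raw/banner.png", b"\x89PNG\r\n\x1a\n")
        if with_module:
            # DEX hidden under a non-standard name, and a nested archive disguised as data
            zf.writestr("assets/dex.module", b"dex\n035\0" + b"\0" * 16)
            zf.writestr("assets/cfg.bin", b"PK\x03\x04" + b"\0" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    clean = build_sample_apk(False)
    baseline = sha256_hex(clean)
    for label, apk in (("clean", clean), ("with module", build_sample_apk(True))):
        print(label, "matches known-good:", matches_known_good(apk, baseline))
        for s in find_runtime_modules(apk):
            print("  ", s.name, "-", s.reason)
```

Magic-byte sniffing is the point: an extension filter would miss dex.module entirely, while a hash comparison alone tells you the package changed but not why. On a real device the APK paths to feed this come from the package manager, and the baseline hash from a vetted copy of the same app version.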

Key technical details

The TrickMo variant utilizes a runtime-loaded APK module referred to as a dex.module, facilitating its operations post-infection. This modular approach allows it to execute payloads dynamically without embedding them directly in the initial application.

Command-and-control communications have shifted to use The Open Network (TON), a blockchain platform, enhancing the malware's communication stealth. The trojan also employs SOCKS5 proxies to create network pivots, enabling it to relay traffic through infected devices and potentially bypass conventional network security measures.

Affected organizations/products

This variant targets Android users of banking applications and cryptocurrency wallets primarily in France, Italy, and Austria. The scope includes individuals and possibly organizations relying on these platforms within these countries.

Source attribution

https://thehackernews.com/2026/05/new-trickmo-variant-uses-ton-c2-and.html

Written by
Thirumala Rao Padilam