TrickMo "TrickMo C" — Android banking trojan migrates C2 to The Open Network blockchain, adds SOCKS5 / SSH device-as-pivot
From CTI Daily Brief — 2026-05-13 · published 2026-05-13
ThreatFabric's 2026-05-11 research identifies a substantially redesigned TrickMo variant active across January–February 2026 in campaigns against banking and fintech users in France, Italy and Austria (ThreatFabric, 2026-05-11; The Hacker News, 2026-05-12; Security Affairs, 2026-05-12).

The C2 architecture has migrated off conventional DNS / IP infrastructure: the host APK embeds a native TON (The Open Network) proxy that starts on a loopback port at process launch, and all C2 HTTP requests address .adnl hostnames resolved inside the TON decentralised overlay. That design defeats traditional domain-takedown and DNS-based blocklisting — operator endpoints exist as TON identities inside a permissionless overlay rather than at a controllable DNS or IP.

Beyond the banking-trojan core (accessibility-service device takeover, fake overlay login pages, SMS / OTP interception, mapped to T1517 Access Notifications), TrickMo C adds a network-reconnaissance subsystem via five operator commands (curl, dnslookup, ping, telnet, traceroute) and an SSH tunnel + authenticated SOCKS5 proxy — turning infected Android devices into programmable network pivots so operators can route abuse traffic from the victim's IP space and defeat IP-reputation fraud detection on banking and crypto-exchange platforms. Mapped to T1090.001 Proxy: Internal Proxy for the SOCKS5 mode.

Droppers masquerade as TikTok variants distributed via Facebook ads; the final payload impersonates Google Play Services. Dormant code includes the Pine hooking framework and NFC permissions, suggesting contactless-payment interception is in development.
Defender takeaway: The relevant change for an EU defender is the C2 transport: blocking TON traffic at the corporate gateway is non-trivial because TON shares the standard internet routes. Behaviour-side, detect Android devices that start the TON loopback proxy and that open outbound connections to non-corporate SOCKS5 / SSH ports under unusual entitlements. Public-sector implication: government-issued Android or BYOD devices that access banking, tax, or e-government services should be scoped under MDM policies that block sideloaded APKs from social-media link-outs and forbid sideloaded TikTok look-alikes. Mapped to T1422 System Network Configuration Discovery and T1437.001 Application Layer Protocol: Web Protocols.
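The following triage helper is an added example, not code from ThreatFabric or from this brief. It turns the two behaviour-side signals named above (a loopback listener opened by a package posing as Google Play Services, and outbound connections to SOCKS5 / SSH ports outside the corporate allowlist) into per-device findings. It assumes an MDM or EDR agent can export listener and flow records in the simple shape shown; the record layout, the allowlists, the use of port 1080 for SOCKS5 and every device, package and address value are constructed for the example, since the brief names no ports or indicators.

```python
"""Per-device triage for the TrickMo C pivot behaviours described in the brief.

All telemetry below is constructed. The record shapes are an assumption about
what an MDM/EDR agent could export; adapt them to the real feed.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable

# Constructed allowlists. In production: corporate bastion/jump hosts and the
# packages known to legitimately bind a loopback port (VPN clients, etc.).
CORPORATE_SSH_HOSTS = {"10.20.0.5"}
TRUSTED_LOOPBACK_PACKAGES = {"com.example.corp.vpn"}  # constructed package name
# 1080 is the conventional SOCKS port; the brief does not state which port the
# trojan's SOCKS5 service or SSH tunnel uses, so tune this to observed traffic.
PIVOT_PORTS = {22: "ssh", 1080: "socks5"}
GENUINE_PLAY_SERVICES = "com.google.android.gms"  # real package name of Play Services


@dataclass(frozen=True)
class Flow:
    """One outbound TCP connection attempt from a managed device."""
    device: str
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Listener:
    """One socket an app holds in LISTEN state, with the app's user-visible label."""
    device: str
    package: str
    label: str
    bind_addr: str
    port: int


def analyse(flows: Iterable[Flow], listeners: Iterable[Listener]) -> dict:
    """Return {device: {"signals": [(kind, detail), ...], "severity": str}}.

    Devices with no signal are omitted. Severity is "high" only when a
    device-side signal (spoofed label or loopback listener) coincides with a
    network-side pivot signal, because a loopback listener alone is common in
    legitimate apps and is a weak indicator by itself.
    """
    findings = defaultdict(lambda: {"signals": [], "severity": "none"})

    for ln in listeners:
        # Final payload impersonates Google Play Services: label claims it,
        # package name does not match the genuine one.
        if "google play services" in ln.label.lower() and ln.package != GENUINE_PLAY_SERVICES:
            findings[ln.device]["signals"].append(
                ("spoof", f"{ln.package} presents itself as '{ln.label}'"))
        # Embedded TON proxy starts on a loopback port at process launch.
        if ln.bind_addr in ("127.0.0.1", "::1") and ln.package not in TRUSTED_LOOPBACK_PACKAGES:
            findings[ln.device]["signals"].append(
                ("loopback", f"{ln.package} listening on {ln.bind_addr}:{ln.port}"))

    for f in flows:
        service = PIVOT_PORTS.get(f.dst_port)
        # Device-as-pivot: SSH tunnel / SOCKS5 towards non-corporate endpoints.
        if service and f.dst_ip not in CORPORATE_SSH_HOSTS:
            findings[f.device]["signals"].append(
                ("pivot", f"outbound {service} to {f.dst_ip}:{f.dst_port}"))

    for result in findings.values():
        kinds = {kind for kind, _ in result["signals"]}
        if "pivot" in kinds and kinds & {"spoof", "loopback"}:
            result["severity"] = "high"
        elif "pivot" in kinds or "spoof" in kinds:
            result["severity"] = "medium"
        else:
            result["severity"] = "low"
    return dict(findings)


# Constructed sample telemetry (RFC 5737 documentation addresses for external hosts).
SAMPLE_LISTENERS = [
    Listener("dev-01", "com.tiktok.update.svc", "Google Play Services", "127.0.0.1", 31000),
    Listener("dev-02", "com.example.corp.vpn", "Corp VPN", "127.0.0.1", 8000),
]
SAMPLE_FLOWS = [
    Flow("dev-01", "198.51.100.23", 22),    # reverse SSH tunnel to a non-corporate host
    Flow("dev-02", "10.20.0.5", 22),        # SSH to an allowlisted corporate host: clean
    Flow("dev-02", "10.20.0.9", 443),       # ordinary HTTPS: ignored
    Flow("dev-03", "203.0.113.7", 1080),    # SOCKS5 to an external host, no device-side signal
]


def run_sample() -> dict:
    """Analyse the constructed sample; used by the usage call and the test."""
    return analyse(SAMPLE_FLOWS, SAMPLE_LISTENERS)


if __name__ == "__main__":
    for device, result in sorted(run_sample().items()):
        print(device, result["severity"])
        for kind, detail in result["signals"]:
            print(f"  [{kind}] {detail}")
```

dev-01 scores high because the spoofed Play Services label, the loopback listener and the outbound SSH coincide; dev-03 scores medium on the SOCKS5 flow alone and is a candidate for a closer look rather than an automatic block; dev-02 produces no finding because its SSH destination is allowlisted.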