ctipilot.ch

TrickMo "TrickMo C"

tool · tool:trickmo-c-2026

TrickMo "TrickMo C" — Android banking trojan migrated C2 to The Open Network blockchain, adds SOCKS5/SSH device-as-pivot; FR/IT/AT campaigns

Coverage timeline: 1 (first 2026-05-13 → last 2026-05-13)
Entries: 1 (1 distinct day)
Sources cited: 3 (3 hosts)
Sections touched: 1 (research)
Co-occurring entities: 0 (no co-occurrence)

Story timeline

  1. 2026-05-13 (research): TrickMo "TrickMo C" — Android banking trojan migrates C2 to The Open Network blockchain, adds SOCKS5 / SSH device-as-pivot

Where this entity is cited

  • research: 1

Source distribution

  • securityaffairs.com: 1 (33%)
  • thehackernews.com: 1 (33%)
  • threatfabric.com: 1 (33%)

Entries about TrickMo "TrickMo C" (1)

2026-05-13

TrickMo "TrickMo C" — Android banking trojan migrates C2 to The Open Network blockchain, adds SOCKS5 / SSH device-as-pivot

Notable research, discovered 2026-05-13 05:00 UTC

ThreatFabric's 2026-05-11 research identifies a substantially redesigned TrickMo variant, active across January–February 2026, in campaigns against banking and fintech users in France, Italy and Austria (ThreatFabric, 2026-05-11; The Hacker News, 2026-05-12; Security Affairs, 2026-05-12).

The C2 architecture has migrated off conventional DNS / IP infrastructure. The host APK embeds a native TON (The Open Network) proxy that starts on a loopback port at process launch, and all C2 HTTP requests address .adnl hostnames that are resolved inside the TON decentralised overlay. This design defeats traditional domain takedown and DNS-based blocklisting: operator endpoints exist as TON identities inside a permissionless overlay rather than at a DNS name or IP address that a defender or registrar can control.

Beyond the banking-trojan core (accessibility-service device takeover, fake overlay login pages, and SMS / OTP interception, mapped to T1517 Access Notifications), TrickMo C adds a network-reconnaissance subsystem exposed through five operator commands (curl, dnslookup, ping, telnet, traceroute), plus an SSH tunnel and an authenticated SOCKS5 proxy. Together these turn infected Android devices into programmable network pivots: operators can route abuse traffic from the victim's IP space and so defeat IP-reputation fraud detection on banking and crypto-exchange platforms. The SOCKS5 mode is mapped to T1090.001 Proxy: Internal Proxy.

Droppers masquerade as TikTok variants distributed via Facebook ads; the final payload impersonates Google Play Services. Dormant code includes the Pine hooking framework and NFC permissions, suggesting that contactless-payment interception is in development.

Tags: phishing, mobile, organized-crime, europe