ThreatFabric researchers have identified a new TrickMo Android banking trojan variant that routes command-and-control communications through The Open Network (TON) blockchain, marking the first documented deployment of decentralized blockchain infrastructure as a C2 channel in a major mobile banking malware family.
How Trickmo.C Uses TON Blockchain to Defeat Traditional Takedown Operations
ThreatFabric published its analysis of Trickmo.C on May 11, 2026, describing how the variant embeds a local TON proxy on infected Android devices. Traditional command-and-control takedowns rely on DNS blocking, domain seizures, or IP-level network filtering. Each of those assumes a resolvable hostname or a fixed server address to act against, and TON's 256-bit decentralized identifiers offer neither: they conceal operator IP addresses and ports inside a peer-to-peer overlay network. ThreatFabric assessed that this design makes "traditional domain takedowns largely ineffective" against the variant.
The shift represents a direct response by TrickMo’s operators to law enforcement infrastructure disruption tactics. By embedding the proxy locally on the device rather than relying on a fixed external relay, the malware maintains C2 connectivity even when individual TON network nodes go offline.
Trickmo.C Technical Capabilities: SSH Tunneling, SOCKS5, and NFC Declarations
The Trickmo.C variant adds a suite of networking capabilities absent from earlier TrickMo versions. New commands include curl, dnsLookup, ping, telnet, and traceroute, enabling the malware to conduct active network reconnaissance from within the victim's environment. Beyond these diagnostic commands, Trickmo.C supports SSH tunneling with both remote and local port forwarding (remote forwarding exposes a port reachable from the device's network to the operator's side, local forwarding tunnels the device's traffic outward), as well as authenticated SOCKS5 proxy functionality. These are capabilities more commonly associated with advanced persistent threat toolkits than with consumer banking trojans.
The variant also includes inactive hooks for Pine, an Android runtime method-hooking framework, which ThreatFabric noted as forward-looking placeholders indicating expansion plans, together with extensive NFC permission declarations. NFC access on Android devices could enable tap-to-pay transaction interception or contactless relay attacks. That capability is not exercised in the version analyzed, but the permissions are declared in the codebase, which signals intent even before any code uses them.
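Manifest triage is the quickest way to confirm declarations like the ones ThreatFabric describes. The following is an added example, not ThreatFabric's tooling or TrickMo code: it scans a decoded AndroidManifest.xml for the platform's NFC permission, feature and host-card-emulation strings and grades what the app could do with NFC. It assumes the APK's binary manifest has already been decoded to text (apktool or androguard do this); the manifest below is constructed, and its package and service names are invented.

```python
"""Flag NFC-related declarations in a decoded AndroidManifest.xml.

Added example, not ThreatFabric tooling. Assumes the binary manifest was
already decoded to plain XML; SAMPLE_MANIFEST is constructed, with an
invented package name and service name.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"  # ElementTree spells android:name this way

# Platform strings that indicate an app wants to read NFC or emulate a card.
NFC_PERMISSIONS = {
    "android.permission.NFC",
    "android.permission.NFC_TRANSACTION_EVENT",
    "android.permission.NFC_PREFERRED_PAYMENT_INFO",
}
NFC_FEATURES = {"android.hardware.nfc", "android.hardware.nfc.hce"}
# Host/off-host card emulation services answer APDUs from a payment
# terminal, which is what tap-to-pay abuse or a relay would need.
HCE_ACTIONS = {
    "android.nfc.cardemulation.action.HOST_APDU_SERVICE",
    "android.nfc.cardemulation.action.OFF_HOST_APDU_SERVICE",
}


def nfc_findings(manifest_xml: str) -> dict:
    """Collect every NFC permission, feature and HCE service declared."""
    root = ET.fromstring(manifest_xml)
    findings = {"permissions": [], "features": [], "hce_services": []}
    for el in root.iter("uses-permission"):
        if el.get(NAME_ATTR, "") in NFC_PERMISSIONS:
            findings["permissions"].append(el.get(NAME_ATTR))
    for el in root.iter("uses-feature"):
        if el.get(NAME_ATTR, "") in NFC_FEATURES:
            findings["features"].append(el.get(NAME_ATTR))
    for svc in root.iter("service"):
        # Walk the service's intent-filters for card-emulation actions.
        if any(a.get(NAME_ATTR, "") in HCE_ACTIONS for a in svc.iter("action")):
            findings["hce_services"].append(svc.get(NAME_ATTR, "?"))
    return findings


def triage(manifest_xml: str, expected_nfc: bool = False) -> tuple:
    """Grade the NFC surface: 'high' if the app can emulate a card,
    'medium' if it can only read tags / observe transaction events,
    'none' otherwise. expected_nfc marks apps (wallets, transit) where
    NFC use is legitimate, so the grade becomes 'expected'."""
    f = nfc_findings(manifest_xml)
    if f["hce_services"]:
        level = "high"
    elif f["permissions"] or f["features"]:
        level = "medium"
    else:
        level = "none"
    if expected_nfc and level != "none":
        level = "expected"
    return level, f


# Constructed manifest for a supposed video player that declares NFC read
# permissions, the HCE feature and an APDU-answering service.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.videoplayer">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.NFC"/>
    <uses-permission android:name="android.permission.NFC_TRANSACTION_EVENT"/>
    <uses-feature android:name="android.hardware.nfc.hce" android:required="false"/>
    <application android:label="Video Player">
        <service android:name=".PayRelayService"
                 android:permission="android.permission.BIND_NFC_SERVICE"
                 android:exported="true">
            <intent-filter>
                <action android:name="android.nfc.cardemulation.action.HOST_APDU_SERVICE"/>
            </intent-filter>
        </service>
    </application>
</manifest>
"""

if __name__ == "__main__":
    level, details = triage(SAMPLE_MANIFEST)
    print(level, details)
```

The grade is only a triage signal: a streaming or social app that declares an HCE service has no plausible reason to, whereas the same declaration in a wallet app is expected. Pair the manifest result with a check for whether any code actually references the declared service, since ThreatFabric's point about Trickmo.C is precisely that the declarations are present before the code is.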
European Banking Targets and Fake Streaming App Distribution
Trickmo.C is distributed disguised as TikTok or streaming applications, appearing in third-party app stores and phishing delivery campaigns rather than Google Play. Primary targets are banking customers and cryptocurrency wallet users in France, Italy, and Austria — consistent with TrickMo’s established European banking focus, which dates to the trojan’s initial identification in 2019.
TrickMo has undergone repeated technical evolution across multiple variants. The shift to blockchain-based C2 is assessed by ThreatFabric as the most significant infrastructure escalation in the malware’s operational history. The NFC permission declarations and inactive runtime hooks suggest operators are building toward expanded capabilities, potentially including real-time screen overlay attacks targeting mobile banking authentication flows.
Why TON-Based C2 Changes the Disruption Calculus for Banking Malware
The practical consequence of TON-hosted C2 is that there is no single piece of network infrastructure to seize or block in order to cut operator communications. The levers that worked against earlier banking trojans, coordinating with registrars to seize domains, ordering ISPs to block known C2 IP addresses, or working with hosting providers to take servers offline, all presuppose a fixed, identifiable endpoint, and a decentralized blockchain overlay exposes none.
ThreatFabric noted that the TON integration effectively converts every infected device into a relay node within the C2 mesh, further increasing the network’s resilience to partial takedowns. The addition of authenticated SOCKS5 proxy capability means compromised devices can also serve as pivot points for attackers targeting other systems on the victim’s local network segment.
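The SOCKS5 capability mentioned in the capability list above and the pivoting it enables here are easier to reason about from the wire format. This is an added example, not TrickMo code and not from the ThreatFabric report: it parses the client side of an authenticated SOCKS5 session as defined in RFC 1928 (greeting and request) and RFC 1929 (username/password sub-negotiation), and flags when the requested destination is a private address, which is the pivot-into-the-victim's-segment case. The captured bytes, credentials and destination are constructed.

```python
"""Parse the client->server bytes of one authenticated SOCKS5 session
(RFC 1928 + RFC 1929) and describe the pivot it requests.

Added example, not TrickMo code or ThreatFabric tooling. SAMPLE_CLIENT_BYTES
is a constructed capture.
"""
import ipaddress
import struct

SOCKS_VERSION = 0x05
METHOD_USERPASS = 0x02
CMD_NAMES = {0x01: "CONNECT", 0x02: "BIND", 0x03: "UDP_ASSOCIATE"}
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04


class NotSocks5(ValueError):
    """Raised when the stream is not a well-formed SOCKS5 client exchange."""


def is_private_target(host: str) -> bool:
    """True when the proxied destination is a private or link-local address,
    i.e. the proxy is being used to reach the victim's local segment.
    Domain names return False; resolve them out of band before judging."""
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return False


def parse_client_stream(data: bytes) -> dict:
    pos = 0

    def take(n: int) -> bytes:
        nonlocal pos
        if pos + n > len(data):
            raise NotSocks5("truncated stream")
        chunk = data[pos:pos + n]
        pos += n
        return chunk

    # 1. Greeting: VER NMETHODS METHODS...  (RFC 1928 section 3)
    ver, nmethods = take(2)
    if ver != SOCKS_VERSION or nmethods == 0:
        raise NotSocks5("no SOCKS5 greeting")
    methods = list(take(nmethods))
    result = {"methods": methods, "username": None, "password": None}

    # 2. RFC 1929 sub-negotiation: VER(0x01) ULEN UNAME PLEN PASSWD.
    #    Only client bytes are visible here, so instead of checking the
    #    server's method selection we key on the next byte: a request
    #    always starts with 0x05, the sub-negotiation with 0x01.
    if METHOD_USERPASS in methods and data[pos:pos + 1] == b"\x01":
        take(1)
        result["username"] = take(take(1)[0]).decode("utf-8", "replace")
        result["password"] = take(take(1)[0]).decode("utf-8", "replace")

    # 3. Request: VER CMD RSV ATYP DST.ADDR DST.PORT  (RFC 1928 section 4)
    ver, cmd, _rsv, atyp = take(4)
    if ver != SOCKS_VERSION or cmd not in CMD_NAMES:
        raise NotSocks5("malformed SOCKS5 request")
    if atyp == ATYP_IPV4:
        host = str(ipaddress.IPv4Address(take(4)))
    elif atyp == ATYP_IPV6:
        host = str(ipaddress.IPv6Address(take(16)))
    elif atyp == ATYP_DOMAIN:
        host = take(take(1)[0]).decode("ascii", "replace")
    else:
        raise NotSocks5("unknown ATYP")
    (port,) = struct.unpack("!H", take(2))
    result.update(command=CMD_NAMES[cmd], host=host, port=port,
                  internal_target=is_private_target(host))
    return result


# Constructed capture: the client offers no-auth and user/pass, authenticates
# as "bot" / "s3cret", then asks the proxy to CONNECT to 192.168.1.10:445.
SAMPLE_CLIENT_BYTES = (
    b"\x05\x02\x00\x02"             # greeting: 2 methods offered (0x00, 0x02)
    b"\x01\x03bot\x06s3cret"        # RFC 1929: ULEN=3 "bot", PLEN=6 "s3cret"
    b"\x05\x01\x00\x01"             # request: CONNECT, RSV, ATYP=IPv4
    + bytes([192, 168, 1, 10]) + struct.pack("!H", 445)
)

if __name__ == "__main__":
    print(parse_client_stream(SAMPLE_CLIENT_BYTES))
```

In a real capture both directions are available, and the server's method-selection reply (VER METHOD) should be checked rather than inferred from the client's next byte. Note also which side the infected phone is on: when the device runs the SOCKS5 server, the tell-tale traffic is an inbound greeting arriving at the handset, and a CONNECT whose destination is on the handset's own RFC 1918 range is the pivot ThreatFabric describes.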
The Trickmo.C analysis was originally initiated in January 2026, with ThreatFabric publishing its full findings on May 11, 2026. No specific threat actor was publicly attributed to the variant’s operation at the time of publication.
