www.infosecurity-magazine.com, 5/11/2026 3:47:42 PM

TrickMo C Android trojan hijacks TON blockchain for stealthy C2

A new TrickMo Android banking trojan variant, dubbed TrickMo C, has shifted its primary command-and-control transport onto The Open Network (TON) Blockchain, routing communications via the network’s .adnl identities to hinder traditional domain takedowns.

The variant, identified by ThreatFabric and tracked in early 2026 during campaigns against banking and wallet users in France, Italy and Austria, relies on an embedded native TON proxy that listens on a loopback port and directs the bot's HTTP client to a .adnl hostname that is resolved inside TON rather than through public DNS. The clearnet DNS lookups it still performs are routed through a public DNS-over-HTTPS endpoint, so those queries largely bypass the device's local resolver.

This network design makes the operator endpoints effectively invisible to conventional takedown efforts, and the traffic looks like the output of any other TON-enabled app. Five operator commands run on the device (curl, dnslookup, ping, telnet and traceroute), alongside an embedded SSH client and a SOCKS5 proxy, giving the operators a programmable network exit on the victim's device. The trojan also reserves NFC permissions and ships the Pine hooking framework for runtime delivery.
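The three transport traits described above (an HTTP client talking to a proxy on a loopback port, a TON `.adnl` hostname in place of a DNS name, and name resolution sent to a public DNS-over-HTTPS endpoint) are each observable from per-app network telemetry, and a defender's first question is how to surface them together. The script below is an added example written for this summary; it is not ThreatFabric's tooling and not code from the article. The flow-record format, the package names, the `127.0.0.1:8780` proxy port, the `.adnl` identities and the DoH hostnames (`doh.example`, `resolver.example`) are all constructed placeholders, since the article names none of them; the `/dns-query` path is the standard RFC 8484 DoH path.

```python
"""Heuristic triage of per-app network flow records for the C2 transport
pattern described in the TrickMo C summary: an on-device proxy bound to a
loopback port, HTTP requests addressed to a TON ".adnl" hostname, and
clearnet name resolution sent to a public DNS-over-HTTPS (DoH) endpoint
instead of the device resolver.

The record format and every sample value here are constructed for this
example; adapt parse() to whatever your mobile EDR actually exports."""

import re
from collections import defaultdict

# Constructed record format (one flow per line):
#   <ts> app=<package> dst=<ip>:<port> host=<sni-or-http-host> path=<path>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) app=(?P<app>\S+) dst=(?P<ip>[\d.]+):(?P<port>\d+)"
    r" host=(?P<host>\S+) path=(?P<path>\S*)$"
)

# RFC 8484 DoH servers answer on /dns-query. The hostnames are placeholders,
# not the (unnamed) endpoint from the article; fill in the resolvers you see.
DOH_PATH = "/dns-query"
KNOWN_DOH_HOSTS = {"doh.example", "resolver.example"}  # constructed


def parse(line):
    """Return a dict of fields for one record, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def is_loopback(ip):
    return ip.startswith("127.")


def triage(lines):
    """Return {app: sorted list of rule names} for apps showing any indicator."""
    findings = defaultdict(set)
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        app, host, path, ip = rec["app"], rec["host"].lower(), rec["path"], rec["ip"]
        # Rule 1: the HTTP host is a TON ADNL identity rather than a DNS name.
        if host.endswith(".adnl"):
            findings[app].add("adnl_host")
            # Rule 2: and that request goes to a proxy on the loopback interface.
            if is_loopback(ip):
                findings[app].add("loopback_proxy")
        # Rule 3: name resolution over DoH, bypassing the device's local resolver.
        if path == DOH_PATH or host in KNOWN_DOH_HOSTS:
            findings[app].add("doh_resolver")
    return {app: sorted(rules) for app, rules in findings.items()}


def score(rules):
    """Crude severity: all three indicators together is the full pattern.
    A genuine TON wallet will also trip the .adnl and loopback rules, so the
    score alone is a triage hint, not a verdict."""
    weights = {"adnl_host": 2, "loopback_proxy": 2, "doh_resolver": 1}
    return sum(weights[r] for r in rules)


# Constructed sample telemetry: one suspect app, one legitimate TON wallet,
# one unrelated app. IPs are from the RFC 5737 documentation ranges.
SAMPLE_LOG = [
    "2026-05-11T09:00:01Z app=com.example.bankhelper dst=127.0.0.1:8780 host=k3v7q2.adnl path=/api/poll",
    "2026-05-11T09:00:02Z app=com.example.bankhelper dst=203.0.113.10:443 host=doh.example path=/dns-query",
    "2026-05-11T09:00:03Z app=com.example.weather dst=198.51.100.7:443 host=api.weather.example path=/v1/forecast",
    "2026-05-11T09:00:04Z app=com.example.tonwallet dst=127.0.0.1:8780 host=p9x1m4.adnl path=/",
]


if __name__ == "__main__":
    for app, rules in triage(SAMPLE_LOG).items():
        print(f"{app}: score={score(rules)} rules={rules}")
```

Running it lists `com.example.bankhelper` with all three rules and `com.example.tonwallet` with only the `.adnl` and loopback rules, which is the point of the separate `score()`: because the transport is designed to look like ordinary TON app traffic, the `.adnl` and loopback hits on their own are expected for legitimate wallets, and it is the combination with DoH resolver bypass in an app that has no business speaking TON that merits an analyst's attention.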

Article by CyberSIXT
