CYBERSECURITY researchers have flagged a new TrickMo variant that uses The Open Network (TON) for its command-and-control communications, as observed by ThreatFabric between January and February 2026. The variant is actively targeting banking and cryptocurrency wallet users in France, Italy and Austria, and adds network-oriented functionality such as reconnaissance, SSH tunnelling and SOCKS5 proxying to turn infected devices into programmable network pivots and traffic-exit nodes.
The latest versions, dubbed TrickMo C, are distributed via phishing websites and dropper apps, with a dynamically loaded APK retrieved at runtime from attacker-controlled infrastructure; it embeds a TON proxy that the host APK starts on a loopback port, routing outbound C2 requests to an ADNL hostname via the TON overlay, according to ThreatFabric. Dropper apps pose as adult-themed variants of TikTok, while the malware itself masquerades as Google Play Services.
ThreatFabric also notes two dormant features: the sample bundles the Pine hooking framework and requests NFC-related permissions, but neither is used yet, suggesting potential future expansion.
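The behaviours described above (a fake "Google Play Services" label, a payload APK loaded at runtime, a TON proxy bound to loopback, C2 reached through an ADNL/.adnl name, and an unused NFC permission) translate directly into triage heuristics a mobile security team can apply to app inventory data. The script below is an added illustration, not ThreatFabric's tooling or anything from the TrickMo sample; the `AppRecord` schema, the `/data/app/` path check, the `.adnl` suffix rule and every sample value are assumptions constructed for the example, and no real indicator from the campaign is used.

```python
"""Triage heuristics for TrickMo-style Android droppers (constructed example).

The records below imitate what a mobile EDR or static analyser might export;
the field names are an assumption for this example, not any real tool's schema.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Genuine package name of Google Play Services; a matching label on any other
# package is the impersonation signal described in the article.
GMS_PACKAGE = "com.google.android.gms"


@dataclass
class AppRecord:
    label: str                                          # user-visible app name
    package: str                                        # Android package name
    permissions: list[str] = field(default_factory=list)
    dynamic_loads: list[str] = field(default_factory=list)   # paths handed to DexClassLoader-style APIs
    listeners: list[tuple[str, int]] = field(default_factory=list)  # (host, port) sockets the app binds
    outbound: list[str] = field(default_factory=list)   # hostnames the app resolves or connects to


def triage(app: AppRecord) -> list[str]:
    """Return one finding per heuristic the app trips. Order is fixed."""
    findings: list[str] = []

    # 1. Impersonation: the Play Services label on a non-Google package.
    if app.label.strip().lower() == "google play services" and app.package != GMS_PACKAGE:
        findings.append("label impersonates Google Play Services")

    # 2. Runtime loading of code that is not part of the installed APK.
    #    Installed APKs live under /data/app/; anything else (assumed heuristic)
    #    is a payload fetched after install.
    for path in app.dynamic_loads:
        if path.endswith((".apk", ".dex")) and not path.startswith("/data/app/"):
            findings.append(f"runtime load of external code: {path}")

    # 3. A local listener, matching a proxy started on a loopback port.
    for host, port in app.listeners:
        if host in ("127.0.0.1", "::1", "localhost"):
            findings.append(f"loopback listener on {host}:{port}")

    # 4. Destinations only reachable through the TON overlay (.adnl suffix, assumed convention).
    for name in app.outbound:
        if name.lower().endswith(".adnl"):
            findings.append(f"TON overlay destination: {name}")

    # 5. NFC permission requested by an app with no plausible NFC use.
    if "android.permission.NFC" in app.permissions:
        findings.append("requests NFC permission")

    return findings


def verdict(findings: list[str]) -> str:
    """Coarse score: two or more independent heuristics is enough to escalate."""
    if len(findings) >= 2:
        return "suspicious"
    return "review" if findings else "clean"


# Constructed sample records; package name, path and hostname are placeholders, not IoCs.
SUSPICIOUS = AppRecord(
    label="Google Play Services",
    package="com.example.playservices.update",
    permissions=["android.permission.INTERNET", "android.permission.NFC"],
    dynamic_loads=["/data/user/0/com.example.playservices.update/files/stage2.apk"],
    listeners=[("127.0.0.1", 8080)],
    outbound=["c2-placeholder.adnl"],
)

BENIGN = AppRecord(
    label="Google Play Services",
    package=GMS_PACKAGE,
    permissions=["android.permission.INTERNET"],
    dynamic_loads=["/data/app/com.google.android.gms-1/base.apk"],
    outbound=["play.googleapis.com"],
)

if __name__ == "__main__":
    for app in (SUSPICIOUS, BENIGN):
        hits = triage(app)
        print(f"{app.package}: {verdict(hits)}")
        for h in hits:
            print("  -", h)
```

Each heuristic on its own is noisy (plenty of legitimate apps bind loopback ports or load code at runtime), which is why `verdict` escalates only on a combination; in practice the loopback listener plus a `.adnl` destination is the pairing that most specifically reflects the TON-proxied C2 design described above.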