New TrickMo Variant Uses TON C2 and SOCKS5 to Create Android Network Pivots
EXECUTIVE SUMMARY
New TrickMo Variant Exploits TON C2 for Android Network Pivots
Summary
The article summarizes a new variant of the TrickMo Android banking trojan that uses The Open Network (TON) for command-and-control (C2) operations. The variant has been targeting banking and cryptocurrency wallet users in several European countries.
Key Points
- A new version of the TrickMo trojan has been identified by ThreatFabric.
- The trojan uses The Open Network (TON) for its command-and-control (C2) infrastructure.
- Active targeting of users in France, Italy, and Austria was observed between January and February 2026.
- TrickMo employs a runtime-loaded APK (dex.module) to execute its malicious activities.
Analysis
The emergence of this new TrickMo variant highlights how cybercriminals are adopting decentralized networks such as TON for C2 operations. Because decentralized networks are resilient to traditional takedown efforts, this approach makes such threats harder for security teams to detect and disrupt. The SOCKS5 capability referenced in the title turns an infected device into a network pivot, extending the impact beyond the device itself. The focus on banking and cryptocurrency users underscores the financial motivation behind these attacks.
Conclusion
IT professionals should improve monitoring and detection for traffic to decentralized networks such as TON and for unexpected proxy activity originating from mobile devices, and should ensure robust security controls are in place for banking and cryptocurrency applications. Regular updates and threat-intelligence sharing remain essential to keep pace with evolving threats.