New TrickMo C variant routes command‑and‑control through TON’s .adnl network, evading domain takedowns and turning phones into programmable pivots, targeting
A new variant of the TrickMo Android banking trojan has moved its command‑and‑control (C2) traffic onto The Open Network (TON), addressing its servers through TON's peer‑to‑peer overlay instead of clearnet domains, so traditional domain takedowns no longer reach it [1]. The variant, labeled TrickMo C by ThreatFabric, was observed in active campaigns from January to February 2026 against banking and cryptocurrency wallet users in France, Italy and Austria [3].
The core change is the network layer. The host APK starts an embedded native TON proxy listening on a loopback port and sends every HTTP request through it to an .adnl hostname, which is resolved inside the TON overlay rather than through public DNS [1]. The few remaining clearnet lookups go to a DNS‑over‑HTTPS endpoint, bypassing the device's local resolver. Because the C2 endpoints exist only as TON identities, takedowns that rely on domain seizure or IP blocking have nothing to seize, and the traffic blends with legitimate TON application traffic [3]. What does remain observable on the device is the proxy's loopback listener, HTTP requests to .adnl names that never pass through a public resolver, and the DoH connections themselves.
Beyond stealth, the variant adds a network‑operative subsystem that lets operators run curl, dnslookup, ping, telnet and traceroute from the compromised handset, giving them shell‑like reconnaissance inside whatever corporate or home network the device is attached to [1]. An embedded SSH client and an authenticated SOCKS5 proxy let the phone act as a programmable network exit, so fraudulent sessions originate from the victim's IP address and IP‑based fraud detection on banking, e‑commerce and crypto platforms sees a known‑good client [3]. The malware also retains unused NFC permissions and the Pine hooking framework, suggesting future capability expansion.
TrickMo’s distribution continues to rely on deceptive dropper apps that masquerade as TikTok‑style content on Facebook ads, pulling a dynamically loaded “dex.module” APK at runtime [1]. The shift to a decentralized blockchain C2 marks a significant evolution from earlier versions that used socket.io‑based channels, indicating attackers are willing to adopt emerging infrastructure to stay ahead of defenders.
If the TON overlay can shield C2 traffic, defenders will need to look beyond domain‑based blocking toward behavioral detection of anomalous TON‑related activity on Android devices: a non‑TON app opening a loopback proxy, HTTP requests addressed to .adnl hosts, DoH issued by an app rather than the system resolver, or an inbound SOCKS5 listener on the handset. The open question is how quickly security tools can adapt to monitor and mitigate malware that hides inside legitimate decentralized networks.
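The following detection sketch is an added example written for this article; it is not code from ThreatFabric or from the TrickMo sample. It turns the three behaviours described above (HTTP to an .adnl host via a loopback proxy, DNS‑over‑HTTPS from an app, and an inbound SOCKS5 greeting offering username/password authentication) into rules over a per‑connection summary log. The log line format, the device IP 10.0.0.5, the hostnames and every address in the sample are constructed for the example; the .adnl name is hypothetical and the proxy port is not known from the article, so rule 1 keys on the loopback destination rather than a port.

```python
"""Detection sketch for the TrickMo C network behaviours described above.

Rules over a constructed per-connection summary log from the device:
  1. an HTTP request whose host ends in .adnl, sent to a loopback port
     (the embedded TON proxy) instead of a public address;
  2. a DNS-over-HTTPS request (RFC 8484: /dns-query path or the
     application/dns-message media type), bypassing the device resolver;
  3. an inbound SOCKS5 greeting offering username/password auth
     (RFC 1928 method 0x02, RFC 1929) at a port on the phone itself.
The log format, IPs, ports and hostnames below are all constructed.
"""
import re
from ipaddress import ip_address

# Constructed line format (hypothetical, not any real tool's output):
#   <ts> <src_ip>:<src_port> <dst_ip>:<dst_port> <proto> <detail ...>
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>\w+)\s+(?P<detail>.*)$"
)
HTTP_RE = re.compile(r"^HTTP\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)(?P<rest>.*)$")
URL_HOST_RE = re.compile(r"^https?://(?P<host>[^/:]+)")
# SOCKS5 greeting: version 0x05, method count, then one byte per offered method
SOCKS_RE = re.compile(r"^SOCKS5 greeting methods=(?P<methods>(?:[0-9a-fA-F]{2})+)$")

# Constructed sample: one .adnl beacon via the loopback proxy, one DoH query,
# benign traffic, an inbound SOCKS5 client, and an outbound no-auth SOCKS5.
SAMPLE_LOG = """\
2026-02-03T10:01:02Z 127.0.0.1:41822 127.0.0.1:9050 tcp HTTP POST http://vzq7e3k4.adnl/api/beacon
2026-02-03T10:01:03Z 10.0.0.5:50112 198.51.100.9:443 tcp HTTP POST https://doh.example/dns-query content-type=application/dns-message
2026-02-03T10:01:04Z 10.0.0.5:50113 198.51.100.20:443 tcp HTTP GET https://update.example/app
2026-02-03T10:01:05Z 10.0.0.5:50114 198.51.100.9:443 tcp TLS sni=doh.example
2026-02-03T10:02:10Z 203.0.113.7:58433 10.0.0.5:1080 tcp SOCKS5 greeting methods=02
2026-02-03T10:02:11Z 10.0.0.5:50200 198.51.100.30:1080 tcp SOCKS5 greeting methods=00
this line is not parseable
"""


def parse(line):
    """Parse one summary line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def classify(rec, device_ip):
    """Return [(rule, evidence), ...] for one parsed record."""
    findings = []
    detail = rec["detail"]
    http = HTTP_RE.match(detail)
    if http:
        hostm = URL_HOST_RE.match(http["url"])
        host = hostm["host"].lower() if hostm else ""
        # Rule 1: .adnl names only resolve inside the TON overlay; an app
        # handing one to a loopback proxy is the C2 path the article describes.
        if host.endswith(".adnl") and ip_address(rec["dst"]).is_loopback:
            findings.append(("ton_adnl_via_local_proxy", host))
        # Rule 2: DoH from an app side-steps the device's configured resolver.
        path = http["url"].split("?", 1)[0].rstrip("/")
        if "application/dns-message" in http["rest"] or path.endswith("/dns-query"):
            findings.append(("doh_bypass", host))
    socks = SOCKS_RE.match(detail)
    if socks:
        methods = bytes.fromhex(socks["methods"])
        # Rule 3: an outside client greeting the phone's own SOCKS5 port with
        # username/password auth matches the "authenticated proxy exit" role.
        if 0x02 in methods and rec["dst"] == device_ip:
            findings.append(("socks5_userpass_inbound", rec["src"]))
    return findings


def scan(log_text, device_ip):
    """Return (findings, unparsed): findings is a list of (ts, rule, evidence)."""
    findings, unparsed = [], 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse(line)
        if rec is None:
            unparsed += 1
            continue
        for rule, evidence in classify(rec, device_ip):
            findings.append((rec["ts"], rule, evidence))
    return findings, unparsed


if __name__ == "__main__":
    hits, bad = scan(SAMPLE_LOG, "10.0.0.5")
    for ts, rule, evidence in hits:
        print(f"{ts} {rule:26} {evidence}")
    print(f"{bad} unparsed line(s)")
```

The third rule deliberately ignores outbound SOCKS5 (the phone as a client) and no‑auth greetings, since both are common in legitimate VPN and tethering apps; the signal described in the article is an authenticated listener on the handset that outside parties connect to. Rule 1 is the cheapest check: an .adnl suffix should never appear as an HTTP host on a device that runs no TON app, and if it ever shows up in clearnet DNS telemetry that is an indicator in its own right.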
AI-assisted synthesis by the TrendWatcher Editorial Desk · sourced from 4 outlets · Jun 16, 2026