TrickMo TON Blockchain: Android Banker Adopts Decentralized C2 in 2026

Decentralized C2: TrickMo's TON Blockchain Gambit and What It Means for Defenders

We've spent years refining our playbooks for taking down malware command-and-control (C2) infrastructure. Domain registrars, hosting providers, IP blacklists – these are the levers we pull. But what happens when the C2 isn't a domain, isn't an IP, and isn't something you can just call up a registrar about? That's the problem TrickMo C, the variant that has moved its C2 onto the TON blockchain, just dropped on our desks.

The mainstream narrative, and what I'm seeing echoed in places like r/SecOpsDaily, rightly points out the technical sophistication here. TrickMo, an Android banking trojan that has been around since September 2019, has always been a nasty piece of work. But its latest variant, TrickMo C, tracked by ThreatFabric since January 2026, has changed the game for C2 by routing its communications over the TON blockchain, which makes our old takedown strategies largely useless.

This isn't about TON being a bad platform; it's a legitimate, decentralized network. The issue is how TrickMo's operators are abusing it.

How the TON Blockchain Became TrickMo's Lifeline

Here's what actually happened: TrickMo C, disguised as TikTok or other streaming apps, targets banking and crypto wallet users in France, Italy, and Austria. Once it's on a device, it's a full-blown device-takeover trojan. We're talking credential phishing via WebView overlays, keylogging, screen streaming, remote control, and the ability to silently suppress one-time-password (OTP) notifications. That's bad enough.

But the real headache is how this variant talks to its operators.

The malware embeds and starts a native TON proxy on a loopback port as soon as the process launches. After that, the bot's HTTP client routes all of its C2 traffic through this local TON proxy. Instead of reaching out to a regular domain name that resolves via public DNS, the bot sends its C2 requests to .adnl hostnames. These aren't resolved by your typical DNS servers; they're resolved within the TON overlay network itself.

This means:

  1. No Central Point of Failure: There's no single domain or IP address for us to target for a takedown. The C2 is distributed across a decentralized peer-to-peer network.
  2. Obfuscated Traffic: From the network edge, this traffic looks like any other encrypted TON-enabled application. It's incredibly difficult to distinguish malicious C2 from legitimate TON activity.
  3. Bypassing Local DNS: For any clearnet lookups it does need to make, TrickMo C routes them through a public DNS-over-HTTPS endpoint, completely bypassing local DNS resolvers and any network-level filtering you might have in place.

On top of this, TrickMo C turns infected handsets into programmable network pivots. The operators can issue shell-equivalent commands such as curl, dnslookup, ping, telnet, and traceroute directly from the victim's device. It also bundles an SSH client and an on-device SOCKS5 proxy with authentication. This gives the attackers an authenticated, programmable network exit on the victim's device.

The practical impact: any outbound traffic from the attacker, routed through the victim's device, originates from the victim's IP address. This completely defeats IP-based fraud detection. Imagine a fraudulent transaction that appears to come from a legitimate customer's phone, on their home IP. That's a serious problem for banks.

The Real Impact of TrickMo's TON-Based C2 on Defense

The shift to TON-based C2 isn't just a technical curiosity; it fundamentally changes how we approach detection and response for this kind of threat.

  • Takedowns are Dead (for C2): Our traditional methods of disrupting C2 infrastructure by going after domains or hosting providers are largely ineffective here. We can't just call up TON and ask them to shut down an .adnl address.
  • Network Detection Gets Harder: Identifying malicious TrickMo traffic becomes a lot more complex when it's indistinguishable from legitimate decentralized network traffic. We can't rely on simple IP or domain blacklists.
  • Fraud Detection is Blinded: The ability to use victim devices as authenticated SOCKS5 proxies means that IP-based fraud detection is severely hampered. This directly impacts financial institutions.
  • Future Capabilities: TrickMo C also declares full NFC permissions and bundles the Pine hooking framework, even though these aren't active yet. This tells me the operators are provisioning for future runtime delivery of even more advanced capabilities, potentially for contactless payment fraud or deeper system manipulation.

What We Do Now: Countering TrickMo's TON-Based C2

This move by TrickMo C means we have to rethink our defensive strategies.

First, we need to shift focus from network-level C2 detection to on-device behavioral analysis. If we can't reliably block the C2 traffic at the network edge, we need to get better at spotting the malware's activity on the endpoint itself. That means stronger EDR for Android: looking for unusual accessibility service abuse, unexpected process launches (such as the TON proxy), and suspicious network connections from apps that look legitimate.

Second, threat intelligence needs to evolve. We need to understand how these decentralized networks are being abused, not just by TrickMo but by other actors. Sharing indicators of compromise (IOCs) that go beyond traditional IP addresses and domains, focusing instead on application behaviors and specific .adnl patterns, becomes essential.

Third, for financial institutions, fraud detection needs to move beyond IP attribution. We need more sophisticated behavioral analytics that look at transaction patterns, device fingerprints, and user interaction anomalies, rather than just relying on the source IP.
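To make the first two points concrete, here is an added example of the kind of on-device correlation an Android EDR could run over its own telemetry. It is not code from the original post, from ThreatFabric, or from the malware's operators. It ties together the behaviours described earlier: a third-party app opening a loopback listener right after launch, HTTP requests through that loopback port to .adnl hostnames, TLS connections straight to a public DNS-over-HTTPS resolver, and an enabled accessibility service. The telemetry format, package names, ports and the .adnl hostnames are all constructed; the list of DoH resolver names is illustrative, not a claim about which resolver TrickMo C uses.

```python
# Added example (not code from the original post, from ThreatFabric or from the
# malware): EDR-style correlation over constructed Android telemetry. Package
# names, ports and the .adnl hostnames are constructed; PUBLIC_DOH_SNI is illustrative.
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Illustrative SNI names of well-known public DNS-over-HTTPS resolvers.
PUBLIC_DOH_SNI = {"dns.google", "cloudflare-dns.com", "dns.quad9.net"}
LISTENER_WINDOW_S = 5  # loopback listener must appear this soon after launch

# Constructed telemetry, one event per line: ts|package|event|key=value ...
# A fake streaming app with the full pattern, a TON app that only does the
# loopback/.adnl part, and a browser that only talks to a DoH resolver.
SAMPLE_EVENTS = """\
100|com.example.fakevideo|process_start|pid=4242
101|com.example.fakevideo|listen|addr=127.0.0.1 port=18080
102|com.example.fakevideo|accessibility_service|state=enabled
103|com.example.fakevideo|http_request|dst=127.0.0.1 dport=18080 host=placeholder-c2.adnl
104|com.example.fakevideo|connect|dst=203.0.113.10 dport=443 sni=cloudflare-dns.com
200|com.example.tonwallet|process_start|pid=5151
201|com.example.tonwallet|listen|addr=127.0.0.1 port=18090
202|com.example.tonwallet|http_request|dst=127.0.0.1 dport=18090 host=placeholder-site.adnl
300|com.example.browser|process_start|pid=6161
301|com.example.browser|connect|dst=203.0.113.20 dport=443 sni=dns.google
"""

@dataclass
class AppState:
    start_ts: Optional[int] = None
    loopback_ports: Set[int] = field(default_factory=set)
    adnl_hosts: Set[str] = field(default_factory=set)
    doh_sni: Set[str] = field(default_factory=set)
    accessibility: bool = False

def parse_events(text: str):
    """Yield (ts, package, event, {key: value}) tuples from the telemetry text."""
    for line in text.strip().splitlines():
        ts, pkg, kind, details = line.split("|", 3)
        kv = dict(tok.split("=", 1) for tok in details.split() if "=" in tok)
        yield int(ts), pkg, kind, kv

def build_states(events) -> Dict[str, AppState]:
    """Fold events into per-package state, keeping only the signals we score."""
    states: Dict[str, AppState] = defaultdict(AppState)
    for ts, pkg, kind, kv in events:
        st = states[pkg]
        if kind == "process_start":
            st.start_ts = ts
        elif kind == "listen" and kv.get("addr") == "127.0.0.1":
            # A loopback listener right after launch matches the embedded proxy.
            if st.start_ts is not None and ts - st.start_ts <= LISTENER_WINDOW_S:
                st.loopback_ports.add(int(kv["port"]))
        elif kind == "http_request":
            host = kv.get("host", "").lower()
            # C2 requests go to an .adnl name through the app's own loopback port.
            if (kv.get("dst") == "127.0.0.1" and host.endswith(".adnl")
                    and int(kv.get("dport", 0)) in st.loopback_ports):
                st.adnl_hosts.add(host)
        elif kind == "connect":
            sni = kv.get("sni", "").lower()
            # TLS straight to a public DoH resolver bypasses the local resolver.
            if kv.get("dport") == "443" and sni in PUBLIC_DOH_SNI:
                st.doh_sni.add(sni)
        elif kind == "accessibility_service" and kv.get("state") == "enabled":
            st.accessibility = True
    return states

def assess(states: Dict[str, AppState]) -> Dict[str, dict]:
    """Score each package. A legitimate TON-enabled app produces the same
    loopback/.adnl pattern, so that alone is only a review item; the same app
    also bypassing the resolver with an enabled accessibility service is high."""
    findings = {}
    for pkg, st in states.items():
        signals = []
        if st.loopback_ports:
            signals.append("loopback_listener_at_launch")
        if st.adnl_hosts:
            signals.append("adnl_c2_via_loopback")
        if st.doh_sni:
            signals.append("doh_resolver_bypass")
        if st.accessibility:
            signals.append("accessibility_service_enabled")
        if not signals:
            continue
        if {"adnl_c2_via_loopback", "doh_resolver_bypass",
                "accessibility_service_enabled"} <= set(signals):
            severity = "high"
        elif "adnl_c2_via_loopback" in signals:
            severity = "review"
        else:
            severity = "info"
        findings[pkg] = {"severity": severity, "signals": signals,
                         "adnl_hosts": sorted(st.adnl_hosts)}
    return findings

if __name__ == "__main__":
    for pkg, f in assess(build_states(parse_events(SAMPLE_EVENTS))).items():
        print(f"{f['severity']:6} {pkg}: {', '.join(f['signals'])}")
```

The point of the scoring is the caveat the post itself raises: the loopback proxy plus .adnl requests is exactly what a legitimate TON-enabled app looks like, so on its own it only earns a review. The combination with a public-DoH bypass and an enabled accessibility service on the same app is what separates the fake streaming app from the wallet and the browser in the sample, and the output is a behavioural finding rather than an IP or domain, which is the kind of IOC the second point asks for.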

This isn't a hypothetical threat. TrickMo C is active right now, targeting users in Europe. The fact that it's using TON shows a clear, methodical evolution in how sophisticated Android malware operates. We can't keep fighting the last war. Defenders need to adapt to a reality where C2 infrastructure can be as resilient and decentralized as the networks it abuses. The old playbook is broken, and it's time to write a new one.

Daniel Marsh
Former SOC analyst turned security writer. Methodical and evidence-driven, breaks down breaches and vulnerabilities with clarity, not drama.