The latest variant of TrickMo, an Android banking trojan discovered in early 2026, has adopted an infrastructure approach that reflects a broader shift in how financially motivated threat actors hide their operations: using The Open Network (TON) blockchain as a command-and-control (C2) platform. This move, documented by researchers at ThreatFabric, highlights how the same decentralisation properties that make a blockchain resistant to censorship also make it attractive to malicious actors seeking resilience against takedown efforts.
From Centralised Servers to Distributed Networks
Historically, banking trojans like TrickMo relied on traditional web infrastructure—rented VPS instances, compromised servers, or bulletproof hosting providers—to relay commands to infected devices. These setups, whilst operationally flexible, remain vulnerable to law enforcement and cybersecurity firms that can identify, seize, or block the command-and-control servers.
By migrating to TON, TrickMo's developers gain several practical advantages. A blockchain-based C2 channel is not hosted on any single server that can be taken offline. Commands can be embedded in smart contracts or transactions, which are then replicated across thousands of nodes. Blocking such communications requires either blocking the entire blockchain network (which is not practical for individual users) or identifying and disrupting the specific contract addresses—a more complex technical problem than shutting down an IP address.
The variant observed in France, Italy, and Austria between January and February 2026 also employs SOCKS5 proxying to further obfuscate traffic and establish network pivots. This combination—blockchain C2 plus proxy chains—allows the trojan to compartmentalise its infrastructure and make traffic analysis significantly more difficult for defenders.
The Runtime APK Loading Problem
One of TrickMo's core mechanics is runtime-loaded APK modules, including a dex module that is fetched and executed dynamically after the initial infection. This approach allows operators to update the trojan's functionality without requiring users to reinstall the malicious application, and it complicates static analysis by security tools. When the dex module is fetched via a TON-based C2, the update vector itself becomes decentralised and harder to monitor.
For hosting infrastructure operators, this creates a secondary concern: infected devices on customer networks may attempt to contact TON nodes or proxy infrastructure, consuming bandwidth and potentially triggering abuse complaints. Traditional DDoS mitigation and network monitoring tools often struggle with blockchain-based traffic because it blends legitimate peer-to-peer communication with malicious payload delivery.
Why Blockchain Attracts Threat Operators
The appeal of blockchain infrastructure to threat actors extends beyond just TrickMo. Ransomware groups have long used cryptocurrency for ransom payments, but the shift toward blockchain-native C2 represents a deeper structural preference: elimination of centralised chokepoints. A traditional hosting provider can be pressured by law enforcement, payment processors can be sanctioned, and ISPs can be compelled to null-route malicious traffic. Blockchain networks, by design, resist such pressure.
However, this comes with operational trade-offs. Blockchain networks are slow, publicly auditable (in the case of non-private chains like TON), and require careful operational security to avoid deanonymisation through on-chain analysis. Sophisticated threat actors must still obscure the link between wallet addresses and actual command messages, typically through additional layers of encryption and proxying.
The SOCKS5 component in this TrickMo variant suggests the operators are aware of these limitations and are adding network-layer obfuscation to compensate. SOCKS5 proxies allow the malware to relay traffic through intermediary systems, making the true destination of communications difficult to determine without deep packet inspection.
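The application-layer inspection the paragraph refers to is concrete: a SOCKS5 negotiation has a fixed wire format (RFC 1928), so the proxy hop can be recognised and the requested destination recovered from the first two client segments of a stream. The following Python does that for IPv4, domain-name and IPv6 destinations. It is an added example, not code from the article, from ThreatFabric or from the malware; the byte strings are constructed, and it assumes the capture tool has already reassembled the client-to-proxy segments in order.

```python
"""Recognise a SOCKS5 negotiation at the start of a client stream (RFC 1928)
and recover the requested destination. Added example, not code from the
article or from TrickMo; the sample segments below are constructed."""
import ipaddress
import struct
from typing import List, Optional

SOCKS_VERSION = 0x05
CMD_NAMES = {0x01: "CONNECT", 0x02: "BIND", 0x03: "UDP_ASSOCIATE"}
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04


def parse_greeting(data: bytes) -> Optional[int]:
    """Validate the client greeting VER | NMETHODS | METHODS and return its
    length, or None if the bytes are not a SOCKS5 greeting."""
    if len(data) < 2 or data[0] != SOCKS_VERSION:
        return None
    nmethods = data[1]
    if nmethods == 0 or len(data) < 2 + nmethods:
        return None
    return 2 + nmethods


def parse_request(data: bytes) -> Optional[dict]:
    """Parse VER | CMD | RSV | ATYP | DST.ADDR | DST.PORT into a dict, or
    return None for anything that is not a well-formed SOCKS5 request."""
    if len(data) < 4 or data[0] != SOCKS_VERSION or data[2] != 0x00:
        return None
    cmd, atyp, pos = data[1], data[3], 4
    if cmd not in CMD_NAMES:
        return None
    if atyp == ATYP_IPV4:
        if len(data) < pos + 4:
            return None
        host = str(ipaddress.IPv4Address(data[pos:pos + 4]))
        pos += 4
    elif atyp == ATYP_DOMAIN:
        # Length-prefixed hostname: the proxy resolves it, so the client
        # never issues a DNS query that a resolver log could catch.
        if len(data) < pos + 1 or data[pos] == 0:
            return None
        n = data[pos]
        pos += 1
        if len(data) < pos + n:
            return None
        host = data[pos:pos + n].decode("ascii", errors="replace")
        pos += n
    elif atyp == ATYP_IPV6:
        if len(data) < pos + 16:
            return None
        host = str(ipaddress.IPv6Address(data[pos:pos + 16]))
        pos += 16
    else:
        return None
    if len(data) < pos + 2:
        return None
    port = struct.unpack("!H", data[pos:pos + 2])[0]
    return {"cmd": CMD_NAMES[cmd], "host": host, "port": port}


def socks5_destination(client_segments: List[bytes]) -> Optional[dict]:
    """Given the ordered client-to-proxy segments of one TCP stream, return the
    SOCKS5 request details if the stream opens with a SOCKS5 negotiation.
    Assumption: the capture tool has already reassembled the segments."""
    if len(client_segments) < 2 or parse_greeting(client_segments[0]) is None:
        return None
    return parse_request(client_segments[1])


# Constructed sample: a no-auth greeting, then CONNECT to c2.example:8080.
SAMPLE_STREAM = [
    b"\x05\x01\x00",
    b"\x05\x01\x00\x03" + bytes([len(b"c2.example")]) + b"c2.example" + struct.pack("!H", 8080),
]
# Constructed sample: the start of a TLS ClientHello, which is not SOCKS5.
SAMPLE_TLS_STREAM = [b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03"]

if __name__ == "__main__":
    print(socks5_destination(SAMPLE_STREAM))      # {'cmd': 'CONNECT', 'host': 'c2.example', 'port': 8080}
    print(socks5_destination(SAMPLE_TLS_STREAM))  # None
```

The domain-name address type is the one worth watching: when the client hands the proxy a hostname, no DNS lookup happens on the infected device, so the destination only ever appears inside the SOCKS5 request itself.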
Implications for Network Security and Monitoring
For organisations operating servers and infrastructure, the prevalence of blockchain-based C2 means that traditional firewall rules blocking known C2 addresses become less effective. A sufficiently motivated defender might choose to block all TON traffic entirely (though this would also block legitimate TON wallet applications), but such measures are coarse-grained and easily circumvented through additional proxying layers.
Detection now requires deeper application-layer inspection, threat intelligence sharing regarding blockchain addresses used for C2, and close monitoring of proxy outbound connections. Mobile device management (MDM) systems deployed on company networks should flag applications attempting to contact blockchain nodes without legitimate business justification.
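One way to act on the monitoring advice above is to run egress records exported from an MDM or network gateway through a small triage step that flags blockchain-node contacts by apps with no documented business need, flags connections to proxy ports, and escalates any device/app pair that shows both signals. The Python below is an added example, not code from the article, from ThreatFabric or from any MDM product; the indicator hostnames, package names and log records are constructed, and treating port 1080 as the SOCKS port is an assumption (it is the IANA-registered port, but real proxies may listen elsewhere).

```python
"""Triage mobile-device egress records for blockchain-node contacts and proxy
use. Added example, not code from the article, ThreatFabric or any MDM
product; indicators, package names and log lines are constructed."""
import json
from collections import defaultdict
from typing import Iterable, Optional

# Constructed indicator set. In a real deployment this would be loaded from a
# threat-intelligence feed of node and contract-related addresses seen in C2 use.
BLOCKCHAIN_NODE_INDICATORS = {"node-a.ton-nodes.invalid", "node-b.ton-nodes.invalid"}
# Apps with a documented business reason to reach blockchain nodes.
ALLOWED_BLOCKCHAIN_APPS = {"com.example.tonwallet"}
# Assumption: 1080 is the IANA-registered SOCKS port; proxies may use others,
# so a port list is only a first-pass signal, not a verdict.
PROXY_PORTS = {1080}

# Constructed sample of JSON-lines egress records as an MDM or gateway might export.
SAMPLE_RECORDS = [
    '{"device": "dev-01", "app": "com.example.tonwallet", "dst": "node-a.ton-nodes.invalid", "port": 443}',
    '{"device": "dev-02", "app": "com.example.sms.helper", "dst": "node-b.ton-nodes.invalid", "port": 443}',
    '{"device": "dev-02", "app": "com.example.sms.helper", "dst": "203.0.113.10", "port": 1080}',
    '{"device": "dev-03", "app": "com.example.browser", "dst": "www.example.org", "port": 443}',
    'not json at all',
]


def parse_record(raw: str) -> Optional[dict]:
    """Return a validated record, or None for malformed or incomplete input."""
    try:
        rec = json.loads(raw)
    except ValueError:
        return None
    if not isinstance(rec, dict):
        return None
    for key in ("device", "app", "dst"):
        if not isinstance(rec.get(key), str):
            return None
    if not isinstance(rec.get("port"), int):
        return None
    return rec


def triage(lines: Iterable[str]) -> dict:
    """Flag blockchain-node contacts lacking justification and proxy-port use,
    and escalate any (device, app) pair that shows both signals."""
    findings, skipped = [], 0
    signals = defaultdict(set)
    for raw in lines:
        rec = parse_record(raw)
        if rec is None:
            skipped += 1          # malformed lines are counted, never silently dropped
            continue
        key = (rec["device"], rec["app"])
        if rec["dst"] in BLOCKCHAIN_NODE_INDICATORS and rec["app"] not in ALLOWED_BLOCKCHAIN_APPS:
            signals[key].add("blockchain-node")
            findings.append({"device": rec["device"], "app": rec["app"], "dst": rec["dst"],
                             "reason": "blockchain-node contact without business justification"})
        if rec["port"] in PROXY_PORTS:
            signals[key].add("proxy-port")
            findings.append({"device": rec["device"], "app": rec["app"], "dst": rec["dst"],
                             "reason": "connection to a SOCKS proxy port"})
    # Both signals from the same app on the same device is the pattern the
    # article describes (blockchain C2 plus proxy chain), so escalate it.
    escalate = sorted(k for k, s in signals.items() if {"blockchain-node", "proxy-port"} <= s)
    return {"findings": findings, "skipped": skipped, "escalate": escalate}


if __name__ == "__main__":
    result = triage(SAMPLE_RECORDS)
    for finding in result["findings"]:
        print(finding)
    print("escalate:", result["escalate"], "skipped:", result["skipped"])
```

The allowlist is what keeps this from becoming the coarse "block all TON traffic" approach the previous section warns against: the wallet app on dev-01 reaches the same node as the unknown app on dev-02, but only the latter is flagged, and only dev-02 is escalated because it also opened a proxy connection.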
ThreatFabric's research suggests that the TrickMo operators are not alone in this approach. As law enforcement pressure on traditional hosting providers increases, and as blockchain infrastructure becomes more accessible, expect other financially motivated threat actors to adopt similar patterns. For infrastructure operators and security teams, this represents a shift in the operational landscape—one where distributed networks, not centralised servers, define the boundary between legitimate and malicious infrastructure.
