Overview
- ThreatFabric, which reported the change Monday, says the latest TrickMo build, tracked as TrickMo C, now sends commands over The Open Network (TON) using an on‑device TON proxy and .adnl identities instead of conventional domain-based C2.
- Researchers say the TON overlay hides operator servers from public DNS and makes the malware’s traffic blend with legitimate TON use, weakening domain takedowns and simple network blocks.
- The campaigns observed in January and February targeted banking and crypto wallet users in France, Italy and Austria using TikTok‑themed lures delivered via Facebook ads and dropper sites.
- New operator tools such as curl, dnslookup, ping, telnet, traceroute, SSH tunneling and an authenticated SOCKS5 proxy let attackers probe networks and route actions through the victim’s IP address.
- TrickMo remains a modular device‑takeover trojan with overlays, keylogging, screen streaming and OTP interception, and dormant Pine and NFC components suggest the operators may add features later.
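The authenticated SOCKS5 proxy in the fourth bullet is the piece a defender can reason about concretely, because the handshake is standardized (RFC 1928 greeting and CONNECT, RFC 1929 username/password sub-negotiation). The block below is an added example, not ThreatFabric's or TrickMo's code: it models a device-side listener that refuses anonymous clients, checks a credential, and records which destinations the operator reaches through the victim's address. The port, credentials, target host and `Socks5Listener` class are assumptions for illustration; the page does not publish the malware's values.

```python
"""Added example, not code from the page or from TrickMo: the SOCKS5 handshake
with RFC 1929 username/password auth, modelled from the device side."""
import ipaddress
import struct

SOCKS_VER = 0x05
AUTH_NONE, AUTH_USERPASS, NO_ACCEPTABLE = 0x00, 0x02, 0xFF
SUBNEG_VER = 0x01
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04

# Hypothetical credential; the real operator values are not published on this page.
CREDS = {"operator": "s3cret"}


def parse_greeting(data: bytes):
    """RFC 1928 greeting: VER NMETHODS METHODS. Returns offered methods or None."""
    if len(data) < 2 or data[0] != SOCKS_VER or len(data) != 2 + data[1]:
        return None
    return list(data[2:])


def parse_userpass(data: bytes):
    """RFC 1929 sub-negotiation: VER=1 ULEN UNAME PLEN PASSWD. Returns (user, pwd) or None."""
    if len(data) < 2 or data[0] != SUBNEG_VER:
        return None
    ulen = data[1]
    if len(data) < 3 + ulen:
        return None
    plen = data[2 + ulen]
    if len(data) != 3 + ulen + plen:
        return None
    user = data[2:2 + ulen].decode("utf-8", "replace")
    pwd = data[3 + ulen:3 + ulen + plen].decode("utf-8", "replace")
    return user, pwd


def parse_connect(data: bytes):
    """RFC 1928 request: VER CMD RSV ATYP DST.ADDR DST.PORT. Returns (cmd, host, port) or None."""
    if len(data) < 4 or data[0] != SOCKS_VER:
        return None
    cmd, atyp = data[1], data[3]
    if atyp == ATYP_IPV4 and len(data) == 10:
        host, off = str(ipaddress.IPv4Address(data[4:8])), 8
    elif atyp == ATYP_DOMAIN and len(data) >= 5 and len(data) == 7 + data[4]:
        host, off = data[5:5 + data[4]].decode("utf-8", "replace"), 5 + data[4]
    elif atyp == ATYP_IPV6 and len(data) == 22:
        host, off = str(ipaddress.IPv6Address(data[4:20])), 20
    else:
        return None
    return cmd, host, struct.unpack("!H", data[off:off + 2])[0]


class Socks5Listener:
    """Hypothetical device-side proxy: requires username/password, then accepts CONNECT."""

    def __init__(self, creds):
        self.creds, self.state, self.authed_user, self.targets = creds, "greet", None, []

    def feed(self, data: bytes) -> bytes:
        if self.state == "greet":
            methods = parse_greeting(data)
            if methods is None:
                return b""
            if AUTH_USERPASS in methods:
                self.state = "auth"
                return bytes([SOCKS_VER, AUTH_USERPASS])
            self.state = "closed"  # anonymous clients are refused (no 0x00 method offered back)
            return bytes([SOCKS_VER, NO_ACCEPTABLE])
        if self.state == "auth":
            cred = parse_userpass(data)
            if cred and self.creds.get(cred[0]) == cred[1]:
                self.state, self.authed_user = "request", cred[0]
                return bytes([SUBNEG_VER, 0x00])  # auth success
            self.state = "closed"
            return bytes([SUBNEG_VER, 0x01])  # auth failure; client must close
        if self.state == "request":
            req = parse_connect(data)
            if req is None or req[0] != CMD_CONNECT:
                return bytes([SOCKS_VER, 0x07, 0x00, ATYP_IPV4] + [0] * 6)  # command not supported
            self.targets.append(req[1:])  # destinations reached via the victim's IP
            return bytes([SOCKS_VER, 0x00, 0x00, ATYP_IPV4] + [0] * 6)  # success, BND.ADDR 0.0.0.0:0
        return b""


# Client-side message builders (what an operator's tooling would send).
def greeting(*methods):
    return bytes([SOCKS_VER, len(methods), *methods])


def userpass(user, pwd):
    u, p = user.encode(), pwd.encode()
    return bytes([SUBNEG_VER, len(u)]) + u + bytes([len(p)]) + p


def connect_domain(host, port):
    h = host.encode()
    return bytes([SOCKS_VER, CMD_CONNECT, 0x00, ATYP_DOMAIN, len(h)]) + h + struct.pack("!H", port)


def demo():
    """Constructed exchange: operator authenticates, then asks the device to reach a host."""
    srv = Socks5Listener(CREDS)
    replies = [srv.feed(greeting(AUTH_NONE, AUTH_USERPASS)),
               srv.feed(userpass("operator", "s3cret")),
               srv.feed(connect_domain("target.example", 443))]
    return replies, srv.state, srv.targets


def demo_anonymous():
    """A client offering only NO AUTH is rejected with 0xFF."""
    srv = Socks5Listener(CREDS)
    return srv.feed(greeting(AUTH_NONE)), srv.state
```

In a capture, the three-step shape is the signature to look for on an unexpected listening port on a mobile device: a two-byte `05 02` server choice, a `01 00` sub-negotiation reply, then a `05 00` CONNECT reply; the destination in the CONNECT request is the host the operator is reaching through the victim's address.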