

A new variant of the TrickMo Android banking trojan was identified between January and February 2026, representing a substantial platform redesign rather than new capabilities. The malware has migrated its command-and-control infrastructure entirely onto The Open Network (TON) using .adnl endpoints, moving away from conventional internet infrastructure. Active campaigns have targeted banking and wallet users in France, Italy, and Austria. Once accessibility permissions are granted, operators gain real-time device control including credential phishing, keylogging, screen recording, SMS intercep
This intelligence was reported by AlienVault OTX on 2026-05-11. The activity is associated with the following threat categories: ton network, trickmo, device takeover, godfather, network pivot, socks5 proxy.
Threats of this type affect organisations that rely on internet-facing infrastructure, cloud services, or employee-facing authentication systems. The window between public disclosure and active exploitation in production environments has narrowed significantly. Security teams that wait more than 48 hours to review new campaigns routinely find themselves responding to incidents that were preventable.
Knowing your organisation's attack surface is the first line of defence. You cannot protect assets you have not mapped.
Organisations running internet-facing services in financial services, critical infrastructure, and enterprise software are the primary targets in campaigns of this type. The techniques involved are not industry-specific. Any organisation with exposed authentication endpoints or unmonitored external assets is a viable target. The threat categories here (ton network, trickmo, device takeover, godfather, network pivot, socks5 proxy) are among the most active in the current landscape.
If you are investigating whether your environment may be affected, the following indicators of compromise have been identified:
c25f7fb9f4e1f5f7c2c9c25c0d827b04df63a73bf700053d47080f07a612f143
1e4e8c4289d00e54be118e54e1144ac9ebbf4c79eae15d3974eb669b14737e9a
a17fc706bd1a7ec801889a9ec2abecb73e5e8792be68a4e3bc7dcbe1c3f19ac0
6763682d63aa8c21143c0e12d2aa1bdecde59f273139dd5605d00f61cda7f626
224e07390119c026
Start with the indicators of compromise above. Run them against your endpoint detection tools, firewall logs, and SIEM. If you find a match, isolate the affected system immediately before taking further action. No matches does not confirm you are unaffected: it means the known indicators were not found. Behavioural analysis and threat hunting are the next steps.
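The sweep described above, as an added example that is not part of the original report: it checks a batch of log lines for the advisory's file hashes and, because this TrickMo variant moves its C2 onto TON, for any reference to a .adnl endpoint. The log format, host names and the hash values in the script are constructed placeholders; substitute the indicators listed above before running it against real exports.

```python
"""Sweep log lines for known-bad SHA-256 hashes and TON .adnl endpoints.
Added example, not part of the original page; log format and sample
hashes are constructed, not real indicators."""
import re
from typing import Iterable

# Constructed placeholder hashes (NOT the advisory's indicators; replace
# this set with the hashes from the report when running in your environment).
IOC_HASHES = {
    "a" * 64,
    "b" * 64,
}

# SHA-256 is 64 hex characters; .adnl is the TON (ADNL) address suffix.
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b", re.IGNORECASE)
ADNL_RE = re.compile(r"\b[a-z0-9][a-z0-9\-]*\.adnl\b", re.IGNORECASE)


def sweep(lines: Iterable[str], ioc_hashes: set[str] = IOC_HASHES) -> list[dict]:
    """Return one finding per line that references a known-bad hash or any
    .adnl endpoint. Hash comparison is case-insensitive; a .adnl hit is
    reported even when the hash list has no match, since TON-based C2 is
    not something a banking user's device should be looking up at all."""
    wanted = {h.lower() for h in ioc_hashes}
    findings = []
    for n, line in enumerate(lines, start=1):
        hits = sorted({h.lower() for h in SHA256_RE.findall(line)} & wanted)
        adnl = sorted({m.lower() for m in ADNL_RE.findall(line)})
        if hits or adnl:
            findings.append({"line": n, "hashes": hits, "adnl": adnl, "raw": line.strip()})
    return findings


# Constructed EDR / proxy / DNS log lines for a local dry run. A .adnl name
# hitting a conventional resolver will normally fail (NXDOMAIN), which is
# itself the signal worth alerting on.
SAMPLE_LOGS = [
    "2026-05-11T09:12:03Z edr host=phone-42 event=apk_install sha256=" + "A" * 64,
    "2026-05-11T09:12:09Z proxy host=phone-42 dst=update-mirror.example.com:443 action=allow",
    "2026-05-11T09:12:11Z dns host=phone-42 query=gate-7.adnl rcode=NXDOMAIN",
    "2026-05-11T09:13:00Z edr host=laptop-7 event=file_seen sha256=" + "c" * 64,
]

if __name__ == "__main__":
    for finding in sweep(SAMPLE_LOGS):
        print(finding)
```

On the constructed sample the script reports two lines: the install event whose hash is on the list, and the DNS lookup of a .adnl name; the unknown hash on the last line is correctly left alone, which is the "no match is not a clean bill" point made above.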
Close exposed services that should not be publicly reachable, rotate credentials that may have been compromised, and enforce MFA on all external-facing authentication. These steps take hours, not weeks, and reduce exposure across a wide range of active campaigns.
Yes. The threat categories involved (ton network, trickmo, device takeover, godfather, network pivot, socks5 proxy) are general-purpose techniques reused across industries. Any organisation that has not reviewed its defences against these specific categories in the past 90 days should treat this as a prompt to do so.
Campaigns that are new today are actively exploiting vulnerable organisations within 24 to 72 hours of public disclosure. Weekly reviews are the minimum. Automated monitoring that surfaces new campaigns in real time gives your team the lead time needed to act before exploitation begins.