TCLBANKER Trojan Hits Banks via WhatsApp and Outlook
Emily Davis
Threat hunters flag TCLBANKER, a Brazilian trojan targeting 59 banking, fintech, and crypto platforms. It spreads via WhatsApp and Outlook worms and is a major update of the Maverick malware family.
A new banking trojan called TCLBANKER is making waves in the cybersecurity world. It targets 59 different financial platforms, including banks, fintech apps, and cryptocurrency exchanges. Security researchers at Elastic Security Labs are tracking this threat under the code name REF3076. They believe it's a major upgrade to an older malware family known as Maverick.
What makes TCLBANKER especially dangerous is how it spreads. It uses a worm called SORVEPOTEL that can propagate through WhatsApp and Outlook. That means it can reach a lot of people quickly without needing much interaction from attackers. Once it infects a device, it can steal login credentials, intercept two-factor authentication codes, and even hijack browser sessions.
### How TCLBANKER Infects Devices
The infection chain usually starts with a phishing message. You might get a WhatsApp message from a friend or colleague that looks legitimate but contains a malicious link or attachment. Or it could come through an Outlook email that seems urgent or important. Once you click, the worm kicks in and starts spreading to your contacts automatically.
This worm behavior is what makes it so effective. It doesn't just rely on you making a mistake once. It uses your trust network to keep spreading. So even if you're careful, someone you know might accidentally send it your way. That's why it's crucial to always double-check unexpected messages, even from people you trust.

### Targets: 59 Platforms and Counting
TCLBANKER doesn't discriminate. It goes after all kinds of financial services. Here's a quick breakdown of the types of platforms it targets:
- Traditional banks (both online and mobile)
- Fintech apps like payment processors and lending platforms
- Cryptocurrency exchanges and wallets
- Investment and trading platforms

That's a wide net. And it's not just about stealing money directly. The malware can also grab personal information that can be used for identity theft or sold on the dark web. So even if you don't lose cash right away, your data is at risk.

### Why This Matters for Antidetect Browser Users
If you're using antidetect browsers for privacy or business reasons, this threat is especially relevant. Antidetect browsers help you manage multiple accounts and keep your digital fingerprint separate. But they're not immune to malware like TCLBANKER. No browser can protect you if you download a malicious file or click a bad link.
That's why combining antidetect browser tools with good security habits is so important. Think of it like this: an antidetect browser is like a secure car, but you still need to drive carefully to avoid accidents.
### How to Protect Yourself
Here are some practical steps you can take right now to stay safe from TCLBANKER and similar threats:
- Be skeptical of unexpected messages, even from contacts you know. If something feels off, verify through another channel.
- Don't click links or download attachments in WhatsApp or Outlook unless you're absolutely sure they're safe.
- Use strong, unique passwords for all your financial accounts. A password manager can help.
- Enable two-factor authentication wherever possible, but use an authenticator app instead of SMS when you can.
- Keep your operating system, browser, and antivirus software up to date.
- Consider using a dedicated antidetect browser for sensitive activities to reduce your digital footprint.
### The Bottom Line
TCLBANKER is a serious threat that shows how malware keeps evolving. It's not just about stealing passwords anymore. It's about exploiting trust and spreading through the tools we use every day.
Staying safe means staying informed. Keep an eye on security news, update your software regularly, and always think before you click. And if you're using antidetect browsers, remember they're a tool, not a shield. They work best when paired with smart habits and a healthy dose of caution.
Stay safe out there.