Banking Trojan – Cyberwave Digest- Real-Time Cybersecurity News & Threat Alerts (https://www.cyberwavedigest.com), feed generated Sat, 16 May 2026 16:56:43 +0000

TCLBANKER Banking Trojan: How the SORVEPOTEL Worm Spreads
https://www.cyberwavedigest.com/tclbanker-banking-trojan-sorvepotel-worm/
Sat, 16 May 2026 16:56:38 +0000

A deep dive into the TCLBANKER banking trojan, a sophisticated evolution of the Maverick malware that uses self-propagating worm capabilities to compromise financial accounts.

The post TCLBANKER Banking Trojan: How the SORVEPOTEL Worm Spreads first appeared on Cyberwave Digest- Real-Time Cybersecurity News & Threat Alerts.
TCLBANKER Banking Trojan: The New Wormable Financial Threat

In the evolving landscape of cybercrime, the line between personal communication and professional risk has blurred significantly. Financial institutions and their customers are currently facing a formidable new adversary: the TCLBANKER Banking Trojan. Built and operated by a threat actor that researchers track under the identifier REF3076, this malware is a further step in the lineage of Brazilian banking trojans, building directly on the infamous ‘Maverick’ malware family.

What makes TCLBANKER particularly alarming is not just its payload but its distribution strategy. By pairing the banker with the SORVEPOTEL worm, the operators have moved from labor-intensive phishing campaigns run from their own infrastructure to an automated, self-propagating model that turns trusted communication platforms, WhatsApp and Outlook, into infection vectors.

Introduction: The Emergence of TCLBANKER

The REF3076 threat actor has demonstrated a high level of operational maturity. Their flagship creation, TCLBANKER, targets 59 distinct financial entities: traditional banks, fintech applications, and cryptocurrency wallets. Casting such a wide net maximizes the return on each infection, capturing credentials from both legacy account holders and users of digital assets.

The step up from the original Maverick malware is stark. Where Maverick was a comparatively static piece of code, TCLBANKER is modular: its components can be updated independently, and it is engineered to keep operating on hosts that already run endpoint and transaction-monitoring controls, layers that simpler banking trojans rarely get past.

Infection Vectors: WhatsApp and Outlook Exploitation

The most distinctive feature of the current REF3076 campaign is the use of the SORVEPOTEL worm. This component acts as the delivery mechanism, automating the spread of the infection across a target’s digital ecosystem.

The SORVEPOTEL Worm Functionality

Traditional malware waits for a victim to download and run a payload that arrives from a stranger. SORVEPOTEL still needs the recipient to open the lure, but it removes the stranger: the lure arrives from an account the recipient already trusts. Once a device is compromised, the worm performs two primary actions:

  • WhatsApp Propagation: It reads the user’s contact list and automatically sends malicious messages to friends, colleagues, and professional connections. Because these messages originate from a known account, recipients are far more likely to open the attachment or follow the link.
  • Outlook Distribution: It uses the victim’s email client to send messages carrying the malicious document or link, silently and from the victim’s own mailbox. This turns a single endpoint compromise into a distribution hub that can reach into corporate networks.

Both techniques are social engineering at scale: the lure crosses network boundaries inside messaging and email channels that a perimeter firewall was never designed to police, carried by accounts the recipient already trusts.

Technical Deep Dive: Capability and Architecture

TCLBANKER is not just a delivery mechanism; it is a full-featured suite for financial theft. At its core the trojan combines keylogging with screen capture, which lets the REF3076 group harvest not only usernames and passwords but also two-factor authentication (2FA) codes and the account activity around them. Because a one-time code is only valid for a short window, stealing it is only useful if the operator relays it into a live session almost immediately; that real-time relay is also where a bank’s transaction-time anomaly detection still has leverage.

Bypassing Security Layers

Financial platforms have invested heavily in multi-layered security, yet TCLBANKER finds ways around it. The trojan’s modular architecture lets the REF3076 group push updated components to compromised machines at any time. When a security vendor ships a detection signature for one module, the attackers replace that module with a recompiled or repacked version, and the signature stops matching. Detection that keys on behavior rather than on file hashes is therefore the only kind that survives a module rotation.

Strategic Risk Mitigation for Financial Enterprises

For IT decision-makers, the emergence of the SORVEPOTEL worm requires a fundamental shift in defensive strategy. Perimeter security alone cannot contain a threat that propagates through the same messaging and email channels the business depends on.

1. Strengthening Email Gateway Security

Given that Outlook is one of the worm’s propagation channels, organizations must implement email filtering that goes beyond spam detection: sandbox attachments, and watch outbound mail for the worm’s signature pattern, a single mailbox that suddenly sends the same attachment or link to a large number of recipients in a short window. That fan-out is visible at the gateway even when the attachment itself is not yet detected.
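The outbound fan-out check described above, written out as an added example (not code from the article or from any mail-gateway product). The log is a constructed JSON Lines sample in the shape a typical gateway can export; the field names, addresses, hashes and thresholds are assumptions for illustration. The rule keys on the number of separate messages carrying the same attachment as well as on distinct recipients, so that a single newsletter to thirty people does not trip it while a worm sending one message per contact does:

```python
"""Outbound-mail fan-out check for worm-style self-propagation.

Added example, not code from the article or from any vendor product.
The log is a constructed JSON Lines sample; field names, addresses,
hashes and thresholds are assumptions for illustration.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional


def _rec(ts: str, sender: str, rcpts: List[str], sha: Optional[str]) -> str:
    return json.dumps({"ts": ts, "sender": sender, "rcpts": rcpts,
                       "attachment_sha256": sha})


# Constructed hashes standing in for a lure document and a normal report.
WORM_HASH = "3a7bd3e2360a3d29eea436fcfb7e44c735d117c42d1c1835420b6b9942dd4f1b"
REPORT_HASH = "5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8"

_lines = [
    # Normal morning traffic from the mailbox that is later compromised.
    _rec("2026-05-10T08:15:00Z", "ana@corp.example", ["bob@corp.example"], None),
    _rec("2026-05-10T09:40:00Z", "ana@corp.example", ["carla@partner.example"], REPORT_HASH),
    # One bulk message to 30 people: legitimate, and a classic false positive
    # for a naive "too many recipients" rule.
    _rec("2026-05-10T10:00:00Z", "hr@corp.example",
         [f"staff{i:02d}@corp.example" for i in range(30)], REPORT_HASH),
]
# Worm burst: 24 individual messages in under three minutes, each to one
# contact, all carrying the same attachment.
for i in range(24):
    _lines.append(_rec(f"2026-05-10T13:{2 + i // 8:02d}:{(i % 8) * 7:02d}Z",
                       "ana@corp.example", [f"contact{i:02d}@example.net"], WORM_HASH))
SAMPLE_MAIL_LOG = "\n".join(_lines)


def parse_log(text: str) -> List[Dict]:
    """Parse JSON Lines into records with timezone-aware datetimes."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        r = json.loads(line)
        r["ts"] = datetime.fromisoformat(r["ts"].replace("Z", "+00:00"))
        records.append(r)
    return records


def fanout_alerts(records: List[Dict], window: timedelta = timedelta(minutes=10),
                  min_msgs: int = 10, min_recipients: int = 10) -> List[Dict]:
    """Alert when one sender emits many separate messages with the same
    attachment to many distinct recipients inside `window`.

    Requiring a high message count *and* many distinct recipients is what
    separates a worm (one message per contact) from a newsletter (one
    message, many recipients).
    """
    groups: Dict[tuple, List[Dict]] = defaultdict(list)
    for r in records:
        if r.get("attachment_sha256"):
            groups[(r["sender"], r["attachment_sha256"])].append(r)

    alerts = []
    for (sender, sha), msgs in groups.items():
        msgs.sort(key=lambda r: r["ts"])
        best = None
        for i in range(len(msgs)):
            rcpts = set()
            j = i
            # Grow the window forward from message i.
            while j < len(msgs) and msgs[j]["ts"] - msgs[i]["ts"] <= window:
                rcpts.update(msgs[j]["rcpts"])
                j += 1
            n = j - i
            if n >= min_msgs and len(rcpts) >= min_recipients:
                if best is None or n > best["messages"]:
                    best = {"sender": sender, "attachment_sha256": sha,
                            "messages": n, "recipients": len(rcpts),
                            "first_seen": msgs[i]["ts"].isoformat()}
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for a in fanout_alerts(parse_log(SAMPLE_MAIL_LOG)):
        print(f"{a['sender']} sent {a['messages']} messages with attachment "
              f"{a['attachment_sha256'][:12]} to {a['recipients']} recipients "
              f"starting {a['first_seen']}")
```

Run against the sample, only the compromised mailbox is reported; the HR bulk mailing and the earlier one-off report from the same user are not. In production the same logic runs over the gateway’s message-tracking log, and the attachment hash can be replaced by a URL or a normalized subject line for lures that carry a link rather than a file.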

2. Employee Awareness Training

Technical controls are essential, but the human element remains the weakest link. Employees should be specifically educated that an unexpected attachment is suspicious even when it comes from a known contact, because that is exactly how this worm arrives. Verifying out of band before opening a file or link received via WhatsApp or email must become standard practice.

3. Optimizing Endpoint Detection and Response (EDR)

EDR configurations must be tuned to look for SORVEPOTEL’s behavior on the host. Security teams should alert on script engines (PowerShell, wscript/cscript for VBScript, mshta) being spawned by communication applications. The process hierarchy, Outlook or the WhatsApp desktop client as the parent of a shell or script host, is often the clearest sign of an active infection, and it does not depend on recognizing the specific payload.
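The process-ancestry rule described above, as an added example that is not the article’s or any EDR vendor’s detection logic. The events are a constructed JSON Lines sample in a Sysmon-like shape (parent image, image, command line); the host name, user name, file paths and the encoded command are assumptions. A comm-app parent with a script-host child is reported on its own, and command-line fragments typical of a staged download raise the severity:

```python
"""Process-ancestry detection: communication apps spawning script hosts.

Added example, not the article's or any EDR vendor's rule. Events are a
constructed JSON Lines sample in a Sysmon-like shape; host, user, paths
and the encoded command are assumptions for illustration.
"""
import json
from typing import Dict, List, Optional

# Parents that should essentially never launch a scripting engine directly.
COMM_APPS = {"outlook.exe", "whatsapp.exe"}
# Script hosts and LOLBins commonly used to stage a second-stage payload.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "cmd.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# Command-line fragments that raise an already suspicious ancestry to high.
HIGH_RISK_ARGS = ("-enc", "-encodedcommand", "-w hidden", "-windowstyle hidden",
                  "downloadstring", "invoke-webrequest", "frombase64string")

SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"ts": "2026-05-10T13:02:11Z", "host": "FIN-WS-017",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -w hidden -enc SQBFAFgA"},
    {"ts": "2026-05-10T13:02:40Z", "host": "FIN-WS-017",
     "parent_image": r"C:\Users\ana\AppData\Local\WhatsApp\WhatsApp.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "command_line": r"wscript.exe C:\Users\ana\AppData\Local\Temp\comprovante.vbs"},
    {"ts": "2026-05-10T13:03:05Z", "host": "FIN-WS-017",
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -NoProfile Get-Date"},
    {"ts": "2026-05-10T13:03:30Z", "host": "FIN-WS-017",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "command_line": r'WINWORD.EXE /n "C:\Users\ana\Downloads\agenda.docx"'},
])


def image_name(path: str) -> str:
    """Basename of a Windows or POSIX path, lower-cased for comparison."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(event: Dict) -> Optional[Dict]:
    """Return an alert for a comm-app -> script-host pair, else None."""
    parent = image_name(event.get("parent_image", ""))
    child = image_name(event.get("image", ""))
    if parent not in COMM_APPS or child not in SCRIPT_HOSTS:
        return None
    cmd = event.get("command_line", "").lower()
    indicators = [a for a in HIGH_RISK_ARGS if a in cmd]
    return {"ts": event.get("ts"), "host": event.get("host"),
            "parent": parent, "child": child,
            "severity": "high" if indicators else "medium",
            "indicators": indicators,
            "command_line": event.get("command_line", "")}


def detect(jsonl: str) -> List[Dict]:
    """Run classify() over a JSON Lines stream of process-creation events."""
    alerts = []
    for line in jsonl.splitlines():
        if line.strip():
            alert = classify(json.loads(line))
            if alert:
                alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a['severity'].upper()}] {a['host']} {a['ts']}: "
              f"{a['parent']} -> {a['child']} {a['indicators'] or ''}")
```

On the sample, the Outlook-to-PowerShell event with a hidden, encoded command is reported as high and the WhatsApp-to-wscript event as medium; Explorer launching PowerShell and Outlook launching Word are left alone. Outlook legitimately opens document handlers and browsers, so the allowlist of parents and the denylist of children both need tuning per estate, but the parent-child pairing itself is stable across payload rotations.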

The Changing Landscape of Banking Trojans

The move toward wormable financial malware is a significant shift. Campaigns are moving away from ‘spray and pray’ phishing sent from attacker-controlled infrastructure toward automated propagation from compromised, trusted accounts. The REF3076 group is likely testing this model on a limited scale; if it proves profitable, other operators can be expected to bolt similar worm components onto their own banking trojans.

Financial institutions, fintech firms, and crypto platforms must recognize that they are all in the crosshairs. Because the threat moves through messaging and email alike, defenders should move toward an integrated, zero-trust architecture in which every endpoint, including a colleague’s mailbox, is treated as a potential source of infection.

FAQ

What makes TCLBANKER different from other banking trojans?

Unlike traditional banking trojans that depend on one-off phishing emails or manual downloads, TCLBANKER ships with the SORVEPOTEL worm, which self-propagates through personal and professional communication channels and turns a single infection into a network-wide risk.

How can organizations defend against the SORVEPOTEL worm?

Defenses should combine EDR rules that flag communication apps spawning script hosts, application control that blocks unauthorized script execution, and email security policies that sandbox incoming attachments and flag anomalous outbound fan-out from a single mailbox.

Which platforms are most at risk from the REF3076 group?

The TCLBANKER trojan targets 59 distinct financial entities, including traditional banking portals, fintech applications, and cryptocurrency wallets. Any user of these services, particularly those who run desktop versions of messaging apps alongside their email client, should be on high alert.

Is the SORVEPOTEL worm capable of lateral movement?

Not in the classic sense of exploiting network services or reusing stolen credentials to reach other hosts. It spreads by abusing the contact lists and message history in Outlook and WhatsApp, which carries it across personal and professional boundaries with a comparable effect, and makes it particularly dangerous in remote-work or hybrid environments where one device handles both.

New TrickMo Variant: How TON C2 & SOCKS5 Threaten Android Security
https://www.cyberwavedigest.com/trickmo-variant-ton-c2-socks5-android-threat/
Thu, 14 May 2026 14:50:34 +0000

A sophisticated new TrickMo variant is reshaping the mobile threat landscape by utilizing decentralized TON C2 and SOCKS5 proxying to bypass traditional security controls.

New TrickMo Variant: How TON C2 and SOCKS5 Transform Mobile Threats

The mobile threat landscape has reached a new level of sophistication. Security professionals have long tracked TrickMo, an Android banking trojan known for harvesting credentials and abusing accessibility services. The discovery of a new TrickMo variant in early 2026 changes its threat profile. By using The Open Network (TON) blockchain for command and control (C2) and adding SOCKS5 proxy capability, this malware no longer just steals data; it turns infected phones into pivot points for wider network exploitation.

The Evolution of TrickMo

TrickMo has historically been categorized as a persistent and dangerous banking trojan. Its primary modus operandi involved overlay attacks and screen recording to intercept one-time passwords (OTPs) and banking credentials. Over the years, its developers have consistently refined its obfuscation techniques to evade Google Play Protect and signature-based antivirus engines.

The 2026 update represents a paradigm shift. Rather than relying on traditional, easily sinkhole-able C2 servers, the threat actors behind this version have pivoted toward decentralized infrastructure. This evolution highlights a broader trend: cybercriminals are increasingly adopting decentralized web technologies to make their C2 traffic resilient against takedowns and network filtering. This is not just a nuisance for end-users; it is a significant strategic threat to enterprise network integrity.

Technical Deep Dive: The TON C2 Infrastructure

One of the most concerning features of this variant is its TON-based C2. Instead of reaching out to a hard-coded IP address or registered domain, both of which a firewall or DNS filter can block and a takedown can sinkhole, the malware locates its C2 through addresses on the TON blockchain. The practical effect is that of a dead-drop resolver: the attacker changes where the live C2 lives by updating on-chain state, the infected device picks up the new location on its next lookup, and the traffic the device emits goes to public TON endpoints rather than to attacker-owned infrastructure.

Why Decentralized C2 Matters

  • Evasion of Network Controls: Because the traffic goes to blockchain nodes or public TON APIs rather than to attacker-owned hosts, security systems may already allow it as legitimate “crypto” activity, and blocking it outright would break legitimate wallet apps.
  • Resilience: There is no registrar or hosting provider to serve a takedown notice on, and no single node whose removal breaks the channel; the on-chain state that points at the C2 stays readable for as long as the network does.
  • Dynamic Loading: The functional code is a DEX module fetched and loaded at runtime and kept in memory rather than shipped inside the installed package. The APK that Google Play Protect or a static scanner inspects is therefore only a thin downloader, and the malicious logic never sits on storage as an APK.

Advanced Persistence and Network Pivoting

Perhaps the most alarming development is the SOCKS5 proxy functionality. By turning an infected Android device into a SOCKS5 proxy, attackers route their own traffic through the victim’s network, so it appears to originate from the victim’s residential or corporate IP address. This hides the true origin and defeats geo-blocking and IP allowlisting that a bank or corporate service applies to that address.

When an Android phone joins an enterprise Wi-Fi network, it becomes a host on that LAN. If the phone is compromised, the attacker can use the SOCKS5 proxy to scan the internal network, attempt lateral movement, or reach internal-only services that were never meant to be exposed to the internet. This elevates TrickMo from a banking threat to a network-security concern for IT decision-makers.
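To make the pivoting concrete, here is the SOCKS5 exchange itself (RFC 1928 framing, with the RFC 1929 username/password sub-negotiation) parsed from the first bytes of a flow, with the destination classified as internal or external. This is an added example for this article, not TrickMo code and not a ThreatFabric detection; the byte strings are constructed samples and the 10.0.2.20 target is an assumed internal host. One caveat a practitioner needs: on a reverse-connected proxy the SOCKS5 client greeting arrives on a connection the phone itself opened, so the “to proxy” bytes are the inbound direction of an outbound flow, and a detector must look at both directions.

```python
"""Recognise a SOCKS5 session from the first bytes of a TCP flow.

Added example for the article's pivoting discussion; not TrickMo code and
not a vendor detection. Byte strings below are constructed samples and
10.0.2.20 is an assumed internal host.
"""
import ipaddress
import struct
from typing import Dict, Optional

SOCKS_VERSION = 5
CMD_NAMES = {1: "CONNECT", 2: "BIND", 3: "UDP_ASSOCIATE"}
METHOD_NO_AUTH, METHOD_USERPASS, METHOD_REJECTED = 0x00, 0x02, 0xFF


def parse_greeting(data: bytes) -> Optional[Dict]:
    """Client greeting: VER NMETHODS METHODS[NMETHODS]"""
    if len(data) < 2 or data[0] != SOCKS_VERSION:
        return None
    n = data[1]
    if n == 0 or len(data) < 2 + n:
        return None
    return {"methods": list(data[2:2 + n]), "consumed": 2 + n}


def parse_userpass(data: bytes) -> Optional[Dict]:
    """RFC 1929 sub-negotiation: VER(0x01) ULEN UNAME PLEN PASSWD"""
    if len(data) < 2 or data[0] != 0x01:
        return None
    ulen = data[1]
    if len(data) < 3 + ulen:
        return None
    plen = data[2 + ulen]
    if len(data) < 3 + ulen + plen:
        return None
    return {"username": data[2:2 + ulen].decode("utf-8", "replace"),
            "consumed": 3 + ulen + plen}


def parse_request(data: bytes) -> Optional[Dict]:
    """Client request: VER CMD RSV ATYP DST.ADDR DST.PORT"""
    if len(data) < 4 or data[0] != SOCKS_VERSION or data[2] != 0:
        return None
    cmd, atyp = data[1], data[3]
    if cmd not in CMD_NAMES:
        return None
    if atyp == 0x01:  # IPv4, 4 bytes
        if len(data) < 10:
            return None
        host, end = str(ipaddress.IPv4Address(data[4:8])), 8
    elif atyp == 0x03:  # domain name, 1-byte length prefix
        ln = data[4]
        if len(data) < 5 + ln + 2:
            return None
        host, end = data[5:5 + ln].decode("ascii", "replace"), 5 + ln
    elif atyp == 0x04:  # IPv6, 16 bytes
        if len(data) < 22:
            return None
        host, end = str(ipaddress.IPv6Address(data[4:20])), 20
    else:
        return None
    port = struct.unpack("!H", data[end:end + 2])[0]
    return {"cmd": CMD_NAMES[cmd], "atyp": atyp, "host": host, "port": port}


def classify_flow(to_proxy: bytes, from_proxy: bytes) -> Optional[Dict]:
    """Return a verdict if the flow looks like SOCKS5, else None.

    `internal_target` is the signal that matters for the pivoting case:
    the proxy being asked to CONNECT to a private address inside the LAN.
    """
    greeting = parse_greeting(to_proxy)
    if greeting is None or len(from_proxy) < 2 or from_proxy[0] != SOCKS_VERSION:
        return None
    chosen = from_proxy[1]
    verdict = {"offered_methods": greeting["methods"], "chosen_method": chosen,
               "username": None, "request": None, "internal_target": False}
    if chosen == METHOD_REJECTED:
        return verdict
    offset = greeting["consumed"]
    if chosen == METHOD_USERPASS:
        auth = parse_userpass(to_proxy[offset:])
        if auth is None:
            return verdict
        verdict["username"] = auth["username"]
        offset += auth["consumed"]
    req = parse_request(to_proxy[offset:])
    verdict["request"] = req
    if req and req["atyp"] in (0x01, 0x04):
        verdict["internal_target"] = ipaddress.ip_address(req["host"]).is_private
    return verdict


# Constructed samples: a no-auth CONNECT to 10.0.2.20:443 inside the LAN,
# and a username/password session to an external host.
PIVOT_TO_PROXY = b"\x05\x01\x00" + b"\x05\x01\x00\x01\x0a\x00\x02\x14\x01\xbb"
PIVOT_FROM_PROXY = b"\x05\x00"
AUTH_TO_PROXY = (b"\x05\x02\x00\x02" + b"\x01\x03bob\x06s3cret"
                 + b"\x05\x01\x00\x03\x0bexample.com\x00\x50")
AUTH_FROM_PROXY = b"\x05\x02" + b"\x01\x00"

if __name__ == "__main__":
    print("pivot", classify_flow(PIVOT_TO_PROXY, PIVOT_FROM_PROXY))
    print("auth ", classify_flow(AUTH_TO_PROXY, AUTH_FROM_PROXY))
    print("http ", classify_flow(b"GET / HTTP/1.1\r\n", b"HTTP/1.1 200 OK\r\n"))
```

The first sample resolves to a CONNECT to 10.0.2.20:443 with `internal_target` true, which is the phone-as-pivot case; the second carries a username and an external domain; the HTTP flow is not SOCKS5 at all. Fed the first few hundred bytes of each direction from a flow collector, this is enough to tag phones that are proxying on behalf of someone else, independent of which C2 scheme the malware uses to receive its orders.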

Threat Scope: Targeted Regions and Objectives

According to recent reports, the activity window for this variant was heavily concentrated between January and February 2026. The attackers demonstrated a clear focus on the European market, with significant activity detected in France, Italy, and Austria. The primary targets remain financial applications and cryptocurrency wallets, confirming that the economic motivation remains the core driver for these campaigns.

By focusing on regions with high digital banking adoption, the attackers maximize their return on investment. The transition toward network-level pivoting suggests that while they are currently focused on banking theft, they are building the infrastructure necessary to conduct much larger, multi-stage attacks in the future.

Mitigation and Defensive Strategies

Defending against an Android banking trojan that utilizes advanced network techniques requires a multi-layered approach. Because the malware abuses legitimate Android Accessibility Services to perform its tasks, simple permissions management is often insufficient.

Best Practices for Security Professionals

  • Endpoint Monitoring: Deploy Mobile Threat Defense (MTD) that can detect code loaded and executed from memory and unauthorized use of accessibility services.
  • Network Traffic Analysis: Look for SOCKS5 handshakes inside long-lived outbound connections from phones, and for phones originating connections to internal hosts they have no business reaching. Egress filtering and anomaly detection on the mobile network segment are critical.
  • Zero Trust for Mobile: Treat mobile devices as untrusted endpoints. Do not allow mobile devices direct, unauthenticated access to sensitive internal resources. Implement per-app VPNs or robust identity-aware proxy (IAP) systems.
  • Educate Users: While technical controls are vital, users must be warned against side-loading APKs from unknown sources, which remains the primary delivery vector for TrickMo.

As ThreatFabric researchers have noted, the modularity of this variant is its greatest strength. By separating the downloader from the functional payload, the developers are making it increasingly difficult for signature-based detection to keep pace. Organizations must shift their focus toward behavioral analysis and real-time network monitoring.

Conclusion: Staying Ahead of 2026 Threats

The latest TrickMo variant is a stark reminder that mobile malware is no longer confined to the screen of the victim’s device. Through the integration of the TON blockchain for C2 and SOCKS5 proxying for pivoting, attackers are extending their reach into the internal networks of businesses and homes alike. Protecting against this level of sophistication requires a proactive, intelligence-driven approach that prioritizes network visibility and zero-trust principles.

FAQ

What is TrickMo?

TrickMo is an Android banking trojan designed to steal credentials and facilitate unauthorized transactions by abusing accessibility services and overlaying legitimate apps.

How does the TON C2 work?

The malware leverages the TON blockchain’s decentralized architecture to send and receive commands, making the C2 traffic harder to block compared to traditional static IP or domain-based C2 servers.

Why is the use of SOCKS5 in mobile malware dangerous?

SOCKS5 allows attackers to route their traffic through an infected device, effectively masking their origin and enabling them to access internal network resources from an external position.

How can I detect if my network is being used for proxying?

Monitor network logs for unusual, high-volume, or sustained outbound connections from mobile devices, and for mobile devices connecting to internal services they do not normally use. A SOCKS5 handshake observed inside a connection the phone itself initiated is a strong indicator that the device is proxying for someone else.
