Retefe Banking trojan is a malware typically spread through email attachments disguised as an order or invoice-type document. Once the malware has infected a device, it installs several components, including the Tor network browser, and uses these to create a proxy for targeting banking sites. When the victims attempt to access their online banking website, they are redirected to a spoofed version of the website instead. Retefe utilizes a fake root certificate that is displayed as if it has been issued and verified by certificate authority, Comodo, making it even more difficult for victims to recognize the spoofed site. The trojan has also been observed attempting to trick users into installing the Spy Banker malware. This component is used to bypass two-factor authentication. A similar Retefe variant uses the Tor2web service for anonymization without using the Tor browser. All major browsers are affected by the Retefe trojan, including Google Chrome, Internet Explorer, and Mozilla Firefox. Retefe has targeted UK, Swiss, and Austrian banking customers.

ESET provides an automated “Retefe Checker” as well as instructions for manually determining if you’ve been a victim of the trojan. ESET also lists the domains that have been targeted by Retefe.


  • November 2016: Retefe trojan targeted Tesco Bank and other UK financial institutions. (ESET)

  • September 2017: Updated Retefe trojan leverages the EternalBlue exploit in campaign against Swiss targets. A Mac OS compatible version of the trojan was also distributed between June and August 2017. (Proofpoint)

  • May 2019: Retefe trojan returns with more regular attacks with both a Windows and macOS version and is distributed through fake app installers. (Proofpoint)

Technical Details

  • Avast provides technical details and revolution of the Retefe banking trojan, here.


Examples of the Retefe Banking trojan. Image Source: ESET

Trojan VariantsNJCCICRetefe