MALWARE FAMILY💰 FINANCIALHIGH

Tinba

Internal ID: win.tinba
1
aliases
Last seen:Mar 17, 2026

Intelligence Profile

F-Secure notes that TinyBanker or short Tinba is usually distributed through malvertising (advertising content that leads the user to sites hosting malicious threats), exploit kits and spam email campaigns. According to news reports, Tinba has been found targeting bank customers in the United States and Europe.

If Tinba successfully infects a device, it can steal banking and personal information through webinjects. To do this, the malware monitors the user's browser activity and if specific banking portals are visited, Tinba injects code to present the victim with fake web forms designed to mimic the legitimate web site. The malware then tricks them into entering their personal information, log-in credentials, etc in the legitimate-looking page.

Tinba may also display socially-engineered messages to lure or pressure the user into entering their information on the fake page; for example, a message may be shown which attempts to convince the victim that funds were accidentally deposited to his account and must be refunded immediately.

Threat Analysis

Tinba is a malware family tracked by threat intelligence researchers and catalogued in the Malpedia dataset. It represents a distinct malicious software lineage with identifiable code characteristics, behaviors, and victimology.

Financially motivated threat actors like Tinba prioritize monetary gain through methods such as ransomware deployment, banking trojans, cryptocurrency theft, BEC scams, or credential harvesting for resale on underground markets.

With high sophistication, Tinba is capable of targeted intrusions using adapted commodity tools alongside custom implants, maintaining operational security and evading standard detection mechanisms.

External References

Quick Facts

TypeMalware Family
Motivation💰 financial
Sophisticationhigh
Aliases1

Also Known As

win.tinba

Research Links

Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.