A banking trojan propagating via WhatsApp worms to 59 named financial platforms is not a targeting problem. It is a distribution problem: TCLBanker does not need to find its victims, because its victims are already in each other's contact lists. The worm mechanism exploits group-chat infrastructure that APAC financial institutions normalized during the 2020-2022 remote-work expansion and never formally reviewed under acceptable-use policy; the trojan reaches a compliance officer by traveling first through the relationship manager three desks over.

The Privacy Commissioner's office frames mandatory breach notification as closing an accountability gap. The gap TCLBanker is exploiting is different: no MAS TRM obligation, no HKMA supervisory circular, and no provision in Hong Kong's tightening cyber framework currently requires an institution to audit whether WhatsApp Desktop is permitted to spawn child processes on a regulated-activity workstation. The control that changes this outcome is an endpoint management profile that prevents messaging application processes from executing external payloads, a configuration change that costs an afternoon to deploy and requires no new legislation to mandate.