Published on May 9, 2026

TCLBANKER Banking Trojan Targets Financial Platforms via WhatsApp and Outlook Worms

Severity

Medium

Detail

Researchers have identified a new Brazilian banking trojan named TCLBANKER, tracked by Elastic Security Labs as REF3076. The malware targets 59 banking, fintech, and cryptocurrency platforms and is believed to be a major evolution of the Maverick malware family linked to the Water Saci threat cluster.

TCLBANKER combines advanced anti-analysis techniques, credential theft capabilities, and large-scale propagation through hijacked WhatsApp and Microsoft Outlook sessions.

How?

The infection begins with a malicious ZIP archive containing an MSI installer that abuses Logitech’s signed “Logi AI Prompt Builder” application for DLL side-loading. A malicious DLL named “screen_retriever_plugin.dll” is then executed as the primary loader.

Before deploying its payload, the malware performs multiple anti-analysis checks to detect debuggers, sandboxes, antivirus products, and virtualized environments. It also verifies that the system language is set to Brazilian Portuguese, removes security hooks from “ntdll.dll,” and disables Event Tracing for Windows (ETW) to evade detection.

Once active, TCLBANKER establishes persistence through scheduled tasks and communicates with command-and-control servers using HTTP POST and WebSocket connections. The malware continuously monitors browser URLs across Chrome, Edge, Firefox, Brave, Opera, and Vivaldi, comparing visited sites against a hard-coded list of targeted banking and cryptocurrency platforms.

If a match is detected, attackers can remotely execute commands, capture screenshots, launch keyloggers, manipulate the clipboard, control the mouse and keyboard, and deploy fake credential-harvesting overlays designed to mimic banking portals or Windows update screens.

In parallel, a worming module hijacks authenticated WhatsApp Web and Microsoft Outlook sessions to distribute phishing messages and malicious installers directly from the victim’s own accounts to their contacts, helping the malware bypass traditional reputation-based security controls.

Conclusion

TCLBANKER demonstrates the growing sophistication of Brazilian banking trojans by combining advanced defense evasion, real-time remote control, and trusted-channel propagation through compromised messaging and email accounts.

Organizations should monitor for suspicious DLL side-loading, ETW tampering, unusual scheduled task creation, browser automation activity, and unauthorized Outlook or WhatsApp behavior. Strengthening EDR monitoring, enforcing MFA, and improving phishing awareness remain critical to mitigating threats like TCLBANKER.

Source

https://thehackernews.com/2026/05/tclbanker-banking-trojan-targets.html