

Ethical Hacking News

New Banking Trojan TCLBanker Spreads Through WhatsApp and Outlook



A new banking trojan named TCLBanker has emerged, targeting 59 different platforms and spreading rapidly across WhatsApp and Outlook. With its extensive capabilities and sophisticated overlay system, TCLBanker provides cybercriminals with a wide range of features that can be used to steal sensitive information or disrupt operations. The malware's ability to propagate autonomously to contacts linked to the primary victim makes it a highly contagious threat, and its potential for expansion is high.

  • TCLBanker is a new banking trojan spreading rapidly across WhatsApp and Outlook.
  • The malware targets 59 different platforms, providing cybercriminals with features to steal sensitive information.
  • The primary method of infection is through a trojanized MSI installer for Logitech AI Prompt Builder.
  • TCLBanker includes self-spreading worm modules, allowing it to automatically infect new victims without user intervention.
  • The malware offers extensive capabilities, including live screen streaming and remote mouse/keyboard control.
  • The trojan's overlay system can push fake credential prompts and other fake screens, making the malicious activity harder for the victim to detect.
  • TCLBanker has the potential to expand globally, especially in the LATAM region.



The cybersecurity landscape has recently been hit with a new banking trojan named TCLBanker, which is spreading rapidly across various platforms, including WhatsApp and Outlook. According to Elastic Security Labs, the malware specifically targets 59 different banking, fintech, and cryptocurrency platforms, providing cybercriminals with a wide range of features that are perfect for stealing sensitive information.

TCLBanker makes use of a trojanized MSI installer for Logitech AI Prompt Builder as its primary method of infection. This means that the user will likely not detect it at first glance, as it masquerades as a legitimate application. However, the malware is extremely well-protected against analysis and debugging. Elastic Security Labs reported that it features environment-dependent payload decryption routines that fail in sandboxes or analyst environments.

This banking trojan also includes self-spreading worm modules for WhatsApp and Outlook, allowing the malicious code to automatically infect new victims. This makes TCLBanker a highly contagious threat, as it can spread rapidly across different platforms without requiring any direct intervention from the user.

The malware's capabilities are extensive, including live screen streaming, screenshot capturing, keylogging, clipboard hijacking, shell command execution, window management, file system access, process enumeration, remote mouse/keyboard control, and more. These features provide the operators with complete control over the victim's system, allowing them to steal sensitive information, disrupt operations, or even completely take over the system.

In addition to its extensive capabilities, TCLBanker also includes a sophisticated overlay system that can push fake credential prompts, PIN keypads, phone-number collection forms, fake "bank support" waiting screens, fake Windows Update screens, and various other fake progress screens. This is designed to make it even more difficult for the victim to detect the malicious activity.

Furthermore, TCLBanker uses a WPF-based overlay system that can mask parts of real applications, while only showing selected portions to the user. This feature provides further protection for the malware, making it even harder to detect and analyze.

Another interesting aspect of TCLBanker is its ability to propagate autonomously to contacts linked to the primary victim. The malware searches Chromium browser profiles for authenticated WhatsApp Web IndexedDB data, and launches a hidden Chromium instance that hijacks the victim's account. It then harvests contacts, filters for Brazilian numbers, and sends them spam messages from the victim's account, leading them to TCLBanker distribution platforms.

The malware also abuses Microsoft Outlook through COM automation, launching the app, harvesting contacts and sender addresses, and sending phishing emails through the victim's email account.
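The two propagation mechanisms described above leave host-level traces a defender can look for: a browser launched with no visible window against a profile directory it would not normally use, and Outlook being started as an out-of-process COM server rather than by the user. The following is an added detection example, not Elastic Security Labs' logic and not derived from TCLBanker samples: it runs two general heuristics over constructed, Sysmon-style process-creation events. Field names (`image`, `parent_image`, `cmdline`), the sample paths and the choice of signals (hidden-window flags such as `--headless` or an off-screen `--window-position`, an explicit `--user-data-dir`, a non-Explorer parent, and Outlook started with the standard COM `-Embedding` switch by a `svchost.exe` host) are assumptions of this example.

```python
"""Heuristic detection for (a) a hidden Chromium launch reusing a browser
profile and (b) Outlook activated as a COM server.
Added example: the events below are constructed, not captured from TCLBanker,
and the field names follow a Sysmon-like layout that is assumed, not given."""
import ntpath
import shlex

# Browser binaries built on Chromium (assumed list for this example).
CHROMIUM_IMAGES = {"chrome.exe", "msedge.exe", "chromium.exe", "brave.exe"}

# Constructed sample events: indexes 0 and 2 are ordinary interactive launches,
# 1 and 3 are the two suspicious shapes described in the lead-in.
SAMPLE_EVENTS = [
    {"image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Program Files\Google\Chrome\Application\chrome.exe"'},
    {"image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent_image": r"C:\Users\alice\AppData\Local\Temp\promptbuilder.exe",  # hypothetical dropper name
     "cmdline": r"chrome.exe --headless=new "
                r"--user-data-dir=C:\Users\alice\AppData\Local\Temp\wa_profile "
                r"https://web.whatsapp.com"},
    {"image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"'},
    {"image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "parent_image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r'"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE" -Embedding'},
]


def _tokens(cmdline):
    # posix=False keeps Windows backslashes and quoted paths intact.
    return shlex.split(cmdline, posix=False)


def _hidden_window_flag(tokens):
    """True when the command line asks for no visible window: --headless,
    or a --window-position with a negative (off-screen) coordinate."""
    for t in tokens:
        if t.startswith("--headless"):
            return True
        if t.startswith("--window-position="):
            coords = t.split("=", 1)[1].split(",")
            if any(c.strip().startswith("-") for c in coords):
                return True
    return False


def check_hidden_chromium(ev):
    """Flag a Chromium-family process when at least two signals co-occur."""
    if ntpath.basename(ev["image"]).lower() not in CHROMIUM_IMAGES:
        return None
    tokens = _tokens(ev["cmdline"])
    signals = []
    if _hidden_window_flag(tokens):
        signals.append("hidden-window flag")
    if any(t.startswith("--user-data-dir=") for t in tokens):
        signals.append("explicit --user-data-dir")
    if ntpath.basename(ev["parent_image"]).lower() != "explorer.exe":
        signals.append("non-Explorer parent")
    if len(signals) >= 2:
        return {"rule": "hidden_chromium", "signals": signals}
    return None


def check_outlook_com_activation(ev):
    """Flag Outlook started as an out-of-process COM server: the -Embedding
    switch with the DCOM launcher (svchost.exe) as parent. Legitimate
    automation produces the same shape, so treat this as a correlation signal."""
    if ntpath.basename(ev["image"]).lower() != "outlook.exe":
        return None
    embedding = any(t.lower() == "-embedding" for t in _tokens(ev["cmdline"]))
    parent = ntpath.basename(ev["parent_image"]).lower()
    if embedding and parent == "svchost.exe":
        return {"rule": "outlook_com_activation",
                "signals": ["-Embedding switch", "DcomLaunch parent"]}
    return None


def detect(events):
    """Run both checks over an event list; return findings with their index."""
    findings = []
    for idx, ev in enumerate(events):
        for check in (check_hidden_chromium, check_outlook_com_activation):
            hit = check(ev)
            if hit:
                hit["index"] = idx
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

The Outlook check is deliberately weak on its own: any legitimate program that automates Outlook through COM starts it the same way, so the useful follow-up is to correlate the event with the COM client (the process that requested the `Outlook.Application` object) and ask whether that client should be sending mail at all. The Chromium check scores signals rather than matching a fixed string because the flags and profile path are under the attacker's control; two of three independent anomalies is a more robust trigger than any one of them.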

Elastic Security Labs concludes that TCLBanker is a characteristic example of the evolution of LATAM malware, offering lower-tier cybercriminals features that were once only available in highly sophisticated tools. The researchers also warned that, although the threat is currently focused on Brazil and the LATAM region, it has a high potential for expansion.



Related Information:
  • https://www.ethicalhackingnews.com/articles/New-Banking-Trojan-TCLBanker-Spreads-Through-WhatsApp-and-Outlook-ehn.shtml
  • https://www.bleepingcomputer.com/news/security/new-tclbanker-malware-self-spreads-over-whatsapp-and-outlook/
  • https://cyberinsider.com/new-tclbanker-malware-self-spreads-through-whatsapp-and-outlook/
  • https://www.forbes.com/sites/daveywinder/2026/04/04/whatsapp-attacks-microsoft-shares-warning-3-billion-users-must-heed/


  • Published: Thu May 7 18:14:50 2026 by llama3.2 3B Q4_K_M