Ethical Hacking News

TCLBANKER: The Latest Banking Trojan to Target Financial Platforms via WhatsApp and Outlook Worms



New Banking Trojan TCLBANKER Targets Financial Platforms via WhatsApp and Outlook Worms

A new banking Trojan, dubbed TCLBANKER, is targeting financial platforms and spreading through worm components that abuse WhatsApp and Microsoft Outlook. This is not an isolated incident; it is another sign of a maturing Brazilian banking trojan ecosystem.



  • TCLBANKER is a new banking Trojan targeting financial platforms through WhatsApp and Microsoft Outlook.
  • The malware leverages a worm called SORVEPOTEL to spread via WhatsApp Web to a victim's contacts.
  • The Trojan has robust anti-analysis capabilities, including a comprehensive watchdog subsystem.
  • The malware generates three fingerprints based on anti-debugging and anti-virtualization checks, system disk information checks, and language checks.
  • TCLBANKER incorporates a self-update mechanism and a URL monitor to extract the current URL from the foreground browser's address bar.
  • The Trojan enables operators to perform a range of tasks, including running shell commands, capturing screenshots, and remotely controlling mouse/keyboard.



    THN has broken the story of a new banking Trojan, dubbed TCLBANKER, that targets financial platforms and spreads through worm components that abuse WhatsApp and Microsoft Outlook. This is not an isolated incident; it is another sign of a maturing Brazilian banking trojan ecosystem.

    The activity is being tracked by Elastic Security Labs under the moniker REF3076. The malware family is assessed to be a major update of Maverick, which is known to leverage a worm called SORVEPOTEL to spread via WhatsApp Web to a victim's contacts. The Maverick campaign is attributed to a threat cluster that Trend Micro calls Water Saci.

    At the core of the attack chain is a loader with robust anti-analysis capabilities that deploys two embedded modules: a full-featured banking trojan and a worm component that uses WhatsApp and Microsoft Outlook for propagation. The observed infection chain bundles a malicious MSI installer inside a ZIP file. These MSI installer packages are abusing a signed Logitech program called Logi AI Prompt Builder.

    The malware leverages DLL side-loading against the application to launch a malicious DLL ("screen_retriever_plugin.dll"), which functions as a loader with a "comprehensive watchdog subsystem" that continuously keeps an eye out for analysis tools, sandboxes, debuggers, disassemblers, instrumentation tools, and antivirus software to sidestep detection. Specifically, the malicious DLL will only execute if it was loaded by either "logiaipromptbuilder.exe" (the Logitech program) or "tclloader.exe" (likely a reference to an executable used during testing). It also removes any usermode hooks placed by endpoint security software within "ntdll.dll" and disables Event Tracing for Windows (ETW) telemetry.
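    The side-loading step above gives defenders three concrete things to look for: the DLL name, the two host executables that the DLL insists on being loaded by, and the MSI-based delivery. The following Python hunting helper is an added example (not Elastic's, THN's, or the malware authors' code) that scores Sysmon-style image-load records against those indicators. The event field names and the sample records are constructed for illustration; the assumptions that a dropped DLL sits in a user-writable directory and that the host process is spawned by msiexec.exe are mine, not facts stated in the article.

```python
"""Hunting helper for the TCLBANKER DLL side-loading chain.

Added example, not code from the article or from Elastic Security Labs.
Records mimic Sysmon Event ID 7 (ImageLoaded) joined with the parent
process from Event ID 1 (ProcessCreate); all samples below are constructed.
"""
from __future__ import annotations

import ntpath
from dataclasses import dataclass

# Names taken directly from the article.
SIDELOADED_DLL = "screen_retriever_plugin.dll"
HOST_EXES = {"logiaipromptbuilder.exe", "tclloader.exe"}

# Assumption: a DLL dropped by the ZIP/MSI chain lands in a user-writable
# directory rather than under Program Files.
USER_WRITABLE_MARKERS = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")


@dataclass
class ImageLoadEvent:
    process_image: str      # full path of the process doing the load
    image_loaded: str       # full path of the DLL being loaded
    signed: bool            # Sysmon 'Signed' field for the DLL
    parent_image: str = ""  # parent of the loading process, if joined


def _name(path: str) -> str:
    """Case-folded file name; ntpath handles Windows paths on any OS."""
    return ntpath.basename(path).lower()


def _in_user_writable_dir(path: str) -> bool:
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE_MARKERS)


def evaluate(ev: ImageLoadEvent) -> list[tuple[str, str]]:
    """Return (severity, reason) findings for one image-load record.

    Only loads by the two host executables the loader accepts are scored,
    because that parent-process gate is the pivot point of the chain.
    """
    findings: list[tuple[str, str]] = []
    host = _name(ev.process_image)
    dll = _name(ev.image_loaded)
    parent = _name(ev.parent_image) if ev.parent_image else ""
    if host not in HOST_EXES:
        return findings
    if dll == SIDELOADED_DLL:
        findings.append(("high", f"{host} loaded {SIDELOADED_DLL} (TCLBANKER loader name)"))
    if not ev.signed and _in_user_writable_dir(ev.image_loaded):
        findings.append(("medium", f"{host} loaded unsigned DLL {dll} from a user-writable directory"))
    if parent == "msiexec.exe":
        findings.append(("medium", f"{host} was started by msiexec.exe (MSI-in-ZIP delivery, assumed)"))
    return findings


def hunt(events: list[ImageLoadEvent]) -> list[tuple[int, list[tuple[str, str]]]]:
    """Index every record that produced at least one finding."""
    results = []
    for idx, ev in enumerate(events):
        found = evaluate(ev)
        if found:
            results.append((idx, found))
    return results


# Constructed sample telemetry: one benign load by the real Logitech install,
# one load matching the side-loading chain, one unrelated browser load.
SAMPLE_EVENTS = [
    ImageLoadEvent(
        process_image=r"C:\Program Files\Logitech\LogiAIPromptBuilder\logiaipromptbuilder.exe",
        image_loaded=r"C:\Windows\System32\kernel32.dll",
        signed=True,
        parent_image=r"C:\Windows\explorer.exe",
    ),
    ImageLoadEvent(
        process_image=r"C:\Users\alice\AppData\Local\Temp\LogiAI\logiaipromptbuilder.exe",
        image_loaded=r"C:\Users\alice\AppData\Local\Temp\LogiAI\screen_retriever_plugin.dll",
        signed=False,
        parent_image=r"C:\Windows\System32\msiexec.exe",
    ),
    ImageLoadEvent(
        process_image=r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        image_loaded=r"C:\Users\alice\AppData\Local\Temp\random.dll",
        signed=False,
    ),
]

if __name__ == "__main__":
    for idx, found in hunt(SAMPLE_EVENTS):
        for severity, reason in found:
            print(f"[{severity}] event {idx}: {reason}")
```

    The three checks are deliberately independent: the DLL-name match catches this sample, while the unsigned-DLL-from-user-writable-path and msiexec-parent checks remain useful when the DLL is renamed, which is the usual next move once an indicator is published.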

    What's more, the malware generates three fingerprints based on anti-debugging and anti-virtualization checks, system disk information checks, and language checks. It uses these to create an environment hash value that is used to decrypt the embedded payload. The system language check ensures that the user's default language is Brazilian Portuguese.

    Furthermore, TCLBANKER incorporates a self-update mechanism and a URL monitor that extracts the current URL from the foreground browser's address bar using UI Automation. This step targets popular browsers like Google Chrome, Mozilla Firefox, Microsoft Edge, Brave, Opera, and Vivaldi. The extracted URL is matched against a hard-coded list of targeted financial institutions.

    If there is a match, it establishes a WebSocket connection to a remote server and enters into a command dispatch loop, enabling the operator to perform a broad range of tasks, including:

    - Run shell commands
    - Capture screenshots
    - Start/stop screen streaming
    - Manipulate clipboard
    - Launch a keylogger
    - Remotely control mouse/keyboard
    - Manage files and processes
    - Enumerate running processes
    - List visible windows
    - Serve fake credential-stealing overlays

    In order to conduct data theft, TCLBANKER relies on a Windows Presentation Foundation (WPF)-based full-screen overlay framework to conduct social engineering using credential harvesting prompts, vishing wait screens, bogus progress bars, and fake Windows Updates. All of this is done while hiding overlays from screen capture tools.

    The loader invokes the worming module to propagate the Trojan via spam and phishing messages at scale. It employs a two-pronged approach that involves a WhatsApp Web worm that hijacks authenticated browser sessions and an Outlook email bot that abuses Microsoft Outlook to send fake emails to the victim's contacts.

    Like in the case of SORVEPOTEL, the WhatsApp worm retrieves a messaging template from the server and leverages the open-source project WPPConnect to automate the sending of messages to other users. It filters out groups, broadcasts, and non-Brazilian numbers.

    The Outlook agent, on the other hand, is an email spambot that abuses the victim's installed Microsoft Outlook application to send phishing emails from the victim's email address. This gives the messages an illusion of trust and bypasses spam filters.

    The campaign inherits the trust and deliverability of legitimate communications by hijacking victims' WhatsApp sessions and Outlook accounts. It reflects a broader maturation happening across the Brazilian banking trojan ecosystem. Techniques that were once the hallmark of more sophisticated threat actors are now being packaged into commodity crimeware.

    "The observed infection chain bundles a malicious MSI installer inside a ZIP file," security researchers Jia Yu Chan, Daniel Stepanic, Seth Goodwin, and Terrance DeJesus said. "These MSI installer packages are abusing a signed Logitech program called Logi AI Prompt Builder."

    "The campaign inherits the trust and deliverability of legitimate communications by hijacking victims' WhatsApp sessions and Outlook accounts," Elastic concluded. "This is a distribution model that traditional email gateways and reputation-based defenses are ill-equipped to catch."

    In summary, TCLBANKER represents a new level of sophistication in the Brazilian banking trojan ecosystem, bringing techniques that were once reserved for more advanced threat actors into mainstream crimeware.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/TCLBANKER-The-Latest-Banking-Trojan-to-Target-Financial-Platforms-via-WhatsApp-and-Outlook-Worms-ehn.shtml

  • https://thehackernews.com/2026/05/tclbanker-banking-trojan-targets.html


  • Published: Fri May 8 14:27:15 2026 by llama3.2 3B Q4_K_M













    © Ethical Hacking News . All rights reserved.