{"id":861,"date":"2026-05-08T18:56:40","date_gmt":"2026-05-08T18:56:40","guid":{"rendered":"https:\/\/thedigitalfortress.us\/?p=861"},"modified":"2026-05-08T18:56:40","modified_gmt":"2026-05-08T18:56:40","slug":"tclbanker-banking-trojan-targets-financial-platforms-via-whatsapp-and-outlook-worms","status":"publish","type":"post","link":"https:\/\/thedigitalfortress.us\/?p=861","title":{"rendered":"TCLBANKER Banking Trojan Targets Financial Platforms via WhatsApp and Outlook Worms"},"content":{"rendered":"
\n
<\/a><\/div>\n

Threat hunters have flagged a previously undocumented Brazilian banking trojan dubbed TCLBANKER<\/strong> that’s capable of targeting 59 banking, fintech, and cryptocurrency platforms.<\/p>\n

The activity is being tracked by Elastic Security Labs under the moniker REF3076<\/strong>. The malware family is assessed to be a major update of the Maverick, which is known to leverage a worm called SORVEPOTEL to spread via WhatsApp Web to a victim’s contacts. The Maverick campaign is attributed to a threat cluster that Trend Micro calls Water Saci.<\/p>\n

At the core of the attack chain is a loader with robust anti-analysis capabilities that deploys two embedded modules: a full-featured banking trojan and a worm component that uses WhatsApp and Microsoft Outlook for propagation.<\/p>\n

\u00abThe observed infection chain bundles a malicious MSI installer inside a ZIP file,\u00bb security researchers Jia Yu Chan, Daniel Stepanic, Seth Goodwin, and Terrance DeJesus said<\/a>. \u00abThese MSI installer packages are abusing a signed Logitech program called Logi AI Prompt Builder.\u00bb<\/p>\n

The malware leverages DLL side-loading against the application to launch a malicious DLL (\u00abscreen_retriever_plugin.dll\u00bb), which functions as a loader with a \u00abcomprehensive watchdog subsystem\u00bb that continuously keeps an eye out for analysis tools, sandboxes, debuggers, disassemblers, instrumentation tools, and antivirus software to sidestep detection.<\/p>\n

Specifically, the malicious DLL will only execute if it was loaded by either \u00ablogiaipromptbuilder.exe\u00bb (the Logitech program) or \u00abtclloader.exe\u00bb (likely a reference to an executable used during testing). It also removes any usermode hooks placed by endpoint security software within \u00abntdll.dll\u00bb by replacing the library and disables Event Tracing for Windows (ETW) telemetry.<\/p>\n

\n
\"Cybersecurity\"<\/a><\/div>\n<\/div>\n

What’s more, the malware generates three fingerprints based on anti-debugging and anti-virtualization checks, system disk information checks, and language checks, using them to create an environment hash value that’s used to decrypt the embedded payload. The system language check ensures that the user’s default language is Brazilian Portuguese.<\/p>\n

\u00abFor example, if a debugger is present, it will produce an incorrect hash, so when the malware attempts to derive the decryption keys from the hash, the payload will not decrypt correctly, and TCLBANKER will stop executing,\u00bb Elastic explained.<\/p>\n

The main component launched following these checks is the banking trojan that once again verifies if it’s running on a Brazilian system, and then proceeds to establish persistence using a scheduled task.Subsequently, it beacons out to an external server with an HTTP POST request containing basic system information.<\/p>\n

TCLBANKER also incorporates a self-update mechanism and a URL monitor that extracts the current URL from the foreground browser’s address bar using UI Automation. This step targets popular browsers like Google Chrome, Mozilla Firefox, Microsoft Edge, Brave, Opera, and Vivaldi.<\/p>\n

The extracted URL is matched against a hard-coded list of targeted financial institutions. If there is a match, it establishes a WebSocket connection to a remote server and enters into a command dispatch loop, enabling the operator to perform a broad range of tasks –<\/p>\n