TCLBANKER Banking Trojan Expands Financial Malware Threat by Hijacking WhatsApp and Outlook Sessions for Large-Scale Financial Fraud Campaigns
Newly Identified Brazilian Banking Trojan Uses Worm-Like Propagation, Anti-Analysis Techniques, and Fake Financial Overlays to Target Banking, Fintech, and Cryptocurrency Platforms
Cybersecurity researchers have identified a new Brazilian banking trojan called TCLBANKER that targets dozens of banking, fintech, and cryptocurrency platforms through advanced malware delivery and social engineering techniques.
The malware campaign is being tracked as REF3076 and is believed to be connected to previous Brazilian banking malware operations associated with Maverick and the SORVEPOTEL worm ecosystem. Unlike traditional banking malware that focuses only on credential theft, TCLBANKER combines banking trojan capabilities with worm-like propagation through both WhatsApp Web and Microsoft Outlook.
Researchers observed that the malware abuses legitimate signed software and uses sophisticated anti-analysis protections to avoid detection. In addition, the campaign focuses heavily on Brazilian users and financial institutions, although the techniques used could easily evolve into broader international operations.
HOW THE ATTACK WORKS
The infection chain begins with a malicious ZIP archive containing an MSI installer. Inside the package, attackers abuse a legitimate signed Logitech application called Logi AI Prompt Builder to sideload a malicious DLL.
Once executed, the malicious DLL performs several stealth and evasion operations before launching the main banking trojan payload. The malware specifically checks whether it is running inside a virtual machine, sandbox, debugger, or analysis environment. If suspicious tools are detected, the malware intentionally fails to decrypt its payload and terminates execution.
The malware also validates that the infected system uses Brazilian Portuguese language settings before continuing its operations. This geographic targeting helps reduce exposure and detection outside the intended victim region.
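The sideloading step described above (a legitimately signed vendor executable loading a DLL that was planted beside it) is exactly what endpoint image-load telemetry can surface. The following is an added Python example, not code from the researchers or from the report: it runs a simple heuristic over constructed image-load records shaped like Sysmon Event ID 7 (ImageLoaded) data. The executable name, DLL name, paths and signer names are placeholders (the page names only the product, Logi AI Prompt Builder, not the binary or DLL file names), and the "image_signed"/"module_signed" fields are assumed to come from the telemetry pipeline's own signature verification.

```python
"""Heuristic DLL sideloading detector over constructed image-load telemetry.

Added example. Each record mimics a Sysmon Event ID 7 (ImageLoaded) style
event: the loading process ("image"), its signature state and signer, and
the loaded module ("module") with its signature state and signer.
"""
from pathlib import PureWindowsPath

# Directories where a signed process is expected to pick up OS-supplied DLLs.
SYSTEM_DIRS = {
    "c:\\windows\\system32",
    "c:\\windows\\syswow64",
    "c:\\windows\\winsxs",
}

# Constructed sample: file names, paths and signers are placeholders, not the
# real binary or DLL names from the campaign (the page only names the product).
SAMPLE_EVENTS = [
    {  # signed vendor EXE loads an unsigned DLL sitting next to it: suspicious
        "image": "C:\\Users\\victim\\AppData\\Local\\Temp\\pkg\\signed_vendor_app.exe",
        "image_signed": True, "image_signer": "Example Vendor",
        "module": "C:\\Users\\victim\\AppData\\Local\\Temp\\pkg\\example_payload.dll",
        "module_signed": False, "module_signer": "",
    },
    {  # same EXE loads ntdll from System32: normal
        "image": "C:\\Users\\victim\\AppData\\Local\\Temp\\pkg\\signed_vendor_app.exe",
        "image_signed": True, "image_signer": "Example Vendor",
        "module": "C:\\Windows\\System32\\ntdll.dll",
        "module_signed": True, "module_signer": "Microsoft Windows",
    },
    {  # vendor EXE loads its own signed helper DLL: normal
        "image": "C:\\Program Files\\ExampleVendor\\app.exe",
        "image_signed": True, "image_signer": "Example Vendor",
        "module": "C:\\Program Files\\ExampleVendor\\helper.dll",
        "module_signed": True, "module_signer": "Example Vendor",
    },
    {  # unsigned EXE: out of scope for this rule (application control covers it)
        "image": "C:\\Users\\victim\\Downloads\\tool.exe",
        "image_signed": False, "image_signer": "",
        "module": "C:\\Users\\victim\\Downloads\\tool.dll",
        "module_signed": False, "module_signer": "",
    },
]


def _parent_dir(path: str) -> str:
    """Lower-cased parent directory of a Windows path."""
    return str(PureWindowsPath(path).parent).lower()


def is_sideload_candidate(event: dict, flag_signer_mismatch: bool = True) -> bool:
    """True when a signed process loads, from its own directory rather than a
    system directory, a DLL that is unsigned (or signed by another publisher).

    Windows searches the application directory before System32 for DLLs that
    are not KnownDLLs, which is why a DLL planted in the app folder wins.
    """
    if not event.get("image_signed"):
        return False
    module_dir = _parent_dir(event["module"])
    if module_dir in SYSTEM_DIRS or module_dir != _parent_dir(event["image"]):
        return False
    if not event.get("module_signed"):
        return True
    if not flag_signer_mismatch:
        return False
    return event.get("module_signer", "").lower() != event.get("image_signer", "").lower()


def scan(events: list) -> list:
    """Return the module paths of all events matching the heuristic."""
    return [e["module"] for e in events if is_sideload_candidate(e)]


if __name__ == "__main__":
    for path in scan(SAMPLE_EVENTS):
        print("possible DLL sideload:", path)
```

The signer-mismatch branch is the noisy one: vendor applications routinely ship Microsoft-signed runtime DLLs in their own folder, so in production it needs an allowlist of expected publishers or should be disabled with flag_signer_mismatch=False, leaving the unsigned-DLL-next-to-signed-EXE rule, which is the low-noise core. Separately, because the page states that the malware refuses to run without a Brazilian Portuguese locale and in the presence of analysis tooling, a sandbox used to detonate samples from this campaign should present that locale and hide its tooling, or the payload will never decrypt and the image-load event above will never occur.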
ADVANCED MALWARE CAPABILITIES
After successful execution, TCLBANKER establishes persistence through scheduled tasks and begins communicating with remote command-and-control infrastructure. The malware then monitors browser activity to detect when victims access targeted banking or cryptocurrency platforms.
Key Capabilities Include
- Browser URL monitoring
- Credential theft overlays
- Remote desktop interaction
- Screen capture and streaming
- Clipboard manipulation
- Keylogging
- File and process management
- Fake update screens
- Remote command execution
The malware specifically targets major browsers including:
- Google Chrome
- Mozilla Firefox
- Microsoft Edge
- Brave
- Opera
- Vivaldi
Once a victim visits a targeted financial platform, the trojan activates fake credential-harvesting overlays designed to imitate legitimate banking workflows. These overlays may display fraudulent login prompts, fake progress bars, or even simulated Windows update screens to deceive users while credentials are stolen in the background.
WHATSAPP AND OUTLOOK WORM PROPAGATION
One of the most dangerous aspects of TCLBANKER is its ability to spread automatically through trusted communication channels.
WhatsApp Web Abuse
The malware hijacks authenticated WhatsApp Web sessions and uses automation frameworks to send phishing messages directly to victim contacts. Because the messages originate from legitimate user accounts, recipients are more likely to trust the malicious links or attachments.
The worm component avoids group chats and filters contacts to focus primarily on Brazilian numbers, improving operational efficiency and reducing unnecessary exposure.
Outlook Email Propagation
In addition, TCLBANKER abuses locally installed Microsoft Outlook clients to distribute phishing emails directly from the victim’s own mailbox.
This technique is especially dangerous because:
- Emails appear legitimate to recipients
- Messages originate from trusted contacts
- Traditional email reputation systems may fail to detect abuse
- Enterprise filtering solutions may struggle to identify malicious intent
According to the researchers, the malware can automatically distribute phishing messages to thousands of contacts, significantly amplifying infection rates.
TARGETS AND FINANCIAL RISKS
TCLBANKER reportedly targets 59 banking, fintech, and cryptocurrency services. Although the campaign currently focuses on Brazilian organizations and users, its modular architecture and propagation mechanisms suggest the malware could expand internationally over time.
Potential Risks Include
- Banking credential theft
- Cryptocurrency wallet compromise
- Financial fraud
- Account takeover
- Unauthorized transactions
- Enterprise mailbox abuse
- Internal phishing campaigns
- Large-scale malware propagation
Additionally, because the malware abuses legitimate user sessions and trusted communication channels, detection becomes significantly more difficult for traditional security controls.
WHY THIS MALWARE IS SIGNIFICANT
TCLBANKER reflects a growing evolution within modern banking malware ecosystems. Historically, advanced techniques such as environment-aware payload decryption, direct syscall usage, and live operator-controlled overlays were mainly associated with highly sophisticated threat groups.
Now, however, these capabilities are increasingly appearing in financially motivated malware campaigns. As a result, commodity malware families are becoming more stealthy, adaptive, and operationally mature.
The combination of banking fraud functionality with WhatsApp and Outlook worm propagation also demonstrates how attackers are blending social engineering with automated malware delivery to increase infection success rates.
DEFENSIVE RECOMMENDATIONS
Organizations and individual users should take proactive steps to reduce exposure to banking trojans and communication-platform abuse.
Recommended Security Measures
1. Monitor Email and Messaging Activity
Investigate unusual outbound messages, phishing-like behavior, or abnormal communication spikes originating from employee accounts.
2. Restrict Execution of Untrusted Installers
Block unauthorized MSI installers and unsigned DLL execution through endpoint protection and application control policies.
3. Harden Endpoint Security
Deploy EDR/XDR solutions capable of detecting DLL sideloading, anti-analysis behavior, and browser credential theft techniques.
4. Use Multi-Factor Authentication (MFA)
Enable MFA across banking, email, and enterprise systems to reduce the effectiveness of credential theft.
5. Train Users Against Social Engineering
Educate employees and users about phishing attempts delivered through messaging platforms and trusted contacts.
FINAL ANALYSIS
TCLBANKER demonstrates how modern financial malware campaigns are evolving beyond simple credential theft into multi-stage, socially aware attack ecosystems. By combining advanced banking trojan features with automated propagation through trusted communication platforms like WhatsApp and Outlook, attackers can scale infections rapidly while bypassing traditional security defenses.
As cybercriminal groups continue to refine malware delivery and deception techniques, organizations must strengthen endpoint visibility, communication monitoring, and identity protection strategies to reduce the risk of large-scale financial compromise.