Malware. Used by 1 tracked threat actor.

TCLBANKER

TCLBANKER is a Brazilian banking trojan tracked by Elastic Security Labs as campaign REF3076 and assessed as a major update of the Maverick/SORVEPOTEL malware family. It targets 59 banking, fintech, and cryptocurrency platforms and appears focused on Brazilian victims, using geofencing and environment validation such as Brazilian Portuguese language, locale, timezone, keyboard layout, and other host characteristics before decrypting and launching its payload.

Observed delivery uses a malicious ZIP archive containing a trojanized MSI installer that abuses Logitech’s signed Logi AI Prompt Builder application for DLL side-loading. A malicious DLL, screen_retriever_plugin.dll, is loaded in the context of the legitimate Logitech process. The loader includes anti-analysis and anti-debugging checks, anti-VM logic, watchdog functionality, ETW patching, and removal of user-mode hooks from ntdll.dll. It derives an environment-dependent decryption key so payload execution fails in non-target or analysis environments.
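The side-loading chain above is the kind of event a DLL-load hunt should catch: an unsigned DLL loaded from the same directory as a signed host binary, outside the Windows system directories. The following is an added example, not code from Elastic Security Labs or the source write-ups, that scores Sysmon Event ID 7 (ImageLoaded) records on that behaviour and on the page's hash indicators. The events are constructed; the Logitech install path and the Host* fields (assumed to be joined in from the Event ID 1 record of the loading process) are assumptions; only the DLL name and the three SHA-256 values come from the page.

```python
"""Score Sysmon Event ID 7 (ImageLoaded) records for DLL side-loading.

Added example; not code from Elastic Security Labs or the source write-ups.
Events are constructed. The Logitech install path and the Host* fields
(assumed to be joined in from the Event ID 1 record of the loading process)
are assumptions; the DLL name and the three SHA-256 values are from the page.
"""

KNOWN_BAD_DLL = "screen_retriever_plugin.dll"
KNOWN_BAD_SHA256 = {
    "701d51b7be8b034c860bf97847bd59a87dca8481c4625328813746964995b626",
    "8a174aa70a4396547045aef6c69eb0259bae1706880f4375af71085eeb537059",
    "668f932433a24bbae89d60b24eee4a24808fc741f62c5a3043bb7c9152342f40",
}
# Directories where an unsigned DLL beside a signed host is not, by itself, suspicious.
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Assumed install path of the signed host binary (not taken from the page).
HOST_EXE = "C:\\Program Files\\Logi\\Logi AI Prompt Builder\\LogiAiPromptBuilder.exe"
SIDELOAD_DLL = "C:\\Program Files\\Logi\\Logi AI Prompt Builder\\" + KNOWN_BAD_DLL

EVENTS = [  # constructed Sysmon-style records
    {"Image": HOST_EXE, "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll",
     "Signed": "true", "SignatureStatus": "Valid", "Signature": "Microsoft Windows",
     "Hashes": "MD5=" + "22" * 16 + ",SHA256=" + "11" * 32,
     "HostSigned": "true", "HostSignatureStatus": "Valid"},
    {"Image": HOST_EXE, "ImageLoaded": SIDELOAD_DLL,
     "Signed": "false", "SignatureStatus": "Unavailable", "Signature": "",
     "Hashes": "SHA256=701D51B7BE8B034C860BF97847BD59A87DCA8481C4625328813746964995B626",
     "HostSigned": "true", "HostSignatureStatus": "Valid"},
    {"Image": HOST_EXE, "ImageLoaded": SIDELOAD_DLL,
     "Signed": "false", "SignatureStatus": "Unavailable", "Signature": "",
     "Hashes": "SHA256=" + "deadbeef" * 8,  # a rebuilt sample: hash unknown, behaviour unchanged
     "HostSigned": "true", "HostSignatureStatus": "Valid"},
]


def win_dir(path):
    """Lower-cased directory part of a Windows path, with trailing backslash."""
    return path.lower().rsplit("\\", 1)[0] + "\\"


def sha256_of(event):
    """Pull the SHA256 out of Sysmon's 'ALG=hex,ALG=hex' Hashes field, lower-cased."""
    hashes = dict(part.split("=", 1) for part in event["Hashes"].split(","))
    return hashes.get("SHA256", "").lower()


def classify(event):
    """Return the reasons a load looks like side-loading; an empty list means benign."""
    reasons = []
    dll_path = event["ImageLoaded"]
    dll_name = dll_path.lower().rsplit("\\", 1)[-1]
    if dll_name == KNOWN_BAD_DLL:
        reasons.append("known_bad_name")
    if sha256_of(event) in KNOWN_BAD_SHA256:
        reasons.append("known_bad_hash")
    # Behavioural rule: unsigned DLL next to a validly signed host, outside system dirs.
    same_dir = win_dir(dll_path) == win_dir(event["Image"])
    dll_trusted = event["Signed"] == "true" and event["SignatureStatus"] == "Valid"
    host_trusted = event["HostSigned"] == "true" and event["HostSignatureStatus"] == "Valid"
    if same_dir and host_trusted and not dll_trusted and not win_dir(dll_path).startswith(TRUSTED_DIRS):
        reasons.append("unsigned_dll_beside_signed_host")
    return reasons


def hunt(events):
    """Return one hit per flagged event, preserving input order."""
    hits = []
    for event in events:
        reasons = classify(event)
        if reasons:
            hits.append({"process": event["Image"], "dll": event["ImageLoaded"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in hunt(EVENTS):
        print(hit)
```

The third event is the point of the behavioural rule: a rebuilt DLL with a fresh hash still trips "unsigned_dll_beside_signed_host", so the hunt does not depend on the three published hashes staying current.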

After validation, TCLBANKER launches a banking trojan component that establishes persistence via a scheduled task and sends installation data to remote infrastructure. It monitors browser activity, including Chrome, Firefox, Edge, Brave, Opera, and Vivaldi, by extracting the active URL through UI Automation and comparing it against a hard-coded list of targeted institutions. When a target site is detected, it opens a WebSocket C2 session and supports operator actions including shell command execution, screenshot capture, screen streaming, keylogging, clipboard manipulation, remote mouse and keyboard control, file and process management, process enumeration, window listing, and forced reboot.

A notable capability is its Windows Presentation Foundation full-screen overlay framework used for credential theft and fraud enablement. The overlays imitate banking prompts, PIN entry screens, vishing wait screens, fake progress bars, and fake Windows Update screens. The malware can freeze the desktop, block shortcuts such as the Windows key and Escape, kill Task Manager, and use screen-capture-resistant overlay behavior to hinder user response and analysis.

TCLBANKER also includes worm-like propagation modules for WhatsApp and Microsoft Outlook. The WhatsApp component hijacks authenticated WhatsApp Web sessions by cloning browser profile or IndexedDB session data, launching a hidden Chromium instance, and automating message sending to contacts, including filtering for Brazilian numbers. The Outlook component uses COM automation to access Outlook in the background, harvest contacts and sender addresses, and send phishing emails from the victim’s legitimate account, increasing trust and potentially bypassing email security controls.

Infrastructure reported in the source write-ups includes campanha1-api.ef971a42.workers[.]dev, documents.ef971a42.workers[.]dev, and mxtestacionamentos[.]com, along with the phishing domains arquivos-omie[.]com, documentos-online[.]com, afonsoferragista[.]com, doccompartilhe[.]com, and recebamais[.]com. Reported file artifacts are the ZIP archive XXL_21042026-181516.zip (SHA-256 63beb7372098c03baab77e0dfc8e5dca5e0a7420f382708a4df79bed2d900394) and three screen_retriever_plugin.dll samples (SHA-256 701d51b7be8b034c860bf97847bd59a87dca8481c4625328813746964995b626, 8a174aa70a4396547045aef6c69eb0259bae1706880f4375af71085eeb537059, and 668f932433a24bbae89d60b24eee4a24808fc741f62c5a3043bb7c9152342f40). Trend Micro's Water Saci cluster is mentioned in relation to the Maverick ecosystem, but direct attribution of TCLBANKER itself is not established in the public reporting.
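To act on the indicators above they first need normalising (the write-ups mix defanged and plain forms, and hashes appear in either case) and then matching against telemetry, with subdomains of a listed domain counted as hits but the shared workers.dev account host left alone. The following added example does that over constructed DNS and file-event log lines; the log format is an assumption made for the example, the indicator values are the ones from the page.

```python
"""Normalise the page's indicators and match them against sample telemetry.

Added example, not from the source write-ups. Indicator values are from the
page; the DNS and file-event log lines and their format are constructed.
"""
import re

RAW_IOCS = {
    "domain": [
        "campanha1-api.ef971a42.workers.dev", "documents.ef971a42.workers.dev",
        "mxtestacionamentos[.]com", "arquivos-omie[.]com", "documentos-online[.]com",
        "afonsoferragista[.]com", "doccompartilhe[.]com", "recebamais[.]com",
    ],
    "sha256": [
        "63beb7372098c03baab77e0dfc8e5dca5e0a7420f382708a4df79bed2d900394",
        "701d51b7be8b034c860bf97847bd59a87dca8481c4625328813746964995b626",
        "8a174aa70a4396547045aef6c69eb0259bae1706880f4375af71085eeb537059",
        "668f932433a24bbae89d60b24eee4a24808fc741f62c5a3043bb7c9152342f40",
    ],
}

# Constructed DNS log: mixed case, trailing dot, a subdomain of a listed domain,
# and the bare workers.dev account host that is NOT on the list.
DNS_LOG = """\
2026-05-08T12:00:01Z ws-017 query=CAMPANHA1-API.ef971a42.workers.dev. rcode=NOERROR
2026-05-08T12:00:05Z ws-017 query=update.example.com rcode=NOERROR
2026-05-08T12:01:10Z ws-042 query=cdn.documentos-online.com rcode=NOERROR
2026-05-08T12:02:00Z ws-042 query=ef971a42.workers.dev rcode=NXDOMAIN
"""

# Constructed file events: the reported ZIP hash in upper case, plus a benign file.
FILE_LOG = """\
2026-05-08T12:03:00Z ws-017 file=C:\\Users\\ana\\Downloads\\XXL_21042026-181516.zip sha256=63BEB7372098C03BAAB77E0DFC8E5DCA5E0A7420F382708A4DF79BED2D900394
2026-05-08T12:03:30Z ws-042 file=C:\\Users\\ana\\Downloads\\report.pdf sha256=1111111111111111111111111111111111111111111111111111111111111111
"""


def refang(value):
    """Undo common defanging ([.], (.), [dot], hxxp://), lower-case, drop trailing dot."""
    v = value.strip().lower()
    v = v.replace("[.]", ".").replace("(.)", ".").replace("[dot]", ".")
    v = re.sub(r"^hxxps?://", "", v)
    return v.rstrip(".")


def load_iocs(raw):
    """Return {kind: set(normalised values)} so lookups are exact and case-insensitive."""
    return {kind: {refang(v) for v in values} for kind, values in raw.items()}


def domain_matches(qname, domains):
    """True on an exact hit or when any parent of the query name is an indicator.

    Only listed names and their children match: 'ef971a42.workers.dev' does not
    hit because only two specific hosts under it are indicators.
    """
    labels = refang(qname).split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))


def match_logs(dns_log, file_log, iocs):
    """Return (host, indicator_type, value) for every matching log line, in order."""
    hits = []
    for line in dns_log.splitlines():
        m = re.match(r"(\S+) (\S+) query=(\S+)", line)
        if m and domain_matches(m.group(3), iocs["domain"]):
            hits.append((m.group(2), "domain", refang(m.group(3))))
    for line in file_log.splitlines():
        m = re.match(r"(\S+) (\S+) file=(.+?) sha256=([0-9a-fA-F]{64})", line)
        if m and m.group(4).lower() in iocs["sha256"]:
            hits.append((m.group(2), "sha256", m.group(4).lower()))
    return hits


if __name__ == "__main__":
    for hit in match_logs(DNS_LOG, FILE_LOG, load_iocs(RAW_IOCS)):
        print(hit)
```

The deliberate non-hit on ef971a42.workers.dev is a judgement call: the account-level host is a pivot worth investigating, but blocking or alerting on it from this list alone would not be supported by the reporting.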

THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers.

REF3076

REF3076 is the Elastic Security Labs campaign identifier for this activity rather than a named group; no further attribution is established in the public reporting.

Threat hunters have flagged a previously undocumented Brazilian banking trojan dubbed TCLBANKER that's capable of targeting 59 banking, fintech, and cryptocurrency platforms. (via The Hacker News, thehackernews.com)
MITRE ATT&CK

Techniques & procedures

28 distinct techniques documented for this family, organized by ATT&CK tactic. A technique that ATT&CK maps to several tactics (for example T1053.005) appears under each of them, with the same evidence excerpt.

Resource Development

1 technique
T1583.007 Serverless (evidence: 1)

All of this malicious activity is managed using serverless cloud tools such as Cloudflare Workers. By using legitimate cloud services, the attackers can quickly change their servers and avoid being blocked by simple network defenses.

Initial Access

2 techniques
T1566 Phishing (evidence: 2)

It then opens a hidden browser window, bypasses bot detection, and sends phishing messages and the malware file directly to the victim’s contacts.

T1566.003 Spearphishing via Service (evidence: 2)

The first worm module targets WhatsApp Web... and sends phishing messages and the malware file directly to the victim’s contacts.

Execution

5 techniques
T1053.005 Scheduled Task (evidence: 1)

the banking trojan ... proceeds to establish persistence using a scheduled task

T1059 Command and Scripting Interpreter (evidence: 1)

The capabilities given to the operators include: ... Shell command execution ...

T1059.003 Windows Command Shell (evidence: 1)

enabling the operator to perform a broad range of tasks - Run shell commands

T1559.001 Component Object Model (evidence: 2)

It silently opens Microsoft Outlook in the background and uses Windows COM automation to take complete control of the victim’s email account.

T1574.001 DLL (evidence: 1)

These MSI installer packages are abusing a signed Logitech program called Logi AI Prompt Builder. The malware leverages DLL side-loading against the application to launch a malicious DLL ("screen_retriever_plugin.dll")

Persistence

1 technique
T1053.005 Scheduled Task (evidence: 1)

the banking trojan ... proceeds to establish persistence using a scheduled task

Privilege Escalation

1 technique
T1053.005 Scheduled Task (evidence: 1)

the banking trojan ... proceeds to establish persistence using a scheduled task

Defense Evasion

5 techniques
T1036 Masquerading (evidence: 2)

The observed infection chain bundles a malicious MSI installer inside a ZIP file. These MSI installer packages are abusing a signed Logitech program called Logi AI Prompt Builder.

T1497 Virtualization/Sandbox Evasion (evidence: 3)

Before it fully unpacks, it checks whether the computer is running in a security sandbox. It looks for debugging tools, virtual machines, and specific antivirus software.

T1497.001 System Checks (evidence: 3)

It also checks the system language and time zone to ensure the victim is actually located in Brazil. If the environment does not match a real Brazilian user, the payload refuses to decrypt.
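The "refuses to decrypt" behaviour just quoted is environmental keying: the decryption key is derived from host facts, so a host whose facts differ does not produce a broken payload to analyse, it produces nothing. The block below is an added illustration of that mechanism, not TCLBANKER's actual derivation (the page does not detail it). The host-fact field names, the salt, and the toy keystream cipher are assumptions made so it runs on the standard library alone; the Brazilian values (pt-BR, the Windows time zone id "E. South America Standard Time", keyboard layout identifier 00000416) are what an analyst would set on a detonation VM.

```python
"""Environmental keying: why a geofenced payload will not detonate in a generic sandbox.

Added illustration, not TCLBANKER's real derivation. Field names, the salt and
the toy keystream cipher are assumptions; host values are constructed.
"""
import hashlib
import hmac

FIELDS = ("ui_language", "locale", "timezone", "keyboard_layout")

# Host facts a loader can read without privileges (constructed values).
TARGET_HOST = {"ui_language": "pt-BR", "locale": "pt-BR",
               "timezone": "E. South America Standard Time", "keyboard_layout": "00000416"}
SANDBOX_HOST = {"ui_language": "en-US", "locale": "en-US",
                "timezone": "UTC", "keyboard_layout": "00000409"}


def derive_key(host, salt=b"example-salt"):
    """Key depends only on the host facts: change one fact and the key changes entirely."""
    material = "|".join(host[f] for f in FIELDS).encode()
    return hashlib.pbkdf2_hmac("sha256", material, salt, 100_000)


def keystream(key, n):
    """Toy counter-mode keystream from SHA-256 (illustrative, not a real cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:n])


def seal(plaintext, key):
    """XOR with the keystream and append an HMAC tag so a wrong key is detected, not run."""
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(key, len(plaintext))))
    return ct + hmac.new(key, ct, "sha256").digest()


def open_payload(blob, key):
    """Return the plaintext, or None when the key (i.e. the environment) is wrong."""
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, ct, "sha256").digest(), tag):
        return None  # wrong environment: nothing is decrypted, nothing runs
    return bytes(a ^ b for a, b in zip(ct, keystream(key, len(ct))))


PAYLOAD = b"<stage-2 placeholder bytes>"            # constructed stand-in for the real stage
BLOB = seal(PAYLOAD, derive_key(TARGET_HOST))      # what would ship inside the loader


def detonate(host):
    """Simulate the loader's gate on a host with the given facts."""
    return open_payload(BLOB, derive_key(host))


if __name__ == "__main__":
    print("target host :", detonate(TARGET_HOST))
    print("sandbox host:", detonate(SANDBOX_HOST))
    print("pt-BR on UTC:", detonate(dict(TARGET_HOST, timezone="UTC")))
```

The third call is the practical lesson: matching language and locale but leaving the VM on UTC still yields nothing, so a sandbox profile for this family has to satisfy every gated fact, or the analyst has to recover the key material from the loader instead of relying on detonation.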

T1574.001 DLL (evidence: 1)

These MSI installer packages are abusing a signed Logitech program called Logi AI Prompt Builder. The malware leverages DLL side-loading against the application to launch a malicious DLL ("screen_retriever_plugin.dll")

T1622 Debugger Evasion (evidence: 2)

the loader with a "comprehensive watchdog subsystem" continuously keeps an eye out for analysis tools, sandboxes, debuggers, disassemblers, instrumentation tools, and antivirus software to sidestep detection

Credential Access

3 techniques
T1056 Input Capture (evidence: 3)

The user is forced to enter their security codes or personal identification numbers directly into the hacker’s fake screen.

T1056.001 Keylogging (evidence: 2)

enabling the operator to perform a broad range of tasks - ... Launch a keylogger

T1539 Steal Web Session Cookie (evidence: 1)

Instead of asking the user to scan a new QR code, the malware secretly clones the saved session data.

Discovery

6 techniques
T1057 Process Discovery (evidence: 2)

enabling the operator to perform a broad range of tasks - Manage files and processes Enumerate running processes

T1082 System Information Discovery (evidence: 1)

it beacons out to an external server with an HTTP POST request containing basic system information

T1083 File and Directory Discovery (evidence: 2)

enabling the operator to perform a broad range of tasks - Manage files and processes Enumerate running processes List visible windows

T1497 Virtualization/Sandbox Evasion (evidence: 3)

Before it fully unpacks, it checks whether the computer is running in a security sandbox. It looks for debugging tools, virtual machines, and specific antivirus software.

T1497.001 System Checks (evidence: 3)

It also checks the system language and time zone to ensure the victim is actually located in Brazil. If the environment does not match a real Brazilian user, the payload refuses to decrypt.

T1622 Debugger Evasion (evidence: 2)

the loader with a "comprehensive watchdog subsystem" continuously keeps an eye out for analysis tools, sandboxes, debuggers, disassemblers, instrumentation tools, and antivirus software to sidestep detection

Collection

8 techniques
T1005 Data from Local System (evidence: 1)

a URL monitor that extracts the current URL from the foreground browser's address bar using UI Automation

(Reading the address bar through UI Automation is UI-level collection rather than reading files from disk; the operator file-management capability reported elsewhere in the write-ups is the closer support for this technique.)

T1056 Input Capture (evidence: 3)

The user is forced to enter their security codes or personal identification numbers directly into the hacker’s fake screen.

T1056.001 Keylogging (evidence: 2)

enabling the operator to perform a broad range of tasks - ... Launch a keylogger

T1113 Screen Capture (evidence: 2)

enabling the operator to perform a broad range of tasks - Capture screenshots Start/stop screen streaming

T1114 Email Collection (evidence: 2)

The bot searches the address book and inbox to harvest contacts.

T1115 Clipboard Data (evidence: 2)

enabling the operator to perform a broad range of tasks - Manipulate clipboard

T1185 Browser Session Hijacking (evidence: 3)

The malware scans the computer for web browsers such as Chrome or Edge and looks for active WhatsApp accounts.

T1560 Archive Collected Data (evidence: 1)

The attack begins when a user downloads a malicious ZIP file. Inside this archive is an installer that abuses a real, digitally signed Logitech program called Logi AI Prompt Builder.

(The cited excerpt describes the delivery archive, not compression of stolen data before exfiltration; the source write-ups do not report collected data being archived, so treat this mapping as unsupported.)

Command and Control

3 techniques
T1071 Application Layer Protocol (evidence: 2)

When a match is found, the malware connects to a remote server.

T1071.001 Web Protocols (evidence: 2)

Subsequently, it beacons out to an external server with an HTTP POST request containing basic system information.

T1219 Remote Access Tools (evidence: 1)

enabling the operator to perform a broad range of tasks - ... Remotely control mouse/keyboard

Defense Evasion (cont.)

1 technique
T1562.001 Disable or Modify Tools (evidence: 2)

It also removes any usermode hooks placed by endpoint security software within "ntdll.dll" by replacing the library and disables Event Tracing for Windows (ETW) telemetry.

INDICATORS OF COMPROMISE

IOCs tracked for this family

19 indicators attributed across vendor reports, sandbox runs, and researcher write-ups: 9 network indicators (IPs, domains, and DNS infrastructure), 5 file hashes (MD5, SHA-1, SHA-256), and 5 of other types. The domains and SHA-256 values quoted in the summary above are the ones disclosed in the public source write-ups.

ACTIVITY FEED

Recent activity

4 sources tracked across advisories, community write-ups, and news.

Cyber Security News (news)
May 9, 2026
TCLBANKER Malware Targets Users Through Self-Propagating WhatsApp and Outlook Worm Modules

Brazilian banking trojan that uses DLL side-loading via a legitimate signed Logitech application to load a malicious component, performs anti-sandbox and anti-analysis checks, verifies the victim is in Brazil, monitors browsers for targeted banking, fintech, and cryptocurrency sites, and steals credentials/PINs through full-screen phishing overlays. It also includes worm-like propagation through WhatsApp Web session cloning and Microsoft Outlook COM automation, while using Cloudflare Workers and related cloud infrastructure for C2 and file hosting.

The Hacker News (news)
May 8, 2026
TCLBANKER Banking Trojan Targets Financial Platforms via WhatsApp and Outlook Worms

Brazilian banking trojan with a loader and worming components. It uses anti-analysis and environment-gated payload decryption, establishes persistence, beacons to a remote server, monitors browser URLs for targeted financial institutions, and enables remote operator actions including shell command execution, screenshots, screen streaming, clipboard manipulation, keylogging, mouse/keyboard control, file and process management, and fake credential-stealing overlays. It also propagates via WhatsApp Web and Microsoft Outlook phishing/spam messages.

BleepingComputer (news)
May 7, 2026
New TCLBanker malware self-spreads over WhatsApp and Outlook

Banking trojan focused on stealing financial and account data from banking, fintech, and cryptocurrency platforms. It uses DLL side-loading, anti-analysis protections, browser monitoring, WebSocket-based C2 communications, remote control features, credential-harvesting overlays, and self-propagating worm modules via WhatsApp Web and Microsoft Outlook.

Elastic Security Labs (news)
Apr 11, 2026
TCLBANKER: Brazilian Banking Trojan Spreading via WhatsApp and Outlook - Elastic Security Labs

Brazilian banking trojan delivered via a malicious MSI and DLL sideloading chain. It uses a heavily anti-analysis loader, environment-gated payload decryption, ETW patching, watchdog protections, browser URL monitoring via UI Automation, WebSocket C2, WPF full-screen overlays for operator-driven social engineering, persistence via scheduled task, self-update capability, and embedded worm modules for propagation through WhatsApp and Outlook.
