TCLBANKER Banking Trojan Uses Logitech Sideloading and Self-Spreads via WhatsApp
Elastic Security Labs disclosed TCLBANKER, a Brazilian banking trojan assessed as a major evolution of the MAVERICK/SORVEPOTEL family, delivered through a trojanized MSI installer for Logitech's signed Logi AI Prompt Builder and executed via DLL sideloading. The malware targets 59 Brazilian banking, fintech, and cryptocurrency services, using anti-analysis checks, environment-gated payload decryption, ETW patching, watchdog functions, and .NET Reactor-protected modules to evade detection and maintain execution. Once active, it monitors browser activity through UI Automation and opens a WebSocket command-and-control channel when victims visit monitored financial sites.
The malware's fraud tooling includes a WPF full-screen overlay framework that can present fake login prompts, counterfeit Windows Update screens, vishing wait pages, and screen-capture-resistant overlays to steal credentials and support operator-driven account takeover. A separate worm component propagates through WhatsApp Web by hijacking authenticated browser sessions and through Microsoft Outlook by using COM automation to send phishing emails from the victim's own account. Researchers said the campaign relies heavily on Cloudflare Workers for payload hosting and C2, and appears to be in an early operational stage based on exposed developer artifacts and unfinished phishing infrastructure.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
Researchers reveal TCLBANKER spreads via WhatsApp and Outlook worms
Elastic disclosed that TCLBANKER includes worm modules that abuse authenticated WhatsApp Web sessions and victims’ Outlook accounts to send phishing or spam messages to contacts. The malware is delivered via a trojanized Logitech AI Prompt Builder MSI using DLL sideloading and includes anti-analysis, browser monitoring, and overlay-based credential theft features.
Elastic identifies TCLBANKER banking trojan campaign REF3076
Elastic Security Labs reported a new Brazilian banking trojan named TCLBANKER and tracked the activity as campaign REF3076. The researchers assessed it as a major update of the MAVERICK/SORVEPOTEL malware family targeting 59 Brazilian banking, fintech, and cryptocurrency domains.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
TCLBANKER Malware Targets Users Through Self-Propagating WhatsApp and Outlook Worm Modules
cybersecuritynews.com
Open sourceTCLBANKER Banking Trojan Targets Financial Platforms via WhatsApp and Outlook Worms
thehackernews.com
Open sourceNew TCLBanker malware self-spreads over WhatsApp and Outlook
bleepingcomputer.com
Open sourceTCLBANKER: Brazilian Banking Trojan Spreading via WhatsApp and Outlook - Elastic Security Labs
elastic.co
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Maverick Banking Trojan Spreads via WhatsApp and Steals Financial Credentials
A new banking Trojan named Maverick has been identified targeting users in Brazil through a sophisticated, fileless malware campaign. The infection chain begins with the distribution of malicious ZIP files containing LNK shortcuts, which are sent via WhatsApp messages. These LNK files are not blocked by WhatsApp, allowing the malware to propagate widely among Brazilian users. Once a device is infected, the Maverick Trojan leverages the open-source WPPConnect project to automate the sending of further malicious messages from the victim’s WhatsApp Web account, effectively turning compromised devices into worms that spread the malware to additional contacts. The Trojan is highly targeted, checking the infected system’s time zone, language, and regional settings to ensure it only installs on Brazilian machines. Upon successful infection, Maverick operates entirely in memory, minimizing disk activity and making detection more difficult. The malware is modular, using PowerShell and .NET components to execute its payloads. Its primary objective is to steal banking and UPI credentials by monitoring browser activity, taking screenshots, logging keystrokes, and overlaying phishing pages when users access banking websites. Maverick can also control the mouse, block the screen during sensitive operations, and terminate processes to evade detection. The campaign specifically targets 26 Brazilian banks, 6 cryptocurrency exchanges, and a major payment platform, indicating a broad financial focus. The command-and-control infrastructure is designed to verify that downloads originate from the malware itself, adding another layer of evasion. Researchers have noted significant code overlap between Maverick and the previously known Coyote Trojan, but Maverick is considered a distinct and new threat. The use of WhatsApp as a distribution vector is particularly concerning, as it exploits the trust between contacts and the widespread use of the messaging platform in Brazil. The fileless nature of the attack chain, combined with the use of legitimate open-source tools, complicates detection and remediation efforts. Security experts recommend heightened vigilance for suspicious WhatsApp messages containing attachments, especially those in Portuguese or referencing financial matters. Organizations and individuals are urged to update their security solutions and educate users about the risks of opening unsolicited files, even from known contacts. The emergence of Maverick underscores the evolving tactics of cybercriminals targeting the Brazilian financial sector and highlights the need for robust, multi-layered defenses.
Mar 21, 2026
Eternidade Stealer Banking Trojan Propagated via WhatsApp Worm in Brazil
Cybersecurity researchers have identified a new campaign targeting Brazilian users in which the Eternidade Stealer, a Delphi-based banking trojan, is distributed through a WhatsApp worm. The attack leverages social engineering and WhatsApp hijacking, with the threat actor deploying a Python script—marking a shift from previous PowerShell-based methods—to hijack WhatsApp Web sessions and spread malicious attachments. The campaign uses an obfuscated Visual Basic Script as the initial infection vector, which then drops a batch script responsible for delivering two payloads, including the Python-based worm. The malware utilizes the Internet Message Access Protocol (IMAP) to dynamically retrieve command-and-control (C2) addresses, allowing the attacker to update C2 infrastructure as needed. This activity is part of a broader trend in Brazil, where WhatsApp's ubiquity makes it a favored vector for distributing banking trojans and information stealers. The use of Delphi for malware development remains prevalent in Latin America due to its technical efficiency and regional familiarity. Researchers note that this campaign represents an evolution in tactics, building on previous attacks such as Water Saci, and highlights the increasing sophistication of social engineering and malware propagation techniques in the region's cybercrime ecosystem.
Mar 21, 2026
JanelaRAT Banking Trojan Expands Attacks on Latin American Financial Users
Researchers reported that **JanelaRAT**, a Latin America-focused banking trojan derived from **BX RAT**, is actively targeting online banking and cryptocurrency users, with the heaviest activity in **Brazil** and **Mexico** and additional campaigns observed in **Chile** and **Colombia**. Kaspersky said it recorded **14,739 detections in Brazil** and **11,695 in Mexico** during 2025, as the malware continued to evolve from earlier VBScript-and-ZIP delivery chains to newer phishing-led infections using **MSI droppers**, **DLL sideloading**, obfuscated **.NET** payloads, and persistence through **Startup-folder LNK files**. Recent activity also included deployment of a malicious Chromium extension disguised as legitimate software. Once installed, JanelaRAT monitors browser and window titles for hard-coded banking and financial targets, then opens interactive **TCP** and **HTTP** command-and-control channels to support screenshots, keylogging, input injection, cursor control, remote command execution, and session hijacking. The malware uses encrypted strings, anti-analysis checks, daily rotating dynamic DNS infrastructure, and user inactivity monitoring to evade detection and help operators time fraudulent transactions. A notable feature is its overlay system, which displays fake banking prompts and Windows update screens to steal credentials and **MFA** tokens while suppressing user interaction.
Apr 22, 2026