VYPR
Tag: malware · Published May 7, 2026 · Updated May 18, 2026 · 1 source

New TCLBanker Malware Self-Spreads Over WhatsApp and Outlook

A new banking trojan named TCLBanker targets 59 financial platforms and uses a trojanized Logitech installer, with worm modules that hijack WhatsApp and Outlook to spread autonomously.

A new banking trojan named TCLBanker has been discovered by Elastic Security Labs, targeting 59 banking, fintech, and cryptocurrency platforms. The malware is distributed via a trojanized MSI installer for Logitech AI Prompt Builder and uses DLL side-loading to evade detection. Once installed, it establishes persistence and monitors browser activity to steal credentials and perform remote control operations.

TCLBanker is a major evolution of the older Maverick/Sorvepotel malware family. It currently appears focused on Brazil, checking timezone, keyboard layout, and locale, but researchers warn that LATAM malware often expands its targeting scope. The malware is heavily protected against analysis, featuring environment-dependent payload decryption and a watchdog thread that hunts for debugging tools like x64dbg, IDA, and Frida.

The banking module uses Windows UI Automation APIs to monitor the browser address bar every second. When a victim visits a targeted platform, it establishes a WebSocket session with the command-and-control (C2) server, sending victim and system information. Operators then gain capabilities including live screen streaming, keylogging, clipboard hijacking, shell command execution, and remote mouse/keyboard control. The malware also kills Task Manager during active sessions to hide malicious activity.

To support data theft, TCLBanker uses a WPF-based overlay system that displays fake credential prompts, PIN keypads, phone-number collection forms, fake bank support screens, and fake Windows Update screens. These overlays can mask parts of real applications, tricking victims into entering sensitive information.

A distinctive feature of TCLBanker is its self-spreading worm modules for WhatsApp and Outlook. The malware searches Chromium browser profiles for authenticated WhatsApp Web IndexedDB data, launches a hidden Chromium instance, and hijacks the victim's account. It then harvests contacts, filters for Brazilian numbers, and sends spam messages containing links to TCLBanker distribution platforms. Similarly, the Outlook module uses COM automation to launch the app, harvest contacts, and send phishing emails through the victim's email account.
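A defender-side detection sketch covering two behaviours the article describes: the hidden Chromium instance the WhatsApp worm launches on a hijacked profile (this paragraph) and the Task Manager kills during remote sessions (the banking-module paragraph above). This is an added example, not code from the article or from Elastic Security Labs; the Sysmon-style event fields, the placeholder loader path, the `--user-data-dir` heuristic and the 3-second Task Manager lifetime are all assumptions.

```python
from datetime import datetime, timedelta

BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe"}
TASKMGR_MAX_LIFETIME = timedelta(seconds=3)  # assumption: users rarely close it this fast

def _base(path):
    return path.rsplit("\\", 1)[-1].lower()

def hidden_browser_with_foreign_profile(ev):
    """Chromium launched by a non-shell, non-browser parent that is headless or points
    --user-data-dir outside AppData (assumption: the worm hands it a copied profile)."""
    if ev["EventID"] != 1 or _base(ev["Image"]) not in BROWSERS:
        return False
    if _base(ev["ParentImage"]) in BROWSERS | {"explorer.exe"}:
        return False
    cmd = ev["CommandLine"].lower()
    return "--headless" in cmd or ("--user-data-dir=" in cmd and "\\appdata\\local\\" not in cmd)

def taskmgr_short_lived_count(events):
    """Count Task Manager instances that terminated (Event ID 5) within
    TASKMGR_MAX_LIFETIME of being created (Event ID 1)."""
    started, count = {}, 0
    for ev in events:
        if _base(ev["Image"]) != "taskmgr.exe":
            continue
        ts = datetime.fromisoformat(ev["UtcTime"])
        if ev["EventID"] == 1:
            started[ev["ProcessId"]] = ts
        elif ev["EventID"] == 5 and ev["ProcessId"] in started:
            if ts - started.pop(ev["ProcessId"]) <= TASKMGR_MAX_LIFETIME:
                count += 1
    return count

def triage(events, kill_threshold=3):
    """Return (finding, detail) pairs for one batch of events."""
    findings = [("hidden_browser", ev["ProcessId"])
                for ev in events if hidden_browser_with_foreign_profile(ev)]
    kills = taskmgr_short_lived_count(events)
    if kills >= kill_threshold:
        findings.append(("taskmgr_killed", kills))
    return findings

def _ev(eid, t, pid, image, parent="", cmd=""):
    return {"EventID": eid, "UtcTime": f"2026-05-07 10:{t}", "ProcessId": pid,
            "Image": image, "ParentImage": parent, "CommandLine": cmd}

CHROME, TASKMGR = r"C:\Program Files\Google\Chrome\Application\chrome.exe", r"C:\Windows\System32\Taskmgr.exe"
# Constructed telemetry: a normal Chrome launch, a hidden Chromium on a copied profile
# started from a placeholder loader path, and Task Manager killed three times in a row.
SAMPLE_EVENTS = [
    _ev(1, "00:00", 10, CHROME, r"C:\Windows\explorer.exe", "chrome.exe"),
    _ev(1, "01:00", 11, CHROME, r"C:\ProgramData\constructed-loader\loader.exe",
        r'chrome.exe --user-data-dir="C:\ProgramData\wa" https://web.whatsapp.com'),
] + [_ev(eid, f"02:{2*i + (eid == 5):02d}", 20 + i, TASKMGR) for i in range(3) for eid in (1, 5)]
```

Real deployments would read these fields from Sysmon or EDR process-create and process-terminate events and tune the parent allowlist and lifetime threshold to the environment.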

Elastic Security Labs notes that while the loader is feature-rich, code artifacts suggest AI may have been used in its development. The researchers conclude that TCLBanker represents a characteristic example of LATAM malware evolution, offering lower-tier cybercriminals capabilities once reserved for sophisticated tools. Organizations and individuals in Brazil should be particularly vigilant, and users are advised to avoid downloading software from untrusted sources and to enable multi-factor authentication on messaging and email accounts.

Synthesized by Vypr AI