TCLBANKER Banking Trojan Targets Financial Platforms with Sophisticated Evasion Tactics
A newly identified banking trojan dubbed TCLBANKER is targeting 59 financial and cryptocurrency platforms using sophisticated DLL side-loading, anti-analysis evasion, and worm-like propagation via WhatsApp and Outlook.

A newly discovered banking trojan, identified as TCLBANKER, is actively targeting 59 financial, fintech, and cryptocurrency platforms. Tracked by Elastic Security Labs as REF3076, this malware is considered a significant evolution of the Maverick family, a threat previously linked to the Water Saci cluster (The Hacker News).
The attack chain begins with a ZIP file containing a malicious MSI installer that abuses a legitimate, signed Logitech application, "Logi AI Prompt Builder." By utilizing DLL side-loading, the installer executes a malicious DLL named "screen_retriever_plugin.dll." This component acts as a sophisticated loader, featuring a "watchdog subsystem" designed to detect and evade security analysis tools, debuggers, and sandboxes (The Hacker News).
To ensure it only infects intended targets, the malware performs rigorous environment checks. It verifies that the system language is set to Brazilian Portuguese and generates a unique environment hash based on system disk information and anti-debugging checks. If these conditions are not met, or if a debugger is detected, the malware fails to decrypt its primary payload and terminates execution. Furthermore, the loader actively disables Event Tracing for Windows (ETW) and removes usermode hooks from "ntdll.dll" to bypass endpoint security software (The Hacker News).
Once the banking trojan is successfully deployed, it establishes persistence via a scheduled task and begins monitoring the victim's browser activity. Using UI Automation, the malware tracks the URLs in popular browsers like Chrome, Firefox, Edge, Brave, Opera, and Vivaldi. When a user visits a targeted financial site, the trojan initiates a WebSocket connection to a remote command-and-control server. This allows attackers to perform a wide range of malicious actions, including keylogging, screen streaming, file management, and the deployment of fake credential-stealing overlays (The Hacker News).
The malware also includes a worming component designed to propagate the infection via WhatsApp Web and Microsoft Outlook. By hijacking authenticated browser sessions, the worm spreads malicious links to the victim's contacts, facilitating large-scale phishing campaigns. The trojan's use of a WPF-based overlay framework allows it to present convincing fake Windows updates or credential prompts while remaining hidden from standard screen capture tools (The Hacker News).
The emergence of TCLBANKER highlights a persistent trend of sophisticated banking malware targeting Brazilian users through highly evasive loaders and automated propagation methods. By leveraging signed software and multi-stage anti-analysis techniques, the operators behind REF3076 continue to refine their ability to bypass modern security defenses. Organizations should remain vigilant against suspicious MSI installers and monitor for unauthorized use of legitimate software components for DLL side-loading (The Hacker News).
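The side-loading chain described above (a signed "Logi AI Prompt Builder" binary loading "screen_retriever_plugin.dll" from beside itself) and the closing advice to monitor for that pattern both come down to the same detection question: is a host executable loading a DLL from its own directory, in a user-writable location, that carries no valid signature? The following is an added example, not code from the article or from Elastic Security Labs, that runs that heuristic over constructed Sysmon-style "Image loaded" (Event ID 7) records. The host executable file name, the temp-directory path, and the sample events are all assumptions constructed for the example; only the DLL name and application name come from the article. The example also generalizes past this campaign with a second rule that flags well-known Windows system DLL names loaded from outside the system directories, a classic side-loading tell not mentioned in the article.

```python
"""DLL side-loading detection heuristic over Sysmon-style 'Image loaded' (ID 7) records.

Added example with constructed sample data; not telemetry from the article.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import Optional

# Locations a standard user can write to. Legitimate vendor software normally
# runs from Program Files, so a signed host executable living here is already odd.
USER_WRITABLE = re.compile(
    r"^[a-z]:\\(?:users\\[^\\]+\\(?:appdata|downloads|desktop)|users\\public|programdata|windows\\temp)\\",
    re.IGNORECASE,
)

# DLL names that should only be loaded from the Windows system directories.
# A copy of one of these sitting beside an application is the classic side-loading tell.
SYSTEM_DLLS = {"version.dll", "dbghelp.dll", "cryptbase.dll", "wtsapi32.dll", "uxtheme.dll"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\")


@dataclass
class Finding:
    host: str
    dll: str
    reason: str


def is_user_writable(path: str) -> bool:
    return USER_WRITABLE.match(path) is not None


def is_system_dir(path: str) -> bool:
    return path.lower().startswith(SYSTEM_DIRS)


def evaluate(event: dict) -> Optional[Finding]:
    """Return a Finding for one Sysmon ID 7 record, or None if it looks benign."""
    host, dll = event["Image"], event["ImageLoaded"]
    dll_name = ntpath.basename(dll).lower()
    same_dir = ntpath.dirname(host).lower() == ntpath.dirname(dll).lower()
    validly_signed = (event.get("Signed", "false").lower() == "true"
                      and event.get("SignatureStatus") == "Valid")

    # Rule 1: a DLL beside its host, in a user-writable directory, without a valid signature.
    if same_dir and is_user_writable(dll) and not validly_signed:
        return Finding(host, dll, "unsigned DLL loaded from host directory in user-writable path")
    # Rule 2: a well-known system DLL name served from outside the system directories.
    if dll_name in SYSTEM_DLLS and not is_system_dir(dll):
        return Finding(host, dll, f"system DLL name {dll_name} loaded from non-system path")
    return None


def analyze(events):
    """Run evaluate() over a sequence of records and keep the findings."""
    return [f for f in (evaluate(e) for e in events) if f is not None]


# Constructed sample events mirroring a few Sysmon ID 7 fields.
SAMPLE_EVENTS = [
    {  # benign: vendor app in Program Files loading a Microsoft system DLL
        "Image": r"C:\Program Files\Vendor\vendor_app.exe",
        "ImageLoaded": r"C:\Windows\System32\ntdll.dll",
        "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid",
    },
    {  # benign: signed vendor plugin beside its host, but in Program Files
        "Image": r"C:\Program Files\Vendor\vendor_app.exe",
        "ImageLoaded": r"C:\Program Files\Vendor\plugin.dll",
        "Signed": "true", "Signature": "Vendor Inc", "SignatureStatus": "Valid",
    },
    {  # the pattern the article describes: a signed host dropped by an MSI into a temp
       # path loading an unsigned DLL from the same directory. Host file name and
       # directory are placeholders, not values from the article.
        "Image": r"C:\Users\alice\AppData\Local\Temp\PLACEHOLDER\logi_ai_prompt_builder.exe",
        "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\PLACEHOLDER\screen_retriever_plugin.dll",
        "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable",
    },
    {  # generalisation: a system DLL name planted beside an app in Downloads, signed or not
        "Image": r"C:\Users\alice\Downloads\tool\tool.exe",
        "ImageLoaded": r"C:\Users\alice\Downloads\tool\version.dll",
        "Signed": "true", "Signature": "Some Publisher", "SignatureStatus": "Valid",
    },
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(f"[side-load] {finding.host} -> {finding.dll}: {finding.reason}")
```

Only the third and fourth records produce findings; the two Program Files loads stay quiet because Rule 1 requires a user-writable directory, which keeps ordinary vendor plugins from flooding the queue. In production the same logic would consume Sysmon ID 7 (or equivalent EDR image-load) events, and the user-writable and system-DLL lists would be tuned to the estate.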