TCLBANKER Banking Trojan Targets Financial Platforms via WhatsApp and Outlook Worms

The Hacker News | T2 | 08 May 2026 | 1609 words | ORIGINAL

Classification
SEV 6/10
CONFIDENCE 53%
Categories: malware, vulnerability, phishing
Threat Actors: Conti
Target Sectors: finance, government

TCLBANKER Banking Trojan Targets Financial Platforms via WhatsApp and Outlook Worms
Ravie Lakshmanan, May 08, 2026, Malware / Threat Intelligence

Threat hunters have flagged a previously undocumented Brazilian banking trojan dubbed TCLBANKER that's capable of targeting 59 banking, fintech, and cryptocurrency platforms. The activity is being tracked by Elastic Security Labs under the moniker REF3076.

The malware family is assessed to be a major update of the Maverick family, which is known to leverage a worm called SORVEPOTEL to spread via WhatsApp Web to a victim's contacts. The Maverick campaign is attributed to a threat cluster that Trend Micro calls Water Saci.

At the core of the attack chain is a loader with robust anti-analysis capabilities that deploys two embedded modules: a full-featured banking trojan and a worm component that uses WhatsApp and Microsoft Outlook for propagation.

"The observed infection chain bundles a malicious MSI installer inside a ZIP file," security researchers Jia Yu Chan, Daniel Stepanic, Seth Goodwin, and Terrance DeJesus said. "These MSI installer packages are abusing a signed Logitech program called Logi AI Prompt Builder."

The malware leverages DLL side-loading against the application to launch a malicious DLL ("screen_retriever_plugin.dll"), which functions as a loader with a "comprehensive watchdog subsystem" that continuously keeps an eye out for analysis tools, sandboxes, debuggers, disassemblers, instrumentation tools, and antivirus software to sidestep detection.

Specifically, the malicious DLL will only execute if it was loaded by either "logiaipromptbuilder.exe" (the Logitech program) or "tclloader.exe" (likely a reference to an executable used during testing). It also removes any usermode hooks placed by endpoint security software within "ntdll.dll" by replacing the library and disables Event Tracing for Windows (ETW) telemetry. What's more, the malware generates three fingerprints based on anti-debugging and anti-virtualization checks, system disk information checks, and language checks, using them to create an environment hash value that's used to decrypt the embedded payload.

The system language check ensures that the user's default language is Brazilian Portuguese. "For example, if a debugger is present, it will produce an incorrect hash, so when the malware attempts to derive the decryption keys from the hash, the payload will not decrypt correctly, and TCLBANKER will stop executing," Elastic explained. The main component launched following these checks is the banking trojan that once again verifies if it's running on a Brazilian system, and then proceeds to establish persistence using a scheduled task.

Subsequently, it beacons out to an external server with an HTTP POST request containing basic system information. TCLBANKER also incorporates a self-update mechanism and a URL monitor that extracts the current URL from the foreground browser's address bar using UI Automation. This step targets popular browsers like Google Chrome, Mozilla Firefox, Microsoft Edge, Brave, Opera, and Vivaldi. The extracted URL is matched against a hard-coded list of targeted financial institutions.

If there is a match, it establishes a WebSocket connection to a remote server and enters into a command dispatch loop, enabling the operator to perform a broad range of tasks:

- Run shell commands
- Capture screenshots
- Start/stop screen streaming
- Manipulate clipboard
- Launch a keylogger
- Remotely control mouse/keyboard
- Manage files and processes
- Enumerate running processes
- List visible windows
- Serve fake credential-stealing overlays

To conduct data theft, TCLBANKER relies on a Windows Presentation Foundation (WPF)-based full-screen overlay framework to conduct social engineering using credential harvesting prompts, vishing wait screens, bogus progress bars, and fake Windows Updates, all while hiding overlays from screen capture tools.
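The loader-to-trojan chain laid out above (side-loading of screen_retriever_plugin.dll by the Logitech executable or tclloader.exe, ntdll.dll replacement, ETW tampering, scheduled-task persistence, the HTTP POST beacon and the WebSocket command channel) maps naturally onto stage-chained detection logic: one high-confidence rule taints the process, and every later rule only alerts for that process or its descendants. The Python below is an added example written for this page, not Elastic's detection rules. It runs over a constructed, normalised telemetry stream; the event types and field names (process_create, image_load, etw_disable, scheduled_task_create, http_request and their keys) are assumptions, not a real EDR schema, and every path in the sample is made up.

```python
"""Stage-chained detection for the loader-to-trojan chain described above.

Added example for this page; not Elastic's or any vendor's rule set. The
input is a constructed, normalised host-telemetry stream. Event types and
field names are assumptions made here, not a real EDR schema.
"""
import posixpath

# File names taken from the article; every path below is constructed.
SIDELOAD_HOSTS = {"logiaipromptbuilder.exe", "tclloader.exe"}
SIDELOAD_DLL = "screen_retriever_plugin.dll"
SYSTEM_NTDLL = r"c:\windows\system32\ntdll.dll"


def _name(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return posixpath.basename(path.replace("\\", "/")).lower()


def detect(events):
    """Walk an ordered event stream; return (rule, pid, detail) findings.

    The side-load rule fires on its own and taints the process. Every later
    rule only fires for a tainted process or one of its descendants, so an
    ordinary scheduled task or HTTP POST from unrelated software is ignored.
    """
    findings = []
    tainted = set()   # pids tied to the side-loaded loader
    parent_of = {}    # pid -> ppid, learned from process_create events

    def is_tainted(pid):
        while pid is not None:
            if pid in tainted:
                return True
            pid = parent_of.get(pid)
        return False

    for ev in events:
        kind, pid = ev["type"], ev["pid"]
        if kind == "process_create":
            parent_of[pid] = ev["ppid"]
            if is_tainted(ev["ppid"]):
                tainted.add(pid)   # children of the loader inherit suspicion
        elif kind == "image_load":
            image = ev["image"]
            if _name(image) == SIDELOAD_DLL and _name(ev["process"]) in SIDELOAD_HOSTS:
                tainted.add(pid)
                findings.append(("sideload", pid, image))
            # A second ntdll.dll mapped from outside System32 is the visible
            # side of the hook removal by library replacement described above.
            elif _name(image) == "ntdll.dll" and image.lower() != SYSTEM_NTDLL and is_tainted(pid):
                findings.append(("ntdll_replace", pid, image))
        elif kind == "etw_disable" and is_tainted(pid):
            findings.append(("etw_tamper", pid, ev.get("detail", "")))
        elif kind == "scheduled_task_create" and is_tainted(pid):
            findings.append(("persistence", pid, ev["task"]))
        elif kind == "http_request" and is_tainted(pid):
            if ev["method"] == "POST":
                findings.append(("beacon", pid, ev["host"]))
            if ev.get("upgrade", "").lower() == "websocket":
                findings.append(("c2_websocket", pid, ev["host"]))
    return findings


# Constructed sample telemetry; not captured from a real infection.
TMP = r"C:\Users\u\AppData\Local\Temp"
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 100, "ppid": 1, "process": r"C:\Windows\explorer.exe"},
    {"type": "process_create", "pid": 200, "ppid": 100, "process": TMP + r"\LogiAIPromptBuilder.exe"},
    {"type": "image_load", "pid": 200, "process": TMP + r"\LogiAIPromptBuilder.exe",
     "image": TMP + r"\screen_retriever_plugin.dll"},
    {"type": "image_load", "pid": 200, "process": TMP + r"\LogiAIPromptBuilder.exe",
     "image": TMP + r"\ntdll.dll"},
    {"type": "etw_disable", "pid": 200, "detail": "tracing session stopped"},
    {"type": "process_create", "pid": 300, "ppid": 200, "process": TMP + r"\banker.exe"},
    {"type": "scheduled_task_create", "pid": 300, "task": r"\Updater"},
    {"type": "http_request", "pid": 300, "method": "POST", "host": "c2.example.invalid"},
    {"type": "http_request", "pid": 300, "method": "GET", "host": "ws.example.invalid",
     "upgrade": "websocket"},
    # Benign noise from an untainted process: must not alert.
    {"type": "scheduled_task_create", "pid": 100, "task": r"\Microsoft\Windows\Backup"},
    {"type": "http_request", "pid": 100, "method": "POST", "host": "telemetry.example.invalid"},
]

if __name__ == "__main__":
    for rule, pid, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:14} pid={pid} {detail}")
```

The chaining is the point: a scheduled task or an outbound POST is too common to alert on alone, but the same events from a process lineage that began with a signed Logitech binary loading screen_retriever_plugin.dll from a user-writable directory are worth a ticket. A real deployment would key on the signer and original path of the host executable rather than its file name, since the name is the part an operator can change most cheaply.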

In tandem, the loader invokes the worming module to propagate the trojan via spam and phishing messages at scale. It employs a two-pronged approach that involves a WhatsApp Web worm that hijacks authenticated browser sessions and an Outlook email bot that abuses Microsoft Outlook to send fake emails to the victim's contacts. Like in the case of SORVEPOTEL, the WhatsApp worm retrieves a messaging template from the server and leverages the open-source project WPPConnect to automate the sending of messages to other users, while filtering out groups, broadcasts, and non-Brazilian numbers.

The Outlook agent, on the other hand, is an email spambot that abuses the victim's installed Microsoft Outlook application to send phishing emails from the victim's email address, thereby bypassing spam filters and giving the messages an illusion of trust. "TCLBANKER hijacks a victim's WhatsApp session and Outlook account to spam up to 3,000 contacts with the trojanized installer, this sends malware from the victim's own accounts, through their own contacts, using legitimate infrastructure," an Elastic spokesperson told The Hacker News.
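Because the Outlook spambot just described sends from the victim's genuine address through the victim's own mail client, sender reputation and authentication checks pass; what remains visible to a mail gateway is the fan-out (many distinct recipients from one account in a short window) and the zipped installer riding along. The Python below is an added example for this page, not a vendor rule. Its log format (timestamp sender recipient attachment), the 10-minute window and the 25-recipient threshold are assumptions chosen for the constructed sample, not values from the article.

```python
"""Fan-out detection for the Outlook spambot behaviour described above.

Added example for this page, not a vendor rule. Lines are constructed in an
assumed "timestamp sender recipient attachment" format ('-' = none); the
window and threshold are assumptions picked for the sample.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)
FANOUT_THRESHOLD = 25            # distinct recipients per sender per window
SUSPECT_EXTENSIONS = (".zip",)   # the trojanized installer ships zipped


def parse(line):
    """Split one log line into (timestamp, sender, recipient, attachment)."""
    ts, sender, rcpt, attachment = line.split()
    return datetime.fromisoformat(ts), sender.lower(), rcpt.lower(), attachment.lower()


def find_fanout(lines):
    """Return {sender: (distinct_recipients, zipped_share)} for every sender
    that reached FANOUT_THRESHOLD distinct recipients inside one WINDOW.

    A sliding deque per sender keeps only messages inside the window, so a
    normal user's slow trickle of mail to many people never accumulates.
    """
    recent = defaultdict(deque)
    hits = {}
    for ts, sender, rcpt, att in sorted(map(parse, lines)):
        window = recent[sender]
        window.append((ts, rcpt, att))
        while ts - window[0][0] > WINDOW:
            window.popleft()
        recipients = {r for _, r, _ in window}
        if len(recipients) >= FANOUT_THRESHOLD:
            zipped = sum(1 for _, _, a in window if a.endswith(SUSPECT_EXTENSIONS))
            hits[sender] = (len(recipients), zipped / len(window))
    return hits


# Constructed sample log: one hijacked account blasting a zipped "document"
# to 30 contacts in under three minutes, plus an ordinary user's mail.
START = datetime(2026, 5, 8, 9, 0, 0)
SAMPLE_LOG = [
    f"{(START + timedelta(seconds=5 * i)).isoformat()} victim@example.invalid "
    f"contact{i}@example.invalid Documento.zip"
    for i in range(30)
] + [
    f"{(START + timedelta(minutes=m)).isoformat()} alice@example.invalid "
    f"bob{m}@example.invalid report.pdf"
    for m in range(3)
]

if __name__ == "__main__":
    for sender, (n, share) in find_fanout(SAMPLE_LOG).items():
        print(f"{sender}: {n} recipients, {share:.0%} zipped attachments")
```

The zipped share is reported alongside the count rather than used as a hard filter, so the rule still surfaces a burst that switches to a different lure; tuning the threshold per sender population (a newsletter account legitimately fans out) is the part that needs local data.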

Traditional email gateways and reputation-based defenses are essentially blind to it.

REF3076 appears to be in early operational stages, with debug logging paths, test process names, and an incomplete phishing site present in the code. This indicates the campaign is still being fleshed out and could further evolve over time.

Elastic Security Labs told The Hacker News that REF3076 and Water Saci are the same threat actor, citing a "multitude of converging elements," including infrastructure and functionality overlaps between TCLBANKER and MAVERICK/SORVEPOTEL. "First, infrastructure. A TCLBANKER C2 [command-and-control] domain previously shared a single Brazilian-hosted IP with both a REF3076 phishing domain and a known SORVEPOTEL/MAVERICK domain documented by Trend Micro," Elastic said. "This results in three C2 domains, two named activity clusters, and one IP address."

"Second, the implant. TCLBANKER's list of 59 Brazilian banking, fintech, and crypto targets, and the internal group IDs the operator uses to route them, overlap directly with the target configuration from MAVERICK/SORVEPOTEL, with TCLBANKER carrying an updated superset. Those group IDs are internal bookkeeping; they follow a development team."

The third aspect that ties them together is the same WhatsApp Web hijacking technique, the Brazil-only execution gating, the browser-monitoring approach to detecting banking sessions, and the use of the same backdoor command set carried forward into TCLBANKER's updated protocol. Where TCLBANKER differs is through capabilities, such as Logitech-signed DLL sideloading, a Cloudflare Workers C2 backend, a screen-capture-immune overlay framework, and the introduction of an Outlook email worm alongside the WhatsApp distribution channel.

"TCLBANKER reflects a broader maturation happening across the Brazilian banking trojan ecosystem," Elastic concluded. "Techniques that were once the hallmark of more sophisticated threat actors: environment-gated payload decryption, direct syscall generation, real-time social engineering orchestration over WebSocket, are now being packaged into commodity crimeware." "The campaign inherits the trust and deliverability of legitimate communications by hijacking victims' WhatsApp sessions and Outlook accounts.

This is a distribution model that traditional email gateways and reputation-based defenses are ill-equipped to catch."

(The story was updated after publication on May 16, 2026, to include additional insights from Elastic Security Labs.)
