A highly sophisticated Brazilian banking trojan named TCLBANKER, tracked under the campaign REF3076<\/a>, this malware represents a major update to the older Maverick and SORVEPOTEL families. <\/p>\n It stands out because it uses a fake, signed Logitech installer to infect systems and spreads automatically via WhatsApp and Microsoft Outlook.<\/p>\n The attack begins when a user downloads a malicious ZIP file. Inside this archive is an installer that abuses a real, digitally signed Logitech program called Logi AI Prompt Builder.<\/p>\n By using a technique known as DLL side-loading, the hackers trick the legitimate Logitech application into loading a malicious file instead of its normal system components. Once activated, this hidden loader takes control of the system to prepare the next stages of the attack.<\/p>\n TCLBANKER is carefully built to hide from security researchers. Before it fully unpacks, it checks whether the computer is running in a security sandbox. It looks for debugging tools<\/a>, virtual machines, and specific antivirus software. <\/p>\n It also checks the system language and time zone to ensure the victim is actually located in Brazil. If the environment does not match a real Brazilian user, the payload refuses to decrypt, keeping the malware completely hidden from automated security scanners.<\/p>\n Once the malware confirms it is on a real victim\u2019s machine, it launches the main banking trojan. <\/p>\n This tool continuously monitors the user\u2019s web browser to detect whether the user visits one of 59 targeted banks, financial technology platforms, or cryptocurrency websites. When a match is found, the malware connects to a remote server.<\/p>\n To steal passwords, the trojan uses full-screen overlays built with Microsoft\u2019s Windows Presentation Foundation. These overlays cover the entire screen and look exactly like real banking prompts or official Windows Update screens. <\/p>\n They freeze the desktop, block keyboard shortcuts such as the Windows key or Escape, and turn off screen-capture tools so the victim cannot record the fraud. The user is forced to enter their security codes or personal identification numbers directly into the hacker\u2019s fake screen.<\/p>\n What makes TCLBANKER incredibly dangerous is its ability to spread automatically. The first worm module targets WhatsApp Web<\/a>. The malware scans the computer for web browsers such as Chrome or Edge and looks for active WhatsApp accounts. <\/p>\n Instead of asking the user to scan a new QR code, the malware secretly clones the saved session data. It then opens a hidden browser window, bypasses bot detection, and sends phishing messages and the malware file directly to the victim\u2019s contacts. Because the messages come from a trusted friend, new victims are highly likely to download the file.<\/p>\n Elastic Security Labs has uncovered <\/a>that the second worm module focuses on email. It silently opens Microsoft Outlook in the background and uses Windows COM automation to take complete control of the victim\u2019s email account. <\/p>\n The bot searches the address book and inbox to harvest contacts. It then drafts completely new phishing emails and sends them from the infected user\u2019s actual email address. This technique easily bypasses standard email security filters because the emails originate from a legitimate, trusted source.<\/p>\n All of this malicious activity is managed using serverless cloud tools such as Cloudflare Workers. By using legitimate cloud services, the attackers can quickly change their servers and avoid being blocked by simple network defenses. <\/p>\n The hackers also host their malicious files on Cloudflare, making the download links look safe to the average user. Researchers note that this campaign is still in its early stages, suggesting that the threat actors are likely preparing to expand their targets.<\/p>\n To protect against TCLBANKER, organizations should look for unusual background processes spawned by Logitech applications. <\/p>\n Security teams must monitor for unauthorized browser profile cloning and watch for unusual spikes in outbound emails from Microsoft Outlook. Using advanced endpoint protection that detects unauthorized full-screen overlays is also essential to keeping systems safe from this evolving threat.<\/p>\n IoC<\/strong><\/p>\n Note:<\/strong> IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.<\/em><\/p>\n Cybercriminals now enter through your suppliers instead of your front door \u2013 Free Webinar<\/a><\/strong><\/p>\n The post TCLBANKER Malware Targets Users Through Self-Propagating WhatsApp and Outlook Worm Modules<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n![\"File](\"https:\/\/i0.wp.com\/cybersecuritynews.com\/wp-content\/uploads\/2026\/05\/image-24.png?resize=843%2C389&ssl=1\")
![\"Targeted](\"https:\/\/i0.wp.com\/cybersecuritynews.com\/wp-content\/uploads\/2026\/05\/image-23.png?resize=778%2C460&ssl=1\")
![\"\nEncrypted](\"https:\/\/i0.wp.com\/cybersecuritynews.com\/wp-content\/uploads\/2026\/05\/image-22-1024x303.png?resize=1024%2C303&ssl=1\")
TCLBANKER Malware Targets Users<\/strong><\/h2>\n
![\"Zip](\"https:\/\/i0.wp.com\/cybersecuritynews.com\/wp-content\/uploads\/2026\/05\/image-21.png?resize=950%2C199&ssl=1\")
![\"WhatsApp](\"https:\/\/i0.wp.com\/cybersecuritynews.com\/wp-content\/uploads\/2026\/05\/image-20.png?resize=845%2C912&ssl=1\")
![\"Code](\"https:\/\/i0.wp.com\/cybersecuritynews.com\/wp-content\/uploads\/2026\/05\/image-19-1024x616.png?resize=1024%2C616&ssl=1\")
\n\n
\n \nObservable<\/th>\n Type<\/th>\n Name<\/th>\n Reference<\/th>\n<\/tr>\n<\/thead>\n \n 701d51b7be8b034c860bf97847bd59a87dca8481c4625328813746964995b626<\/td>\n SHA-256<\/td>\n screen_retriever_plugin.dll<\/td>\n TCLBanker loader component<\/td>\n<\/tr>\n \n 8a174aa70a4396547045aef6c69eb0259bae1706880f4375af71085eeb537059<\/td>\n SHA-256<\/td>\n screen_retriever_plugin.dll<\/td>\n TCLBanker loader component<\/td>\n<\/tr>\n \n 668f932433a24bbae89d60b24eee4a24808fc741f62c5a3043bb7c9152342f40<\/td>\n SHA-256<\/td>\n screen_retriever_plugin.dll<\/td>\n TCLBanker loader component<\/td>\n<\/tr>\n \n 63beb7372098c03baab77e0dfc8e5dca5e0a7420f382708a4df79bed2d900394<\/td>\n SHA-256<\/td>\n XXL_21042026-181516.zip<\/td>\n TCLBanker initial ZIP file<\/td>\n<\/tr>\n \n campanha1-api.ef971a42[.]workers.dev<\/td>\n domain-name<\/td>\n <\/td>\n TCLBanker C2<\/td>\n<\/tr>\n \n mxtestacionamentos[.]com<\/td>\n domain-name<\/td>\n <\/td>\n TCLBanker C2<\/td>\n<\/tr>\n \n documents.ef971a42.workers[.]dev<\/td>\n domain-name<\/td>\n <\/td>\n TCLBanker file server<\/td>\n<\/tr>\n \n arquivos-omie[.]com<\/td>\n domain-name<\/td>\n <\/td>\n TCLBanker phishing page (under development)<\/td>\n<\/tr>\n \n documentos-online[.]com<\/td>\n domain-name<\/td>\n <\/td>\n TCLBanker phishing page (under development)<\/td>\n<\/tr>\n \n afonsoferragista[.]com<\/td>\n domain-name<\/td>\n <\/td>\n TCLBanker phishing page (under development)<\/td>\n<\/tr>\n \n doccompartilhe[.]com<\/td>\n domain-name<\/td>\n <\/td>\n TCLBanker phishing page (under development)<\/td>\n<\/tr>\n \n recebamais[.]com<\/td>\n domain-name<\/td>\n <\/td>\n TCLBanker phishing page (under development)<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n