TCLBANKER trojan hijacks WhatsApp, Outlook to spread in Brazil
Elastic Security Labs says TCLBANKER hijacks victims’ WhatsApp and Outlook to send phishing links and installers, propagating a banking worm that activates only on Brazilian machines.
Elastic Security Labs identified a banking trojan it calls TCLBANKER in a campaign tracked as REF3076. The attack starts with a trojanized installer for Logi AI Prompt Builder, a legitimately signed Logitech application. The installer is distributed in a ZIP archive and uses DLL sideloading to run a malicious file that pretends to be a Flutter plugin. The loader drops two .NET Reactor–protected payloads: a banking module and a worm module that propagates the malware.
The loader builds a decryption key from anti-debugging checks, disk and memory characteristics, and system language settings. If the environment looks like a sandbox or has debugging tools attached, the decryption produces invalid data and the malware stops without errors. The loader also patches Windows telemetry functions and creates direct syscall trampolines to evade user-mode hooks. A watchdog process scans for analysis tools such as x64dbg, Ghidra, dnSpy, IDA Pro, Process Hacker and Frida and halts operation if they are present.
The banking module activates only on machines in Brazil. It performs geofencing checks that examine region code, time zone, system locale and keyboard layout. The module reads the active browser URL bar via Windows UI Automation every second across Chrome, Firefox, Edge, Brave, Opera and Vivaldi. When a visited URL matches one of 59 encrypted targets that include Brazilian banks, fintechs and crypto services, the malware opens a WebSocket to a remote server and grants remote control of the machine. Attackers then display a borderless, topmost overlay that is not captured in screenshots. Elastic Security Labs observed three overlay templates: a credential-harvesting form with a fake Brazilian phone number, a fake Windows Update progress screen, and a vishing wait screen used while fraud is carried out.
The worm spreads via two automated methods that abuse the victim’s own accounts. The WhatsApp component searches for active WhatsApp Web sessions in Chromium-based browser profiles, clones the profile, launches a headless Chromium instance, injects JavaScript to evade bot detection, harvests contacts and sends phishing messages containing the TCLBANKER installer. The Outlook component uses Component Object Model (COM) automation to read addresses from the Contacts folder and inbox history and to send emails from the victim’s account. Those messages use the subject ‘NFe disponível para impressão’ and point to a phishing domain that impersonates a Brazilian ERP platform.
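A defender-side triage check for the WhatsApp propagation step, added here as an example (it is not Elastic's code and not the malware's): it parses constructed process-creation records and flags Chromium-family browsers launched headless against a profile directory outside the browsers' default locations, which is what the clone-the-profile-and-run-headless pattern produces. The record format, user name, paths and default-profile hints are assumptions.

```python
import re

# Chromium-family browsers the article names as hosting WhatsApp Web sessions.
CHROMIUM_EXES = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "vivaldi.exe"}

# Assumed default profile locations (lower-case); a cloned profile lands elsewhere.
DEFAULT_PROFILE_HINTS = (
    r"\google\chrome\user data",
    r"\microsoft\edge\user data",
    r"\bravesoftware\brave-browser\user data",
    r"\opera software\opera stable",
    r"\vivaldi\user data",
)

# Constructed record format: image="<path>" cmdline="<full command line>"
EVENT_RE = re.compile(r'image="([^"]+)"\s+cmdline="(.*)"$')
HEADLESS_RE = re.compile(r'(?:^|\s)--headless(?:=\w+)?(?:\s|$)')
PROFILE_RE = re.compile(r'--user-data-dir=(?:"([^"]+)"|(\S+))')

def parse_event(line):
    """Return {'image', 'cmdline'} for one record, or None if it does not parse."""
    m = EVENT_RE.match(line.strip())
    return {"image": m.group(1), "cmdline": m.group(2)} if m else None

def is_suspicious_headless(event):
    """Headless Chromium-family browser using a profile dir outside the defaults."""
    exe = event["image"].rsplit("\\", 1)[-1].lower()
    if exe not in CHROMIUM_EXES or not HEADLESS_RE.search(event["cmdline"]):
        return False
    m = PROFILE_RE.search(event["cmdline"])
    if not m:
        return False  # headless on the default profile: common for tooling, not this pattern
    profile = (m.group(1) or m.group(2)).lower()
    return not any(hint in profile for hint in DEFAULT_PROFILE_HINTS)

def find_suspicious(lines):
    """Image paths of all records matching the cloned-profile headless pattern."""
    return [ev["image"] for ev in map(parse_event, lines)
            if ev and is_suspicious_headless(ev)]

# Constructed sample records (user name and paths are made up).
SAMPLE_EVENTS = [
    r'image="C:\Program Files\Google\Chrome\Application\chrome.exe" cmdline="chrome.exe --headless=new --user-data-dir=C:\Users\ana\AppData\Local\Temp\wa_clone"',
    r'image="C:\Program Files\Google\Chrome\Application\chrome.exe" cmdline="chrome.exe --profile-directory=Default https://web.whatsapp.com/"',
    r'image="C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" cmdline="msedge.exe --headless --user-data-dir="C:\Users\ana\AppData\Local\Microsoft\Edge\User Data" --dump-dom https://example.invalid/"',
    r'image="C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE" cmdline="OUTLOOK.EXE /embedding"',
]

if __name__ == "__main__":
    for image in find_suspicious(SAMPLE_EVENTS):
        print("suspicious headless launch:", image)
```

Legitimate browser automation (test harnesses, scrapers) produces the same launch shape, so treat a hit as a triage lead to be correlated with the parent process and any outbound WhatsApp Web traffic, not as a verdict.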
Elastic Security Labs linked TCLBANKER to the MAVERICK/SORVEPOTEL malware family based on shared infrastructure and code patterns. Elastic Security Labs recommends that users scrutinize unexpected invoice emails and messages, keep software and security tools up to date, and enable multi-factor authentication to reduce the risk of account takeover.