Cybersecurity experts have discovered a new Brazilian banking Trojan, TCLBANKER, that masquerades as legitimate Logitech software and spreads via WhatsApp and Microsoft Outlook. The malware has already targeted at least 59 banking, fintech, and cryptocurrency platforms.
According to researchers at Elastic Security Labs, the new Brazilian banking Trojan (TCLBANKER) was built to target at least 59 banking, fintech, and cryptocurrency sites. The campaign was named “REF3076”, and the malware is considered an evolution of the earlier Maverick malware family and the Water Saci cluster.
The researchers describe an attack that relies on a sophisticated loader with advanced anti-analysis features. Once launched, it deploys a banking Trojan and a worm module; the worm uses the messaging apps WhatsApp and Microsoft Outlook to deliver the malware to thousands of people.
The infection chain begins with a ZIP archive containing a malicious MSI installer. To disguise it, the attackers bundled a legitimately signed copy of the Logitech Logi AI Prompt Builder software.
“The malicious MSI installer in the ZIP file uses DLL side-loading to load the infected library ‘screen_retriever_plugin.dll’ after launching,” said researchers Jia Yu Chang, Daniel Stepanich, Seth Goodwin and Terrence DeJesus. “This library operates like a loader with internal monitoring capabilities continuously checking for AV / sandboxing / debugger / disassembler, etc.”
The malicious DLL only runs when its host process is “logiaipromptbuilder.exe” or “tclloader.exe”. Additionally, TCLBANKER removes user-mode hooks (“User Traps”) from “ntdll.dll” and disables ETW (Event Tracing for Windows) to limit detection.
TCLBANKER also builds a custom “fingerprint” of the computer from anti-debug checks, disk information and language settings; one of those checks is whether Brazilian Portuguese is installed. If the machine does not match what the operators expect, the payload is never decrypted.
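As an added defender-side illustration (not code from Elastic's report or from the article), the following Python rule flags the side-loading pattern described above in constructed Sysmon-style ImageLoad (Event ID 7) records. The process and DLL names come from the article; the log format, file paths, signature values and the list of trusted install directories are assumptions.

```python
import json
import ntpath

# Host process names the article says are the only ones that run the malicious
# DLL, and the side-loaded DLL name itself (both taken from the write-up).
SIDELOAD_HOSTS = {"logiaipromptbuilder.exe", "tclloader.exe"}
SIDELOADED_DLL = "screen_retriever_plugin.dll"
# Directories where a properly installed Logitech build would live (assumption).
TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\program files (x86)\\")

# Constructed Sysmon-style Event ID 7 (ImageLoad) records, one JSON object per
# line. Paths and the Signed/Signature values are made up for illustration.
SAMPLE_LOG = r"""
{"EventID":7,"Image":"C:\\Program Files\\Logitech\\LogiAI\\logiaipromptbuilder.exe","ImageLoaded":"C:\\Program Files\\Logitech\\LogiAI\\screen_retriever_plugin.dll","Signed":"true","Signature":"Logitech"}
{"EventID":7,"Image":"C:\\Users\\ana\\Downloads\\LogiAI\\logiaipromptbuilder.exe","ImageLoaded":"C:\\Users\\ana\\Downloads\\LogiAI\\screen_retriever_plugin.dll","Signed":"false","Signature":""}
{"EventID":7,"Image":"C:\\Users\\ana\\AppData\\Local\\Temp\\tclloader.exe","ImageLoaded":"C:\\Users\\ana\\AppData\\Local\\Temp\\screen_retriever_plugin.dll","Signed":"false","Signature":""}
{"EventID":7,"Image":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","ImageLoaded":"C:\\Windows\\System32\\ntdll.dll","Signed":"true","Signature":"Microsoft Windows"}
"""


def parse_log(text):
    """Parse newline-delimited JSON events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect_sideload(events):
    """Return one alert per ImageLoad event matching the TCLBANKER side-loading pattern."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 7:
            continue
        host = ntpath.basename(ev["Image"]).lower()
        dll = ntpath.basename(ev["ImageLoaded"]).lower()
        if host not in SIDELOAD_HOSTS or dll != SIDELOADED_DLL:
            continue
        reasons = []
        if host == "tclloader.exe":
            reasons.append("renamed host executable")
        if ev.get("Signed", "").lower() != "true":
            reasons.append("unsigned DLL")
        if not ev["ImageLoaded"].lower().startswith(TRUSTED_PREFIXES):
            reasons.append("DLL loaded from outside Program Files")
        if reasons:
            alerts.append({"host": ev["Image"], "dll": ev["ImageLoaded"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect_sideload(parse_log(SAMPLE_LOG)):
        print(alert)
```

The first record (signed DLL loaded by the signed host from its install directory) produces no alert; the two records where the DLL is unsigned and loaded from a user-writable directory do.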
“For instance, if there’s a debugger present it will generate an incorrect hash value — then when the malware attempts to retrieve the decryption keys from the hash value, the payload won’t decrypt properly and TCLBANKER will cease execution,” said Elastic.
After passing all checks, the Trojan establishes persistence on the user’s Windows system through a Windows Scheduled Task, collects general information about the infected PC to send back to its command server, and begins monitoring URLs in each of these web browsers: Google Chrome, Mozilla Firefox, Microsoft Edge, Brave, Opera and Vivaldi.
As soon as TCLBANKER detects that the user has visited a website of one of the targeted banks or financial services, it opens a WebSocket connection to the command server and switches to remote control mode.
With remote control mode activated, TCLBANKER allows operators to:
Execute Shell Commands
Capture Screenshots
Start or Stop Screen Broadcasting
Manipulate Clipboard Contents
Activate Keylogging Capability
Remotely Control Mouse & Keyboard
Access File Systems & Processes
List Active Windows
Display Fake Banking Overlays to Steal Credentials
For social engineering purposes, TCLBANKER includes full-screen WPF overlays. These overlays can display fake Windows Update pop-ups, fake loading indicators and fake banking data input fields, and they are hidden from screen-recording tools.
At the same time, a separate worm module distributes itself via WhatsApp and Outlook. The WhatsApp component uses the open source WPPConnect project to automatically send messages to every contact the victim has saved, excluding groups, mailing lists and non-Brazilian phone numbers.
The Outlook component acts as a spam bot. Using the Microsoft Outlook application on the victim’s device, it sends phishing e-mails directly from the victim’s own e-mail account, thus bypassing spam filters and creating an illusion of credibility.
“TCLBANKER hijacks the victim’s WhatsApp session and Outlook account and sends spam e-mail using a Trojan installer to up to 3000 contacts. Therefore, it sends the malware from the victim’s own accounts using their own contacts via legitimate infrastructure.”
Elastic believes REF3076 is still in its initial testing phase. Researchers found test process names, debug paths and incomplete phishing sites embedded in its code, suggesting the campaign is still under development.
Finally, according to Elastic, TCLBANKER illustrates how quickly the Brazilian banking Trojan ecosystem is expanding. Criminals are beginning to implement techniques once reserved for sophisticated APT groups.
“The campaign inherits the trust and delivery of legitimate messages by hijacking victims’ WhatsApp sessions and Outlook accounts, making it difficult for traditional email gateways and reputation-based defenses to detect,” concluded Elastic.