
Inside TCLBANKER: How a Brazilian Trojan Hijacks WhatsApp and Outlook to Target 59 Financial Platforms

💡 Why It Matters

This highlights the evolving complexity of cyber threats targeting financial institutions, emphasizing the need for advanced threat detection and user education.


The emergence of the TCLBANKER banking Trojan marks a pivotal moment in the evolution of cyber threats targeting the financial sector. First flagged by Elastic Security Labs in May 2026, TCLBANKER leverages a blend of technical sophistication and social engineering, exploiting trusted communication platforms—specifically WhatsApp and Microsoft Outlook—to propagate rapidly and evade conventional defenses. Its campaign, which targets 59 banking, fintech, and cryptocurrency platforms, signals a new era of cross-channel malware that is both regionally focused and globally instructive for cybersecurity professionals.

Dissecting the TCLBANKER Attack Chain

TCLBANKER is not a standalone creation but a major update of the Maverick malware family, previously linked to the threat cluster known as Water Saci (as tracked by Trend Micro). The Trojan’s infection chain is notably complex, beginning with a malicious MSI installer concealed within a ZIP archive. This installer abuses a signed Logitech application—Logi AI Prompt Builder—via DLL side-loading, a technique that allows the malware to masquerade as legitimate software and bypass endpoint security. The malicious DLL, named screen_retriever_plugin.dll, acts as a loader equipped with a comprehensive watchdog subsystem, actively monitoring for analysis tools, sandboxes, debuggers, and antivirus software to avoid detection and analysis.

What sets TCLBANKER apart is its multi-stage anti-analysis and anti-virtualization checks. The malware generates three distinct system fingerprints—covering debugging status, disk information, and system language (with a preference for Brazilian Portuguese)—to create an environment hash. This hash is then used to decrypt the embedded payload. If the environment does not match the expected parameters, the payload remains encrypted, effectively thwarting researchers and automated defenses. This level of environmental awareness is a hallmark of advanced persistent threats and demonstrates a significant leap in operational security for financially motivated malware.

Propagation via WhatsApp and Outlook: A Strategic Shift

Unlike earlier banking Trojans that relied primarily on phishing emails or malicious websites, TCLBANKER leverages a worm component—an evolution of the SORVEPOTEL worm—to spread through both WhatsApp Web and Microsoft Outlook. By infiltrating these ubiquitous communication platforms, the malware exponentially increases its reach. Once a system is compromised, the worm can send malicious payloads to the victim's contacts, exploiting the inherent trust in personal and business communications. This dual-channel propagation not only accelerates infection rates but also complicates detection, as traditional email security gateways and endpoint protections are often not configured to inspect traffic within messaging applications or web-based email clients.

For financial institutions, this represents a paradigm shift. The attack surface now includes every endpoint where WhatsApp Web or Outlook is used, extending risk far beyond the perimeter of core banking systems. The blending of personal and professional communication channels in hybrid work environments further amplifies this risk, making it increasingly difficult to enforce consistent security policies across all user devices and contexts.

Target Profile: 59 Financial, Fintech, and Crypto Platforms

According to Elastic Security Labs, TCLBANKER specifically targets 59 banking, fintech, and cryptocurrency platforms, with a focus on Brazilian users. The malware’s system language check ensures it only activates on systems where Brazilian Portuguese is the default, reflecting a trend of regionally tailored cybercrime. This localization increases the likelihood of successful social engineering, as phishing lures and malicious payloads can be crafted in culturally and linguistically relevant ways.

Beyond traditional banks, the inclusion of fintech and crypto platforms in TCLBANKER’s target list signals a broader threat to the digital financial ecosystem. As more consumers and businesses adopt alternative financial services, attackers are adapting their tactics to follow the money. This diversification of targets underscores the need for cross-sector collaboration in threat intelligence and response.

Technical Innovations: Evasion, Persistence, and Data Exfiltration

TCLBANKER’s technical arsenal is notable for its depth and adaptability. The loader’s anti-analysis features extend to removing usermode hooks placed by endpoint security software within ntdll.dll and disabling Event Tracing for Windows (ETW) telemetry, further reducing the likelihood of detection. Persistence is established via scheduled tasks, ensuring the malware survives system reboots and maintains long-term access.

Once active, the banking Trojan component verifies the system’s regional settings before initiating communication with an external command-and-control (C2) server. This is accomplished through HTTP POST requests containing basic system information, enabling attackers to profile victims and tailor subsequent payloads. TCLBANKER also features a self-update mechanism, allowing operators to push new modules or adapt tactics in response to evolving defenses. A URL monitor leverages UI Automation to extract the current URL from the foreground browser’s address bar, enabling real-time targeting of users as they access online banking or crypto platforms.
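The check-in traffic described above (repeated HTTP POST requests carrying a small amount of system information) is the kind of pattern a proxy or egress log can surface. The following is an added example of beaconing detection and is not code from the article or from Elastic Security Labs: the log format (a simplified W3C-style line with time, client IP, method, URL, status and body size), the sample lines, the client address, the 203.0.113.10 destination and the thresholds are all constructed assumptions for illustration. It flags client/host pairs that send small POSTs at suspiciously regular intervals.

```python
"""Beacon-style HTTP POST detection over constructed proxy log lines.

Added example, not code from the article or Elastic Security Labs. The line
format and the sample lines below are constructed; the thresholds are
assumptions that need tuning against real traffic.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlsplit

TIME_FORMAT = "%Y-%m-%dT%H:%M:%S"
MIN_REQUESTS = 4        # enough samples to judge regularity
MAX_CV = 0.15           # coefficient of variation of inter-request gaps
MAX_BODY_BYTES = 2048   # "basic system information" is a small body

# Constructed log lines: one client sends small POSTs to 203.0.113.10 every
# ~5 minutes, mixed with ordinary browsing and irregular legitimate POSTs.
SAMPLE_LOG = [
    "2026-05-04T09:00:00 10.0.0.15 POST http://203.0.113.10/api/check 200 612",
    "2026-05-04T09:01:10 10.0.0.15 GET http://example.com/news 200 48213",
    "2026-05-04T09:02:30 10.0.0.15 POST http://example.com/login 302 340",
    "2026-05-04T09:05:01 10.0.0.15 POST http://203.0.113.10/api/check 200 615",
    "2026-05-04T09:09:59 10.0.0.15 POST http://203.0.113.10/api/check 200 610",
    "2026-05-04T09:15:00 10.0.0.15 POST http://203.0.113.10/api/check 200 618",
    "2026-05-04T09:20:02 10.0.0.15 POST http://203.0.113.10/api/check 200 611",
    "2026-05-04T09:31:45 10.0.0.15 POST http://example.com/search 200 210",
    "2026-05-04T09:33:00 10.0.0.15 POST http://example.com/search 200 220",
    "2026-05-04T10:10:00 10.0.0.15 POST http://example.com/search 200 230",
]


def parse_line(line: str) -> dict:
    """Split one constructed log line into typed fields."""
    ts, client, method, url, status, size = line.split()
    return {
        "ts": datetime.strptime(ts, TIME_FORMAT),
        "client": client,
        "method": method,
        "host": urlsplit(url).hostname,
        "status": int(status),
        "size": int(size),
    }


def find_beacons(lines: list[str]) -> list[dict]:
    """Return one alert per (client, host) pair whose small POSTs recur at
    near-constant intervals. Regularity is measured as the coefficient of
    variation (stddev / mean) of the gaps between consecutive requests."""
    posts: dict[tuple[str, str], list[datetime]] = defaultdict(list)
    for rec in map(parse_line, lines):
        if rec["method"] == "POST" and rec["size"] <= MAX_BODY_BYTES:
            posts[(rec["client"], rec["host"])].append(rec["ts"])

    alerts = []
    for (client, host), times in posts.items():
        if len(times) < MIN_REQUESTS:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= MAX_CV:
            alerts.append({"client": client, "host": host, "count": len(times),
                           "mean_gap_s": round(avg, 1), "cv": round(cv, 3)})
    return alerts


if __name__ == "__main__":
    for alert in find_beacons(SAMPLE_LOG):
        print(alert)
```

The irregular POSTs to example.com pass the count threshold but fail the regularity test, which is the point of using a dispersion measure rather than a plain request count; in production, rare-destination scoring and jitter-tolerant thresholds would be layered on top.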

Operational Risks and Barriers to Detection

The sophistication of TCLBANKER’s anti-analysis and anti-virtualization techniques presents significant operational risks for defenders. Security teams relying on traditional signature-based detection or sandbox analysis may find their tools rendered ineffective. The malware’s selective execution—triggered only when loaded by specific processes such as logiaipromptbuilder.exe or tclloader.exe—further complicates automated analysis and incident response workflows.
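The side-loading chain described earlier (a signed Logitech host loading screen_retriever_plugin.dll from beside itself) and the host-process restriction mentioned here (logiaipromptbuilder.exe or tclloader.exe) together give a defender something concrete to look for in image-load telemetry. The following is an added example and not code from the article or Elastic Security Labs: the event schema is a constructed subset of Sysmon Event ID 7 (ImageLoad) fields, the sample events, the install paths and the list of user-writable directory markers are assumptions, and only the process and DLL names come from the article.

```python
"""Flag DLL side-loading indicators in constructed image-load telemetry.

Added example, not code from the article or Elastic Security Labs. The event
dicts mimic a subset of Sysmon Event ID 7 fields (Image, ImageLoaded, Signed,
SignatureStatus); the sample events and directory markers are constructed.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Host process names the article reports as the only ones that trigger the payload.
HOST_PROCESSES = {"logiaipromptbuilder.exe", "tclloader.exe"}
# Loader DLL name the article reports.
KNOWN_LOADER_DLLS = {"screen_retriever_plugin.dll"}
# Path fragments for directories an unprivileged user can write to (assumption).
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\programdata\\")


@dataclass(frozen=True)
class Finding:
    severity: str      # "high" or "medium"
    rule: str
    image: str         # loading process
    image_loaded: str  # DLL that was loaded


def _is_validly_signed(event: dict) -> bool:
    return event.get("Signed") == "true" and event.get("SignatureStatus") == "Valid"


def analyze_image_load(event: dict) -> list[Finding]:
    """Apply three rules to one ImageLoad-style event and return the findings."""
    image = PureWindowsPath(event["Image"])
    loaded = PureWindowsPath(event["ImageLoaded"])
    host, dll = image.name.lower(), loaded.name.lower()
    same_dir = loaded.parent == image.parent   # PureWindowsPath compares case-insensitively
    signed = _is_validly_signed(event)
    findings: list[Finding] = []

    # Rule 1: exact loader DLL name from public reporting (high confidence, low coverage).
    if dll in KNOWN_LOADER_DLLS:
        findings.append(Finding("high", "known loader DLL name", str(image), str(loaded)))

    # Rule 2: one of the named host processes resolving an unsigned DLL beside
    # itself. Side-loading depends on the host finding the DLL in its own directory.
    if host in HOST_PROCESSES and same_dir and not signed:
        findings.append(Finding("high", "named host side-loads unsigned DLL", str(image), str(loaded)))

    # Rule 3: generic and noisier: any process loading an unsigned DLL from its own
    # directory when that directory is user-writable. Expect to tune this one.
    loaded_dir = str(loaded.parent).lower() + "\\"
    if not signed and same_dir and any(m in loaded_dir for m in USER_WRITABLE_MARKERS):
        findings.append(Finding("medium", "unsigned DLL from user-writable app dir", str(image), str(loaded)))
    return findings


# Constructed events: a side-loaded loader beside a copy of the host app, a benign
# load of a signed system DLL by the same host, and an unrelated app in AppData.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\ana\AppData\Local\LogiAI\logiaipromptbuilder.exe",
     "ImageLoaded": r"C:\Users\ana\AppData\Local\LogiAI\screen_retriever_plugin.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Users\ana\AppData\Local\LogiAI\logiaipromptbuilder.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\Users\ana\AppData\Local\SomeApp\someapp.exe",
     "ImageLoaded": r"C:\Users\ana\AppData\Local\SomeApp\plugin.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
]


def run_detection(events: list[dict]) -> list[Finding]:
    return [f for e in events for f in analyze_image_load(e)]


if __name__ == "__main__":
    for finding in run_detection(SAMPLE_EVENTS):
        print(finding)
```

Rule 1 breaks as soon as the operators rename the DLL, rule 2 survives a rename but not a new host binary, and rule 3 is the durable behavioural signal at the cost of false positives from legitimate per-user applications; layering the three is what makes the detection both specific and resilient.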

However, TCLBANKER’s reliance on social engineering and user interaction remains a critical limitation. The initial infection still depends on convincing users to open a malicious attachment or click a deceptive link, typically delivered via trusted contacts or business correspondence. This human factor introduces variability in infection rates and provides a potential avenue for mitigation through targeted user education and awareness campaigns.

Strategic Implications for Financial Institutions

The TCLBANKER campaign exposes systemic vulnerabilities in the way financial institutions approach endpoint and communication security. With attackers now exploiting channels like WhatsApp and Outlook, organizations must move beyond perimeter defenses and invest in advanced threat detection that encompasses messaging platforms and web-based email. This includes deploying behavioral analytics, anomaly detection, and sandboxing solutions capable of inspecting traffic and attachments within these channels.

Employee training must also evolve. Traditional phishing awareness programs are insufficient when threats arrive via trusted messaging apps or business email. Institutions should prioritize scenario-based training that reflects the blended nature of modern attacks, emphasizing the risks associated with opening unexpected files or clicking links—even from known contacts. Additionally, organizations should review and tighten policies around the use of personal messaging applications on corporate devices, especially in regulated industries.

Competitive Landscape and Ecosystem Response

The rapid evolution of TCLBANKER and its predecessors reflects a broader trend: cybercriminal groups are investing in modular, updateable malware platforms that can pivot quickly in response to defensive innovations. The use of legitimate software (such as Logitech’s Logi AI Prompt Builder) for DLL side-loading is part of a growing arsenal of living-off-the-land techniques, which exploit trusted binaries to evade detection. This trend places additional pressure on software vendors to audit their supply chains and harden their applications against abuse.

For cybersecurity vendors, TCLBANKER’s campaign is a call to action. Solutions must be capable of detecting lateral movement and worm-like behavior within messaging and collaboration platforms. Threat intelligence sharing—both within the financial sector and across industries—will be critical to identifying new variants and attack vectors before they achieve widespread impact. The Brazilian focus of TCLBANKER also highlights the importance of regional intelligence and the need for global organizations to tailor their defenses to local threat landscapes.

Second-Order Effects and Non-Obvious Implications

One non-obvious implication of TCLBANKER’s campaign is the potential for cross-pollination of techniques between financially motivated and state-sponsored actors. The malware’s anti-analysis features and selective targeting mechanisms are reminiscent of advanced persistent threats (APTs) typically associated with espionage rather than cybercrime. As these techniques become commoditized, defenders should anticipate their adoption in a wider range of attack scenarios, including those targeting critical infrastructure and supply chains.

Additionally, the campaign may accelerate the adoption of zero-trust principles within financial institutions. As the boundaries between personal and professional communication blur, organizations will need to verify the legitimacy of every user, device, and transaction—regardless of origin or channel. This shift could drive increased investment in identity and access management, endpoint detection and response (EDR), and secure access service edge (SASE) solutions.

Future Outlook: Adapting to a Dynamic Threat Landscape

The TCLBANKER Trojan is a harbinger of the next phase in cybercrime: agile, regionally tailored malware that exploits the convergence of personal and business communications. As attackers continue to innovate, defenders must adopt a proactive, intelligence-driven approach to security—one that anticipates new attack vectors and adapts in real time. Collaboration between financial institutions, cybersecurity vendors, and law enforcement will be essential to staying ahead of increasingly sophisticated threats.

In the near term, organizations should prioritize the integration of advanced threat detection across all communication channels, invest in continuous user education, and participate in industry-wide intelligence sharing initiatives. Over the longer term, the lessons of TCLBANKER will inform the development of more resilient, adaptive security architectures capable of withstanding the evolving tactics of both cybercriminal and nation-state actors.

Conclusion

TCLBANKER’s campaign is a stark reminder that the threat landscape is not static. By weaponizing trusted platforms like WhatsApp and Outlook, attackers are exploiting the very tools that underpin modern business and personal communication. For financial institutions and their partners, the imperative is clear: adapt, collaborate, and invest in the next generation of security solutions—or risk being left vulnerable to the next wave of cyber threats.
