Inside TCLBANKER: The Brazilian Trojan Exploiting WhatsApp and Outlook to Target 59 Financial Platforms
The emergence of the TCLBANKER banking Trojan signals a new escalation in the sophistication and reach of financial cyber threats. Uncovered by Elastic Security Labs and tracked as REF3076, TCLBANKER is a major evolution of the Maverick malware family, with a particular focus on Brazilian users and institutions. Its propagation through trusted communication channels like WhatsApp and Microsoft Outlook, combined with advanced anti-analysis techniques, marks a significant shift in the operational strategies of cybercriminals targeting the financial sector. As the malware targets a broad spectrum of 59 banking, fintech, and cryptocurrency platforms, the implications for both institutions and end-users are profound and far-reaching.
Dissecting TCLBANKER: Technical Anatomy and Infection Chain
TCLBANKER distinguishes itself from traditional banking Trojans through its multi-layered infection chain and robust evasion mechanisms. According to Elastic Security Labs, the attack begins with a malicious MSI installer bundled inside a ZIP file, which is distributed via phishing campaigns. Notably, these MSI packages abuse a signed Logitech program, Logi AI Prompt Builder, to facilitate DLL side-loading—a technique that leverages legitimate software to execute malicious code undetected. The loader, named screen_retriever_plugin.dll, incorporates a comprehensive watchdog subsystem that actively scans for analysis tools, sandboxes, debuggers, and antivirus software, terminating execution if such tools are detected.
The loader only activates if launched by either logiaipromptbuilder.exe or tclloader.exe, further complicating detection efforts. To evade endpoint security, TCLBANKER removes usermode hooks from ntdll.dll and disables Windows Event Tracing (ETW) telemetry, blinding many security monitoring solutions. The malware also performs a series of environmental checks, including anti-debugging, anti-virtualization, system disk information, and language verification, generating a unique hash used to decrypt its embedded payload. Crucially, TCLBANKER only proceeds if the system language is set to Brazilian Portuguese, underscoring its geographic targeting strategy.
Propagation via WhatsApp and Outlook: Exploiting Trust at Scale
What sets TCLBANKER apart is its worm-like propagation strategy, leveraging both WhatsApp Web and Microsoft Outlook to spread laterally across networks and social graphs. The malware’s worm component, inherited from the SORVEPOTEL worm used in previous Maverick campaigns attributed to the Water Saci threat cluster (as identified by Trend Micro), accesses a victim’s WhatsApp contacts and Outlook address book to send malicious payloads disguised as legitimate files or links. This approach exploits the inherent trust users place in messages from known contacts and official-looking emails, dramatically increasing infection rates.
For example, a compromised user may unwittingly forward an infected ZIP file to colleagues or friends, who, trusting the source, are more likely to open the attachment. In business environments, Outlook-based propagation can rapidly compromise entire departments or organizations, especially where cybersecurity awareness is inconsistent. The use of social engineering—such as urgent requests or references to ongoing projects—further enhances the likelihood of successful infection.
Targeting the Financial Ecosystem: 59 Platforms at Risk
TCLBANKER’s primary targets are financial institutions and platforms operating in Brazil, with its codebase specifically checking for Brazilian system language before executing its payload. According to Elastic Security Labs, the malware is capable of targeting 59 distinct banking, fintech, and cryptocurrency platforms. This broad targeting reflects a strategic intent to maximize financial gain while minimizing the risk of detection outside its preferred geography.
Once active, the banking Trojan component establishes persistence via scheduled tasks and immediately beacons out to an external command-and-control server with system information. It features a self-update mechanism, allowing operators to push new capabilities or evade emerging detection signatures. TCLBANKER also includes a URL monitor that extracts the current URL from the foreground browser’s address bar using UI Automation, enabling real-time targeting of users as they interact with online banking portals. This capability allows the malware to intercept credentials, manipulate transactions, and potentially inject fraudulent instructions during active banking sessions.
Operational Risks and Systemic Implications
The operational risks posed by TCLBANKER extend beyond individual account compromise. The malware’s ability to manipulate transactions in real time, coupled with its persistence and self-updating features, creates a persistent threat to the integrity of financial operations. For financial institutions, a successful breach can result in unauthorized fund transfers, regulatory penalties, and significant reputational damage. The interconnectedness of modern financial systems means that a single compromised endpoint can serve as a launchpad for broader attacks, including lateral movement within corporate networks and supply chain compromise.
For end-users, the consequences are equally severe. Stolen credentials can facilitate identity theft, unauthorized account access, and direct financial loss. The malware’s focus on Brazilian users highlights the ongoing challenge of regionally targeted cybercrime, where local language, banking practices, and regulatory environments are exploited for maximum effect.
Defensive Limitations and the Arms Race in Cybersecurity
While user vigilance remains a critical line of defense, TCLBANKER’s sophisticated social engineering and anti-analysis techniques reduce the effectiveness of traditional awareness campaigns. The malware’s reliance on user interaction—such as opening attachments or clicking links—means that even well-informed users can be deceived by convincing lures. Furthermore, its technical sophistication allows it to evade many endpoint security solutions, particularly those reliant on signature-based detection or standard behavioral analytics.
On the positive side, the malware’s geographic targeting and reliance on specific propagation channels (WhatsApp and Outlook) provide defenders with actionable intelligence for threat hunting and network monitoring. Security teams can prioritize monitoring for suspicious ZIP and MSI files, especially those referencing the Logitech Logi AI Prompt Builder, and implement geo-fencing or language-based controls to limit exposure.
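A hunting rule for the side-loading chain described in the infection-chain section (the signed Logitech Logi AI Prompt Builder host, or tclloader.exe, loading screen_retriever_plugin.dll), as an added example that is not part of the article or of Elastic Security Labs' research. The image-load events are constructed samples, and the msiexec.exe parent and user-writable drop path are assumptions the article does not state.

```python
"""Hunt for the TCLBANKER (REF3076) DLL side-loading chain in image-load events.
Added example, not Elastic's or the article's code; sample events are constructed.
Article indicators: Logitech host logiaipromptbuilder.exe (or tclloader.exe) loading
screen_retriever_plugin.dll. Assumed (not in the article): msiexec.exe as the parent
process and a user-writable drop path."""
import json
from pathlib import PureWindowsPath

HOST_BINARIES = {"logiaipromptbuilder.exe", "tclloader.exe"}
LOADER_DLL = "screen_retriever_plugin.dll"
# Assumed heuristic: a genuine Logitech install lives under Program Files, so a
# DLL loaded from one of these locations deserves a look.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")

def is_user_writable(path: str) -> bool:
    low = path.lower()
    return any(marker in low for marker in USER_WRITABLE)

def classify(event: dict) -> list:
    """Return the reasons an image-load event matches the chain ([] if clean)."""
    proc = PureWindowsPath(event["process"]).name.lower()
    if proc not in HOST_BINARIES:
        return []
    dll = PureWindowsPath(event["image"]).name.lower()
    parent = PureWindowsPath(event.get("parent", "")).name.lower()
    reasons = []
    if dll == LOADER_DLL:
        reasons.append("known TCLBANKER loader DLL side-loaded into Logitech host")
    if is_user_writable(event["image"]):
        reasons.append("host loading a DLL from a user-writable path")
    if parent == "msiexec.exe":  # assumption: the MSI dropper starts the host
        reasons.append("host spawned by msiexec.exe")
    return reasons

def hunt(lines) -> dict:
    """Map event id -> match reasons for every JSON-lines record that matches."""
    events = (json.loads(line) for line in lines)
    return {e["id"]: r for e in events if (r := classify(e))}

# Constructed sample events (not real telemetry); raw strings keep the JSON escapes.
SAMPLE_EVENTS = [
    r'{"id": 1, "process": "C:\\Program Files\\Logitech\\LogiAI\\logiaipromptbuilder.exe", "image": "C:\\Program Files\\Logitech\\LogiAI\\helper.dll", "parent": "C:\\Windows\\explorer.exe"}',
    r'{"id": 2, "process": "C:\\Users\\ana\\AppData\\Local\\Temp\\LogiAI\\logiaipromptbuilder.exe", "image": "C:\\Users\\ana\\AppData\\Local\\Temp\\LogiAI\\screen_retriever_plugin.dll", "parent": "C:\\Windows\\System32\\msiexec.exe"}',
    r'{"id": 3, "process": "C:\\ProgramData\\tcl\\tclloader.exe", "image": "C:\\ProgramData\\tcl\\screen_retriever_plugin.dll", "parent": "C:\\Windows\\explorer.exe"}',
    r'{"id": 4, "process": "C:\\Program Files\\Google\\Chrome\\chrome.exe", "image": "C:\\Users\\ana\\AppData\\Local\\plugin.dll", "parent": "C:\\Windows\\explorer.exe"}',
]
```

Event 1 is the legitimate Logitech install and event 4 an unrelated browser load; only events 2 and 3 are flagged, with event 2 hitting all three checks.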
Competitive Landscape: Evolution of Banking Trojans in Latin America
TCLBANKER’s emergence is part of a broader trend in Latin America, where banking Trojans have evolved rapidly in both technical sophistication and operational scale. The Maverick family, from which TCLBANKER descends, has been linked to the Water Saci threat cluster, a group known for leveraging worm components and exploiting popular communication platforms. This reflects a shift from opportunistic, mass-phishing campaigns to highly targeted, region-specific operations that blend technical innovation with deep local knowledge.
Competing malware families in the region, such as Grandoreiro and Mekotio, have similarly focused on Brazilian financial institutions, but TCLBANKER’s use of signed software for DLL side-loading and its advanced anti-analysis routines set a new standard for stealth and persistence. This escalation signals an ongoing arms race between threat actors and defenders, with each side rapidly adapting to the other’s innovations.
Strategic Outlook: Preparing for the Next Wave of Financial Malware
Looking ahead, the TCLBANKER campaign offers several non-obvious implications for the cybersecurity landscape. First, the abuse of legitimate, signed software for malware delivery highlights a growing trend in supply chain and living-off-the-land attacks. Security teams must expand their focus beyond traditional malware signatures to include behavioral analysis of trusted applications and anomalous use of legitimate binaries.
Second, the use of language and regional checks to limit the malware’s execution footprint demonstrates a strategic effort by threat actors to reduce international scrutiny and law enforcement attention, while maximizing impact within a lucrative target market. This suggests that future banking Trojans may become even more segmented and customized for specific geographies, industries, or even individual institutions.
Third, the integration of worm-like propagation via business and social messaging platforms is likely to accelerate, as attackers seek to exploit the blurred boundaries between personal and professional communications. Enterprises must therefore treat messaging platforms as critical attack surfaces, subject to the same rigorous security controls as email and web gateways.
Recommendations for Financial Institutions and Users
For financial institutions, a multi-layered defense strategy is essential. This includes deploying advanced threat detection systems capable of identifying DLL side-loading and suspicious process behaviors, conducting regular security audits, and ensuring rapid patching of both operating systems and third-party applications. Employee training should specifically address the risks of social engineering via WhatsApp and Outlook, with simulated phishing exercises tailored to current attack trends.
End-users should enable two-factor authentication on all financial accounts, remain vigilant for unsolicited messages—even from known contacts—and avoid opening unexpected attachments or clicking on suspicious links. Regular software updates and the use of reputable endpoint protection solutions can further reduce risk, though no single measure is sufficient against highly adaptive threats like TCLBANKER.
Collaboration between financial institutions, cybersecurity vendors, and law enforcement agencies is also critical. Sharing threat intelligence on emerging malware campaigns and attack techniques can help the broader ecosystem respond more quickly and effectively to evolving threats.
Conclusion: A New Era of Financial Cyber Threats
The TCLBANKER Trojan exemplifies the next generation of banking malware—stealthy, adaptive, and deeply integrated into the communication platforms that underpin modern financial operations. Its targeted approach, technical sophistication, and rapid propagation capabilities demand a commensurate response from both institutions and individuals. As the financial sector braces for increasingly complex threats, the lessons from TCLBANKER’s campaign are clear: proactive defense, continuous education, and cross-industry collaboration are no longer optional—they are essential for survival in the digital age.