New TCLBanker Trojan Hijacks WhatsApp and Outlook to Spread Malware



A new banking trojan named TCLBanker is targeting 59 banking, fintech, and cryptocurrency platforms, with Brazil as its main focus.

Elastic Security Labs discovered the malware, which spreads through a trojanized installer for Logitech AI Prompt Builder. The attack uses DLL side-loading to run inside a legitimate Logitech process, making detection harder for antivirus tools.

TCLBanker focuses on Brazil, but could expand

TCLBanker checks the victim’s timezone, keyboard layout, and system locale before activating. These checks suggest a strong focus on Brazilian users, although researchers warn the campaign could move beyond Latin America.

The malware appears to be an evolved version of Maverick and Sorvepotel, two earlier LATAM banking malware families.

The malware watches banking and crypto sites in real time

Once active, TCLBanker polls the browser address bar every second using the Windows UI Automation APIs. When it detects a targeted banking, fintech, or crypto website, it opens a WebSocket connection to the attacker’s infrastructure.

From there, attackers can stream the screen, capture screenshots, log keystrokes, hijack the clipboard, run shell commands, browse files, list processes, and remotely control the mouse and keyboard.

Fake overlays hide the attack from victims

TCLBanker uses WPF overlays to imitate banking login prompts, PIN screens, fake support forms, Windows Update screens, and loading dialogs.

It can also use “cutout” overlays, which show only selected parts of legitimate apps while hiding suspicious activity. During active sessions, the malware can kill Task Manager to stop victims from seeing what is happening.

TCLBanker also spreads through WhatsApp and Outlook

The malware includes a WhatsApp worm module that hijacks authenticated WhatsApp Web sessions. It extracts IndexedDB data from Chromium profiles and sends spam messages from victim accounts, filtering for Brazilian phone numbers.

It also abuses Microsoft Outlook through COM automation. This lets it harvest contacts and sender addresses, then send phishing emails from the victim’s mailbox.

A major step forward for LATAM banking malware

Researchers describe TCLBanker as highly feature-rich, with anti-analysis protections that include sandbox-aware payload decryption and a watchdog thread searching for tools such as x64dbg, IDA, dnSpy, Frida, Ghidra, and ProcessHacker.

Some code artifacts also suggest AI-assisted development, pointing to a more advanced and faster-moving malware operation. In other security news, threat actors have been abusing Microsoft Teams for espionage campaigns, fake Claude AI software has been used to spread malware, and CloudZ RAT is abusing Phone Link to steal OTPs.

Via Bleeping Computer
