A highly sophisticated Brazilian banking trojan named TCLBANKER, tracked under the campaign identifier REF3076, has been uncovered by Elastic Security Labs. This malware represents a major evolution of the older Maverick and SORVEPOTEL banking trojan families — and its self-propagating capabilities via WhatsApp and Microsoft Outlook make it especially dangerous.
TCLBANKER is engineered with a multi-stage attack chain, advanced sandbox evasion, and dual worm modules designed to spread through trusted communication channels, dramatically increasing its potential reach.
Initial Access: Weaponized Logitech Installer
The attack begins when a user downloads a malicious ZIP file. Inside the archive is an installer that abuses a real, digitally signed Logitech program called Logi AI Prompt Builder. By exploiting a technique known as DLL side-loading, the attackers trick the legitimate Logitech application into loading a malicious DLL file instead of its normal system component.
Once activated, this hidden loader takes control of the system to prepare subsequent stages of the attack. Because it abuses a signed, trusted binary, many security tools are initially fooled into allowing execution.
Sophisticated Sandbox Evasion
Before fully unpacking, TCLBANKER performs a series of environmental checks to determine whether it is running inside a security analysis sandbox:
- Scans for debugging tools and virtual machine artifacts
- Checks for specific antivirus software signatures
- Validates system language and time zone to confirm the victim is physically located in Brazil
If the environment does not match a real Brazilian user profile, the payload refuses to decrypt — keeping the malware completely invisible to automated security scanners and making analysis extremely difficult for researchers outside the target region.
Credential Theft via Full-Screen Overlays
Once confirmed on a real victim’s machine, TCLBANKER launches its core banking trojan component, which continuously monitors the user’s web browser for visits to any of 59 targeted banks, fintech platforms, and cryptocurrency exchanges.
When a target site is detected, the malware constructs a full-screen overlay built with Microsoft’s Windows Presentation Foundation (WPF) framework. These overlays:
- Perfectly mimic legitimate banking prompts or official Windows Update screens
- Freeze the desktop and block keyboard shortcuts (Windows key, Escape, etc.)
- Disable screen capture tools to prevent the victim from recording the fraud
- Force the victim to enter security codes or PINs directly into the attacker’s fake interface
All communications are routed through serverless Cloudflare Workers, allowing attackers to rapidly change infrastructure and evade network-based blocking.
WhatsApp Worm: Silent Session Hijacking
What sets TCLBANKER apart is its self-propagating worm capability. The first worm module targets WhatsApp Web. Rather than requiring the user to scan a new QR code — which would alert the victim — the malware secretly clones saved WhatsApp session data from the browser profile.
It then opens a hidden browser window, bypasses bot detection mechanisms, and sends phishing messages along with copies of the malware directly to the victim’s contact list. Because messages arrive from a trusted contact, new victims are highly likely to download and execute the malicious file.
Outlook Worm: Hijacking the Corporate Email Chain
The second worm module targets Microsoft Outlook. Using Windows COM automation, TCLBANKER silently opens Outlook in the background and takes complete control of the victim’s email account. It then:
- Harvests contacts from the address book and inbox
- Drafts new phishing emails impersonating the infected user
- Sends them from the victim’s actual email address, bypassing standard email security filters
Because the emails originate from a legitimate, trusted source, corporate email gateways and spam filters are unlikely to flag them — making this worm module particularly effective in enterprise environments.
Indicators of Compromise
Key IOCs identified by Elastic Security Labs include SHA-256 hashes for the TCLBANKER loader component (screen_retriever_plugin.dll) and the following command-and-control domains. Security teams should add these to their threat intelligence platforms and SIEM detections:
- C2 domain: campanha1-api.ef971a42[.]workers.dev
- File server: documents.ef971a42.workers[.]dev
- Phishing pages (in development): documentos-online[.]com, recebamais[.]com
Defensive Recommendations
To protect against TCLBANKER, security teams should:
- Monitor for unusual background processes spawned by Logitech or other trusted software vendors
- Watch for unauthorized browser profile cloning or unexplained new browser sessions
- Alert on unusual spikes in outbound emails from Microsoft Outlook, particularly to large contact lists
- Deploy advanced endpoint protection capable of detecting unauthorized full-screen overlays
- Block Cloudflare Workers domains not explicitly whitelisted in corporate environments
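As an added illustration of the first and third recommendations above (not code from Elastic's report), the following Python runs two simple detections over constructed sample telemetry: a vendor-signed process loading a DLL that is unsigned or sits outside its install directory, and a burst of Outlook sends from one user. Field names, the host executable name, paths and thresholds are assumptions; only screen_retriever_plugin.dll comes from the page.

```python
from collections import defaultdict, deque

# Directories a signed vendor binary would normally load its own components from.
PROTECTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")

# Constructed image-load events (field names are assumptions, not Elastic's schema).
# The DLL name is from the report; the host exe name is a placeholder.
IMAGE_LOADS = [
    {"process": r"C:\Program Files\Logitech\LogiPromptBuilder\logi_prompt_builder.exe",
     "process_signer": "Logitech",
     "dll": r"C:\Program Files\Logitech\LogiPromptBuilder\screen_retriever_plugin.dll",
     "dll_signer": "Logitech"},
    {"process": r"C:\Users\maria\AppData\Local\Temp\LogiAI\logi_prompt_builder.exe",
     "process_signer": "Logitech",
     "dll": r"C:\Users\maria\AppData\Local\Temp\LogiAI\screen_retriever_plugin.dll",
     "dll_signer": None},
]

# Constructed Outlook send events as (user, unix_seconds): alice sends 25 mails
# within one minute, bob sends five spread over an hour.
OUTLOOK_SENDS = [("alice", 1000 + 2 * i) for i in range(25)] + \
                [("bob", 2000 + 600 * i) for i in range(5)]


def outside_protected_roots(path):
    """True when the path is not under a protected (non user-writable) root."""
    return not path.lower().startswith(PROTECTED_ROOTS)


def flag_sideloads(events):
    """Flag loads where a vendor-signed process pulls in a DLL that is not signed
    by the same vendor, or that lives outside the protected install roots."""
    return [e["dll"] for e in events
            if e["dll_signer"] != e["process_signer"] or outside_protected_roots(e["dll"])]


def flag_send_bursts(sends, threshold=20, window_s=300):
    """Return users who sent >= threshold mails within any window_s-second span."""
    recent = defaultdict(deque)
    flagged = set()
    for user, ts in sorted(sends, key=lambda s: s[1]):
        q = recent[user]
        q.append(ts)
        while ts - q[0] > window_s:   # drop sends older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged.add(user)
    return flagged


if __name__ == "__main__":
    print(flag_sideloads(IMAGE_LOADS))
    print(flag_send_bursts(OUTLOOK_SENDS))
```

In production the same logic would be fed by EDR image-load and mail-gateway events rather than the inline samples, with thresholds tuned to the environment's baseline.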
Elastic Security Labs notes that this campaign appears to still be in its early stages, suggesting the threat actors may be planning to expand their target list beyond Brazilian financial institutions in the near future.