"TCLBANKER reflects a broader maturation happening across the Brazilian banking trojan ecosystem," Elastic concluded.
REF3076, Maverick lineage, and scope
Threat hunters at Elastic Security Labs are tracking the activity under REF3076 and say it represents a previously undocumented Brazilian banking trojan family dubbed TCLBANKER. The researchers report the malware can target 59 banking, fintech, and cryptocurrency platforms. Elastic assesses TCLBANKER is a major update of the Maverick family, which is known to have leveraged a WhatsApp Web worm called SORVEPOTEL; Trend Micro has attributed the Maverick campaign to a threat cluster it calls Water Saci.
MSI installer, Logitech side‑loading, and the loader DLL
Elastic's analysts Jia Yu Chan, Daniel Stepanic, Seth Goodwin, and Terrance DeJesus describe the observed infection chain as bundling a malicious MSI installer inside a ZIP file. "These MSI installer packages are abusing a signed Logitech program called Logi AI Prompt Builder," the researchers wrote. The campaign abuses that signed application to DLL side‑load a malicious library named "screen_retriever_plugin.dll," which serves as a loader and includes a "comprehensive watchdog subsystem" that looks for analysis tools, sandboxes, debuggers, disassemblers, instrumentation tools, and antivirus software.
The malicious DLL will only execute if it was loaded by either "logiaipromptbuilder.exe" (the Logitech program) or "tclloader.exe" (likely a reference used during testing), and the loader actively removes user‑mode hooks placed by endpoint security within "ntdll.dll" and disables Event Tracing for Windows (ETW) telemetry.
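One way a defender could hunt for the side-loading pairing described above, as an added example that is not Elastic's or Logitech's code: it scores Sysmon-style image-load events in which the Logi AI Prompt Builder host (or the tclloader.exe test name) loads screen_retriever_plugin.dll. The event field names, the vendor install root and the sample telemetry are constructed assumptions.

```python
import json

# Host and loader DLL names come from the report; everything else is assumed.
HOST_IMAGES = {"logiaipromptbuilder.exe", "tclloader.exe"}
LOADER_DLL = "screen_retriever_plugin.dll"
VENDOR_ROOT = r"c:\program files\logitech"  # hypothetical install root

def _base(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def score_event(ev):
    """Return (severity, reason) for one Sysmon-style image-load event, else None."""
    image, loaded = ev.get("Image", ""), ev.get("ImageLoaded", "")
    if _base(image) not in HOST_IMAGES or _base(loaded) != LOADER_DLL:
        return None
    reasons = ["REF3076 loader DLL loaded by Logi AI Prompt Builder host"]
    severity = "medium"
    # Escalate on two side-loading tells: unsigned DLL, host outside vendor root.
    if ev.get("Signed", "").lower() != "true":
        reasons.append("DLL is unsigned")
        severity = "high"
    if not image.lower().startswith(VENDOR_ROOT):
        reasons.append("host runs outside the vendor install root")
        severity = "high"
    return severity, "; ".join(reasons)

def hunt(lines):
    """Apply score_event to JSON-lines telemetry; return (image, severity, reason) hits."""
    hits = []
    for line in filter(str.strip, lines):
        ev = json.loads(line)
        res = score_event(ev)
        if res:
            hits.append((ev["Image"], *res))
    return hits

# Constructed sample telemetry (not real indicators): one side-load from a temp
# directory, one benign ntdll load by the real host, one unrelated process.
SAMPLE = r"""
{"EventID":7,"Image":"C:\\Users\\ana\\AppData\\Local\\Temp\\LogiAIPromptBuilder.exe","ImageLoaded":"C:\\Users\\ana\\AppData\\Local\\Temp\\screen_retriever_plugin.dll","Signed":"false"}
{"EventID":7,"Image":"C:\\Program Files\\Logitech\\LogiAIPromptBuilder.exe","ImageLoaded":"C:\\Windows\\System32\\ntdll.dll","Signed":"true"}
{"EventID":7,"Image":"C:\\Windows\\explorer.exe","ImageLoaded":"C:\\Temp\\screen_retriever_plugin.dll","Signed":"false"}
"""

if __name__ == "__main__":
    for hit in hunt(SAMPLE.splitlines()):
        print(hit)
```

A real rule would also check the parent process of the host (an MSI install from a ZIP, per the report) rather than only the DLL path and signature.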
Anti‑analysis gating and environment‑based decryption
TCLBANKER builds three fingerprints — based on anti‑debugging and anti‑virtualization checks, system disk information checks, and language checks — and combines them into an environment hash used to decrypt the embedded payload. The system language check enforces that the user's default language is Brazilian Portuguese. Elastic explained that if a debugger is present the malware will produce an incorrect hash, causing decryption to fail and halting execution.
Banking trojan functions, overlays, and remote control
Once the payload decrypts and confirms a Brazilian environment, the main trojan establishes persistence via a scheduled task and beacons out with an HTTP POST containing basic system information. TCLBANKER includes a self‑update mechanism and a URL monitor that uses UI Automation to extract the current URL from the foreground browser's address bar; it specifically targets Google Chrome, Mozilla Firefox, Microsoft Edge, Brave, Opera, and Vivaldi.
If the extracted URL matches a hard‑coded list of targeted financial institutions, the malware opens a WebSocket connection to a remote server and enters a command dispatch loop that gives operators broad capabilities, including:
- Run shell commands
- Capture screenshots
- Start/stop screen streaming
- Manipulate clipboard
- Launch a keylogger
- Remotely control mouse/keyboard
- Manage files and processes
- Enumerate running processes
- List visible windows
- Serve fake credential‑stealing overlays
For data theft, TCLBANKER leverages a Windows Presentation Foundation (WPF) full‑screen overlay framework to present social‑engineering screens — credential prompts, vishing wait screens, bogus progress bars, and fake Windows Updates — while hiding overlays from screen capture tools.
WhatsApp Web worm and Outlook spambot for large‑scale distribution
The loader also invokes a worming module that propagates the trojan through spam and phishing at scale. The propagation uses two parallel mechanisms: a WhatsApp Web worm that hijacks authenticated browser sessions and an Outlook email bot that abuses the victim's installed Microsoft Outlook to send phishing messages.
The WhatsApp worm retrieves a messaging template from the server and leverages the open‑source project WPPConnect to automate message sending, filtering out groups, broadcasts, and non‑Brazilian numbers. The Outlook agent abuses the victim's Outlook installation to send phishing emails from the victim's own address, a technique Elastic notes can bypass spam filters and lend the messages an appearance of trust.
What this means for technologists, affected enterprises, and end users
- Technologists and security teams — The campaign packages environment‑gated payload decryption, DLL side‑loading via a signed Logitech MSI, active removal of user‑mode hooks, ETW disablement, and WebSocket‑driven social engineering, all behaviors Elastic highlights as evidence of maturation in Brazilian banking trojans.
- Affected enterprises and procurement leaders — Elastic warns the distribution model inherits the trust and deliverability of legitimate communications by hijacking victims' WhatsApp sessions and Outlook accounts, a gap traditional email gateways and reputation‑based defenses are ill‑equipped to catch.
- End users — The malware's language gating toward Brazilian Portuguese, its use of WhatsApp Web automation, and phishing sent from users' own Outlook installations are specific signals tied to TCLBANKER's spread and social‑engineering playbook.
Elastic's finding frames TCLBANKER not merely as a single campaign but as an example of techniques once reserved for more sophisticated actors being repackaged into commodity crimeware — a shift the researchers say is already changing how banking malware reaches victims. The published details leave clear technical fingerprints: a signed Logitech installer abused for DLL side‑loading, a loader that gates execution on environment checks, and dual propagation through hijacked WhatsApp sessions and Outlook‑sent phishing.
Original reporting: https://thehackernews.com/2026/05/tclbanker-banking-trojan-targets.html