TCLBANKER Threat Actors Intensify Financial Attacks Using Outlook and WhatsApp Worms

TCLBANKER uses WhatsApp and Outlook worms to steal banking credentials and spread through trusted user accounts.


Elastic Security Labs tracks TCLBANKER under the identifier REF3076 and describes it as a significant development in Latin American banking malware. It combines credential theft, remote session control, and worm-like propagation, and it has been linked to the older Maverick and SORVEPOTEL malware families, from which it differs in its more sophisticated stealth and self-distribution features.

The trojan is delivered as a trojanized Logitech AI Prompt Builder MSI installer hidden inside malicious ZIP archives, and it spreads through compromised WhatsApp and Microsoft Outlook accounts. TCLBANKER targets 59 Brazilian banking, fintech, and cryptocurrency platforms and employs extensive anti-analysis protections to evade sandboxes, debugging tools, and security monitoring systems.

Research has shown that although the campaign is currently restricted to Brazil through locale and keyboard-layout checks, its modular architecture could enable broader international expansion in the future. Researchers found that the malicious library "screen_retriever_plugin.dll" is executed through the legitimate Logitech application via DLL sideloading.

The malware only activates when loaded by approved executables such as "logiaipromptbuilder.exe," allowing it to blend into trusted processes and avoid detection. Its loader includes watchdog subsystems that continuously search for debuggers, sandboxes, antivirus engines, and forensic analysis tools. It also removes user-mode hooks from "ntdll.dll" and disables Event Tracing for Windows (ETW) telemetry, reducing the visibility available to endpoint monitoring.

Before decrypting its payload, TCLBANKER performs multiple anti-debugging, anti-virtualization, disk, and language checks and derives an environment-specific hash value from them. If analysis conditions are detected, the payload is deliberately left undecrypted, preventing execution in sandboxes.

Following validation, the malware establishes persistence through scheduled tasks and communicates with external command-and-control infrastructure using HTTP POST requests containing system information.

The malware's layered execution model illustrates a growing trend among financially motivated threat actors: combining enterprise-grade evasion techniques with consumer-focused banking fraud operations. Researchers found that TCLBANKER does not rely solely on credential theft but operates as an interactive remote intrusion platform that maintains prolonged access to compromised systems.

Attackers can monitor user behavior in real time and manipulate banking sessions directly, which lets them evade fraud detection mechanisms designed to flag automated transactions. Because the malware executes most of its activity in memory and leaves few visible artifacts on disk, it is harder for conventional antivirus and endpoint monitoring programs to detect.

As a consequence of these characteristics, analysts caution that the line between traditional banking trojans and lightweight advanced persistent threat tooling is becoming increasingly blurred, particularly as financial criminals run targeted campaigns against online banking ecosystems. TCLBANKER gives its operators a number of remote fraud functions, including screen capture, live session monitoring, clipboard interception, keylogging, and direct shell command execution.

During fraudulent activities, the malware blocks shortcuts such as Alt+F4, Escape, PrintScreen, and the Windows key and repeatedly terminates Task Manager processes to prevent user interference. It also uses the WDA_EXCLUDEFROMCAPTURE window display affinity flag to hide its malicious overlays from screen-recording tools.

TCLBANKER also includes two worm modules, one of them named Tcl.WppBot, which spread via WhatsApp Web and Microsoft Outlook. It sends phishing links to victims' contacts through authenticated WhatsApp sessions and uses Outlook COM automation to send malicious emails from legitimate user accounts. Because the messages travel over trusted communication channels, infection success rates increase significantly.

TCLBANKER monitors activity in Chrome, Firefox, Edge, Brave, Opera, and Vivaldi and specifically targets 59 Brazilian fintech, banking, and cryptocurrency services. During operation, it maintains persistence through a hidden scheduled task named "RuntimeOptimizeService" while continually checking for virtualization platforms, debugging tools, and sandbox environments to preserve operational stealth.
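As an added example (not code from the original post or from Elastic's research), the following Python detection logic covers two behaviours described above: the Logitech host process loading the sideloaded DLL, and registration of the "RuntimeOptimizeService" scheduled task. It runs over constructed Sysmon-style JSON events; the schtasks command line and the assumption that the sideloaded DLL carries no valid signature are mine, not the article's.

```python
import json
SIDELOAD_HOST = "logiaipromptbuilder.exe"      # signed Logitech host named in the article
SIDELOAD_DLL = "screen_retriever_plugin.dll"   # malicious DLL named in the article
PERSISTENCE_TASK = "runtimeoptimizeservice"    # hidden scheduled task named in the article

def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def check_image_load(ev):
    # Sysmon Event ID 7 (ImageLoad): flag the Logitech host loading the named DLL or any
    # unsigned DLL (assumption: the sideloaded DLL does not carry a valid signature).
    if ev.get("EventID") != 7 or _basename(ev.get("Image", "")) != SIDELOAD_HOST:
        return None
    dll = ev.get("ImageLoaded", "")
    signed = str(ev.get("Signed", "false")).lower() == "true"
    if _basename(dll) == SIDELOAD_DLL or not signed:
        return f"possible DLL sideload: {SIDELOAD_HOST} loaded {dll} (signed={signed})"
    return None

def check_task_creation(ev):
    # Sysmon Event ID 1 (ProcessCreate): flag schtasks.exe registering the task name.
    # Assumption: the task is registered via schtasks; the article does not say how.
    if ev.get("EventID") != 1:
        return None
    cmd = ev.get("CommandLine", "").lower()
    if "schtasks" in cmd and "/create" in cmd and PERSISTENCE_TASK in cmd:
        return f"persistence: task {PERSISTENCE_TASK} registered by {ev.get('ParentImage')}"
    return None

def scan(log_lines):
    # Run every check over newline-delimited JSON events and collect alert strings.
    alerts = []
    for line in log_lines:
        ev = json.loads(line)
        for check in (check_image_load, check_task_creation):
            hit = check(ev)
            if hit:
                alerts.append(hit)
    return alerts

SAMPLE_LOG = [  # constructed events: benign signed load, sideload, benign task, malicious task
    '{"EventID": 7, "Image": "C:\\\\Program Files\\\\Logitech\\\\logiaipromptbuilder.exe", "ImageLoaded": "C:\\\\Windows\\\\System32\\\\kernel32.dll", "Signed": "true"}',
    '{"EventID": 7, "Image": "C:\\\\Users\\\\Public\\\\logiaipromptbuilder.exe", "ImageLoaded": "C:\\\\Users\\\\Public\\\\screen_retriever_plugin.dll", "Signed": "false"}',
    '{"EventID": 1, "ParentImage": "C:\\\\Windows\\\\explorer.exe", "CommandLine": "schtasks /create /tn Backup /tr backup.exe /sc daily"}',
    '{"EventID": 1, "ParentImage": "C:\\\\Users\\\\Public\\\\logiaipromptbuilder.exe", "CommandLine": "schtasks /create /tn RuntimeOptimizeService /tr C:\\\\Users\\\\Public\\\\logiaipromptbuilder.exe /sc onlogon"}',
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

In a real deployment the same two checks would be expressed as Sysmon or EDR rules keyed on the host process name, the loaded image's signature status, and scheduled-task registration events.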

Researchers also stressed the operational advantages TCLBANKER gains from abusing trusted communication environments. Unlike traditional phishing campaigns that rely on large-scale spam infrastructure, this malware uses compromised user accounts to distribute malicious content through existing personal and corporate relationships.

Social engineering success rates improve substantially because recipients are more likely to trust links or attachments received from known contacts. Using WhatsApp Web and Microsoft Outlook also lets the campaign spread without depending on attacker-controlled infrastructure that could otherwise be blocked or blacklisted.

According to analysts, this propagation strategy represents an evolution in malware delivery, as threat actors increasingly weaponize legitimate platforms and authenticated sessions to bypass spam filtering, email filtering, reputation-based detection systems, and user suspicion.

Cybersecurity researchers are also concerned by the campaign's continued abuse of legitimately signed applications within malware delivery chains. TCLBANKER exploits user trust in recognized brands by embedding malicious components inside authentic Logitech software, decreasing the likelihood of immediate detection during installation.

DLL sideloading techniques of this kind remain particularly effective because they exploit legitimate application behavior rather than software vulnerabilities. The combination of signed software abuse, environment-aware payload activation, and memory-resident execution makes the malware much less forensically accessible than traditional commodity banking trojans.

Analysts believe these methods will likely persist in future financial malware operations as cybercriminal groups adopt increasingly stealth-oriented intrusion techniques to improve persistence and reduce defender visibility into infected environments. TCLBANKER highlights the growing sophistication of today's banking malware.

TCLBANKER combines trusted software abuse, advanced defense evasion, and self-propagating distribution methods to create a highly adaptive financial threat platform. Its ability to spread through legitimate WhatsApp and Outlook accounts reflects the shift toward trust-based infection chains that improve victim engagement and compromise rates.

While the malware's current operations mainly target Brazilian financial users, researchers caution that its modular, stealth-focused architecture could allow broader international targeting in the future.

According to the findings, hardware and software endpoint monitoring should be strengthened, software validation controls implemented, and user awareness raised as financially motivated cyber threats continue to grow in complexity and reach.