
TCLBANKER Banking Trojan

Cybersecurity researchers have uncovered a previously undocumented Brazilian banking trojan known as TCLBANKER, a highly advanced malware strain designed to target 59 banking, fintech, and cryptocurrency platforms. The campaign is currently tracked under the name REF3076 and is believed to represent a significant evolution of the notorious Maverick malware family, previously associated with the Water Saci threat cluster.

TCLBANKER expands upon earlier attack methods by integrating advanced anti-analysis mechanisms, stealth-focused payload delivery, and large-scale propagation capabilities through compromised communication platforms.

A Stealthy Infection Chain Built for Evasion

The attack begins with a malicious ZIP archive containing an MSI installer that abuses a legitimately signed Logitech application called Logi AI Prompt Builder. Through DLL side-loading, the malware forces the trusted application to load a malicious library named 'screen_retriever_plugin.dll,' which acts as the primary loader.

This loader incorporates an extensive watchdog subsystem specifically engineered to evade detection. It continuously scans for security and analysis environments, including debuggers, antivirus products, disassemblers, sandboxes, and instrumentation tools. Execution only proceeds when the DLL is launched by approved processes such as 'logiaipromptbuilder.exe' or 'tclloader.exe,' the latter likely being linked to internal testing.

To further avoid security monitoring, the malware removes usermode hooks placed within 'ntdll.dll' by endpoint protection solutions and disables Event Tracing for Windows (ETW) telemetry. It also creates multiple system fingerprints based on anti-debugging checks, virtualization detection, disk information, and operating system language settings. These fingerprints generate an environment hash used to decrypt the embedded payload.

The malware specifically validates whether the target system uses Brazilian Portuguese. Any indication of debugging or analysis results in an incorrect hash value, preventing successful payload decryption and halting execution entirely.
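The side-loading step above gives defenders a concrete hunting signal: the signed Logitech host (or the test loader) mapping a DLL named 'screen_retriever_plugin.dll'. The following is an added example, not code from the article or from the researchers; it runs simple detection logic over constructed image-load events modelled loosely on Sysmon Event ID 7 fields (process image, loaded image, signature status), with all paths and the Optional return type being my own assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional

# Names taken from the report: the host binaries the loader accepts,
# and the malicious library it side-loads into them.
APPROVED_HOSTS = {"logiaipromptbuilder.exe", "tclloader.exe"}
SIDELOADED_DLL = "screen_retriever_plugin.dll"


@dataclass
class ImageLoadEvent:
    image: str          # full path of the process doing the load
    image_loaded: str   # full path of the DLL that was mapped
    signed: bool        # whether the loaded DLL carried a valid signature


def basename(path: str) -> str:
    """Lower-cased file name, tolerant of both Windows and POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(ev: ImageLoadEvent) -> Optional[str]:
    """Return a verdict for one image-load event, or None if it is benign.

    'unsigned-sideload' is the strong match (unsigned plugin DLL loaded by an
    approved host); 'named-dll-load' still surfaces a signed DLL of that name
    because the report describes no legitimate plugin by that name.
    """
    host, dll = basename(ev.image), basename(ev.image_loaded)
    if host not in APPROVED_HOSTS or dll != SIDELOADED_DLL:
        return None
    return "unsigned-sideload" if not ev.signed else "named-dll-load"


def triage(events: List[ImageLoadEvent]) -> List[ImageLoadEvent]:
    """Keep only events that match the side-loading pattern."""
    return [ev for ev in events if classify(ev) is not None]


# Constructed sample telemetry (paths are illustrative, not from the report).
SAMPLE_EVENTS = [
    ImageLoadEvent(r"C:\Program Files\Logi\LogiAIPromptBuilder.exe",
                   r"C:\Users\u\AppData\Local\Temp\screen_retriever_plugin.dll",
                   signed=False),
    ImageLoadEvent(r"C:\Windows\explorer.exe",
                   r"C:\Windows\System32\ntdll.dll", signed=True),
    ImageLoadEvent(r"C:\Users\u\Downloads\tclloader.exe",
                   r"C:\Users\u\Downloads\screen_retriever_plugin.dll",
                   signed=False),
]

if __name__ == "__main__":
    for ev in triage(SAMPLE_EVENTS):
        print(classify(ev), basename(ev.image), "->", ev.image_loaded)
```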

Banking Trojan Capabilities Designed for Full System Control

Once the anti-analysis checks are completed, the primary banking trojan is deployed. After confirming the system belongs to a Brazilian user, the malware establishes persistence through scheduled tasks and contacts an external command-and-control server using HTTP POST requests containing system information.

TCLBANKER includes self-update functionality and actively monitors browser activity by extracting URLs from the foreground browser's address bar through UI Automation techniques. The malware targets widely used browsers, including:

  • Google Chrome
  • Mozilla Firefox
  • Microsoft Edge
  • Brave
  • Opera
  • Vivaldi

When a monitored banking or cryptocurrency website is detected, TCLBANKER opens a WebSocket connection to a remote server and enters a command execution loop. This enables attackers to remotely perform a broad range of malicious activities, including system reconnaissance, clipboard manipulation, keylogging, screenshot capture, screen streaming, remote mouse and keyboard control, process management, and deployment of fake credential-harvesting overlays.

Advanced Social Engineering and Credential Theft

TCLBANKER relies heavily on social engineering to steal sensitive information. The malware uses a Windows Presentation Foundation (WPF)-based full-screen overlay framework capable of displaying highly convincing phishing interfaces. These overlays imitate legitimate banking prompts, fake Windows updates, progress bars, and voice-phishing waiting screens designed to manipulate victims into disclosing credentials.

Notably, the overlays are hidden from screen-capture utilities, making detection and forensic analysis significantly more difficult.

WhatsApp and Outlook Turned Into Malware Distribution Tools

Alongside the banking trojan, the loader deploys a worming component responsible for spreading the infection at scale through both WhatsApp Web and Microsoft Outlook. The WhatsApp module hijacks authenticated browser sessions and uses the open-source WPPConnect project to automate message delivery to victims' contacts. To improve targeting efficiency, the malware filters out group chats, broadcast lists, and non-Brazilian phone numbers.

The Outlook component functions as a phishing spambot by abusing the victim's installed Microsoft Outlook application to distribute malicious emails directly from the victim's own address. Because these messages originate from legitimate accounts and trusted infrastructure, traditional spam filters and reputation-based security systems struggle to detect the malicious activity.

The malware can reportedly spam up to 3,000 contacts using compromised WhatsApp sessions and Outlook accounts, dramatically increasing the campaign's reach while exploiting existing trust relationships between victims and their contacts.

Signs of an Expanding Threat Landscape

Researchers believe REF3076 is still in its early operational stages. Evidence such as debug logging paths, unfinished phishing infrastructure, and test process names suggests the operators are continuing to refine and expand the campaign.

TCLBANKER also highlights the rapid evolution occurring within the Brazilian banking malware ecosystem. Techniques once associated only with highly sophisticated threat actors are now appearing in commodity cybercrime operations. These capabilities include:

  • Environment-based payload decryption
  • Direct syscall generation
  • Real-time WebSocket-driven social engineering
  • Trusted-message propagation through hijacked communication platforms

By abusing legitimate WhatsApp and Outlook sessions, TCLBANKER effectively bypasses many conventional security defenses. The campaign demonstrates how modern banking trojans are increasingly blending advanced stealth, automation, and social engineering techniques to create highly resilient and scalable cybercriminal operations.
