Close Menu
  • Instructions
  • News
    • DeFi
    • Smart Contract
    • Markets
    • Web3
    • Adoption
    • Memecoins
    • Analysis
    • Mining
    • Scams
    • Security
  • Education
    • Learn
    • Wallets & Exchange
  • Documentaries
  • Videos
    • Alessio Rastani
    • Altcoin Buzz
    • Coin Bureau
    • Dapp University
    • DataDash
    • Digital asset News
    • EllioTrades Crypto
    • MMCrypto
    • Lark Davis
    • Ivan on Tech
    • Benjamin Cowen
  • Market
    • Crypto Market Cap
    • Heat Map
    • Converter
    • Metal Prices
    • Stock prices
  • Bonus Books
  • Tools
What's Hot

Suspected Fraud in a Cryptocurrency Project—Exercise Extreme Caution Until an Official Statement Is Released

July 10, 2026

Meta's Chief Data Officer Says Agentic Commerce is the "Next Tier of Business"

July 10, 2026

Massive $491M USDT Transfer to Aave Sparks DeFi Liquidity Speculation

July 10, 2026
Facebook X (Twitter) Instagram
Recession Profit AlertsRecession Profit Alerts
  • Instructions
  • News
    • DeFi
    • Smart Contract
    • Markets
    • Web3
    • Adoption
    • Memecoins
    • Analysis
    • Mining
    • Scams
    • Security
  • Education
    • Learn
    • Wallets & Exchange
  • Documentaries
  • Videos
    • Alessio Rastani
    • Altcoin Buzz
    • Coin Bureau
    • Dapp University
    • DataDash
    • Digital asset News
    • EllioTrades Crypto
    • MMCrypto
    • Lark Davis
    • Ivan on Tech
    • Benjamin Cowen
  • Market
    • Crypto Market Cap
    • Heat Map
    • Converter
    • Metal Prices
    • Stock prices
  • Bonus Books
  • Tools
Recession Profit AlertsRecession Profit Alerts
Home»Security»TCLBANKER trojan spreads through victims’ own messaging accounts
Security

TCLBANKER trojan spreads through victims’ own messaging accounts

May 12, 2026No Comments4 Mins Read

Security researchers from Elastic Security Labs have discovered a new Brazilian banking trojan named TCLBANKER. When it infects a machine, it takes over the victim’s WhatsApp and Outlook accounts and sends phishing messages to their contacts.

The campaign is labeled as REF3076. Based on common infrastructure and code patterns, researchers have linked the TCLBANKER to the previously known malware family MAVERICK/SORVEPOTEL.

Trojan spreads through an AI prompt builder

Elastic Security Labs says the malware comes as a trojanized installer for Logi AI Prompt Builder, which is a real signed Logitech app. The installer comes in a ZIP file and uses DLL sideloading to run a malicious file that looks like a Flutter plugin.

Once loaded, the trojan deploys two .NET Reactor-protected payloads. One is a banking module and the other is a worm module built for self-propagation.

After loading, the trojan deploys two .NET Reactor-protected payloads. One is a banking module, and the other is a worm module that can spread itself.

File directory contents showing malicious files. Source: Elastic Security Labs.

Anti-analysis checks block researchers

There are three parts that make up the fingerprint that TCLBANKER’s loader builds.

  1. Anti-debugging checks.
  2. Disk and memory information.
  3. Language settings.

The fingerprint generates the decryption keys for the embedded payload. If something seems wrong, such as a debugger attached, a sandbox environment, or low disk space, the decryption produces garbage, and the malware stops silently.

The loader also patches Windows telemetry functions to blind security tools. It creates direct syscall trampolines to avoid user-mode hooks.

A watchdog is always looking for analysis software such as x64dbg, Ghidra, dnSpy, IDA Pro, Process Hacker, and Frida. If any of these tools is found, the payload stops working.

See also  Crypto losses turn deadly as man accused of poisoning business partner with pesticide-laced coffee

Banking module activates only on Brazilian computers

The banking module activates on computers located in Brazil. There’s a minimum of two geofencing checks that look at region code, time zone, system locale, and keyboard layout.

The malware reads the active browser URL bar using Windows UI Automation. It works across many browsers like Chrome, Firefox, Edge, Brave, Opera, and Vivaldi, and it monitors active URL/URLs every second.

The malware then matches the URL to a list of 59 encrypted URLs. This list has links to crypto, banks, and fintech websites in Brazil.

When a victim visits one of the targeted websites, the malware opens a WebSocket to a remote server. The hacker then gets full remote control of the computer.

Once access is granted, the hacker uses an overlay that puts a borderless, topmost window over every monitor. The overlay is not visible in screenshots, and victims can’t share what they see with others.

The hacker’s overlay has three templates:

  • A credential harvesting form with a fake Brazilian phone number.
  • A Fake Windows Update progress screen.
  • A “vishing wait screen” that keeps victims busy.

Malicious bots spread the Brazilian trojan on WhatsApp and Outlook

The second payload spreads TCLBANKER to new victims through two ways:

  • WhatsApp web app.
  • Outlook inboxes/accounts.

The WhatsApp bot looks for active WhatsApp Web sessions in Chromium browsers by locating the app’s local database directories.

The bot clones the browser profile, then launches a headless Chromium instance. “A headless browser is a web browser without a graphical user interface,” according to Wikipedia. It then injects JavaScript to bypass bot detection and harvests the victim’s contacts.

See also  Coinbase launches AI agent accounts that can trade and spend on your behalf

At the end, the bot sends phishing messages containing the TCLBANKER installer to the victim’s contacts.

The Outlook bot connects through Component Object Model (COM) automation. COM automation lets a program control another program.

The bot takes email addresses from the Contacts folder and the inbox history, then it sends phishing emails using the victim’s account.

The emails have the subject line “NFe disponível para impressão,” which means in English, “Electronic Invoice Available for Printing”. It links to a phishing domain impersonating a Brazilian ERP platform.

Since the emails are sent from real accounts, they are more likely to bypass spam filters.

Last week, Cryptopolitan reported that researchers identified four Android trojans targeting +800 crypto, banking, and social media apps with fake login overlays.

In another report, a malware called StepDrainer has been draining wallets across +20 blockchain networks using fake Web3 wallet connection interfaces.

Source link

accounts Messaging Spreads TCLBANKER Trojan victims

Related Posts

Suspected Fraud in a Cryptocurrency Project—Exercise Extreme Caution Until an Official Statement Is Released

July 10, 2026

Why Bitcoin ATMs are becoming the last stop in America’s $11B crypto scam pipeline

July 10, 2026

Odyssey Stealer Hits 100+ Countries, Targets 16+ Crypto Wallet Apps on macOS

July 10, 2026

Summer.fi Hacker Moves $1.35M Into Tornado Cash

July 10, 2026
Top Posts

The Pivotal Move to Monetize All V3 Pools and Fuel an 8-Chain Expansion

February 19, 2026

Here’s When Bitcoin (BTC) Could Reach All-Time Highs, According to Crypto Analyst Jason Pizzino

October 30, 2023

How Cloud-Based Email Solutions — and Web3 — Can Change Your Business Marketing Efforts

May 4, 2026

Type above and press Enter to search. Press Esc to cancel.