TCLBanker Weaponizes WhatsApp and Outlook to Target 59 Financial Platforms


In May 2026, Elastic Security Labs published an analysis of TCLBanker, a banking trojan that expands the Maverick/Sorvepotel family's arsenal with worm modules for WhatsApp Web and Microsoft Outlook. Tracked as REF3076, the malware targets 59 financial platforms—including banks, fintech firms, and cryptocurrency services—spreading autonomously by exploiting the trust inherent in already-authenticated personal communications.

The convergence of advanced anti-analysis techniques and the exploitation of trusted channels marks a significant maturation in Brazilian-origin crimeware.

Key Takeaways

  • The infection chain begins with a ZIP archive containing a trojanized MSI installer that abuses Logitech’s signed Logi AI Prompt Builder to execute a DLL side-loading attack.
  • The encrypted payload utilizes environment gating based on three distinct fingerprints—anti-debug/virtualization checks, disk information, and system language—blocking execution in non-Brazilian analysis environments.
  • Autonomous worm modules harvest WhatsApp Web sessions from Chromium (via IndexedDB and WPPConnect) and leverage Outlook COM automation to spread phishing messages to the victim's contacts.
  • A real-time, full-screen WPF overlay orchestrated via WebSocket and Windows UI Automation APIs displays fraudulent prompts; Task Manager is terminated during active sessions to mask malicious activity.

Infection Chain: MSI Exploitation and DLL Side-Loading

The initial attack vector is a ZIP archive containing a trojanized MSI installer. The package abuses the legitimate, signed Logitech Logi AI Prompt Builder application to perform side-loading of a malicious library. This mechanism does not exploit zero-day vulnerabilities but instead manipulates a trusted installer to trick the system into loading unauthorized code.

The loaded DLL, identified as screen_retriever_plugin.dll, acts as a loader. It includes a watchdog subsystem featuring anti-debug and anti-analysis capabilities, alongside the removal of EDR/ETW hooks. This allows the malware to blind endpoint defenses before the primary payload is even exposed.

The loader does not decrypt the payload immediately. Instead, it masks suspicious calls and delays activation until environmental checks are passed, ensuring that static analysis alone is insufficient to identify the threat.
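One way to hunt for the side-loading pattern described above is to correlate Sysmon Event ID 7 (ImageLoad) records: a trusted signed application loading, from its own directory, a DLL the vendor did not sign. The following is an added example, not code from the Elastic report; the Sysmon field names are real, while the host executable name, paths, signer strings and baseline are constructed assumptions.

```python
import ntpath

# Constructed allowlist: signed host executables to watch, mapped to the
# signer expected on the DLLs they ship.
TRUSTED_HOSTS = {"logi_ai_prompt_builder.exe": "Logitech"}

# Constructed baseline of third-party DLLs the application legitimately
# ships (in practice, built from a clean install of the same version).
BASELINE = {"logi_ai_prompt_builder.exe": {"qt_runtime.dll"}}

def is_sideload_candidate(ev):
    """True when a watched host loads an unexpected DLL from its own directory."""
    proc_dir, proc_name = ntpath.split(ev["Image"])
    dll_dir, dll_name = ntpath.split(ev["ImageLoaded"])
    proc_name, dll_name = proc_name.lower(), dll_name.lower()
    vendor = TRUSTED_HOSTS.get(proc_name)
    if vendor is None:
        return False  # not one of the monitored signed carriers
    # Side-loading relies on the application directory being searched before
    # system paths, so only loads from that directory matter here.
    if ntpath.normcase(dll_dir) != ntpath.normcase(proc_dir):
        return False
    if dll_name in BASELINE.get(proc_name, set()):
        return False  # known, shipped dependency
    # Sysmon's signature fields describe the loaded image: unsigned, invalid,
    # or signed by someone other than the vendor all mean a foreign library.
    vendor_signed = (ev.get("Signed") == "true"
                     and ev.get("SignatureStatus") == "Valid"
                     and vendor.lower() in ev.get("Signature", "").lower())
    return not vendor_signed

def find_sideloads(events):
    """Lower-cased file names of flagged DLL loads, in event order."""
    return [ntpath.basename(e["ImageLoaded"]).lower()
            for e in events if is_sideload_candidate(e)]

# Constructed Event ID 7 records: a system DLL, a vendor-signed DLL, a
# baselined third-party DLL, and the unsigned loader named in the report.
HOST = r"C:\Example\LogiApp\logi_ai_prompt_builder.exe"
SAMPLE_EVENTS = [
    {"Image": HOST, "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"Image": HOST, "ImageLoaded": r"C:\Example\LogiApp\vendor_ui.dll",
     "Signed": "true", "Signature": "Logitech", "SignatureStatus": "Valid"},
    {"Image": HOST, "ImageLoaded": r"C:\Example\LogiApp\qt_runtime.dll",
     "Signed": "true", "Signature": "Contoso Tooling", "SignatureStatus": "Valid"},
    {"Image": HOST, "ImageLoaded": r"C:\Example\LogiApp\screen_retriever_plugin.dll",
     "Signed": "false", "Signature": "-", "SignatureStatus": "Unavailable"},
]
```

Running `find_sideloads(SAMPLE_EVENTS)` flags only `screen_retriever_plugin.dll`; a DLL signed by a third party and absent from the baseline would be flagged the same way.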

Triple-Fingerprint Payload Locking

The payload is encrypted, and its decryption depends on an environment hash generated through three distinct fingerprints. The first detects anti-debug tools and virtualized environments; the second harvests disk-specific metadata; and the third verifies the system language.

The malware specifically checks for Brazilian Portuguese and analyzes the time zone, keyboard layout, and locale. If any of these three checks fail to match the target profile, the payload remains encrypted and execution halts. This effectively neutralizes analysis conducted in foreign sandbox environments.

To observe the malware's final behavior, researchers must either faithfully replicate a Brazilian environment or resort to manual memory dumping from an infected device.

"TCLBANKER reflects a broader maturation happening across the Brazilian banking trojan ecosystem. Techniques that were once the hallmark of more sophisticated threat actors: environment-gated payload decryption, direct syscall generation, real-time social engineering orchestration over WebSocket, are now being packaged into commodity crimeware." - Elastic Security Labs, via The Hacker News

Weaponizing Trust: Propagation via WhatsApp and Outlook

TCLBanker integrates a worm module for WhatsApp Web that extracts authenticated sessions from Chromium profiles via IndexedDB data. Utilizing the open-source WPPConnect project, it sends phishing messages while specifically filtering out groups, broadcast lists, and non-Brazilian numbers. This theft occurs locally on the compromised device without directly attacking WhatsApp’s servers.

Simultaneously, a dedicated Microsoft Outlook module abuses COM automation to send phishing emails to the victim's contacts. This approach bypasses traditional anti-spam filters by leveraging the sender's established reputation. Because the email originates from a genuine, known address, it remains largely invisible to standard mail scanners.

The combination of these two channels transforms every infected host into a launchpad for subsequent campaigns. The malware's reach multiplies without the need for dedicated spam infrastructure or server-side compromises.
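The Outlook behaviour described above, one mailbox suddenly mailing many of its own address-book contacts, can be caught with a per-sender sliding window over mail-flow records. This is an added detection example, not code from the report; the `timestamp,sender,recipient` line format, the address books and the sample traffic are all constructed, not a real Exchange message-tracking log.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)   # look-back per sender
MIN_RECIPIENTS = 10             # distinct recipients that make a burst
MIN_CONTACT_SHARE = 0.8         # fraction drawn from the sender's own contacts

def parse_line(line):
    """Constructed 'timestamp,sender,recipient' format, not a real Exchange log."""
    ts, sender, recipient = line.strip().split(",")
    return datetime.fromisoformat(ts), sender.lower(), recipient.lower()

def detect_contact_bursts(lines, address_books):
    """One alert per sender: (sender, distinct_recipients, contact_share)."""
    recent = defaultdict(deque)  # sender -> deque of (timestamp, recipient)
    alerts, fired = [], set()
    for ts, sender, rcpt in map(parse_line, lines):
        q = recent[sender]
        q.append((ts, rcpt))
        while ts - q[0][0] > WINDOW:  # drop events outside the window
            q.popleft()
        distinct = {r for _, r in q}
        if len(distinct) < MIN_RECIPIENTS or sender in fired:
            continue
        # Worm-style sends go to people the victim already knows; a high
        # address-book share separates this from an ordinary mass mailing.
        share = len(distinct & address_books.get(sender, set())) / len(distinct)
        if share >= MIN_CONTACT_SHARE:
            alerts.append((sender, len(distinct), share))
            fired.add(sender)
    return alerts

# Constructed sample: a compromised mailbox mails 12 of its contacts within
# two minutes, while a colleague sends three ordinary messages.
VICTIM = "maria@example.com.br"
CONTACTS = {VICTIM: {f"contact{i}@example.com.br" for i in range(20)}}
SAMPLE_LINES = [
    f"2026-05-02T09:{i // 6:02d}:{(i % 6) * 10:02d},{VICTIM},contact{i}@example.com.br"
    for i in range(12)
] + [
    "2026-05-02T09:00:05,joao@example.com.br,contact1@example.com.br",
    "2026-05-02T09:03:00,joao@example.com.br,contact2@example.com.br",
    "2026-05-02T09:04:00,joao@example.com.br,vendor@example.net",
]
```

On the sample, `detect_contact_bursts(SAMPLE_LINES, CONTACTS)` raises a single alert for the victim mailbox once its tenth distinct contact is hit, with all recipients in her address book; the colleague's three messages stay silent.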

Real-Time Social Engineering: WPF Overlays and WebSockets

The banking module monitors the browser's address bar every second using the Windows UI Automation API. Upon detecting one of the 59 target institutions, it establishes a WebSocket session with the command-and-control (C2) server for real-time remote orchestration.

Using a full-screen WPF overlay system, the malware can display fake credential prompts, PIN pads, wait screens, fraudulent Windows Update windows, and "cutout masking." During active sessions, the Task Manager process is terminated to hide the intrusion.

Cutout masking is particularly deceptive, showing only manipulated portions of the legitimate interface. The user believes they are interacting with an official site, while their financial data is harvested under the attacker's supervision via WebSocket.

Defense and Mitigation Strategies

  • Mitigate DLL Side-Loading: Monitor for unsolicited MSI installers and enforce AppLocker or Windows Defender Application Control (WDAC) policies to prevent unauthorized libraries from loading within the directories of signed software such as the Logitech application abused here. Ensure DLLs are loaded only from trusted paths.
  • Isolate Banking Browsers: Use dedicated browser profiles with restricted access to extensions and session data for WhatsApp Web to reduce the risk of IndexedDB theft by malware residing on the OS.
  • Detect COM Automation: Configure EDR solutions to flag anomalous behavior in Microsoft Outlook, such as programmatic email distribution to large numbers of contacts without direct user interaction, especially when recipients are in the local address book.
  • Out-of-Band Verification: Train users to verify credential or PIN requests through a second channel, even if masked by wait screens, progress bars, or urgent Windows updates during a banking session.

The emergence of TCLBanker demonstrates the thinning line between commodity crimeware and targeted operations. When a trojan adopts direct syscalls, environment-gated decryption, and WebSocket-orchestrated overlays, reputation-based defense models collapse. The perimeter is no longer the corporate network, but rather a trusted chat thread or the inbox of a compromised colleague.

Frequently Asked Questions

How does TCLBanker differ from traditional Brazilian banking trojans?

Unlike its commodity predecessors, TCLBanker combines environment-gated decryption, direct syscalls, and WebSocket-orchestrated WPF overlays. The addition of autonomous worm modules for WhatsApp Web and Outlook evolves the malware from a simple infostealer into a self-propagating platform. Elastic Security Labs notes that this convergence of APT-style techniques in commodity crimeware signals a shift in the ecosystem's maturity.

Why is the use of WhatsApp and Outlook more dangerous than traditional phishing?

The malware does not send messages from spoofed addresses; it hijacks the victim's own authenticated sessions and accounts. This erodes interpersonal trust and bypasses reputation-based defenses and anti-spam gateways. Messages arrive from a known contact, breaking the core verification principles of many corporate security policies.

Does the abuse of Logitech software imply a vendor compromise?

No. The mechanism relies on DLL side-loading using a legitimate, signed application, not a supply chain compromise of Logitech. The original software is used as a carrier and remains unaltered by the vendor. The technique exploits the operating system's trust in signed binaries to load a malicious library that shares the name of a legitimate dependency.
