A classy Brazilian banking trojan named\u00a0TCLBANKER, deployed by way of a trojanized Logitech installer and able to hijacking victims\u2019 WhatsApp and Outlook accounts to unfold itself to new targets.<\/p>\n
The marketing campaign, tracked as\u00a0REF3076, delivers TCLBANKER by way of a malicious MSI installer bundled inside a ZIP file. The installer abuses a signed Logitech software, Logi AI Immediate Builder, by way of a DLL sideloading method<\/a>. <\/p>\n A malicious DLL named\u00a0screen_retriever_plugin.dll\u00a0masquerades as a reputable Flutter plugin and is mechanically loaded when the Logitech host software begins. As soon as loaded, two embedded .NET Reactor-protected payloads are deployed, a full banking trojan module and a worm module for self-propagation.<\/p>\n What makes TCLBANKER notably evasive is its environment-dependent payload-decryption mechanism. The loader generates a three-part setting fingerprint based mostly on anti-debugging checks, system {hardware} data, and language settings.<\/p>\n If the system is recognized as a sandbox or evaluation setting, the payload fails to decrypt, and execution stops silently. <\/p>\n The malware turns off user-mode ETW telemetry by patching\u00a0EtwEventWrite\u00a0with a basic\u00a0xor eax, eax; ret\u00a0instruction, and generates direct syscall trampolines to bypass safety hooks, as reported by Elastic<\/a>.<\/p>\n A complete watchdog subsystem runs all through all the an infection lifecycle, actively scanning for over a dozen evaluation instruments, together with x64dbg, Ghidra, dnSpy, IDA Professional, Course of Hacker, Frida, and CheatEngine. If any of those instruments are detected, the malware terminates execution instantly.<\/p>\n The banking module targets solely Brazilian victims and requires at the very least 2 geofencing checks to match Brazil, together with area code, time zone, system locale, and keyboard structure.<\/p>\n Each second, the malware screens the sufferer\u2019s energetic browser deal with bar utilizing Home windows UI Automation throughout Chrome, Firefox, Edge, Courageous, Opera, and Vivaldi. It checks the URL in opposition to an encrypted checklist of\u00a059 Brazilian banking, fintech, and cryptocurrency domains. <\/p>\n When a match is detected, a WebSocket C2 session opens to\u00a0wss:\/\/mxtestacionamentos[.]com\/ws, and the operator positive factors full distant management of the contaminated machine.<\/p>\n A WPF-based full-screen overlay framework is the malware\u2019s most alarming functionality. When activated, it covers each monitor with a borderless, topmost window that stops the window from being closed till the operator turns it off. <\/p>\n The overlay is invisible to screen-capture instruments due to\u00a0WDA_EXCLUDEFROMCAPTURE, which means the sufferer can’t search assist by way of screenshots. Constructed-in UI modules embrace a credential-harvesting immediate with Brazilian cellphone quantity masking, a faux Home windows Replace progress display screen, and a vishing wait display screen that retains victims occupied. <\/p>\n On the similar time, fraudsters name them immediately, and a \u201ccutout overlay\u201d that exposes an actual software window throughout the fraudulent interface to make social engineering extra convincing.<\/p>\n The second payload,\u00a0Tcl.WppBot\u00a0is a dual-channel spam worm. The WhatsApp bot scans put in Chromium-based browsers <\/a>for energetic WhatsApp Internet periods by in search of the applying\u2019s LevelDB or IndexedDB listing in every browser\u2019s profile. <\/p>\n It clones the profile into a short lived listing, launches a headless Chromium occasion by way of Selenium WebDriver, injects WPPConnect JavaScript to bypass bot detection, harvests the sufferer\u2019s contacts, and silently sends phishing messages, together with the TCLBANKER installer, to all Brazilian contacts with out the sufferer\u2019s data.<\/p>\n The Outlook bot connects to the sufferer\u2019s put in Microsoft Outlook<\/a> by way of COM interop, harvests e mail contacts from the Contacts folder and the inbox message historical past. Then it sends phishing emails from the sufferer\u2019s personal e mail account. <\/p>\n Emails are despatched with the topic line\u00a0\u201cNFe dispon\u00edvel para impress\u00e3o\u201d<\/em>\u00a0(Digital Bill Obtainable for Printing), linking to a phishing area impersonating a Brazilian ERP platform. As a result of these emails originate from trusted, reputable accounts, they’re extremely more likely to bypass conventional e mail safety filters.<\/p>\n All C2 and payload supply infrastructure is hosted beneath a single Cloudflare Staff account (ef971a42.employees[.]dev), permitting the operators to rotate infrastructure quickly. <\/p>\n Developer artifacts, together with debug logging paths (C:temptcl-debug.txt), check course of names, and an incomplete phishing website nonetheless displaying a upkeep web page, counsel\u00a0that REF3076 is in early operational phases and that the marketing campaign scope is more likely to develop. <\/p>\n Researchers hyperlink TCLBANKER to the beforehand tracked MAVERICK\/SORVEPOTEL malware household based mostly on shared infrastructure and code patterns.<\/p>\n IoC<\/strong><\/p>\n Observe:<\/strong> IP addresses and domains are deliberately defanged (e.g., [.]) to forestall unintentional decision or hyperlinking. Re-fang solely inside managed risk intelligence platforms similar to MISP, VirusTotal, or your SIEM.<\/em><\/p>\n Comply with us on\u00a0Google Information<\/a>,\u00a0LinkedIn<\/a>, and\u00a0X<\/a>\u00a0to Get On the spot Updates and Set GBH as a Most popular Supply in\u00a0Google<\/a>.<\/strong><\/p>\n<\/div>\n\n","protected":false},"excerpt":{"rendered":" A classy Brazilian banking trojan named\u00a0TCLBANKER, deployed by way of a trojanized Logitech installer and able to hijacking victims\u2019 WhatsApp and Outlook accounts to unfold itself to new targets. The marketing campaign, tracked as\u00a0REF3076, delivers TCLBANKER by way of a malicious MSI installer bundled inside a ZIP file. The installer abuses a signed Logitech software, […]<\/p>\n","protected":false},"author":2,"featured_media":14615,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[58],"tags":[768,145,201,5384,216,953,9019,3262,5394],"class_list":["post-14613","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-active","tag-attacks","tag-features","tag-leverages","tag-malware","tag-outlook","tag-tclbanker","tag-whatsapp","tag-worm"],"_links":{"self":[{"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/posts\/14613","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=14613"}],"version-history":[{"count":1,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/posts\/14613\/revisions"}],"predecessor-version":[{"id":14614,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/posts\/14613\/revisions\/14614"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/media\/14615"}],"wp:attachment":[{"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=14613"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=14613"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=14613"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}![\"File](\"https:\/\/cybersecuritynews.com\/wp-content\/uploads\/2026\/05\/image-24.png\")
TCLBANKER Malware Leverages WhatsApp and Outlook<\/strong><\/h2>\n
![\"
Encrypted](\"https:\/\/cybersecuritynews.com\/wp-content\/uploads\/2026\/05\/image-22-1024x303.png\")
![\"Zip](\"https:\/\/cybersecuritynews.com\/wp-content\/uploads\/2026\/05\/image-21.png\")
![\"Code](\"https:\/\/cybersecuritynews.com\/wp-content\/uploads\/2026\/05\/image-19-1024x616.png\")
\n\n
\n \nObservable<\/th>\n Sort<\/th>\n Title<\/th>\n Reference<\/th>\n<\/tr>\n<\/thead>\n \n 701d51b7be8b034c860bf97847bd59a87dca8481c4625328813746964995b626<\/td>\n SHA-256<\/td>\n screen_retriever_plugin.dll<\/td>\n TCLBanker loader element<\/td>\n<\/tr>\n \n 8a174aa70a4396547045aef6c69eb0259bae1706880f4375af71085eeb537059<\/td>\n SHA-256<\/td>\n screen_retriever_plugin.dll<\/td>\n TCLBanker loader element<\/td>\n<\/tr>\n \n 668f932433a24bbae89d60b24eee4a24808fc741f62c5a3043bb7c9152342f40<\/td>\n SHA-256<\/td>\n screen_retriever_plugin.dll<\/td>\n TCLBanker loader element<\/td>\n<\/tr>\n \n 63beb7372098c03baab77e0dfc8e5dca5e0a7420f382708a4df79bed2d900394<\/td>\n SHA-256<\/td>\n XXL_21042026-181516.zip<\/td>\n TCLBanker preliminary ZIP file<\/td>\n<\/tr>\n \n campanha1-api.ef971a42[.]employees.dev<\/td>\n domain-name<\/td>\n \n TCLBanker C2<\/td>\n<\/tr>\n \n mxtestacionamentos[.]com<\/td>\n domain-name<\/td>\n \n TCLBanker C2<\/td>\n<\/tr>\n \n paperwork.ef971a42.employees[.]dev<\/td>\n domain-name<\/td>\n \n TCLBanker file server<\/td>\n<\/tr>\n \n arquivos-omie[.]com<\/td>\n domain-name<\/td>\n \n TCLBanker phishing web page (beneath improvement)<\/td>\n<\/tr>\n \n documentos-online[.]com<\/td>\n domain-name<\/td>\n \n TCLBanker phishing web page (beneath improvement)<\/td>\n<\/tr>\n \n afonsoferragista[.]com<\/td>\n domain-name<\/td>\n \n TCLBanker phishing web page (beneath improvement)<\/td>\n<\/tr>\n \n doccompartilhe[.]com<\/td>\n domain-name<\/td>\n \n TCLBanker phishing web page (beneath improvement)<\/td>\n<\/tr>\n \n recebamais[.]com<\/td>\n domain-name<\/td>\n \n TCLBanker phishing web page (beneath improvement)<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n