Brazilian TCLBANKER malware evolves Maverick lineage with dual-worm propagation and advanced evasion
Summary
A new Brazilian banking trojan named TCLBANKER has been identified targeting 59 financial platforms via a loader that deploys both a banking trojan and a worm module propagating through WhatsApp Web and Microsoft Outlook. The malware leverages DLL side-loading against a signed Logitech application to bypass detection and employs environment-gated payload decryption using anti-debugging, anti-virtualization, and language checks. Once deployed, TCLBANKER establishes persistence, exfiltrates data via a WebSocket command loop, and uses fake credential-stealing overlays while hiding from screen capture tools. The worm component hijacks authenticated WhatsApp sessions and abuses Outlook to send phishing emails from compromised accounts, bypassing spam filters.
Timeline
- 08.05.2026 21:12 · 1 article
  TCLBANKER banking trojan campaign expands Maverick lineage with dual-worm propagation and advanced evasion
  A new banking trojan, TCLBANKER, has been observed targeting 59 financial platforms using a loader that deploys both a banking trojan and a worm module. The malware abuses DLL side-loading against a signed Logitech application to bypass security controls and uses environment-gated payload decryption based on anti-debugging, anti-virtualization, and language checks. The banking trojan establishes persistence, exfiltrates system information, and communicates via WebSocket for command and control, enabling a range of malicious activities including credential harvesting via fake overlays. Concurrently, the worm component propagates through hijacked WhatsApp Web sessions and compromised Outlook accounts, bypassing spam filters and enhancing delivery efficacy.
  Sources:
  - TCLBANKER Banking Trojan Targets Financial Platforms via WhatsApp and Outlook Worms — thehackernews.com — 08.05.2026 21:12
Information Snippets
- TCLBANKER targets 59 financial platforms including banks, fintechs, and cryptocurrency services primarily in Brazil, as indicated by system language checks for Brazilian Portuguese.
  First reported: 08.05.2026 21:12 · 1 source, 1 article
  Sources:
  - TCLBANKER Banking Trojan Targets Financial Platforms via WhatsApp and Outlook Worms — thehackernews.com — 08.05.2026 21:12
- The malware is delivered via a malicious MSI installer bundled in a ZIP file, abusing a signed Logitech program (Logi AI Prompt Builder) to execute a malicious DLL (screen_retriever_plugin.dll) through DLL side-loading.
  First reported: 08.05.2026 21:12 · 1 source, 1 article
  Sources:
  - TCLBANKER Banking Trojan Targets Financial Platforms via WhatsApp and Outlook Worms — thehackernews.com — 08.05.2026 21:12
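Added example (not code from the article, the vendor report or the malware): a defender-side check over Sysmon Event ID 7 (image load) records for the side-loading pattern this snippet describes, a Logitech-named host process loading an unsigned screen_retriever_plugin.dll. The host process names (logiaipromptbuilder.exe, tclloader.exe) and the DLL name come from the report; the flattened key=value log format, the file paths and the signer strings in the sample lines are constructed for this example. Matching the DLL name alone would be brittle, so the check also requires the module to be unsigned, and it generalises to any unsigned DLL the named host loads from a user-profile path.

```python
"""
Side-loading detection sketch over Sysmon Event ID 7 (Image loaded) records.
Assumptions (this example's, not the report's): events arrive as one line of
key=value pairs using the real Sysmon field names Image, ImageLoaded, Signed
and Signature. Paths and signer names in SAMPLE_EVENTS are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Host processes the report names as the side-loading carriers.
SUSPECT_HOSTS = {"logiaipromptbuilder.exe", "tclloader.exe"}
# Module name the report attributes to the malicious loader DLL.
SUSPECT_DLL = "screen_retriever_plugin.dll"

# key=value tokens; values may be double-quoted (and may contain spaces).
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class ImageLoad:
    image: str          # process that performed the load
    image_loaded: str   # module that was mapped
    signed: bool        # Sysmon "Signed" field
    signature: str      # Sysmon "Signature" (signer name, may be empty)


def parse_event(line: str) -> ImageLoad:
    """Flatten one key=value log line into an ImageLoad record."""
    fields = {k: v.strip('"') for k, v in _KV.findall(line)}
    return ImageLoad(
        image=fields.get("Image", ""),
        image_loaded=fields.get("ImageLoaded", ""),
        signed=fields.get("Signed", "false").lower() == "true",
        signature=fields.get("Signature", ""),
    )


def basename(path: str) -> str:
    """Lower-cased final path component, tolerant of either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_suspicious(ev: ImageLoad) -> Optional[str]:
    """Return an alert string for a side-loading pattern, else None."""
    host = basename(ev.image)
    if host not in SUSPECT_HOSTS:
        return None
    dll = basename(ev.image_loaded)
    if dll == SUSPECT_DLL and not ev.signed:
        return f"{host} loaded unsigned {dll} from {ev.image_loaded}"
    # Generalisation: the named host pulling any unsigned module out of a
    # user-writable profile path is the same technique with a different name.
    if not ev.signed and "\\users\\" in ev.image_loaded.lower():
        return f"{host} loaded unsigned user-profile DLL {dll}"
    return None


def scan(lines: List[str]) -> List[str]:
    """Run the check over raw log lines and collect alerts."""
    alerts = []
    for line in lines:
        hit = is_suspicious(parse_event(line))
        if hit:
            alerts.append(hit)
    return alerts


# Constructed sample telemetry: one benign signed load by the Logitech host,
# one side-load from a temp directory, one unrelated system load.
SAMPLE_EVENTS = [
    'Image="C:\\Program Files\\Logi\\logiaipromptbuilder.exe" '
    'ImageLoaded="C:\\Program Files\\Logi\\logi_core.dll" '
    'Signed=true Signature="Logitech Inc."',
    'Image="C:\\Users\\victim\\AppData\\Local\\Temp\\pkg\\logiaipromptbuilder.exe" '
    'ImageLoaded="C:\\Users\\victim\\AppData\\Local\\Temp\\pkg\\screen_retriever_plugin.dll" '
    'Signed=false Signature=""',
    'Image="C:\\Windows\\explorer.exe" '
    'ImageLoaded="C:\\Windows\\System32\\shell32.dll" '
    'Signed=true Signature="Microsoft Windows"',
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print("ALERT:", alert)
```

Only the second constructed event trips the check; the legitimate signed load by the same host and the unrelated explorer.exe load pass. In production the same predicate maps onto a SIEM query over the Sysmon 7 fields rather than a regex over flattened text.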
- The loader removes usermode hooks from ntdll.dll and disables ETW telemetry, and only executes if loaded by logiaipromptbuilder.exe or tclloader.exe, using environment fingerprints to decrypt embedded payloads.
  First reported: 08.05.2026 21:12 · 1 source, 1 article
  Sources:
  - TCLBANKER Banking Trojan Targets Financial Platforms via WhatsApp and Outlook Worms — thehackernews.com — 08.05.2026 21:12
- TCLBANKER establishes persistence via a scheduled task and exfiltrates system information via HTTP POST before initiating a WebSocket connection to a remote server for command and control.
  First reported: 08.05.2026 21:12 · 1 source, 1 article
  Sources:
  - TCLBANKER Banking Trojan Targets Financial Platforms via WhatsApp and Outlook Worms — thehackernews.com — 08.05.2026 21:12
- The malware uses a WPF-based full-screen overlay framework to serve fake credential-stealing overlays, vishing wait screens, bogus progress bars, and fake Windows Updates while evading screen capture tools.
  First reported: 08.05.2026 21:12 · 1 source, 1 article
  Sources:
  - TCLBANKER Banking Trojan Targets Financial Platforms via WhatsApp and Outlook Worms — thehackernews.com — 08.05.2026 21:12
- The worm component propagates via two methods: a WhatsApp Web worm using WPPConnect to send messages from hijacked authenticated sessions, and an Outlook email spambot that abuses the victim’s Outlook client to send phishing emails from the victim’s address.
  First reported: 08.05.2026 21:12 · 1 source, 1 article
  Sources:
  - TCLBANKER Banking Trojan Targets Financial Platforms via WhatsApp and Outlook Worms — thehackernews.com — 08.05.2026 21:12
- TCLBANKER is linked to the Maverick malware family and attributed to the Water Saci threat cluster, with its propagation worm SORVEPOTEL previously used in similar campaigns.
  First reported: 08.05.2026 21:12 · 1 source, 1 article
  Sources:
  - TCLBANKER Banking Trojan Targets Financial Platforms via WhatsApp and Outlook Worms — thehackernews.com — 08.05.2026 21:12