TCLBANKER banking trojan activity targeting 59 financial platforms
Malware Activity
Summary
Hide ▲
Show ▼
TCLBANKER is a newly documented Brazilian banking trojan that can hit 59 banking, fintech, and cryptocurrency platforms, increasing the risk of credential theft and remote control. The malware uses a ZIP-delivered MSI, DLL side-loading, and aggressive anti-analysis checks to hide its payload. It also spreads through WhatsApp Web and Microsoft Outlook, extending the infection beyond the first victim.
Related Happenings
Edgecution malicious Microsoft Edge extension backdoor activity
Malware Activity
H score23
First: 24.06.2026 23:58
Last: 24.06.2026 23:58
Sources 1
About this happening:
The **Edgecution** malware is extending a **Microsoft Edge** browser foothold into host-level compromise by abusing **Chrome Native Messaging** and launching a **Python-based back...
Edgecution malicious Microsoft Edge extension backdoor activity
Malware ActivityAbout this happening: The **Edgecution** malware is extending a **Microsoft Edge** browser foothold into host-level compromise by abusing **Chrome Native Messaging** and launching a **Python-based back...
WhatsApp VBScript infection chain installing ManageEngine RMM Central
Malware Activity
H score20
First: 23.06.2026 08:38
Last: 23.06.2026 08:38
Sources 1
About this happening:
**VBScript attachments** spread through **WhatsApp direct messages** are now driving a **multi-stage Windows infection chain** that can end in remote access to victim systems. The...
WhatsApp VBScript infection chain installing ManageEngine RMM Central
Malware ActivityAbout this happening: **VBScript attachments** spread through **WhatsApp direct messages** are now driving a **multi-stage Windows infection chain** that can end in remote access to victim systems. The...
WhatsApp VBScript phishing campaign targeting users in multiple countries
Campaign
H score43
First: 23.06.2026 01:42
Last: 23.06.2026 01:42
Sources 1
About this happening:
An **ongoing phishing campaign** is using **compromised WhatsApp accounts** to send **obfuscated VBScript files** to users in **multiple countries**, creating a path to **remote s...
WhatsApp VBScript phishing campaign targeting users in multiple countries
CampaignAbout this happening: An **ongoing phishing campaign** is using **compromised WhatsApp accounts** to send **obfuscated VBScript files** to users in **multiple countries**, creating a path to **remote s...
Sefirah infostealer delivered through a malicious Hugging Face repository
Malware Activity
H score16
First: 09.05.2026 17:26
Last: 09.05.2026 17:26
Sources 1
About this happening:
A malicious **Hugging Face** repository impersonated **OpenAI’s Privacy Filter** and delivered **sefirah**, a **Rust-based infostealer**, to **Windows** users, creating credential...
Sefirah infostealer delivered through a malicious Hugging Face repository
Malware ActivityAbout this happening: A malicious **Hugging Face** repository impersonated **OpenAI’s Privacy Filter** and delivered **sefirah**, a **Rust-based infostealer**, to **Windows** users, creating credential...
TCLBanker self-spreading banking trojan
Malware Activity
H score31
First: 08.05.2026 01:06
Last: 08.05.2026 01:06
Sources 1
About this happening:
The **TCLBanker** trojan now combines **trojanized installer** delivery with **self-spreading worm modules**, widening access to **59 banking, fintech, and cryptocurrency platform...
TCLBanker self-spreading banking trojan
Malware ActivityAbout this happening: The **TCLBanker** trojan now combines **trojanized installer** delivery with **self-spreading worm modules**, widening access to **59 banking, fintech, and cryptocurrency platform...
Timeline
-
08.05.2026 21:12 2 articles · 2mo ago
TCLBANKER malware disclosure
Initial DisclosureElastic Security Labs identified TCLBANKER as a previously undocumented Brazilian banking trojan targeting 59 banking, fintech, and cryptocurrency platforms. The malware chain uses a malicious MSI inside a ZIP file, abuses a signed Logitech program for DLL side-loading, and propagates through WhatsApp Web and Microsoft Outlook while focusing on Brazilian Portuguese systems.
Show sources
- TCLBANKER Banking Trojan Targets Financial Platforms via WhatsApp and Outlook Worms — thehackernews.com — 08.05.2026 21:12
- TCLBANKER Banking Trojan Targets Financial Platforms via WhatsApp and Outlook Worms — thehackernews.com — 08.05.2026 21:12