TCLBANKER banking trojan activity targeting 59 financial platforms

Malware Activity
Happening score: 16
1 unique source, 1 article

Summary

TCLBANKER is a newly documented Brazilian banking trojan that can hit 59 banking, fintech, and cryptocurrency platforms, increasing the risk of credential theft and remote control. The malware uses a ZIP-delivered MSI, DLL side-loading, and aggressive anti-analysis checks to hide its payload. It also spreads through WhatsApp Web and Microsoft Outlook, extending the infection beyond the first victim.

Related Happenings

Sefirah infostealer delivered through a malicious Hugging Face repository

Malware Activity
First: 09.05.2026 17:26 Last: 09.05.2026 17:26 Sources 1

About this happening: A malicious **Hugging Face** repository impersonated **OpenAI’s Privacy Filter** and delivered **sefirah**, a **Rust-based infostealer**, to **Windows** users, creating credential...

TCLBanker self-spreading banking trojan

Malware Activity
First: 08.05.2026 01:06 Last: 08.05.2026 01:06 Sources 1

About this happening: The **TCLBanker** trojan now combines **trojanized installer** delivery with **self-spreading worm modules**, widening access to **59 banking, fintech, and cryptocurrency platform...

ClockRemoval.ps1 antivirus-disabling malware activity linked to Dragon Boss Solutions LLC

Malware Activity
First: 15.04.2026 17:40 Last: 15.04.2026 17:40 Sources 1

About this happening: A signed software operation linked to **Dragon Boss Solutions LLC** was observed using **ClockRemoval.ps1** to disable antivirus on **more than 23,000 endpoints worldwide**, raisi...

Storm infostealer server-side decryption activity

Malware Activity
First: 02.04.2026 17:15 Last: 02.04.2026 17:15 Sources 1

About this happening: The **Storm** infostealer now steals **browser credentials**, **session cookies**, and **crypto wallets** and forwards them to attacker infrastructure for **server-side decryption...

Augmented Marauder / Water Saci multi-pronged phishing campaign targeting Latin America and Europe

Campaign
First: 01.04.2026 15:36 Last: 01.04.2026 15:36 Sources 1

About this happening: **Water Saci** is actively evolving a **WhatsApp Web worm** in **Brazil** that uses **HTA** and **PDF** lures to deliver a **banking trojan**. The latest wave shifts from **PowerS...

Timeline

  1. 08.05.2026 21:12 2 articles · 19d ago

    TCLBANKER malware disclosure

    Initial Disclosure

    Elastic Security Labs identified TCLBANKER as a previously undocumented Brazilian banking trojan targeting 59 banking, fintech, and cryptocurrency platforms. The malware chain uses a malicious MSI inside a ZIP file, abuses a signed Logitech program for DLL side-loading, and propagates through WhatsApp Web and Microsoft Outlook while focusing on Brazilian Portuguese systems.