TCLBanker self-spreading banking trojan

Malware Activity
Happening score
H score 34
1 unique source, 1 article

Summary

The TCLBanker trojan now combines trojanized installer delivery with self-spreading worm modules, widening access to 59 banking, fintech, and cryptocurrency platforms. It also uses infected WhatsApp and Outlook accounts to seed new victims, which increases propagation speed and account abuse risk. Its anti-analysis protections and credential-theft features make the malware more difficult to inspect and more dangerous for impacted users.

Related Happenings

AI chatbot cryptojacking campaign targeting high-performance GPU users

Campaign
First: 27.05.2026 10:45 Last: 27.05.2026 10:45 Sources 1

About this happening: An active **cryptojacking campaign** is using **AI chatbot interactions** and **SEO-poisoned download sites** to deliver mining malware, expanding the reach of malicious downloads...

TCLBANKER banking trojan activity targeting 59 financial platforms

Malware Activity
First: 08.05.2026 21:12 Last: 08.05.2026 21:12 Sources 1

About this happening: **TCLBANKER** is a newly documented **Brazilian banking trojan** that can hit **59 banking, fintech, and cryptocurrency platforms**, increasing the risk of credential theft and re...

CloudZ RAT Pheno Microsoft Phone Link credential-theft activity

Malware Activity
First: 05.05.2026 13:03 Last: 05.05.2026 13:03 Sources 1

About this happening: The **CloudZ RAT** is now using the **Pheno** plugin to hijack **Microsoft Phone Link** sessions and steal **SMS-based OTPs** and other sensitive codes, increasing the risk of acc...

ClockRemoval.ps1 antivirus-disabling malware activity linked to Dragon Boss Solutions LLC

Malware Activity
First: 15.04.2026 17:40 Last: 15.04.2026 17:40 Sources 1

About this happening: A signed software operation linked to **Dragon Boss Solutions LLC** was observed using **ClockRemoval.ps1** to disable antivirus on **more than 23,000 endpoints worldwide**, raisi...

OAuth device-code phishing campaign targeting SaaS accounts

Campaign
First: 04.04.2026 17:17 Last: 04.04.2026 17:17 Sources 1

About this happening: A **device code phishing** campaign now includes **EvilTokens**, a **phishing-as-a-service** kit sold on **Telegram** that uses the **OAuth 2.0 device authorization flow** to hija...

Timeline

  1. 08.05.2026 01:06 2 articles · 19d ago

    TCLBanker disclosed as a new self-spreading banking trojan

    Initial Disclosure

    Elastic Security Labs disclosed TCLBanker, a new banking trojan that targets 59 banking, fintech, and cryptocurrency platforms and infects Windows systems through a trojanized MSI installer for Logitech AI Prompt Builder delivered via DLL side-loading. The malware is focused on Brazil, includes self-spreading worm modules for WhatsApp and Microsoft Outlook, and adds credential theft, remote control, overlay-based phishing, and anti-analysis defenses.
