Find notable cyber news and cases, enriched with sources, timelines, and signals.

TCLBanker self-spreading banking trojan

Malware Activity
First reported
Last updated
Happening score
H score 31
1 unique sources, 1 articles

Summary

Hide ▲

The TCLBanker trojan now combines trojanized installer delivery with self-spreading worm modules, widening access to 59 banking, fintech, and cryptocurrency platforms. It also uses infected WhatsApp and Outlook accounts to seed new victims, which increases propagation speed and account abuse risk. Its anti-analysis protections and credential-theft features make the malware more difficult to inspect and more dangerous for impacted users.

Related Happenings

WhatsApp VBScript phishing campaign targeting users in multiple countries

Campaign
H score43 First: 23.06.2026 01:42 Last: 23.06.2026 01:42 Sources 1

About this happening: An **ongoing phishing campaign** is using **compromised WhatsApp accounts** to send **obfuscated VBScript files** to users in **multiple countries**, creating a path to **remote s...

AI chatbot cryptojacking campaign targeting high-performance GPU users

Campaign
H score51 First: 27.05.2026 10:45 Last: 27.05.2026 10:45 Sources 1

About this happening: An active **cryptojacking campaign** is using **SEO poisoning** and, in some cases, **AI chatbot recommendations** to steer users toward malicious download pages for trusted utili...

TCLBANKER banking trojan activity targeting 59 financial platforms

Malware Activity
H score20 First: 08.05.2026 21:12 Last: 08.05.2026 21:12 Sources 1

About this happening: **TCLBANKER** is a newly documented **Brazilian banking trojan** that can hit **59 banking, fintech, and cryptocurrency platforms**, increasing the risk of credential theft and re...

CloudZ RAT Pheno Microsoft Phone Link credential-theft activity

Malware Activity
H score24 First: 05.05.2026 13:03 Last: 05.05.2026 13:03 Sources 1

About this happening: The **CloudZ RAT** is now using the **Pheno** plugin to hijack **Microsoft Phone Link** sessions and steal **SMS-based OTPs** and other sensitive codes, increasing the risk of acc...

ClockRemoval.ps1 antivirus-disabling malware activity linked to Dragon Boss Solutions LLC

Malware Activity
H score25 First: 15.04.2026 17:40 Last: 15.04.2026 17:40 Sources 1

About this happening: A signed software operation linked to **Dragon Boss Solutions LLC** was observed using **ClockRemoval.ps1** to disable antivirus on **more than 23,000 endpoints worldwide**, raisi...

Timeline

  1. 08.05.2026 01:06 2 articles · 2mo ago

    TCLBanker disclosed as a new self-spreading banking trojan

    Initial Disclosure

    Elastic Security Labs disclosed TCLBanker, a new banking trojan that targets 59 banking, fintech, and cryptocurrency platforms and infects Windows systems through a trojanized MSI installer for Logitech AI Prompt Builder delivered via DLL side-loading. The malware is focused on Brazil, includes self-spreading worm modules for WhatsApp and Microsoft Outlook, and adds credential theft, remote control, overlay-based phishing, and anti-analysis defenses.

    Show sources