Threat Feed
high advisory

TCLBanker Banking Trojan Self-Spreads via WhatsApp and Outlook

TCLBanker is a banking trojan targeting 59 financial platforms, spreading via trojanized Logitech AI Prompt Builder installers and worm modules for WhatsApp and Outlook, enabling remote control and data theft.

TCLBanker is a newly discovered banking trojan targeting 59 banking, fintech, and cryptocurrency platforms. Discovered by Elastic Security Labs in May 2026, TCLBanker is believed to be an evolution of the Maverick/Sorvepotel malware family. The initial infection vector involves a trojanized MSI installer for Logitech AI Prompt Builder. Once installed, TCLBanker exhibits worm-like behavior, self-spreading through WhatsApp and Microsoft Outlook to propagate to new victims. While currently focused on Brazilian targets, its potential to expand geographically poses a significant risk. TCLBanker is heavily protected against analysis, actively monitoring for debugging and analysis tools. The malware leverages DLL side-loading within the legitimate Logitech application to evade initial detection.

Attack Chain

  1. The victim downloads and executes a trojanized MSI installer for Logitech AI Prompt Builder.
  2. The installer performs DLL side-loading to inject the TCLBanker malware into the legitimate Logitech application process.
  3. TCLBanker monitors the browser address bar using Windows UI Automation APIs, searching for URLs matching its 59 targeted financial platforms.
  4. When a targeted website is accessed, TCLBanker establishes a WebSocket session with its command-and-control (C2) server, sending victim and system information.
  5. The C2 operator gains remote control capabilities, including live screen streaming, screenshot capturing, keylogging, clipboard hijacking, shell command execution, and file system access.
  6. TCLBanker uses a WPF-based overlay system to display fake credential prompts, PIN keypads, and other deceptive overlays to steal sensitive information.
  7. The malware hijacks the victim’s WhatsApp account by searching for authenticated WhatsApp Web IndexedDB data in Chromium browser profiles and launching a hidden Chromium instance to send spam messages to contacts, filtering for Brazilian numbers.
  8. TCLBanker abuses Microsoft Outlook through COM automation to harvest contacts and sender addresses, sending phishing emails from the victim’s email account to further spread the malware.

Impact

TCLBanker enables attackers to steal banking credentials, cryptocurrency wallet information, and other sensitive data from victims. It also allows for remote control of infected systems, enabling attackers to perform unauthorized actions, potentially leading to financial loss, identity theft, and further propagation of the malware. The self-spreading capabilities via WhatsApp and Outlook significantly increase the malware’s reach, potentially impacting a large number of individuals and organizations, especially those operating in Brazil.

Recommendation

  • Monitor process creations for suspicious instances of msiexec.exe installing software from untrusted sources (see Sigma rule: “Detect Suspicious MSI Installer Execution”).
  • Enable Sysmon process creation logging to detect DLL side-loading activity from legitimate applications like the Logitech AI Prompt Builder process, potentially indicating TCLBanker infection.
  • Monitor network connections for WebSocket traffic originating from systems running legitimate applications that should not be communicating over WebSockets to external addresses.
  • Implement network detections for outbound email traffic containing suspicious attachments or links originating from user accounts that have not recently logged into Outlook (see Sigma rule: “Detect Outlook COM Hijacking”).

Detection coverage (2 rules)

Detect Suspicious MSI Installer Execution

medium

Detects suspicious execution of MSI installers that could indicate a trojanized installer like the one used by TCLBanker.

Format: Sigma | Tactics: initial_access | Techniques: T1566.001 | Sources: process_creation, windows

Detect Outlook COM Hijacking

high

Detects suspicious processes spawning from Outlook using COM automation, which may indicate malware abusing Outlook to spread.

Format: Sigma | Tactics: persistence | Techniques: T1059.005 | Sources: process_creation, windows
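The two rules listed above, and the first and last recommendations that cite them, describe detection ideas without showing the logic. The following is an added example, not the platform's Sigma rules and not code from Elastic Security Labs: it runs the two checks over constructed Sysmon-style process-creation events (Event ID 1 fields Image, CommandLine, ParentImage). The "untrusted source" heuristic (MSI packages launched from user-writable download and temp directories) and the set of script hosts treated as suspicious Outlook children are this example's own assumptions; the advisory does not specify what the real rules match on.

```python
"""Toy process-creation triage for the two detection ideas in this advisory.

Every event below is constructed for illustration; none is real telemetry.
"""
import re

# Constructed Sysmon Event ID 1 records (only the fields the checks use).
SAMPLE_EVENTS = [
    {   # MSI launched from the user's Downloads folder: should fire.
        "Image": r"C:\Windows\System32\msiexec.exe",
        "CommandLine": r'msiexec.exe /i "C:\Users\ana\Downloads\Logitech_AI_Prompt_Builder.msi" /qn',
        "ParentImage": r"C:\Windows\explorer.exe",
    },
    {   # MSI pushed from a managed deployment share: should not fire.
        "Image": r"C:\Windows\System32\msiexec.exe",
        "CommandLine": r'msiexec.exe /i "C:\ProgramData\Corp\Deploy\office-update.msi" /qn',
        "ParentImage": r"C:\Windows\CCM\ccmexec.exe",
    },
    {   # msiexec running as the Windows Installer service (/V): benign noise.
        "Image": r"C:\Windows\System32\msiexec.exe",
        "CommandLine": r"msiexec.exe /V",
        "ParentImage": r"C:\Windows\System32\services.exe",
    },
    {   # PowerShell spawned by Outlook: should fire.
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell.exe -nop -w hidden -enc SQBFAFgA",
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
    },
    {   # A PDF reader opened from an Outlook attachment: expected, should not fire.
        "Image": r"C:\Program Files\Adobe\Acrobat\Acrobat.exe",
        "CommandLine": r'"C:\Program Files\Adobe\Acrobat\Acrobat.exe" invoice.pdf',
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
    },
]

# Assumed "untrusted source" directories for an MSI package (example heuristic).
UNTRUSTED_DIRS = re.compile(
    r"\\(Downloads|Desktop|AppData\\Local\\Temp|Temp|Public)\\", re.IGNORECASE
)
# Pulls the package path out of "msiexec /i <pkg>" (also /package, -i).
MSI_ARG = re.compile(r'(?:/i|/package|-i)\s+"?([^"\s]+\.msi)"?', re.IGNORECASE)

# Assumed set of interpreters/LOLBins that Outlook should not be launching.
SCRIPT_HOSTS = {
    "powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe",
}


def _basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def suspicious_msi_install(ev: dict) -> bool:
    """msiexec installing an .msi that lives in a user-writable, untrusted directory."""
    if _basename(ev["Image"]) != "msiexec.exe":
        return False
    match = MSI_ARG.search(ev["CommandLine"])
    if not match:                      # e.g. the service-mode "/V" instance
        return False
    return bool(UNTRUSTED_DIRS.search(match.group(1)))


def suspicious_outlook_child(ev: dict) -> bool:
    """A script host or LOLBin whose parent process is Outlook."""
    return (_basename(ev["ParentImage"]) == "outlook.exe"
            and _basename(ev["Image"]) in SCRIPT_HOSTS)


RULES = [
    ("Detect Suspicious MSI Installer Execution", suspicious_msi_install),
    ("Detect Outlook COM Hijacking", suspicious_outlook_child),
]


def triage(events):
    """Return (rule name, command line) for every event that matches a rule."""
    hits = []
    for ev in events:
        for name, check in RULES:
            if check(ev):
                hits.append((name, ev["CommandLine"]))
    return hits


if __name__ == "__main__":
    for rule, cmdline in triage(SAMPLE_EVENTS):
        print(f"[{rule}] {cmdline}")
```

Both checks are deliberately narrow so that the benign events (a managed deployment, the Installer service itself, a document viewer opened from an attachment) stay quiet; tuning the directory list and the child-process set to the environment is where most of the real work in such rules lies.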
