{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/banking-trojan/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["AI Prompt Builder","Microsoft Outlook","Chromium browser","WhatsApp Web"],"_cs_severities":["high"],"_cs_tags":["banking-trojan","malware","worm","self-spreading","brazil","logitech"],"_cs_type":"advisory","_cs_vendors":["Logitech","Microsoft","Chromium","Elastic"],"content_html":"\u003cp\u003eTCLBanker is a newly discovered banking trojan targeting 59 banking, fintech, and cryptocurrency platforms. Discovered by Elastic Security Labs in May 2026, TCLBanker is believed to be an evolution of the Maverick/Sorvepotel malware family. The initial infection vector involves a trojanized MSI installer for Logitech AI Prompt Builder. Once installed, TCLBanker exhibits worm-like behavior, self-spreading through WhatsApp and Microsoft Outlook to propagate to new victims. While currently focused on Brazilian targets, its potential to expand geographically poses a significant risk. TCLBanker is heavily protected against analysis, actively monitoring for debugging and analysis tools. The malware leverages DLL side-loading within the legitimate Logitech application to evade initial detection.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe victim downloads and executes a trojanized MSI installer for Logitech AI Prompt Builder.\u003c/li\u003e\n\u003cli\u003eThe installer performs DLL side-loading to inject the TCLBanker malware into the legitimate Logitech application process.\u003c/li\u003e\n\u003cli\u003eTCLBanker monitors the browser address bar using Windows UI Automation APIs, searching for URLs matching its 59 targeted financial platforms.\u003c/li\u003e\n\u003cli\u003eWhen a targeted website is accessed, TCLBanker establishes a WebSocket session with its command-and-control (C2) server, sending victim and system information.\u003c/li\u003e\n\u003cli\u003eThe C2 operator gains remote control capabilities, including live screen streaming, screenshot capturing, keylogging, clipboard hijacking, shell command execution, and file system access.\u003c/li\u003e\n\u003cli\u003eTCLBanker uses a WPF-based overlay system to display fake credential prompts, PIN keypads, and other deceptive overlays to steal sensitive information.\u003c/li\u003e\n\u003cli\u003eThe malware hijacks the victim\u0026rsquo;s WhatsApp account by searching for authenticated WhatsApp Web IndexedDB data in Chromium browser profiles and launching a hidden Chromium instance to send spam messages to contacts, filtering for Brazilian numbers.\u003c/li\u003e\n\u003cli\u003eTCLBanker abuses Microsoft Outlook through COM automation to harvest contacts and sender addresses, sending phishing emails from the victim\u0026rsquo;s email account to further spread the malware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eTCLBanker enables attackers to steal banking credentials, cryptocurrency wallet information, and other sensitive data from victims. It also allows for remote control of infected systems, enabling attackers to perform unauthorized actions, potentially leading to financial loss, identity theft, and further propagation of the malware. The self-spreading capabilities via WhatsApp and Outlook significantly increase the malware\u0026rsquo;s reach, potentially impacting a large number of individuals and organizations, especially those operating in Brazil.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor process creations for suspicious instances of \u003ccode\u003emsiexec.exe\u003c/code\u003e installing software from untrusted sources (see Sigma rule: \u0026ldquo;Detect Suspicious MSI Installer Execution\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging to detect DLL side-loading activity from legitimate applications like the Logitech AI Prompt Builder process, potentially indicating TCLBanker infection.\u003c/li\u003e\n\u003cli\u003eMonitor network connections for WebSocket traffic originating from systems running legitimate applications that should not be communicating over WebSockets to external addresses.\u003c/li\u003e\n\u003cli\u003eImplement network detections for outbound email traffic containing suspicious attachments or links originating from user accounts that have not recently logged into Outlook (see Sigma rule \u0026ldquo;Detect Outlook COM Hijacking\u0026rdquo;).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-08T12:00:00Z","date_published":"2026-05-08T12:00:00Z","id":"/briefs/2026-05-tclbanker/","summary":"TCLBanker is a banking trojan targeting 59 financial platforms, spreading via trojanized Logitech AI Prompt Builder installers and worm modules for WhatsApp and Outlook, enabling remote control and data theft.","title":"TCLBanker Banking Trojan Self-Spreads via WhatsApp and Outlook","url":"https://feed.craftedsignal.io/briefs/2026-05-tclbanker/"}],"language":"en","title":"CraftedSignal Threat Feed — Banking-Trojan","version":"https://jsonfeed.org/version/1.1"}