New TCLBanker Banking Trojan Targets 59 Financial Apps via WhatsApp

Cybersecurity researchers have uncovered a sophisticated new threat targeting the financial sector: a Brazilian banking trojan dubbed TCLBanker has emerged with the capability to compromise 59 different banking, fintech, and cryptocurrency platforms. The malware, which relies on a multi-stage infection chain to bypass traditional security measures, is designed to steal sensitive financial credentials and facilitate unauthorized transactions.

The campaign is currently being tracked by Elastic Security Labs under the identifier REF3076. According to the researchers, the malware is not an entirely new creation but is assessed to be a major update of a previous threat known as Maverick. This evolution indicates a persistent effort by threat actors to refine their tools to evade modern endpoint detection and response (EDR) systems.

What makes this particular threat particularly dangerous is its method of propagation. The TCLBanker banking Trojan utilizes a worm component called SORVEPOTEL, which allows it to spread rapidly through WhatsApp Web and Microsoft Outlook. By hijacking a victim’s contact list, the malware can send malicious links or files to trusted associates, significantly increasing the likelihood that new users will trust and execute the payload.

The activity has been attributed to a threat cluster that Trend Micro identifies as Water Saci. This group is known for developing highly specialized malware tailored to the Brazilian financial landscape, though the broad nature of the targeted apps suggests a potential for wider impact across global fintech services.

The Architecture of the Attack: Abusing Trusted Software

The infection process begins with a deceptive delivery mechanism. The malware is typically bundled as a malicious MSI installer hidden inside a ZIP file. To avoid triggering antivirus alarms, the attackers employ a technique known as DLL side-loading, which tricks the operating system into loading a malicious library instead of a legitimate one.

In the case of TCLBanker, the attackers abuse a signed, legitimate program from Logitech called the Logi AI Prompt Builder. Because the Logitech executable is digitally signed and trusted by the system, it provides a “cloak” for the malware. When the program runs, it is forced to load a malicious DLL named screen_retriever_plugin.dll, which serves as the primary loader for the banking trojan.

DLL side-loading is a particularly effective strategy for modern malware because it doesn’t require the attacker to find a vulnerability in the software itself. Instead, it exploits the way Windows searches for and loads libraries. By placing a malicious DLL in the same folder as a trusted executable, the malware ensures it is executed with the same privileges as the legitimate application.

Evading Detection with the “Watchdog” Subsystem

Once the loader is active, TCLBanker deploys a “comprehensive watchdog subsystem” designed to ensure the malware remains undetected. This subsystem acts as a constant sentinel, scanning the victim’s system for any signs of security analysis. It specifically looks for the presence of sandboxes, debuggers, disassemblers, and instrumentation tools commonly used by security researchers to reverse-engineer malware.


The loader is programmed with strict execution conditions: the malicious DLL will only execute if it is loaded by either the official Logitech program (logiaipromptbuilder.exe) or a specific testing executable (tclloader.exe). If the malware detects it is being run in a virtual environment or by a security tool, it will likely terminate or remain dormant to avoid analysis.

The trojan also employs advanced stealth techniques to blind security software. It removes “usermode hooks” (the monitoring points that endpoint security software places inside the ntdll.dll system library). By replacing this library, the malware effectively cuts off the communication between the operating system and the antivirus software. It also disables Event Tracing for Windows (ETW) telemetry, ensuring that its activities are not logged in the system’s event trails.

The Impact on Financial Platforms and Cryptocurrency

The primary goal of the TCLBanker banking Trojan is the theft of financial assets. By targeting 59 different platforms, the attackers have cast a wide net that covers traditional retail banks, modern fintech apps, and cryptocurrency wallets. This versatility allows the malware to be effective regardless of whether a victim uses a legacy bank or a decentralized finance (DeFi) platform.

Once the trojan is active, it can employ various methods to steal data, such as overlay attacks—where a fake login screen is placed over a legitimate banking app—or keylogging to capture passwords and two-factor authentication (2FA) codes. The integration of the SORVEPOTEL worm means that a single infected device can potentially compromise dozens of other accounts in a matter of minutes via WhatsApp.

Key Technical Details of the TCLBanker Campaign

TCLBanker Threat Summary

| Feature | Detail |
| --- | --- |
| Tracking ID | REF3076 (Elastic Security Labs) |
| Origin/Cluster | Brazilian / Water Saci |
| Propagation | WhatsApp Web & Microsoft Outlook (SORVEPOTEL worm) |
| Delivery Method | MSI installer in ZIP file |
| Exploit Technique | DLL side-loading via Logi AI Prompt Builder |
| Target Scope | 59 banking, fintech, and crypto platforms |

How to Protect Your Financial Data

Given the stealthy nature of the TCLBanker banking Trojan, traditional antivirus software may not always be sufficient, especially if the malware successfully disables system telemetry. However, users can take several proactive steps to mitigate the risk.

  • Exercise Caution with Attachments: Never open ZIP files or MSI installers received via WhatsApp or email, even if they appear to come from a known contact. The SORVEPOTEL worm specifically exploits trust between friends and colleagues.
  • Audit Installed Software: Be wary of unexpected software installations. If you see programs like “Logi AI Prompt Builder” on your system and you did not intentionally install them, treat it as a critical red flag.
  • Enable Hardware-Based MFA: While some trojans can bypass SMS-based two-factor authentication, hardware security keys (like YubiKeys) are significantly harder for malware to intercept.
  • Keep Systems Updated: Ensure that your operating system and all installed applications are updated to the latest versions to close potential security gaps that loaders might exploit.
  • Monitor Account Activity: Regularly check your bank and cryptocurrency statements for small, unauthorized transactions, which attackers often use to “test” an account before attempting a larger theft.

For organizations, it is recommended to implement strict application whitelisting and monitor for unusual DLL loading patterns, particularly those involving signed binaries that are not part of the standard corporate image.
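The “unusual DLL loading patterns” recommendation above, and the side-loading mechanism described earlier (a malicious DLL placed beside a trusted executable), can be turned into a concrete triage rule. The script below is an added example written for this article; it is not Elastic Security Labs’ or Trend Micro’s detection logic. It assumes Sysmon is configured to log Image Loaded events (Event ID 7) and that those events have been exported as JSON lines with the standard Sysmon field names (Image, ImageLoaded, Signed, SignatureStatus, Signature). The sample events are constructed for the demonstration, the system-directory list and the loader name are the only baseline it knows, and it flags a load when a DLL is pulled from the host executable’s own directory outside the Windows system folders and is either the loader name named in the article or unsigned / not validly signed. Event ID 7 does not record whether the host executable itself is signed, so that part of the pattern still has to be confirmed by an analyst.

```python
"""Triage Sysmon Event ID 7 (Image Loaded) records for DLL side-loading candidates.

Added example for this article; not code from Elastic Security Labs or Trend Micro.
Assumes Sysmon ImageLoad events exported as JSON lines with the standard field
names. Sample events below are constructed.
"""
import json
from pathlib import PureWindowsPath

# DLLs loaded from the Windows system folders sit beside hundreds of legitimate
# executables; those loads are normal and are excluded from the rule.
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64", "c:\\windows\\winsxs")

# Loader DLL name reported for TCLBanker in the article.
KNOWN_LOADER_DLLS = {"screen_retriever_plugin.dll"}


def _is_true(value):
    """Sysmon JSON exports carry 'true'/'false' strings; tolerate real booleans too."""
    return str(value).lower() == "true"


def sideload_reason(rec):
    """Return a short reason if the record looks like DLL side-loading, else None."""
    image = PureWindowsPath(rec["Image"])
    dll = PureWindowsPath(rec["ImageLoaded"])
    if dll.suffix.lower() != ".dll":
        return None
    dll_dir = str(dll.parent).lower()
    # Side-loading depends on the DLL living in the same folder as the host EXE.
    if dll_dir != str(image.parent).lower():
        return None
    if dll_dir.startswith(SYSTEM_DIRS):
        return None
    if dll.name.lower() in KNOWN_LOADER_DLLS:
        return "known TCLBanker loader DLL name"
    if not _is_true(rec.get("Signed", "false")):
        return "unsigned DLL loaded from the host executable's own directory"
    if rec.get("SignatureStatus") != "Valid":
        return "DLL signature status is " + repr(rec.get("SignatureStatus"))
    return None


def triage(jsonl_text):
    """Return (Image, ImageLoaded, reason) for every Event ID 7 record that matches."""
    hits = []
    for line in jsonl_text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("EventID") != 7:
            continue
        reason = sideload_reason(rec)
        if reason:
            hits.append((rec["Image"], rec["ImageLoaded"], reason))
    return hits


# Constructed sample export: one side-loaded loader DLL, one unsigned plugin,
# and three benign loads that the rule must leave alone.
SAMPLE_EVENTS = r'''
{"EventID": 7, "Image": "C:\\Users\\victim\\AppData\\Local\\Temp\\LogiAIPromptBuilder\\logiaipromptbuilder.exe", "ImageLoaded": "C:\\Users\\victim\\AppData\\Local\\Temp\\LogiAIPromptBuilder\\screen_retriever_plugin.dll", "Signed": "false", "SignatureStatus": "Unavailable", "Signature": "-"}
{"EventID": 7, "Image": "C:\\Windows\\System32\\notepad.exe", "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll", "Signed": "true", "SignatureStatus": "Valid", "Signature": "Microsoft Windows"}
{"EventID": 7, "Image": "C:\\Program Files\\ExampleVendor\\app.exe", "ImageLoaded": "C:\\Program Files\\ExampleVendor\\helper.dll", "Signed": "true", "SignatureStatus": "Valid", "Signature": "Example Vendor Inc"}
{"EventID": 7, "Image": "C:\\Program Files\\ExampleVendor\\app.exe", "ImageLoaded": "C:\\Program Files\\ExampleVendor\\plugin.dll", "Signed": "false", "SignatureStatus": "Unavailable", "Signature": "-"}
{"EventID": 7, "Image": "C:\\Users\\victim\\Downloads\\tool.exe", "ImageLoaded": "C:\\Windows\\System32\\user32.dll", "Signed": "true", "SignatureStatus": "Valid", "Signature": "Microsoft Windows"}
'''

if __name__ == "__main__":
    for image, dll, reason in triage(SAMPLE_EVENTS):
        print(f"{reason}: {image} loaded {dll}")
```

Run against a real export, the two hits above would be the loader beside the Logitech binary and any other unsigned DLL beside a non-system executable; the second category is noisy in environments with unsigned in-house tools, so pair it with an allowlist of corporate-image paths before alerting on it.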

As the Water Saci cluster continues to evolve the Maverick lineage, security researchers are closely monitoring the campaign for new variants. The next critical checkpoint for the community will be the release of updated Indicators of Compromise (IOCs) from Elastic Security Labs and Trend Micro, which will allow security vendors to update their detection signatures to catch the latest versions of the SORVEPOTEL worm.
