TCLBANKER is a sophisticated Brazilian banking trojan deployed through a trojanized Logitech installer and capable of hijacking victims’ WhatsApp and Outlook accounts to spread itself to new targets.
The campaign, tracked as REF3076, delivers TCLBANKER through a malicious MSI installer bundled inside a ZIP file. The installer abuses a signed Logitech application, Logi AI Prompt Builder, via a DLL sideloading technique.
A malicious DLL named screen_retriever_plugin.dll masquerades as a legitimate Flutter plugin and is automatically loaded when the Logitech host application starts. Once loaded, it deploys two embedded .NET Reactor-protected payloads: a full banking trojan module and a worm module for self-propagation.
TCLBANKER Malware Leverages WhatsApp and Outlook
What makes TCLBANKER particularly evasive is its environment-dependent payload-decryption mechanism. The loader generates a three-part environment fingerprint based on anti-debugging checks, system hardware information, and language settings.
If the system is identified as a sandbox or analysis environment, the payload fails to decrypt, and execution stops silently.
The malware turns off user-mode ETW telemetry by patching EtwEventWrite with a classic xor eax, eax; ret instruction, and generates direct syscall trampolines to bypass security hooks, as reported by Elastic.

A comprehensive watchdog subsystem runs throughout the entire infection lifecycle, actively scanning for over a dozen analysis tools, including x64dbg, Ghidra, dnSpy, IDA Pro, Process Hacker, Frida, and CheatEngine. If any of these tools are detected, the malware terminates execution immediately.

The banking module targets exclusively Brazilian victims and requires at least 2 of its geofencing checks (region code, time zone, system locale, and keyboard layout) to match Brazil.
Every second, the malware monitors the victim’s active browser address bar using Windows UI Automation across Chrome, Firefox, Edge, Brave, Opera, and Vivaldi. It checks the URL against an encrypted list of 59 Brazilian banking, fintech, and cryptocurrency domains.
When a match is detected, a WebSocket C2 session opens to wss://mxtestacionamentos[.]com/ws, and the operator gains full remote control of the infected machine.
A WPF-based full-screen overlay framework is the malware’s most alarming capability. When activated, it covers every monitor with a borderless, topmost window that cannot be closed until the operator turns it off.

The overlay is invisible to screen-capture tools thanks to WDA_EXCLUDEFROMCAPTURE, meaning the victim cannot seek help through screenshots. Built-in UI modules include a credential-harvesting prompt with Brazilian phone number masking, a fake Windows Update progress screen, a vishing wait screen that keeps victims occupied while fraudsters call them directly, and a “cutout overlay” that exposes a real application window within the fraudulent interface to make social engineering more convincing.
The second payload, Tcl.WppBot, is a dual-channel spam worm. The WhatsApp bot scans installed Chromium-based browsers for active WhatsApp Web sessions by looking for the application’s LevelDB or IndexedDB directory in each browser’s profile.
It clones the profile into a temporary directory, launches a headless Chromium instance via Selenium WebDriver, injects WPPConnect JavaScript to bypass bot detection, harvests the victim’s contacts, and silently sends phishing messages, including the TCLBANKER installer, to all Brazilian contacts without the victim’s knowledge.
The Outlook bot connects to the victim’s installed Microsoft Outlook via COM interop, harvests email contacts from the Contacts folder and the inbox message history, and then sends phishing emails from the victim’s own email account.
Emails are sent with the subject line “NFe disponível para impressão” (Electronic Invoice Available for Printing), linking to a phishing domain impersonating a Brazilian ERP platform. Because these emails originate from trusted, legitimate accounts, they are highly likely to bypass traditional email security filters.
All C2 and payload delivery infrastructure is hosted under a single Cloudflare Workers account (ef971a42.workers[.]dev), allowing the operators to rotate infrastructure rapidly.
Developer artifacts, including debug logging paths (C:\temp\tcl-debug.txt), test process names, and an incomplete phishing site still showing a maintenance page, suggest that REF3076 is in early operational stages and that the campaign scope is likely to expand.
Researchers link TCLBANKER to the previously tracked MAVERICK/SORVEPOTEL malware family based on shared infrastructure and code patterns.
IoC
| Observable | Type | Name | Reference |
|---|---|---|---|
| 701d51b7be8b034c860bf97847bd59a87dca8481c4625328813746964995b626 | SHA-256 | screen_retriever_plugin.dll | TCLBanker loader component |
| 8a174aa70a4396547045aef6c69eb0259bae1706880f4375af71085eeb537059 | SHA-256 | screen_retriever_plugin.dll | TCLBanker loader component |
| 668f932433a24bbae89d60b24eee4a24808fc741f62c5a3043bb7c9152342f40 | SHA-256 | screen_retriever_plugin.dll | TCLBanker loader component |
| 63beb7372098c03baab77e0dfc8e5dca5e0a7420f382708a4df79bed2d900394 | SHA-256 | XXL_21042026-181516.zip | TCLBanker initial ZIP file |
| campanha1-api.ef971a42[.]workers.dev | domain-name | TCLBanker C2 | |
| mxtestacionamentos[.]com | domain-name | TCLBanker C2 | |
| documents.ef971a42.workers[.]dev | domain-name | TCLBanker file server | |
| arquivos-omie[.]com | domain-name | TCLBanker phishing page (under development) | |
| documentos-online[.]com | domain-name | TCLBanker phishing page (under development) | |
| afonsoferragista[.]com | domain-name | TCLBanker phishing page (under development) | |
| doccompartilhe[.]com | domain-name | TCLBanker phishing page (under development) | |
| recebamais[.]com | domain-name | TCLBanker phishing page (under development) | |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
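A defender-side triage script, added here as an example (it is not part of the original report or of Elastic’s tooling), that re-fangs the domains from the IoC table and flags telemetry consistent with this campaign: the sideloaded screen_retriever_plugin.dll, the published loader hashes, the C2 and file-server domains, and the C:\temp\tcl-debug.txt developer artifact. The simplified Sysmon-like event shape, the sample events, and the host process image name are constructed assumptions for the demo.

```python
import ntpath

# IoCs from the table above (a subset), kept defanged exactly as published.
IOC_DOMAINS_DEFANGED = ["campanha1-api.ef971a42[.]workers.dev",
                        "mxtestacionamentos[.]com", "documents.ef971a42.workers[.]dev"]
IOC_SHA256 = {"701d51b7be8b034c860bf97847bd59a87dca8481c4625328813746964995b626",
              "8a174aa70a4396547045aef6c69eb0259bae1706880f4375af71085eeb537059",
              "668f932433a24bbae89d60b24eee4a24808fc741f62c5a3043bb7c9152342f40"}
SIDELOADED_DLL = "screen_retriever_plugin.dll"  # Flutter plugin name abused for sideloading
DEBUG_LOG = r"c:\temp\tcl-debug.txt"            # developer artifact named in the report

def refang(indicator: str) -> str:
    """Turn a defanged host name ('example[.]com') back into a matchable one."""
    return indicator.replace("[.]", ".").strip().lower()

IOC_DOMAINS = {refang(d) for d in IOC_DOMAINS_DEFANGED}

def triage_event(event: dict) -> list:
    """Reasons (possibly none) why one telemetry event matches REF3076 tradecraft."""
    hits = []
    kind = event.get("type")
    if kind == "image_load":
        image = event.get("image", "")
        if ntpath.basename(image).lower() == SIDELOADED_DLL:
            hits.append(f"sideload candidate: {image} loaded by {event.get('process')}")
        if event.get("sha256", "").lower() in IOC_SHA256:
            hits.append("known TCLBanker loader hash")
    elif kind == "dns" and refang(event.get("query", "")) in IOC_DOMAINS:
        hits.append(f"C2/file-server domain contacted: {event['query']}")
    elif kind == "file_create" and event.get("path", "").lower() == DEBUG_LOG:
        hits.append("TCLBanker debug log path created")
    return hits

def triage(events: list) -> list:
    """(event index, reason) pairs for every hit across a batch of events."""
    return [(i, h) for i, e in enumerate(events) for h in triage_event(e)]

# Constructed sample telemetry; the host process image name is an assumption, not from the report.
HOST = "LogiAIPromptBuilder.exe"
SAMPLE_EVENTS = [
    {"type": "image_load", "process": HOST, "image": r"C:\Users\u\Downloads\XXL\screen_retriever_plugin.dll",
     "sha256": "701d51b7be8b034c860bf97847bd59a87dca8481c4625328813746964995b626"},
    {"type": "dns", "process": HOST, "query": "mxtestacionamentos.com"},
    {"type": "file_create", "process": HOST, "path": r"C:\temp\tcl-debug.txt"},
    {"type": "dns", "process": "chrome.exe", "query": "web.whatsapp.com"},  # benign, must not fire
]

if __name__ == "__main__":
    for idx, reason in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {reason}")
```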