TCLBANKER: Brazilian Banking Trojan Spreading via WhatsApp and Outlook
TCLBANKER is a sophisticated Brazilian banking trojan that evolved from the MAVERICK/SORVEPOTEL malware family. It uses a trojanized Logitech installer to deploy protected modules via DLL side-loading. The malware targets 59 Brazilian financial institutions by leveraging UI Automation, and it employs a full-screen overlay framework for social engineering attacks that harvest credentials. It includes a worm module that propagates through WhatsApp session hijacking and Outlook COM automation, sending phishing messages from infected users' accounts. TCLBANKER has advanced anti-analysis features such as environment-gated payload decryption, watchdog systems, and ETW patching. Its infrastructure is hosted on Cloudflare Workers, and the campaign appears to be in the early stages of operation.
AI Analysis (machine-generated threat intelligence)
Technical Summary
TCLBANKER is a banking trojan targeting Brazilian financial institutions, representing an evolution of the MAVERICK/SORVEPOTEL malware family. It spreads via a trojanized Logitech installer that side-loads .NET Reactor-protected modules. The trojan monitors 59 Brazilian banks using UI Automation and uses a WPF-based overlay for operator-driven social engineering to steal credentials and display fake system screens. A secondary worm module enables self-propagation by hijacking WhatsApp sessions and automating Outlook to send phishing messages from victims' accounts. The malware employs robust anti-analysis techniques including environment-gated payload decryption, watchdog mechanisms, and ETW patching. Its command and control infrastructure is hosted on Cloudflare Workers. The campaign was detected early in its operational phase, indicating potential for further development.
Potential Impact
The malware enables credential theft from users of 59 Brazilian financial institutions, potentially leading to financial fraud and account compromise. Its worm-like propagation through WhatsApp and Outlook allows rapid spread by abusing victims' own communication channels, increasing infection rates and phishing reach. The full-screen overlays and social engineering techniques can deceive users into divulging sensitive information. Anti-analysis features complicate detection and analysis, potentially prolonging infection and impact. However, there is no indication of activity beyond the campaign described, and that campaign is in its early stages.
Mitigation Recommendations
No official patch or remediation is currently available for TCLBANKER as it is malware rather than a software vulnerability. Mitigation should focus on user awareness to avoid trojanized installers and suspicious links, especially on WhatsApp and Outlook. Organizations should monitor for indicators of compromise such as the provided hashes and domains. Endpoint detection and response solutions should be updated to detect DLL side-loading and .NET Reactor-protected modules. Since the infrastructure is hosted on Cloudflare Workers, blocking related domains and network indicators may help limit communication. Check vendor advisories and threat intelligence feeds for updates on detection and mitigation strategies.
Indicators of Compromise
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.elastic.co/security-labs/tclbanker-brazilian-banking-trojan
- Adversary: REF3076
- Pulse Id: 69fb97e531a95b262c4925aa
- Threat Score: null
Threat ID: 69fda40acbff5d8610b111e3
Added to database: 5/8/2026, 8:51:22 AM
Last enriched: 5/8/2026, 9:07:37 AM
Last updated: 5/8/2026, 12:02:39 PM