TCLBANKER Banking Trojan Spreads via WhatsApp and Outlook Worm Modules

TCLBANKER, a newly identified Brazilian banking trojan tracked by Elastic Security Labs under campaign name REF3076, targets 59 banking, fintech, and cryptocurrency platforms by abusing a signed Logitech application through DLL sideloading — a technique that tricks a legitimate, trusted program into loading a malicious library in place of a real one. When a victim visits a monitored financial site, the malware activates a WebSocket command-and-control (C2) session and deploys full-screen overlay windows designed to steal credentials through live operator-driven social engineering. What distinguishes TCLBANKER from most banking trojans is its self-propagation capability: it hijacks the victim's own WhatsApp and Outlook accounts to spread to their contacts, inheriting the trust of legitimate communications and bypassing email gateway defenses entirely.

TCLBANKER Banking Trojan: Technical Details

The infection chain begins with an MSI installer that impersonates a legitimate Logitech Logi AI Prompt Builder package. Inside, threat actors abuse DLL sideloading against LogiAiPromptBuilder.exe — a real, digitally signed Logitech executable built on the Flutter framework. When the application starts, it automatically loads screen_retriever_plugin.dll, which it expects to be a genuine Flutter plugin (a software component that extends Flutter's capabilities). In REF3076's version, that DLL is replaced with the TCLBANKER loader, executing malicious code under the cover of the trusted Logitech process.

TCLBANKER is a significant evolution of MAVERICK and SORVEPOTEL, older Brazilian banking trojan families with a documented history of targeting South American financial institutions. Elastic analysts identified an IP address that simultaneously hosted a REF3076 C2 domain, a REF3076 phishing site, and a domain previously associated with the Water Saci campaign and SORVEPOTEL/MAVERICK malware — a strong indicator of shared infrastructure and operator overlap between the campaigns.

The malware activates its core functionality when the victim navigates to any of the 59 monitored Brazilian banking, fintech, or cryptocurrency domains. At that point, it opens a WebSocket C2 session and deploys a WPF-based (Windows Presentation Foundation — Microsoft's desktop UI framework) full-screen overlay. The overlay covers the legitimate banking site completely and presents real-time operator-driven prompts designed to capture one-time passwords, MFA (Multi-Factor Authentication) tokens, and account credentials as the victim types them.

Exploitation Status and Threat Landscape

TCLBANKER does not exploit a CVE-identified software vulnerability. Instead, it exploits human trust: victims believe they are installing legitimate Logitech software. The use of a signed binary from a major hardware vendor makes detection by traditional endpoint security tools significantly harder, because the executable carries a valid code-signing certificate that passes hash-based integrity checks.

The campaign's two worm modules represent a notable advancement over typical banking trojans:

  • WhatsApp worm: Hijacks the victim's authenticated WhatsApp Web browser session to silently send phishing messages to the victim's contacts. Because messages arrive from the victim's own account, recipients are far more likely to click embedded links or run the same malicious installer — bypassing email gateway reputation checks entirely. This is MITRE ATT&CK technique T1534 (Internal Spearphishing — using an already-compromised internal account to target others in the same network of trust).
  • Outlook email bot: Uses Windows COM automation (Component Object Model — a Windows inter-process communication technology that allows programs to control other applications) to send phishing emails through the victim's own Outlook account, requiring no attacker credentials.

C2 infrastructure runs on Cloudflare Workers (workers[.]dev subdomains), allowing operators to rotate infrastructure rapidly while inheriting Cloudflare's trusted reputation. Many enterprises explicitly allow outbound traffic to Cloudflare endpoints, making domain blocklisting ineffective without deeper TLS inspection.

TCLBANKER includes substantial anti-analysis protections:

  • Environment-dependent payload decryption routines that deliberately fail in sandbox or automated analysis environments
  • A persistent watchdog thread scanning for analysis tools including x64dbg, IDA Pro, dnSpy, Frida, Process Hacker, Ghidra, and de4dot, causing the malware to terminate or raise an alert if any are detected

Elastic researchers note that developer artifacts throughout the chain — debug logging paths, test process names, and a phishing site still under construction — suggest REF3076 is in early operational stages and actively being expanded, not wound down.

Who Is Affected

Current targeting is focused on Brazil, with 59 banking, fintech, and cryptocurrency domains explicitly named in the malware's watchlist. The victim pool is anyone who installs the trojanized Logitech installer, most likely delivered through phishing lures or malicious download pages impersonating the legitimate Logi AI Prompt Builder.

The self-propagation via WhatsApp and Outlook extends secondary infection globally: the worm modules send messages to every contact in the victim's address book regardless of geography. This gives TCLBANKER an asymmetric reach beyond its initial target base with no additional infrastructure cost to the attacker.

What You Should Do Right Now

  • Block unexpected outbound WebSocket connections to .workers.dev at the network edge if your organization has no legitimate Cloudflare Workers usage. Monitor for unusual Cloudflare Worker traffic from endpoint processes.
  • Enable DLL sideloading detection in your EDR (Endpoint Detection and Response) solution. Flag screen_retriever_plugin.dll loading from non-standard paths alongside LogiAiPromptBuilder.exe.
  • Audit systems for the trojanized installer: Look for LogiAiPromptBuilder.exe processes spawned without any user-initiated Logitech software session, or unexpected screen_retriever_plugin.dll in process memory.
  • Alert on COM-based Outlook automation from unexpected processes: Flag Outlook COM automation sessions initiated by processes other than known productivity tools in your environment.
  • Alert on WhatsApp Web session activity from non-browser processes: If endpoint monitoring covers browser extension or DOM access, look for process injection into browser sessions active on web.whatsapp.com.
  • Educate users on installer verification: Logitech software should only be downloaded from logitech.com or the official Logi Options+ portal. Installers arriving via email, WhatsApp, or third-party download links should be treated as suspect regardless of digital signatures.
  • Consult Elastic's full IOC list in the TCLBANKER research post, which includes file hashes, C2 domains, and YARA detection rules.
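As an added illustration (not Elastic's detection logic or any published rule), the following Python pass over constructed Sysmon-style endpoint events encodes two of the checks above: screen_retriever_plugin.dll being loaded into LogiAiPromptBuilder.exe from outside its install directory or without a valid signature, and non-browser processes connecting to workers.dev hosts. The trusted install paths, the browser list and the event schema are assumptions, and the sample events are constructed.

```python
from dataclasses import dataclass

@dataclass
class Event:
    kind: str            # "image_load" or "net_connect"
    image: str           # full path of the process executable
    loaded: str = ""     # DLL path (image_load only)
    signed: bool = True  # signature status the telemetry reports for the DLL
    dest: str = ""       # destination host name (net_connect only)

# Assumed install locations of the genuine Logitech package; adjust to your fleet.
TRUSTED_DIRS = ("c:\\program files\\logitech\\", "c:\\program files (x86)\\logitech\\")
BROWSERS = ("chrome.exe", "msedge.exe", "firefox.exe")

def _name(path):
    return path.rsplit("\\", 1)[-1].lower()

def check_sideload(ev):
    """REF3076 pattern: screen_retriever_plugin.dll loaded into LogiAiPromptBuilder.exe
    from outside the install directory, or without a valid signature."""
    if (ev.kind != "image_load" or _name(ev.image) != "logiaipromptbuilder.exe"
            or _name(ev.loaded) != "screen_retriever_plugin.dll"):
        return None
    if ev.loaded.lower().startswith(TRUSTED_DIRS) and ev.signed:
        return None
    return f"possible DLL sideload: {ev.image} loaded {ev.loaded} (signed={ev.signed})"

def check_workers_dev(ev):
    """Outbound connection to a workers.dev host from a process that is not a browser."""
    if ev.kind != "net_connect":
        return None
    host = ev.dest.lower().rstrip(".")
    if (host == "workers.dev" or host.endswith(".workers.dev")) and _name(ev.image) not in BROWSERS:
        return f"non-browser process {ev.image} connected to Cloudflare Workers host {ev.dest}"
    return None

def run_detections(events):
    return [hit for ev in events for check in (check_sideload, check_workers_dev)
            if (hit := check(ev))]

# Constructed sample telemetry (not from the Elastic report): a benign load from the
# install directory, an unsigned copy loaded from AppData, and two Workers connections.
LOGI = "C:\\Program Files\\Logitech\\"
DROP = "C:\\Users\\u\\AppData\\Roaming\\Logi\\"
SAMPLE = [
    Event("image_load", LOGI + "LogiAiPromptBuilder.exe", loaded=LOGI + "screen_retriever_plugin.dll"),
    Event("image_load", DROP + "LogiAiPromptBuilder.exe", loaded=DROP + "screen_retriever_plugin.dll", signed=False),
    Event("net_connect", "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", dest="app.example.workers.dev"),
    Event("net_connect", DROP + "LogiAiPromptBuilder.exe", dest="c2-placeholder.workers.dev"),
]
```

Calling run_detections(SAMPLE) yields two alerts: the AppData sideload and the Workers connection from the sideloaded process; the genuine load and the browser connection stay silent.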

Background: Understanding the Risk

Brazilian banking trojans have a long operational history. Families like GRANDOREIRO, JAVALI, BANBRA, and GUILDMA have been active for years, and TCLBANKER follows this established pattern: sophisticated overlay fraud, geographic targeting of specific banking portals, and evasion through abuse of legitimate software. What sets TCLBANKER apart is the decision to weaponize the victim's own communication channels.

Traditional banking malware waits for the victim to visit a target site. TCLBANKER additionally turns the victim into an unwitting distribution vector. Each newly infected machine can send phishing messages to potentially hundreds of WhatsApp and Outlook contacts, compounding the campaign's reach without any additional infrastructure investment by the attacker — a network effect that dramatically accelerates spread during early operational stages.

DLL sideloading using legitimate signed binaries maps to MITRE ATT&CK T1574.002 (Hijack Execution Flow: DLL Side-Loading). The Logitech binary choice is deliberate: many endpoint security products exclude or deprioritize processes from well-known hardware vendors, and valid digital signatures pass integrity checks that would block unsigned executables.

The Cloudflare Workers infrastructure choice is equally strategic. Domain-based blocking is impractical without disrupting legitimate Cloudflare traffic, and operators can update Worker code without changing C2 domain names, making indicator-based blocking less durable over time.

Elastic's identification of overlapping infrastructure between REF3076 and the Water Saci/SORVEPOTEL/MAVERICK lineage suggests a single actor or tightly affiliated group — one that has been steadily improving its tooling. TCLBANKER represents the most capable iteration of this malware family to date, and the campaign is still being built out.

Conclusion

TCLBANKER is a technically mature banking trojan in its early deployment phase — a dangerous combination. Organizations with users in Brazil or with communication links to Brazilian financial institution employees face immediate risk; the WhatsApp and Outlook worm modules extend that risk globally. Security teams should prioritize DLL sideloading detections, Cloudflare Worker C2 monitoring, and user awareness around installer verification as the most immediately actionable defenses.
