253/69 Monday, May 11, 2026

Researchers from Elastic Security Labs have identified a new malware strain known as TCLBANKER (tracked as REF3076), a Brazilian banking trojan targeting more than 59 financial platforms, fintech services, and cryptocurrency-related systems. The malware is particularly concerning because it evolved from the Maverick malware family and now includes worm-like self-propagation through victims’ WhatsApp Web and Microsoft Outlook accounts. Because the malicious files are sent to victims’ contacts from accounts those contacts already trust, they are more likely to get past conventional spam filters and other security protections.
The infection process typically begins by tricking victims into opening a ZIP archive containing an MSI installer file. The malware uses a technique known as DLL side-loading to abuse the legitimate Logitech Logi AI Prompt Builder application, leveraging its valid digital signature to evade security detection. TCLBANKER also incorporates advanced anti-analysis features by inspecting the victim’s environment for sandbox systems or malware analysis tools, terminating execution immediately if such tools are detected. Once installed, the malware monitors URLs visited through popular browsers such as Chrome and Firefox. If the victim accesses targeted financial websites, TCLBANKER displays fake overlay windows that closely resemble legitimate banking interfaces in order to steal passwords and sensitive information. The malware also establishes WebSocket connections, enabling attackers to remotely control infected systems and exfiltrate data in real time.
To reduce the risk of infection, users are strongly advised to exercise extreme caution when opening attachments or clicking links received through social media platforms or email, even if the messages appear to come from trusted contacts. Suspicious behavior such as unauthorized outgoing messages or abnormal login windows requesting excessive personal information should be treated as a warning sign, and financial transactions should be stopped immediately until the system has been verified as clean. Enterprise administrators are advised to strengthen monitoring for unknown DLL executions and to review Task Scheduler activity that may indicate a malware persistence mechanism. Keeping operating systems, applications, and security software fully updated remains one of the most important baseline defenses against threats of this nature.
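One way for an administrator to act on the last two recommendations (reviewing Task Scheduler entries and looking for DLLs that do not belong next to a signed vendor binary), as an added PowerShell example that is not part of the article or of Elastic's report. The set of "trusted" directories and the heuristic that a validly signed EXE in a user-writable folder beside an unsigned or differently-signed DLL is worth a look are assumptions, not indicators from the report.

```powershell
# Added defensive triage script; the trusted-root list below is an assumption.
# Heuristic: DLL side-loading of a legitimately signed binary typically leaves a
# validly signed EXE in a user-writable folder next to a DLL that is unsigned or
# signed by someone else, frequently launched from a scheduled task.
$TrustedRoots = @("$env:SystemRoot", "$env:ProgramFiles", "${env:ProgramFiles(x86)}")

function Test-TrustedPath {
    param([string]$Path)
    foreach ($root in $TrustedRoots) {
        if ($root -and $Path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

function Get-SuspiciousTaskActions {
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }          # skip COM-handler actions
            # Expand %VAR% references and strip quotes before testing the path
            $exe = [Environment]::ExpandEnvironmentVariables($action.Execute.Trim('"'))
            if (-not (Test-Path -LiteralPath $exe)) { continue }   # only inspect resolvable files
            if (Test-TrustedPath $exe) { continue }
            $sig = Get-AuthenticodeSignature -FilePath $exe
            $dir = Split-Path -Parent $exe
            # DLLs beside the EXE that are unsigned or carry a different signer than the EXE
            $oddDlls = Get-ChildItem -LiteralPath $dir -Filter *.dll -ErrorAction SilentlyContinue | Where-Object {
                $d = Get-AuthenticodeSignature -FilePath $_.FullName
                $d.Status -ne 'Valid' -or $d.SignerCertificate.Subject -ne $sig.SignerCertificate.Subject
            }
            [pscustomobject]@{
                Task       = "$($task.TaskPath)$($task.TaskName)"
                Executable = $exe
                ExeSigner  = if ($sig.Status -eq 'Valid') { $sig.SignerCertificate.Subject } else { "UNSIGNED/$($sig.Status)" }
                OddDlls    = ($oddDlls | ForEach-Object Name) -join ', '
            }
        }
    }
}

# Rows with a valid ExeSigner and a non-empty OddDlls column are the ones to triage first.
Get-SuspiciousTaskActions | Format-Table -AutoSize -Wrap
```

Run it from an elevated session so tasks registered by other users are enumerated; a hit is a lead for analysis, not proof of compromise, since some legitimate installers also register tasks under user profiles.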
Source: https://thehackernews.com/2026/05/tclbanker-banking-trojan-targets.html
