TCLBANKER Trojan Exploits WhatsApp and Outlook to Target Finances

Threat hunters have recently identified a new banking trojan called TCLBANKER, and it could be affecting many people who use online banking or financial apps. This malware can target up to 59 different banking, fintech, and cryptocurrency platforms, making it essential for everyone to understand the risks associated with their online accounts.

## What is TCLBANKER?

TCLBANKER is a sophisticated piece of malware first tracked by Elastic Security Labs, which dubbed its activity “REF3076.” This trojan is an advanced version of another malware family known as Maverick, which spreads through WhatsApp Web. The threat cluster responsible for Maverick is called Water Saci by cybersecurity experts. Essentially, TCLBANKER is designed to steal sensitive information from your online banking activities, and its reach is vast, targeting numerous platforms.

The trojan’s infection process starts with a malicious installer bundled in a ZIP file. This installer masquerades as a legitimate Logitech program called Logi AI Prompt Builder. Users may download it believing it is safe and unknowingly install the malware on their systems.

## How Does It Operate?

Once activated, TCLBANKER deploys a banking trojan along with a worm component capable of propagating via messaging platforms. It employs a loader that has sophisticated anti-analysis features to evade detection. This means it can identify when it’s being monitored by security tools and take steps to conceal its malicious activities.

The trojan generates three unique fingerprints to check its environment, including system information and language settings. For instance, it only executes if the default language is Brazilian Portuguese. This focus means it’s specifically tailored for users in Brazil, making it more effective in its operations.

## The Threat to Personal Data

After successfully infiltrating a device, TCLBANKER captures vital information, including passwords and financial data, through a range of malicious activities. It can run commands, take screenshots, and even control the mouse and keyboard, granting it significant power over the infected machine.

One of its cunning tactics involves using a full-screen overlay disguised as a legitimate login prompt. This technique tricks users into entering their credentials, which the malware then captures. By masking its true nature, TCLBANKER taps into the fear and urgency that often accompany online banking.

Furthermore, it can continuously monitor the browser’s address bar to see if a user visits a financial institution. If a match occurs, TCLBANKER can launch a series of tasks designed to steal information without the user’s knowledge.

## The Propagation Method

In addition to stealing information, TCLBANKER spreads itself through both WhatsApp and Microsoft Outlook. The WhatsApp component can hijack an infected device’s sessions to send spam messages to contacts. The Outlook component uses the legitimate email service to send phishing messages, which appear trustworthy because they come from a known contact’s email.

Such strategies elevate TCLBANKER’s threat level, enabling it to bypass traditional security measures. Email and messaging platforms typically filter out suspicious communications, but messages that arrive from a known contact’s own account are less likely to look suspicious.
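Because mail from a known contact's real mailbox looks trustworthy, defenders can watch sending behaviour instead of the sender. The following is an added example, not code from the original article or from the researchers it cites: it flags a mailbox that sends the same content to many distinct recipients within a short window. The log format, field names, thresholds and sample records are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real data), in an assumed export format:
# (ISO timestamp, sender, recipient, subject, attachment identifier or None)
DAY = "2026-01-15T"
SAMPLE_LOG = (
    # One mailbox sends the same attachment to six contacts in under three minutes.
    [(f"{DAY}09:0{i // 2}:{(i % 2) * 30:02d}", "alice@example.com",
      f"contact{i}@example.net", "Documento", "attach-A") for i in range(6)]
    # Normal traffic: six different subjects, so no shared content.
    + [(f"{DAY}10:0{i}:00", "bob@example.com",
        f"peer{i}@example.net", f"Ticket {i}", None) for i in range(6)]
    # Same subject to six recipients, but spread over six hours.
    + [(f"{DAY}{10 + i}:00:00", "carol@example.com",
        f"client{i}@example.net", "Monthly report", None) for i in range(6)]
)


def find_fanout(records, window=timedelta(minutes=10), min_recipients=5):
    """Return {(sender, content_key): n} where one sender delivered the same
    content to n >= min_recipients distinct recipients inside `window`."""
    groups = defaultdict(list)
    for ts, sender, rcpt, subject, attachment in records:
        # Prefer the attachment identifier; fall back to the normalized subject.
        content = attachment or subject.strip().lower()
        groups[(sender.lower(), content)].append(
            (datetime.fromisoformat(ts), rcpt.lower()))

    alerts = {}
    for key, events in groups.items():
        events.sort()
        start, best = 0, 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {rcpt for _, rcpt in events[start:end + 1]}
            best = max(best, len(distinct))
        if best >= min_recipients:
            alerts[key] = best
    return alerts


if __name__ == "__main__":
    for (sender, content), count in find_fanout(SAMPLE_LOG).items():
        print(f"{sender}: {content!r} sent to {count} recipients in one window")
```

The window and recipient threshold need tuning against each mailbox's normal sending pattern, since legitimate bulk senders will otherwise trigger the same rule.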

## What this means for you

Understanding threats like TCLBANKER is crucial for maintaining your online safety. Here are some key takeaways:

– Always be cautious with unexpected email attachments or links, even if they come from trusted contacts, as they may be used to deliver malware.
– Regularly update your software and security tools to ensure you have the latest protections against new threats.
– If you ever need to review terms related to your online purchases or service agreements, AI Legalese Decoder can help translate them into plain English quickly.

Being informed and cautious can significantly reduce your risk of falling victim to malware like TCLBANKER, keeping your financial and personal information safe.

Source: https://thehackernews.com/2026/05/tclbanker-banking-trojan-targets.html



Author: Alex Reed
Alex Reed is an independent legal content investigator and consumer document researcher with over 12 years of experience studying how fine print, contracts, and legal agreements affect everyday people. Specializing in financial documents, tenancy agreements, employment contracts, and government forms, Alex breaks down complex legal language into plain-English insights that readers can actually use. Alex is not a licensed attorney — all content is educational and research-based, drawing on publicly available legal information and investigative analysis of real-world documents. Alex contributes to Legalese Decoder to help readers understand the legal language they encounter daily, from credit card agreements to insurance policies.