[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fDNocmtKzsvb98YdjjwyhpYu-6eVb8JXp61nkRi0JToQ":3},{"article":4,"iocs":49},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":31,"category":32,"article_tags":36},"4589d959-2469-4079-b2ca-8df1307b54c4","New TCLBanker malware self-spreads over WhatsApp and Outlook","new-tclbanker-malware-self-spreads-over-whatsapp-and-outlook-6dd857","A new trojan named TCLBanker, which targets 59 banking, fintech, and cryptocurrency platforms, uses a trojanized MSI installer for Logitech AI Prompt Builder to infect systems. [...]","TCLBanker, a new banking trojan targeting 59 financial platforms in Brazil, spreads through a compromised Logitech AI Prompt Builder MSI installer and includes worm modules that automatically propagate via WhatsApp and Outlook. The malware uses DLL side-loading, advanced anti-analysis techniques, and overlay-based credential theft, while researchers believe it evolved from the older Maverick\u002FSorvepotel malware family. The threat poses significant risk for geographic expansion, as similar LATAM malware has historically broadened its targeting scope.","TCLBanker banking trojan self-spreads via WhatsApp and Outlook using trojanized Logitech installer.","New TCLBanker malware self-spreads over WhatsApp and Outlook By Bill Toulas May 7, 2026 06:06 PM 1 A new trojan named TCLBanker, which targets 59 banking, fintech, and cryptocurrency platforms, uses a trojanized MSI installer for Logitech AI Prompt Builder to infect systems. Additionally, the malware includes self-spreading worm modules for WhatsApp and Outlook that automatically infect new victims. The new banking trojan was discovered by Elastic Security Labs, whose researchers believe it’s a major evolution of the older Maverick\u002FSorvepotel malware family. While TCLBanker currently appears focused in Brazil, specifically checking timezone, keyboard layout, and locale, LATAM malware has, in the past, been updated to broaden its targeting scope, so the risk of the threat expanding is real. TCLBanker capabilities Elastic warns that TCLBanker is extremely well protected against analysis and debugging, featuring environment-dependent payload decryption routines that fail in sandboxes or analyst environments. It also runs a persistent watchdog thread that continuously hunts for analysis tools like x64dbg, IDA, dnSpy, Frida, ProcessHacker, Ghidra, de4dot, and others. Monitoring for targeted processesSource: Elastic The malware is loaded within the context of the legitimate Logitech application via DLL side-loading, so it won’t trigger any alarms from security products protecting the infected host. The researchers noted that, while the loader is rich in features, none go very far toward being truly advanced, and code artifacts indicate that AI may have been used in its development. The banking module monitors the browser address bar every second using Windows UI Automation APIs, watching for when the victim opens a website of one of its 59 targeted platforms. When that happens, it establishes a WebSocket session with the command-and-control (C2), sends victim and system information, and starts remote control operations. The capabilities given to the operators include: Live screen streaming Screenshot capturing Keylogging Clipboard hijacking Shell command execution Window management File system access Process enumeration Remote mouse\u002Fkeyboard control During active sessions, the Task Manager process is killed to prevent disruptions and hide the malicious activity from the victim. To support data theft, TCLBanker uses a WPF-based overlay system that can push to victims fake credential prompts, PIN keypads, phone-number collection forms, fake “bank support” waiting screens, fake Windows Update screens, and various fake progress screens. There are also “cutout” overlays that stay on top, allowing only selected portions of real applications to be shown to the victim, and masking other parts. Generating a fake Windows update overlaySource: Elastic WhatsApp and Outlook worms An interesting aspect of TCLBanker is its ability to propagate autonomously to contacts linked to the primary victim. The malware searches Chromium browser profiles for authenticated WhatsApp Web IndexedDB data, and launches a hidden Chromium instance that hijacks the victim’s account. Hijacking WhatsApp accountsSource: Elastic Then, it harvests contacts, filters for Brazilian numbers, and sends them spam messages from the victim’s account, leading them to TCLBanker distribution platforms. Another worm module abuses Microsoft Outlook through COM automation, launching the app, harvesting contacts and sender addresses, and sending phishing emails through the victim’s email account. Harvesting Outlook contactsSource: Elastic Elastic concludes that TCLBanker is as a characteristic example of the evolution of LATAM malware, offering lower-tier cybercriminals features that were once only available in highly sophisticated tools. 99% of What Mythos Found Is Still Unpatched. AI chained four zero-days into one exploit that bypassed both renderer and OS sandboxes. A wave of new exploits is coming.At the Autonomous Validation Summit (May 12 & 14), see how autonomous, context-rich validation finds what's exploitable, proves controls hold, and closes the remediation loop. Claim Your Spot Related Articles: New GoGra malware for Linux uses Microsoft Graph API for commsNew PCPJack worm steals credentials, cleans TeamPCP infectionsAustralia warns of ClickFix attacks pushing Vidar Stealer malwareFake Claude AI website delivers new 'Beagle' Windows malwareDAEMON Tools devs confirm breach, release malware-free version","https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Fnew-tclbanker-malware-self-spreads-over-whatsapp-and-outlook\u002F","https:\u002F\u002Fwww.bleepstatic.com\u002Fcontent\u002Fhl-images\u002F2024\u002F06\u002F15\u002Femoji-hacker.jpg","2026-05-07T22:06:52+00:00","2026-05-08T00:00:09.632636+00:00",9,[18,21,24,26,28],{"name":19,"type":20},"Logitech","vendor",{"name":22,"type":23},"Logitech AI Prompt Builder","product",{"name":25,"type":20},"Elastic",{"name":27,"type":23},"Elastic Security Labs",{"name":29,"type":30},"DLL side-loading","technology","89f78b1c-3503-45a1-9fc7-e23d2ce1c6d5",{"id":31,"icon":33,"name":34,"slug":35},null,"Malware","malware",[37,42,44],{"category":38},{"id":39,"icon":33,"name":40,"slug":41},"26b0b636-0e31-4db1-bffb-61bdf9f20a58","Supply Chain","supply-chain",{"category":43},{"id":31,"icon":33,"name":34,"slug":35},{"category":45},{"id":46,"icon":33,"name":47,"slug":48},"e7b231c8-5f79-4465-8d38-1ef13aea5a14","Threat Intelligence","threat-intelligence",[50,53,56],{"type":35,"value":51,"context":52},"TCLBanker","Banking trojan targeting 59 financial platforms, spreads via WhatsApp\u002FOutlook",{"type":35,"value":54,"context":55},"Maverick","Older malware family; TCLBanker believed to be its evolution",{"type":35,"value":57,"context":55},"Sorvepotel"]