Netcrook

Security Awareness & Social Engineering

“Chatty Thief”: How TCLBanker Malware Turns WhatsApp and Outlook Into Cybercrime Conduits

Published: 08 May 2026 01:09
Category: Security Awareness & Social Engineering
Geo: South America
Author: LOGICFALCON

Subtitle: A new Brazilian banking trojan uses social and email platforms to spread, blending stealth with social engineering in a dangerous evolution.

It starts with a click: a seemingly harmless installer for Logitech's AI Prompt Builder, a nudge from a trusted WhatsApp contact, or a routine email from a familiar Outlook sender. Behind these innocent facades sits a new banking trojan. Dubbed “TCLBanker,” it weaponizes the very communication tools millions rely on daily, and its emergence marks a new chapter in the evolution of Latin American cyber threats, one in which the line between social connection and social engineering is thinner than ever.

The Anatomy of a Banking Trojan Reborn

Discovered by Elastic Security Labs, TCLBanker is no ordinary banking trojan. It is an evolutionary step from its Maverick/Sorvepotel lineage, packed with features once reserved for the cybercrime elite. Its infection vector is cunning: victims are lured into running a trojanized installer for a legitimate Logitech AI application. The installer drops the genuine software together with a malicious DLL that the legitimate executable loads at startup (DLL side-loading), so the malware runs inside a trusted process while anti-debugging checks hinder analysis.

But TCLBanker's most insidious innovation is worm-like self-propagation. It harvests WhatsApp Web session credentials from the browser's stored data, silently launches a hidden browser session with them, hijacks the victim's account, and sends malware-laden messages to the victim's Brazilian contacts, turning friends and colleagues into unwitting accomplices. In parallel it drives Microsoft Outlook through its automation (COM) interface to scrape the address book and dispatch phishing emails, widening the net further.

Once embedded, TCLBanker watches the victim's browsing for visits to any of its 59 targeted banking and cryptocurrency sites. When a victim lands on one, the malware springs into action: it opens a covert channel to its command-and-control server, streams the screen, logs keystrokes, and deploys fake overlays to harvest credentials or mask its own activity. Throughout, it disables tools such as Task Manager that a victim might use to spot it.
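Each of the three behaviours described above (a legitimate executable side-loading an unsigned DLL, a hidden browser session on WhatsApp Web, and Task Manager being disabled) leaves a distinct trace in endpoint telemetry. The following script is an added example for this page, not code from Elastic Security Labs or from the malware: it runs three Sysmon-style triage rules over constructed sample events. The Logitech install path and executable name, the dropped DLL name, the browser switches treated as "hidden" and the registry policy path are assumptions made for the illustration, not indicators published for TCLBanker.

```python
"""Triage rules for the TCLBanker behaviours described above.

Added example for this page; it is not code from Elastic Security Labs or
from the malware. Events are constructed, Sysmon-shaped dictionaries
(EventID, Image, ImageLoaded, Signed, CommandLine, ParentImage,
TargetObject, Details). The Logitech install path and executable name,
the browser flags treated as "hidden", and the registry policy used for
Task Manager are assumptions for illustration, not published indicators.
"""
import re
from pathlib import PureWindowsPath

BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "firefox.exe"}
# Assumed: switches a malicious launcher could use to keep the window out of sight.
HIDDEN_FLAGS = ("--headless", "--window-position=-32000", "--window-size=1,1")
# Per-user policy value that hides Task Manager; Sysmon logs it under HKU\<SID>\...
TASKMGR_POLICY = re.compile(r"\\policies\\system\\disabletaskmgr$", re.IGNORECASE)


def base(path):
    return PureWindowsPath(path).name.lower()


def folder(path):
    return str(PureWindowsPath(path).parent).lower()


def rule_sideload(ev):
    """Sysmon EID 7 (ImageLoad): a host binary loads an UNSIGNED DLL that
    sits in its own directory, the shape of the side-load described above."""
    if ev.get("EventID") != 7 or ev.get("Signed", "true").lower() != "false":
        return None
    if folder(ev["ImageLoaded"]) != folder(ev["Image"]):
        return None
    return f"unsigned {base(ev['ImageLoaded'])} side-loaded by {base(ev['Image'])}"


def rule_hidden_whatsapp(ev):
    """Sysmon EID 1 (ProcessCreate): a browser opened on WhatsApp Web with a
    hide-the-window switch by something other than the user's shell."""
    if ev.get("EventID") != 1 or base(ev["Image"]) not in BROWSERS:
        return None
    cmd = ev.get("CommandLine", "")
    if "web.whatsapp.com" not in cmd.lower() or not any(f in cmd for f in HIDDEN_FLAGS):
        return None
    parent = base(ev.get("ParentImage", ""))
    if parent == "explorer.exe":
        return None  # interactive launch by the user; not the hijack pattern
    return f"hidden WhatsApp Web session started by {parent}"


def rule_taskmgr_disabled(ev):
    """Sysmon EID 13 (RegistryValueSet): DisableTaskMgr set to 1 by an
    ordinary process rather than by Group Policy."""
    if ev.get("EventID") != 13 or not TASKMGR_POLICY.search(ev.get("TargetObject", "")):
        return None
    if not ev.get("Details", "").endswith("(0x00000001)"):
        return None
    return f"Task Manager disabled in the registry by {base(ev['Image'])}"


RULES = (rule_sideload, rule_hidden_whatsapp, rule_taskmgr_disabled)


def triage(events):
    """Return (rule name, message) for every event that trips a rule."""
    hits = []
    for ev in events:
        for rule in RULES:
            msg = rule(ev)
            if msg:
                hits.append((rule.__name__, msg))
    return hits


# Constructed sample telemetry. APP path and the DLL name are assumptions.
APP = r"C:\Program Files\Logitech\AIPromptBuilder\LogiPromptBuilder.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
SAMPLE_EVENTS = [
    # benign: the real app loads a signed system DLL
    {"EventID": 7, "Image": APP, "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true"},
    # side-load: the same app loads an unsigned DLL dropped next to it
    {"EventID": 7, "Image": APP,
     "ImageLoaded": r"C:\Program Files\Logitech\AIPromptBuilder\version.dll",
     "Signed": "false"},
    # benign: the user opens WhatsApp Web from the desktop
    {"EventID": 1, "Image": CHROME, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": '"chrome.exe" https://web.whatsapp.com/'},
    # hijack: the trojanized app opens WhatsApp Web headless in the user's profile
    {"EventID": 1, "Image": CHROME, "ParentImage": APP,
     "CommandLine": '"chrome.exe" --headless=new '
                    '--user-data-dir="C:\\Users\\ana\\AppData\\Local\\Google\\Chrome\\User Data" '
                    'https://web.whatsapp.com/'},
    # concealment: DisableTaskMgr flipped to 1 under the user's hive (fabricated SID)
    {"EventID": 13, "Image": APP,
     "TargetObject": r"HKU\S-1-5-21-1004336348-1177238915-682003330-1001"
                     r"\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr",
     "Details": "DWORD (0x00000001)"},
]

if __name__ == "__main__":
    for rule_name, msg in triage(SAMPLE_EVENTS):
        print(f"[{rule_name}] {msg}")
```

The side-load rule only fires if Sysmon's ImageLoad event is actually collected for the host application, which many baseline configurations filter out; the parent check in the WhatsApp rule is what keeps a user who opens WhatsApp Web from the desktop out of the alerts. The Outlook half of the propagation is deliberately not covered: Outlook driven over COM is started by the DCOM service host rather than by the calling process, so process lineage does not point back at the malware, and a mail-flow anomaly (one mailbox suddenly sending to its whole address book) is the more reliable signal there.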

This layered approach—combining technical stealth, aggressive self-spreading, and social engineering—signals a dangerous democratization of cybercrime tools. TCLBanker brings sophisticated capabilities to less-skilled criminals, amplifying the threat for individuals and institutions alike.

A Warning Beyond Brazil

Currently, TCLBanker is tuned for Brazilian victims, checking locale and keyboard settings before deploying its full arsenal. But history shows that Latin American malware often starts local before going global. As cybercriminals continue to adopt and adapt these tactics, the risk of a transnational outbreak grows.

For now, the best defense is vigilance—questioning unexpected downloads, scrutinizing messages from trusted contacts, and keeping security tools up to date. In a world where every chat and email can be a vector, awareness is the first line of defense against the next wave of digital deception.

WIKICROOK

  • Trojan: Malicious software disguised as a legitimate application so that the user installs it willingly; once running, it steals data or hands the attacker control of the device.
  • DLL Side-loading: A technique in which the attacker places a malicious DLL where a legitimate program will find and load it (typically next to the program's own executable), so the trusted process runs the attacker's code and slips past controls that trust that process.
  • Command (C2): An instruction sent to compromised software or a device, typically by a command-and-control (C2) server, directing it to perform a specific action such as streaming the screen or sending messages.
  • Keylogging: Covertly recording every keystroke the victim types and sending the record to the attacker, exposing passwords and other sensitive input.
  • Overlay Attack: A fake window or page drawn over a real application or site to trick the user into typing credentials, PINs or one-time codes into the attacker's form.