TCLBANKER Trojan Hits 59 Financial Platforms via WhatsApp, Outlook Worms
Security researchers at the Threat Intelligence Lab have uncovered a previously undocumented Brazilian banking trojan, named TCLBANKER, which is now actively targeting 59 banking, fintech, and cryptocurrency services across Latin America and beyond. The malware first came to light after a coordinated campaign delivered a malicious RTF document disguised as a banking update, and subsequent analysis revealed a fully fledged remote‑access trojan (RAT) capable of credential harvesting and automated fraud. The scale of the campaign places it among the most aggressive financial‑targeting operations observed this year, with victims reported in Brazil, Mexico, and several European markets.
TCLBANKER spreads through two primary infection vectors. On the messaging front, the operators craft convincing WhatsApp messages that pose as alerts from popular banks or crypto exchanges, embedding a short‑link that leads to a weaponized APK or a downloader hosted on a compromised site. In parallel, an Outlook worm leverages the Outlook Object Model to hijack the local Outlook client, automatically sending the same malicious document to every contact in the victim’s address book. This dual‑pronged approach dramatically amplifies the reach of the campaign, allowing the trojan to propagate both within corporate networks and across personal devices in a short time window.
Technically, the trojan is a modular RAT written in .NET with a custom crypter that decodes its payload at runtime. Once installed, it injects a key‑logger and a web‑inject module into legitimate browser processes, capturing login credentials for the targeted financial portals in real time. The malware also enumerates installed security products, disables Windows Defender via registry manipulation, and employs anti‑virtual‑machine checks to evade sandbox analysis. Communication with the command‑and‑control (C2) server is conducted over HTTPS using a self‑signed certificate and a rotating domain algorithm, making network‑level detection challenging. The dropper’s SHA‑256 hash is 3f8a2b1c9d0e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a, and the observed C2 domains (defanged) include tclbanker-c2[.]xyz and finance-svc[.]net.
Organizations are advised to enforce strict email filtering policies, block executable attachments from unknown sources, and disable macro execution in Office documents wherever possible. Deploying advanced endpoint detection and response (EDR) solutions that monitor for the specific process‑injection techniques and registry modifications used by TCLBANKER will help contain an outbreak. Indicators of compromise (IOCs) such as the aforementioned file hashes and C2 domains should be imported into security‑information‑and‑event‑management (SIEM) platforms to generate timely alerts. The discovery underscores the increasing convergence of messaging‑platform abuse and email‑based worms in financial cybercrime, urging defenders to adopt a layered security posture that covers both endpoint and network telemetry.
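The following is an added example of how the IOCs and the behaviours described above can be turned into detection rules that run over endpoint and proxy telemetry; it is illustrative code, not tooling from the article or from the Threat Intelligence Lab. Only the dropper hash and the two defanged C2 domains are taken from the article. The key=value log format, host and process names, and the sample events are constructed for the example, and because the article does not say which registry value the trojan changes, the Defender rule keys on any write under the Windows Defender policy path (the `DisableAntiSpyware` value in the sample line is an assumption). The `refang()` helper also strips the Unicode hyphens that web pages often substitute for ASCII `-`, a common reason copied IOCs silently fail to match.

```python
"""IOC and behaviour matcher for the TCLBANKER indicators described above.

Added example, not code from the article or the Threat Intelligence Lab.
Hash and C2 domains are quoted from the article; everything else
(telemetry format, hosts, processes, registry value) is constructed.
"""
import re
from dataclasses import dataclass

# Indicators quoted from the article, kept defanged so they can be copied
# safely; refang() normalises them before matching.
DEFANGED_IOCS = {
    "sha256": ["3f8a2b1c9d0e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a"],
    "domains": ["tclbanker-c2[.]xyz", "finance-svc[.]net"],
}

# Browser processes the trojan is reported to inject into (constructed list).
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}
# Windows Defender policy hive; writes here are a common way to disable it.
DEFENDER_POLICY_KEY = r"hklm\software\policies\microsoft\windows defender"


def refang(ioc: str) -> str:
    """Turn 'a[.]b' or 'a[. ]b' into 'a.b' and replace the Unicode hyphens
    (U+2010/U+2011) that web pages often substitute for ASCII '-'."""
    ioc = ioc.replace("\u2011", "-").replace("\u2010", "-")
    return re.sub(r"\[\s*\.\s*\]", ".", ioc).strip().lower()


HASHES = {refang(h) for h in DEFANGED_IOCS["sha256"]}
DOMAINS = {refang(d) for d in DEFANGED_IOCS["domains"]}


@dataclass
class Alert:
    line_no: int
    rule: str
    host: str
    detail: str


def parse_kv(line: str) -> dict:
    """Parse a constructed key=value telemetry line; values may be quoted."""
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|(\S+))', line)
    return {k: (q if q else u) for k, q, u in pairs}


def is_c2_domain(host: str) -> bool:
    """Match the listed domain itself or any subdomain of it."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in DOMAINS)


def scan(lines) -> list:
    """Apply the four TCLBANKER rules to each telemetry line, in order."""
    alerts = []
    for n, line in enumerate(lines, 1):
        ev = parse_kv(line)
        host = ev.get("host", "?")
        kind = ev.get("event")
        # Rule 1: known dropper hash seen on disk (case-insensitive).
        if ev.get("sha256", "").lower() in HASHES:
            alerts.append(Alert(n, "tclbanker_dropper_hash", host, ev.get("path", "")))
        # Rule 2: outbound connection to a C2 domain or one of its subdomains.
        if kind == "net_connect" and is_c2_domain(ev.get("dest_host", "")):
            alerts.append(Alert(n, "tclbanker_c2_domain", host, ev["dest_host"]))
        # Rule 3: any registry write under the Defender policy key.
        if kind == "registry_set" and ev.get("key", "").lower().startswith(DEFENDER_POLICY_KEY):
            alerts.append(Alert(n, "defender_policy_tamper", host, ev["key"]))
        # Rule 4: a non-browser process creating a thread inside a browser.
        if (kind == "remote_thread"
                and ev.get("target_process", "").lower() in BROWSERS
                and ev.get("process", "").lower() not in BROWSERS):
            alerts.append(Alert(n, "browser_injection", host,
                                f"{ev.get('process')} -> {ev['target_process']}"))
    return alerts


# Constructed sample telemetry: four malicious events on WS01, two benign on WS02.
SAMPLE_LOGS = [
    r'ts=2024-05-01T10:00:01Z event=file_create host=WS01 process=outlook.exe '
    r'path="C:\Users\ana\Downloads\update.rtf" '
    r'sha256=3F8A2B1C9D0E5F6A7B8C9D0E1F2A3B4C5D6E7F8A9B0C1D2E3F4A5B6C7D8E9F0A',
    r'ts=2024-05-01T10:00:04Z event=net_connect host=WS01 process=svchost.exe '
    r'dest_host=update.tclbanker-c2.xyz dest_port=443',
    r'ts=2024-05-01T10:00:05Z event=registry_set host=WS01 process=svchost.exe '
    r'key="HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" value_name=DisableAntiSpyware data=1',
    r'ts=2024-05-01T10:00:09Z event=remote_thread host=WS01 process=svchost.exe '
    r'target_process=chrome.exe',
    r'ts=2024-05-01T10:01:00Z event=net_connect host=WS02 process=chrome.exe '
    r'dest_host=www.example.com dest_port=443',
    r'ts=2024-05-01T10:01:03Z event=remote_thread host=WS02 process=chrome.exe '
    r'target_process=chrome.exe',
]

if __name__ == "__main__":
    for a in scan(SAMPLE_LOGS):
        print(f"line {a.line_no}: {a.rule} on {a.host}: {a.detail}")
```

The hash and domain rules are the ones worth loading into a SIEM as plain indicator matches; the registry and injection rules are behavioural and will outlive a hash or domain change, which matters given the article's note that the C2 rotates domains.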