TCLBanker Trojan Spreads via WhatsApp and Outlook, Hits 59 Financial Platforms
Security researchers have identified a new banking trojan, named TCLBanker, that is actively spreading through WhatsApp messages and Outlook emails. The lure is a fake software update: a malicious link in WhatsApp chats, or a weaponized MSI installer attached to Outlook emails, each presented as an upgrade for Logitech's AI Prompt Builder so that the victim runs the payload voluntarily.
The infection chain begins when the trojanized MSI installer, which carries a legitimate Logitech code-signing signature, drops a malicious DLL where a legitimate, signed application loads it (DLL sideloading); that DLL in turn loads the TCLBanker payload. Because the signature validates, trust decisions based on the publisher alone do not stop it. Written in .NET, the trojan establishes a TLS-encrypted HTTPS channel to a command-and-control (C2) domain, fingerprints the host, and then deploys a suite of theft modules: keystroke logging, credential harvesting via web-inject scripts, and screen capture. It also creates a scheduled task for persistence and monitors the victim's clipboard for cryptocurrency wallet addresses.
TCLBanker targets 59 financial, fintech and cryptocurrency platforms, among them Bank of America, JPMorgan Chase, Wells Fargo, PayPal, Stripe, Square, Revolut, Binance, Coinbase, Kraken, and various regional online banking portals. By injecting malicious JavaScript into the victim's browser session, it captures login credentials and two-factor authentication codes as they are entered and exfiltrates them to the attacker's server before the legitimate login completes, so a short-lived one-time code is still usable when it reaches the attacker.
Organizations are advised to block execution of MSI installers from untrusted sources and to enforce application allowlisting; note that an allow rule keyed only on the Logitech publisher certificate would not stop this sample, since the installer's signature is legitimate, so rules should also constrain where signed binaries may run from and which DLLs they may load. Outbound HTTPS traffic should be monitored for the C2 indicators published by the researchers, including the observed domain pattern. Users should avoid clicking unsolicited links in WhatsApp or opening unexpected Outlook attachments, and endpoint protection should be updated to detect the DLL sideloading technique used by TCLBanker. Because the web injects capture credentials and one-time codes from inside the page, an assertion from an origin-bound authenticator (FIDO2/WebAuthn) is the stronger second factor for high-value accounts: it is tied to the site origin and the server's challenge, so it cannot be replayed into a separate attacker session the way a captured OTP can.
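The infection chain described above and the closing advice to detect the sideloading technique translate into three observable events on the endpoint: an MSI launched from a user-writable path, a signed host process loading a DLL from its own directory that is unsigned or signed by someone else, and a scheduled task being created. The following is an added example, not the researchers' or any vendor's code, of a small hunt over constructed, Sysmon-style telemetry for those three shapes. Field names follow Sysmon Event ID 1 and 7 (Image, ImageLoaded, Signed, Signature, CommandLine); HostSignature is an assumed enrichment field, not native Sysmon, and all paths, file names and publisher strings in the sample are placeholders rather than indicators from the campaign.

```python
"""Hunt constructed Sysmon-style events for MSI-from-downloads, DLL sideloading
and schtasks persistence. Added example; sample data is constructed."""
import ntpath
import shlex
from typing import Dict, List, Optional

# Directories a standard user can write to. Illustrative, not exhaustive.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")


def user_writable(path: str) -> bool:
    return any(hint in path.lower() for hint in USER_WRITABLE)


def same_dir(a: str, b: str) -> bool:
    return ntpath.dirname(a).lower() == ntpath.dirname(b).lower()


def check_image_load(ev: Dict[str, object]) -> Optional[str]:
    """Sysmon Event ID 7 (ImageLoaded). Sideloading shape: a DLL loaded from the
    host process's own directory that is unsigned, signed by a different
    publisher than the host, or sitting somewhere the user can write.
    HostSignature is an assumed enrichment field (e.g. from a signed-binary
    inventory); Sysmon itself only reports the signature of the loaded DLL."""
    image, dll = str(ev["Image"]), str(ev["ImageLoaded"])
    if not dll.lower().endswith(".dll") or not same_dir(image, dll):
        return None
    reasons = []
    if str(ev.get("Signed", "false")).lower() != "true":
        reasons.append("unsigned DLL")
    elif ev.get("Signature") != ev.get("HostSignature"):
        reasons.append(f"publisher mismatch ({ev.get('Signature')} vs {ev.get('HostSignature')})")
    if user_writable(dll):
        reasons.append("user-writable directory")
    if not reasons:
        return None
    return f"possible DLL sideloading: {image} loaded {dll} [{', '.join(reasons)}]"


def check_process_create(ev: Dict[str, object]) -> Optional[str]:
    """Sysmon Event ID 1 (ProcessCreate). Flag msiexec running a package from a
    user-writable path, and schtasks /create (the persistence step)."""
    image = ntpath.basename(str(ev["Image"])).lower()
    cmd = str(ev.get("CommandLine", ""))
    # posix=False keeps Windows backslashes literal and leaves quotes on tokens.
    tokens = [t.strip('"') for t in shlex.split(cmd, posix=False)]
    if image == "msiexec.exe":
        for tok in tokens:
            if tok.lower().endswith(".msi") and user_writable(tok):
                return f"MSI executed from user-writable path: {cmd}"
    if image == "schtasks.exe" and "/create" in (t.lower() for t in tokens):
        return f"scheduled task created: {cmd}"
    return None


def hunt(events: List[Dict[str, object]]) -> List[str]:
    """Run the right check for each event and collect the alerts in order."""
    checks = {7: check_image_load, 1: check_process_create}
    alerts = []
    for ev in events:
        check = checks.get(int(ev["EventID"]))
        hit = check(ev) if check else None
        if hit:
            alerts.append(hit)
    return alerts


# Constructed sample telemetry: one benign Logitech-signed load that must not
# alert, followed by the three steps of the chain. Names are placeholders.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Program Files\Logitech\LogiApp.exe",
     "ImageLoaded": r"C:\Program Files\Logitech\LogiCore.dll",
     "Signed": "true", "Signature": "Logitech", "HostSignature": "Logitech"},
    {"EventID": 1, "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r'msiexec.exe /i "C:\Users\alice\Downloads\AIPromptBuilder_Update.msi" /qn'},
    {"EventID": 7, "Image": r"C:\Users\alice\AppData\Local\Temp\LogiApp.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\helper.dll",
     "Signed": "false", "Signature": "", "HostSignature": "Logitech"},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /create /sc onlogon /tn "LogiUpdate" /tr "C:\Users\alice\AppData\Local\Temp\LogiApp.exe"'},
]

if __name__ == "__main__":
    for alert in hunt(SAMPLE_EVENTS):
        print(alert)
```

The publisher-mismatch branch is what catches the case the article warns about: the host binary is genuinely Logitech-signed, so a rule that trusts the publisher passes it, but the DLL it pulls from its own directory is not. In production the same logic would run over the SIEM's Event ID 7 stream with HostSignature joined from a binary inventory rather than supplied inline.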