TCLBanker Malware: Brazilian Banking Trojan with WhatsApp and Outlook Worms

TCLBanker malware targets WhatsApp Web and Microsoft Outlook with worm-like spreading capabilities, automated phishing delivery, and advanced banking Trojan features aimed at Brazilian users.

Kernel Isolate TCLBanker Before It Spreads
May 11, 2026

TCLBanker is a new, sophisticated banking Trojan emerging from Brazil that combines aggressive credential theft with self-spreading capabilities. It infects victims via a trojanized installer disguised as legitimate Logitech software, sideloads a malicious DLL, and then waits for users to visit one of 59 targeted Brazilian banking, fintech or cryptocurrency websites.

Once active, the malware uses a range of powerful features: it monitors the browser’s address bar via Windows UI Automation, and when a targeted site is detected, it opens a WebSocket to the attacker’s server. At that point, full remote-access capabilities kick in, including live screen streaming, screenshot capture, keylogging, file system manipulation, and even remote mouse/keyboard control. In short, once TCLBanker is inside a Brazilian user’s PC, it can spy on activity and steal credentials in real time.

Multi-Stage Infection & Persistence

The TCLBanker infection process starts with a trojanized MSI installer inside a ZIP file that poses as the “Logi AI Prompt Builder” program from Logitech and drops a DLL named screen_retriever_plugin.dll. Because the DLL is loaded by a legitimate Logitech executable (DLL sideloading), TCLBanker does not trigger alarms at this stage of execution.

Before taking any action, TCLBanker filters potential victims using several checks: it looks for virtual machines, debuggers, low system memory, sandbox usernames, and Brazilian Portuguese localization.

To ensure long-term presence on infected machines, TCLBanker copies itself to %LocalAppData%\LogiAI and creates a scheduled task named RuntimeOptimizeService. It also retrieves additional payloads and routes command-and-control requests through Cloudflare Workers proxies.
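The following PowerShell triage script is an added example (not code from the report or from Xcitium) that checks one Windows host for the persistence artifacts described above: the RuntimeOptimizeService scheduled task, the %LocalAppData%\LogiAI drop directory, the sideloaded screen_retriever_plugin.dll, and the SHA256 values listed in the report's IOC section. It assumes an elevated session on a Windows 8/Server 2012 or later host, where the ScheduledTasks module is available.

```powershell
# Added triage script (not part of the original report): looks for the TCLBanker persistence
# artifacts named in the text. Run from an elevated PowerShell session on the suspect host.
$KnownHashes = @(
    '701d51b7be8b034c860bf97847bd59a87dca8481c4625328813746964995b626',
    '63beb7372098c03baab77e0dfc8e5dca5e0a7420f382708a4df79bed2d900394',
    '668f932433a24bbae89d60b24eee4a24808fc741f62c5a3043bb7c9152342f40',
    '8a174aa70a4396547045aef6c69eb0259bae1706880f4375af71085eeb537059'
)
$Findings = @()

# 1. The scheduled task used for persistence. Record its action so the responder sees what it runs.
$task = Get-ScheduledTask -TaskName 'RuntimeOptimizeService' -ErrorAction SilentlyContinue
if ($task) {
    $action = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
    $Findings += "Scheduled task RuntimeOptimizeService present (path $($task.TaskPath); action: $action)"
}

# 2. The drop directory %LocalAppData%\LogiAI. Check every profile on the host, not only the
#    current user's, because the infected account is rarely the one running the triage.
foreach ($p in Get-ChildItem -Path 'C:\Users' -Directory -ErrorAction SilentlyContinue) {
    $dir = Join-Path $p.FullName 'AppData\Local\LogiAI'
    if (Test-Path $dir) {
        $Findings += "Drop directory found: $dir"
        Get-ChildItem -Path $dir -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {
            $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash.ToLower()
            $tag = if ($KnownHashes -contains $hash) { 'KNOWN TCLBanker hash' } else { 'unknown file, submit for analysis' }
            $Findings += "  $($_.FullName) sha256=$hash ($tag)"
        }
    }
}

# 3. The sideloaded DLL and the trojanized installer's executable can also sit wherever the ZIP was
#    extracted; search the user-writable locations rather than the whole volume to keep the run short.
$searchRoots = @('C:\Users', $env:ProgramData)
Get-ChildItem -Path $searchRoots -Recurse -Include 'screen_retriever_plugin.dll', 'LogiAiPromptBuilder.exe' -File -ErrorAction SilentlyContinue |
    ForEach-Object { $Findings += "Named component found: $($_.FullName)" }

if ($Findings.Count -eq 0) {
    Write-Output 'No TCLBanker persistence artifacts found on this host.'
} else {
    Write-Output 'TCLBanker indicators found:'
    $Findings | ForEach-Object { Write-Output $_ }
}
```

A clean result only means these specific artifacts are absent; a renamed task or drop directory would still need the behavioral checks (headless browser launches, Workers C2 lookups) described later in the report.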

TCLBanker Analysis: Brazilian Banking Trojan (interactive malware threat report, summarized)

Analysis of a sophisticated financial attack chain disguised as legitimate Logitech software, using DLL sideloading and advanced overlay techniques. The interactive report walks through five steps; the mock-ups it displays are described in brackets.

Step 1: Initial infection. The attack begins with a malicious MSI installer inside a ZIP file, disguised as “Logi AI Prompt Builder.” This installer drops screen_retriever_plugin.dll, which is subsequently loaded by a legitimate Logitech executable. [Mock-up: a fake download page for “Logi AI Prompt Builder v1.2.4 (Latest)” offering Logi_AI_Installer.zip (24.5 MB).]

Step 2: Stealth and persistence. TCLBanker hides behind legitimate software using DLL sideloading. It checks the environment for VMs, debuggers, and Brazilian Portuguese (pt-BR) localization before copying itself to %LocalAppData%\LogiAI and establishing a scheduled task. [Mock-up: a process-monitor view showing the locale check, the DLL load, ntdll.dll API unhooking, Windows Event Tracing (ETW) disabling, and creation of the RuntimeOptimizeService task.]

Step 3: Real-time monitoring. The malware uses Windows UI Automation to continuously scan the address bars of browsers like Chrome, Edge, and Firefox. When one of the 59 targeted Brazilian banks is visited, a WebSocket connection to the C2 server is immediately opened. [Mock-up: a Brave address-bar stream matching an Itaú Unibanco URL, payload decryption keyed to an environment-aware hash, and a C2 connection through a Cloudflare Worker proxy.]

Step 4: Deceptive overlay framework. Using WPF (Windows Presentation Foundation), TCLBanker generates fake full-screen interfaces. While the user believes a “Windows Update” is running, the malware harvests banking credentials and OTP codes in the background. These overlays are designed to block screenshots. [Mock-up: a Portuguese-language fake update screen reading “Trabalhando em atualizações” (“Working on updates”) and “14% concluído. Não desligue o computador.” (“14% complete. Do not turn off your computer.”), followed by a prompt asking the user, “for your security,” to confirm the phone number associated with their bank account.]

Step 5: Full remote control. Behind the overlay, TCLBanker functions as a complete RAT (Remote Access Trojan). It features live screen streaming, keylogging, file manipulation, and remote mouse/keyboard control. It automatically terminates Task Manager to avoid process detection. [Mock-up: an attacker control panel with the live stream and remote mouse active, a keylog showing a captured password and a copied 2FA token, and an exfiltration list: Task Manager terminated, Chrome cookies stolen, Exodus wallet extracted, file system accessible.]

Strategic defense: break the kill chain. Technical controls are bypassed by social engineering; culture is your last line of defense.

Advanced Stealth and Anti-Analysis

The TCLBanker Trojan contains strong anti-analysis capabilities aimed at hindering debugging and forensics. It continuously checks for sandboxes, virtualization environments, and reverse-engineering tools, using file-system markers and Windows debugging flags.

Moreover, the loader is configured to recognize several reverse-engineering applications, including Frida, x64dbg, dnSpy, OllyDbg, IDA Pro, and Ghidra. When it detects any of them, TCLBanker stops executing or corrupts part of its own payload. The malware also disables Windows Event Tracing (ETW) and unhooks the ntdll.dll API functions, removing the user-mode hooks that security products rely on for visibility.

Furthermore, the Trojan protects its payload with an environment-aware hashing scheme: it derives a hash from specific properties of the host environment and uses that value to decrypt later payload stages. Any change to the environment, such as running the sample in an analysis sandbox, changes the hash and the payload fails to decrypt.

Full-Feature Banking Trojan Payload

Once its environment checks pass, TCLBanker activates its banking module. The malware continuously scans browser URLs in Google Chrome, Microsoft Edge, Mozilla Firefox, Brave, Opera, and other popular browsers, comparing each visited site against the 59 targeted banking and cryptocurrency websites.

When a match is found, the malware notifies its operators and activates its full set of remote-administration features. The operators can execute shell commands, take screenshots, stream the victim's desktop, record the clipboard, and run the keylogger. The malware also terminates the Task Manager process so that its own processes are harder to spot.

Other capabilities of the malware are:

  • Remote mouse and keyboard control
  • Processes and file manipulation
  • Enumeration of opened windows
  • Real-time monitoring of banking activities

Such functionality allows for remote observation of victims’ activities and theft of sensitive data.

Deceptive Overlay Framework

TCLBanker implements an advanced overlay technique using Windows Presentation Foundation (WPF) technology to steal credentials. The malicious application produces realistic full-screen overlays that impersonate legitimate bank sites, PIN prompts, and even Windows update dialogs.

A prominent example is a fraudulent Portuguese version of the Windows Update prompt captioned “Trabalhando em atualizações” (“Working on updates”). While the user watches the fake progress bar, the malware harvests credentials behind the scenes. Another overlay asks for a telephone number or shows a fake message about the bank's support services.

Features implemented by the overlays include:

  • Fake logon screen and OTP input prompt;
  • Fraudulent version of Windows update prompt;
  • Fake message of account verification required.

Moreover, TCLBanker prevents the overlays from being captured in screenshots.

WhatsApp And Outlook Worm Modules Accelerate TCLBanker Spread

TCLBanker also has worm functionality that turns compromised devices into distribution points for its payloads: besides stealing banking credentials, it abuses the victim's communication platforms to reach new victims.

The WhatsApp component abuses existing WhatsApp Web sessions found in Chrome browser profiles. It starts a hidden Chromium process, injects WPPConnect scripts, harvests the victim's contacts, and sends malicious ZIP files and phishing links from the compromised WhatsApp account.

TCLBanker can also distribute its payloads through Microsoft Outlook, abusing COM automation to send spam that genuinely originates from real users' mailboxes.

Some of the key technical aspects are as follows:

  • Hidden WhatsApp web automation powered by Chromium
  • COM Abuse of Microsoft Outlook for phishing delivery
  • Contact harvesting
  • Remote malware delivery
  • Worm-like distribution

These technical abilities enable the malware to infect numerous victims using trusted platforms such as WhatsApp and Outlook.

TCLBanker Indicators of Compromise (IOCs)

SHA256 Hashes

  • 701d51b7be8b034c860bf97847bd59a87dca8481c4625328813746964995b626
  • 63beb7372098c03baab77e0dfc8e5dca5e0a7420f382708a4df79bed2d900394
  • 668f932433a24bbae89d60b24eee4a24808fc741f62c5a3043bb7c9152342f40
  • 8a174aa70a4396547045aef6c69eb0259bae1706880f4375af71085eeb537059

Malicious Files And Components

  • LogiAiPromptBuilder.exe
  • screen_retriever_plugin.dll
  • Trojanized Logitech AI Prompt Builder installer

Malware Modules

  • TCLBANKER
  • Tcl.WppBot
  • Tcl.Agent
  • MAVERICK / SORVEPOTEL

Command And Control (C2)

  • campanha1-api.ef971a42.workers[.]dev
  • documents.ef971a42.workers[.]dev
  • /api/campaign

Malicious Domains

  • arquivos-omie[.]com
  • documentos-online[.]com
  • recebamais[.]com
  • mxtestacionamentos[.]com
  • doccompartilhe[.]com

Embedded Authentication Token

  • 0d21613a-2609-45fc-83ff-d0feaa0c891f

Observed Behaviors

  • WhatsApp Web session hijacking
  • Outlook COM automation abuse
  • WPPConnect-based message automation
  • Headless Chromium execution
  • Remote payload downloads
  • Banking overlay deployment
  • Keylogging and clipboard monitoring
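As an added detection example (not code from the report or from Xcitium), the following Python matches simplified, constructed Sysmon-style events against the indicators above and the behaviors described in the stealth, persistence and worm sections: known C2 lookups, the RuntimeOptimizeService task, the sideloaded DLL, sample hashes, and a headless Chromium launched by a non-browser parent. The event field names, the sample events, and the assumption that the hidden Chromium is started with --headless are mine, not from the page.

```python
"""Added example (not from the original report): match simplified Sysmon-style events against the
TCLBanker indicators on this page. Event layout and the --headless assumption are constructed."""
# Indicators from the report's IOC section; the page defangs some domains as "[.]", normalised here.
C2_DOMAINS = {d.replace("[.]", ".") for d in (
    "campanha1-api.ef971a42.workers[.]dev", "documents.ef971a42.workers.dev", "arquivos-omie[.]com",
    "documentos-online[.]com", "recebamais[.]com", "mxtestacionamentos[.]com", "doccompartilhe[.]com")}
HASHES = {"701d51b7be8b034c860bf97847bd59a87dca8481c4625328813746964995b626",
          "63beb7372098c03baab77e0dfc8e5dca5e0a7420f382708a4df79bed2d900394",
          "668f932433a24bbae89d60b24eee4a24808fc741f62c5a3043bb7c9152342f40",
          "8a174aa70a4396547045aef6c69eb0259bae1706880f4375af71085eeb537059"}
BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "firefox.exe", "opera.exe"}

def classify(ev):
    """Return (severity, reason) findings for one event; an empty list means nothing matched."""
    hits, kind = [], ev.get("type")
    if kind == "dns":
        q = ev["query"].lower().rstrip(".")
        if q in C2_DOMAINS:
            hits.append(("high", f"DNS query to known TCLBanker C2 {q}"))
        elif q.endswith(".workers.dev") and ev.get("image", "").lower() not in BROWSERS:
            # Workers hosts many legitimate services: only a non-browser requester is notable, and only low.
            hits.append(("low", f"non-browser {ev.get('image')} resolved Workers host {q}"))
    elif kind == "process":
        img, parent = ev["image"].lower(), ev.get("parent", "").lower()
        cmd = ev.get("cmdline", "").lower()
        if ev.get("sha256", "").lower() in HASHES:
            hits.append(("high", f"image hash matches a TCLBanker sample: {ev['image']}"))
        # Assumption: the hidden Chromium used for WhatsApp Web automation is started with --headless.
        if img in BROWSERS and "--headless" in cmd and parent not in BROWSERS:
            hits.append(("medium", f"headless {img} spawned by {parent or 'unknown parent'}"))
        if img == "schtasks.exe" and "/tn" in cmd and "runtimeoptimizeservice" in cmd:
            hits.append(("high", "persistence task RuntimeOptimizeService being created"))
    elif kind == "imageload" and ev["loaded"].lower().endswith("screen_retriever_plugin.dll"):
        hits.append(("high", f"{ev['image']} loaded sideloaded DLL {ev['loaded']}"))
    return hits

def scan(events):
    """Run classify() over a list of events; returns (event_index, severity, reason) tuples."""
    return [(i, sev, why) for i, ev in enumerate(events) for sev, why in classify(ev)]

# Constructed sample telemetry (not real captures): one event per rule plus a benign Workers lookup.
SAMPLE_EVENTS = [
    {"type": "dns", "query": "campanha1-api.ef971a42.workers.dev", "image": "LogiAiPromptBuilder.exe"},
    {"type": "dns", "query": "myapp.example.workers.dev", "image": "chrome.exe"},
    {"type": "process", "image": "chrome.exe", "parent": "LogiAiPromptBuilder.exe",
     "cmdline": "chrome.exe --headless --user-data-dir=C:\\Users\\u\\AppData\\Local\\Google\\Chrome\\User Data"},
    {"type": "process", "image": "schtasks.exe", "parent": "LogiAiPromptBuilder.exe",
     "cmdline": "schtasks.exe /create /tn RuntimeOptimizeService /tr C:\\Users\\u\\AppData\\Local\\LogiAI\\LogiAiPromptBuilder.exe"},
    {"type": "imageload", "image": "LogiAiPromptBuilder.exe", "loaded": "C:\\Users\\u\\AppData\\Local\\LogiAI\\screen_retriever_plugin.dll"},
]
```

Running scan(SAMPLE_EVENTS) flags events 0, 2, 3 and 4 and leaves the browser's own Workers lookup alone; the generic .workers.dev rule is deliberately low severity because the C2 hides among legitimate Cloudflare Workers traffic.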

Conclusion: When a Banking Trojan Becomes a Worm

TCLBanker shows how financial malware is evolving beyond credential theft. This is not just a banking trojan waiting for a victim to log in. It spreads through WhatsApp and Outlook, hijacks trust between contacts, and turns normal communication channels into malware distribution paths.

Once one user is compromised, the attack no longer depends on a single inbox; it can move through relationships.

Why This Threat Matters

TCLBanker is dangerous because it combines theft, automation, and social trust in one chain.

  • Banking credentials and financial sessions become the primary target
  • WhatsApp messages turn trusted contacts into delivery channels
  • Outlook abuse pushes the campaign deeper into business communication
  • Worm-like behavior expands reach without constant attacker involvement
  • Victims are more likely to click because the message appears to come from someone they know

This is where malware becomes scalable, because trust does the distribution.

Where Xcitium Changes the Outcome

If you have Xcitium in place, this attack would NOT succeed the way the attacker needs.

With Xcitium Advanced EDR, TCLBanker fails at execution.

  • Unknown payloads are isolated the moment they run
  • Code can run without being able to cause damage
  • Credential theft, persistence, and worm behavior lose the runtime path they depend on
  • WhatsApp and Outlook abuse cannot turn one infected user into a wider outbreak

With Xcitium Cyber Awareness Education and Phishing Simulation, users are also trained to challenge unexpected links, suspicious attachments, and unusual messages, even when they appear to come from trusted contacts.

Stop Malware Before Trust Becomes the Delivery Network

TCLBanker proves that modern banking trojans are no longer isolated infections. They are social distribution engines. Protect users before they click, and stop unknown code before it can steal, spread, or persist.
