TCLBanker: Self-Spreading Banking Trojan Targets 59 Financial Platforms via WhatsApp
A sophisticated new banking trojan dubbed TCLBanker has been discovered by Elastic Security Labs, and it represents a significant evolution in financial malware. The trojan doesn't just steal credentials — it actively spreads itself through hijacked WhatsApp accounts and compromised Outlook installations, making it one of the most self-sufficient banking malware campaigns seen in recent years.
How Does TCLBanker Infect Systems?
TCLBanker initially disguises itself as a legitimate installer for the Logitech AI Prompt Builder, a real Logitech product. This social engineering tactic leverages the trust users place in well-known hardware brands and the growing interest in AI tools. Once executed, the malware deploys a full suite of capabilities including keylogging, screen streaming, and fake overlay windows designed to capture banking credentials.
The trojan targets 59 different financial platforms spanning traditional banking, fintech applications, and cryptocurrency services. When a user accesses one of the targeted platforms, TCLBanker displays a fake login overlay that captures credentials in real time while the legitimate application keeps running underneath, a technique known as an "overlay attack."
What Makes TCLBanker Different from Other Banking Malware?
What sets TCLBanker apart is its autonomous spreading mechanism. Unlike most banking trojans that rely on victims downloading a malicious file, TCLBanker takes propagation into its own hands through two primary channels.
First, the malware hijacks WhatsApp Web sessions, sending spam messages containing malicious links to all of the victim's contacts. Because these messages come from a trusted contact, recipients are far more likely to click the link. This worm-like behavior has been primarily observed targeting Brazilian users, but the potential for geographic expansion is significant.
Second, TCLBanker abuses Microsoft Outlook via COM automation — the same technology that legitimate office automation uses — to send phishing emails from the victim's email account. This creates a dual-vector spreading mechanism that can rapidly expand the malware's reach across both personal and professional networks.
Elastic Security Labs also noted that TCLBanker includes sophisticated anti-analysis protections and may have been developed with the assistance of AI tools, raising concerns about the lowering barrier to entry for creating advanced malware.
Who Is at Risk?
While TCLBanker's current campaigns are primarily focused on Brazilian users and Latin American financial institutions, this is a common pattern in malware evolution. Banking trojans that prove successful in one region are frequently expanded to target global markets. Organizations with operations or customers in Latin America should be especially vigilant.
The malware's use of trusted brand impersonation (Logitech), AI-assisted development, and multi-channel spreading represents the cutting edge of financial malware — a trend that mirrors broader developments in AI-powered automation being weaponized by threat actors.
How Can Users and Organizations Protect Themselves?
Protection against TCLBanker requires a multi-layered approach. Users should only download software from official vendor websites and verify digital signatures before installation. Organizations should deploy endpoint detection and response (EDR) solutions capable of detecting suspicious process behavior — particularly unauthorized access to messaging applications and email clients via COM automation.
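One way an EDR or SIEM rule could express the behaviour the paragraph above asks endpoint tooling to detect, written here as an added example that is not code from this article or from Elastic Security Labs: it correlates an unsigned executable run from a user-writable folder with Microsoft Outlook being started for COM automation by the same user shortly afterwards. Parent/child matching alone misses COM automation because the COM service manager, not the malware, launches Outlook, so the correlation is done on user and time instead. The event fields, the `-Embedding` and `/automation` switches, the lure file name, the ten-minute window and all sample events are constructed assumptions for illustration, not indicators from the report.

```python
"""
Added example (not from the TCLBanker article or Elastic's report): correlate
unsigned binaries run from user-writable paths with Outlook COM activation.
All event data below is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
import re


@dataclass
class ProcessEvent:
    ts: datetime          # process creation time
    user: str             # account the process ran as
    image: str            # full path of the executable
    cmdline: str          # command line as logged
    parent_image: str     # full path of the parent executable
    signed: bool          # Authenticode signature valid (as reported by telemetry)


# Switches under which Outlook is started as a COM local server rather than
# opened interactively. Assumption: adapt to what your own telemetry shows.
COM_ACTIVATION = re.compile(r"(?:^|\s)(?:-Embedding|/automation)(?:\s|$)", re.IGNORECASE)

# Directories a standard user can write to without elevation; lures delivered
# by social engineering are typically executed from here.
USER_WRITABLE = re.compile(r"\\(?:Downloads|AppData\\Local\\Temp|Desktop)\\", re.IGNORECASE)

# How long after an unsigned binary ran we still consider Outlook automation
# by the same user to be related to it (constructed value).
WINDOW = timedelta(minutes=10)


def is_com_activated_outlook(ev: ProcessEvent) -> bool:
    """Outlook launched via COM activation (parent is usually svchost/DcomLaunch)."""
    return ev.image.lower().endswith("\\outlook.exe") and bool(COM_ACTIVATION.search(ev.cmdline))


def is_suspicious_dropper(ev: ProcessEvent) -> bool:
    """Unsigned executable started from a user-writable directory."""
    return (not ev.signed) and bool(USER_WRITABLE.search(ev.image))


def correlate(events):
    """Return (dropper, outlook_event) pairs: an unsigned binary from a
    user-writable path ran under the same user within WINDOW before Outlook
    was started via COM activation. COM activation alone is NOT flagged,
    because legitimate office automation produces the same Outlook event."""
    ordered = sorted(events, key=lambda e: e.ts)
    findings = []
    for i, ev in enumerate(ordered):
        if not is_com_activated_outlook(ev):
            continue
        for prior in ordered[:i]:
            if (prior.user == ev.user
                    and is_suspicious_dropper(prior)
                    and ev.ts - prior.ts <= WINDOW):
                findings.append((prior, ev))
    return findings


OUTLOOK = r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"
SVCHOST = r"C:\Windows\System32\svchost.exe"
EXPLORER = r"C:\Windows\explorer.exe"


def sample_events():
    """Constructed telemetry: one benign interactive Outlook start, one benign
    signed automation client, and one unsigned lure followed by COM-activated
    Outlook under the same user."""
    t0 = datetime(2024, 1, 1, 9, 0, 0)
    return [
        # bob: Outlook automated by a signed tool from Program Files -> benign
        ProcessEvent(t0 - timedelta(minutes=30), "bob", SVCHOST, SVCHOST, r"C:\Windows\System32\services.exe", True),
        ProcessEvent(t0 - timedelta(minutes=29), "bob", OUTLOOK, f'"{OUTLOOK}" -Embedding', SVCHOST, True),
        # alice: opens Outlook normally from the desktop -> benign
        ProcessEvent(t0, "alice", OUTLOOK, f'"{OUTLOOK}"', EXPLORER, True),
        # alice: runs an unsigned installer from Downloads (constructed lure name)
        ProcessEvent(t0 + timedelta(minutes=5), "alice",
                     r"C:\Users\alice\Downloads\Logitech_AI_Prompt_Builder_Setup.exe",
                     r"C:\Users\alice\Downloads\Logitech_AI_Prompt_Builder_Setup.exe",
                     EXPLORER, False),
        # alice: two minutes later Outlook is started for COM automation -> flagged
        ProcessEvent(t0 + timedelta(minutes=7), "alice", OUTLOOK, f'"{OUTLOOK}" -Embedding', SVCHOST, True),
    ]


def detect_sample():
    return correlate(sample_events())


if __name__ == "__main__":
    for dropper, outlook in detect_sample():
        print(f"[ALERT] {dropper.user}: {dropper.image} ran at {dropper.ts:%H:%M}, "
              f"Outlook COM-activated at {outlook.ts:%H:%M} ({outlook.cmdline})")
```

In production the same logic maps onto a join between process-creation events (Sysmon Event ID 1 or the EDR equivalent) keyed on user and a sliding time window; signature status and path come from the same event, so no extra enrichment is needed. The benign `bob` case shows why the rule does not fire on COM activation by itself: the article notes that the technique is shared with legitimate office automation, so the unsigned, user-writable origin of the preceding process carries the signal.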
Financial institutions should implement Zero Trust principles for customer authentication, including multi-factor authentication and behavioral biometrics that can detect when a legitimate user's session is being manipulated by overlay attacks. Security teams should also monitor for indicators of compromise related to TCLBanker's command-and-control infrastructure.