According to Elastic Security Labs, TCLBANKER is a Brazilian banking Trojan spreading via WhatsApp and Outlook. It is tracked as REF3076 and is a major update of the MAVERICK/SORVEPOTEL family. The campaign features a loader with anti-analysis and two embedded modules: a full banking trojan and a self-propagating worm. Two distribution agents, a WhatsApp worm and an Outlook email bot, both use the same C2 infrastructure hosted on Cloudflare Workers.
The worm modules connect to a C2 at campanha1-api.ef971a42.workers[.]dev and download the TCLBANKER payload from documents.ef971a42.workers[.]dev, while the phishing and bot infrastructure uses phishing pages such as arquivos-omie[.]com, created on 15 April 2026, to gain initial access.
The actors' infrastructure also uses a single set of credentials for authentication (Bearer token 0d21613a-2609-45fc-83ff-d0feaa0c891f) and a Google Cloudflare-backed domain footprint, and ongoing development suggests an early operational stage as of 7 May 2026.
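The indicators above (two Workers hostnames, one phishing domain and a reused bearer token) are the kind of data a defender turns into a quick sweep of outbound proxy logs. The following Python is an added example for that purpose and is not code from Elastic Security Labs or from the report: it refangs the published indicators, matches a host exactly or as a subdomain (so a look-alike such as a hostname that merely ends in the same string does not fire), and flags any request carrying the C2 bearer token. The proxy log format and the sample lines are constructed for the example.

```python
import re

# Indicators as published in the report (defanged with "[.]").
PUBLISHED_HOSTS = [
    "campanha1-api.ef971a42.workers[.]dev",   # worm C2
    "documents.ef971a42.workers[.]dev",       # TCLBANKER payload host
    "arquivos-omie[.]com",                    # phishing page
]
C2_BEARER_TOKEN = "0d21613a-2609-45fc-83ff-d0feaa0c891f"


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into a matchable hostname."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower().strip()


C2_HOSTS = [refang(h) for h in PUBLISHED_HOSTS]


def host_matches(host: str, indicator_host: str) -> bool:
    """True if host equals the indicator or is a subdomain of it.
    'www.arquivos-omie.com' matches; 'notarquivos-omie.com' does not."""
    host = host.lower().rstrip(".")
    return host == indicator_host or host.endswith("." + indicator_host)


# Constructed proxy log format (hypothetical, not a real product's format):
#   <timestamp> <src_ip> <method> <host> <path> <status> [auth="<Authorization header>"]
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<host>\S+) '
    r'(?P<path>\S+) (?P<status>\d{3})(?: auth="(?P<auth>[^"]*)")?$'
)

# Constructed sample lines for the demonstration.
SAMPLE_LOG = [
    '2026-05-07T10:01:02Z 10.0.0.5 GET campanha1-api.ef971a42.workers.dev /api/check 200 '
    'auth="Bearer 0d21613a-2609-45fc-83ff-d0feaa0c891f"',
    '2026-05-07T10:01:03Z 10.0.0.5 GET documents.ef971a42.workers.dev /payload 200',
    '2026-05-07T10:02:10Z 10.0.0.9 GET www.arquivos-omie.com /login 200',
    '2026-05-07T10:03:00Z 10.0.0.7 GET example.com / 200',
    '2026-05-07T10:03:05Z 10.0.0.7 GET notarquivos-omie.com / 200',
]


def scan_proxy_log(lines):
    """Return one hit dict per log line that touches a known indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines in an unexpected format rather than guessing
        reasons = []
        for indicator in C2_HOSTS:
            if host_matches(m["host"], indicator):
                reasons.append(f"host matches indicator {indicator}")
        if C2_BEARER_TOKEN in (m["auth"] or ""):
            reasons.append("request carries the known C2 bearer token")
        if reasons:
            hits.append({"ts": m["ts"], "src": m["src"], "host": m["host"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["src"]} -> {hit["host"]}: {"; ".join(hit["reasons"])}')
```

Running the block over the sample lines reports three hits: the first line twice over (C2 host plus the bearer token), the payload download, and the phishing subdomain. The `example.com` and `notarquivos-omie.com` lines stay silent, which is the point of matching on a dot boundary instead of a plain substring.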