Threat researchers have flagged TCLBANKER, a Brazilian banking trojan described as capable of targeting 59 banking, fintech and cryptocurrency platforms; Elastic Security Labs tracks the activity as REF3076. The package combines a loader with anti-analysis features, a full banking trojan module and a worm component that propagates via WhatsApp Web and a Microsoft Outlook spam bot, pairing social engineering with worm-like spread.
The campaign reportedly delivers a malicious MSI installer inside a ZIP archive and abuses a signed Logitech program, Logi AI Prompt Builder, as the execution host: the legitimately signed binary side-loads a malicious DLL named screen_retriever_plugin.dll, a loader that watches for analysis tools and disables ETW telemetry, so the first malicious code runs under a trusted signer's name.
Once active, TCLBANKER establishes persistence through a scheduled task and beacons to an external server, then opens a WebSocket-based command loop that can run shell commands, capture screenshots, stream the screen, harvest keystrokes, and remotely control input and files.
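The loader stage above has a recognisable telemetry shape: a signed host executable loading an unsigned DLL from the same user-writable directory, followed by a scheduled-task creation from that process tree. As an added illustration (not Elastic's or the article's own detection logic), the following Python runs two such rules over constructed Sysmon-style events and correlates them. Only screen_retriever_plugin.dll comes from the report; the host executable name, paths, ProcessGuids and task name are assumptions, and the ETW tampering is not visible in these events.

```python
import json
import ntpath

# Directory prefixes an ordinary user can write to; a DLL loaded from one of
# these next to a signed host EXE is the classic side-loading shape.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

# Constructed Sysmon-style events for this example (not real telemetry).
# Only screen_retriever_plugin.dll is from the report; the host EXE name,
# paths and ProcessGuids are hypothetical.
SAMPLE_EVENTS = [
    json.dumps({"EventID": 7, "ProcessGuid": "{A1}",
                "Image": r"C:\Users\alice\AppData\Local\Temp\LogiAiPromptBuilder.exe",
                "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\screen_retriever_plugin.dll",
                "Signed": "false", "Signature": ""}),
    json.dumps({"EventID": 7, "ProcessGuid": "{A1}",
                "Image": r"C:\Users\alice\AppData\Local\Temp\LogiAiPromptBuilder.exe",
                "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
                "Signed": "true", "Signature": "Microsoft Windows"}),
    json.dumps({"EventID": 1, "ProcessGuid": "{B2}", "ParentProcessGuid": "{A1}",
                "Image": r"C:\Windows\System32\schtasks.exe",
                "CommandLine": r'schtasks /create /sc minute /mo 5 /tn Updater /tr "C:\Users\alice\AppData\Local\Temp\LogiAiPromptBuilder.exe"'}),
    # Benign control: signed plugin loaded from Program Files by the same host name.
    json.dumps({"EventID": 7, "ProcessGuid": "{C3}",
                "Image": r"C:\Program Files\Logitech\LogiAiPromptBuilder.exe",
                "ImageLoaded": r"C:\Program Files\Logitech\plugin.dll",
                "Signed": "true", "Signature": "Logitech"}),
]


def is_user_writable(path: str) -> bool:
    return path.lower().startswith(USER_WRITABLE_PREFIXES)


def detect_sideload(ev: dict):
    """Sysmon ID 7 (ImageLoad): unsigned DLL loaded from the directory of its
    host EXE, with that directory user-writable. Returns an alert or None."""
    if ev.get("EventID") != 7:
        return None
    host, dll = ev["Image"], ev["ImageLoaded"]
    if ev.get("Signed", "").lower() == "true":
        return None
    if ntpath.dirname(host).lower() != ntpath.dirname(dll).lower():
        return None
    if not is_user_writable(dll):
        return None
    return {"rule": "dll_sideload", "pid": ev["ProcessGuid"],
            "host": ntpath.basename(host), "dll": ntpath.basename(dll)}


def detect_schtasks_persistence(ev: dict):
    """Sysmon ID 1 (ProcessCreate): schtasks.exe invoked with /create."""
    if ev.get("EventID") != 1:
        return None
    if ntpath.basename(ev.get("Image", "")).lower() != "schtasks.exe":
        return None
    cmd = ev.get("CommandLine", "")
    if "/create" not in cmd.lower():
        return None
    return {"rule": "schtasks_persistence",
            "parent": ev.get("ParentProcessGuid"), "cmd": cmd}


def analyze(lines):
    """Run both rules over JSON event lines and raise a higher-confidence
    alert when a task is created by a process that already side-loaded."""
    alerts = []
    sideloaded = set()
    for line in lines:
        ev = json.loads(line)
        hit = detect_sideload(ev) or detect_schtasks_persistence(ev)
        if not hit:
            continue
        alerts.append(hit)
        if hit["rule"] == "dll_sideload":
            sideloaded.add(hit["pid"])
        elif hit.get("parent") in sideloaded:
            alerts.append({"rule": "sideload_then_persistence",
                           "pid": hit["parent"], "cmd": hit["cmd"]})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert)
```

The same-directory check is what separates side-loading from ordinary plugin loading: the benign control event loads a signed DLL from Program Files and produces no alert, while the unsigned screen_retriever_plugin.dll beside the host in a Temp directory does. In production you would also key on the host's signer (the report names Logitech) and on ETW-related API patching, which needs EDR-level telemetry rather than image-load events.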
The attack chain also uses a social-engineering overlay framework to harvest credentials, and it spreads through the WhatsApp worm, which hijacks sessions, and an Outlook agent that sends fake emails to the victim's contacts. Overlaps with Maverick-style techniques are noted but presented as a claim rather than firm attribution, while Trend Micro ties the wider threat cluster to Water Saci.