TCLBanker is a self‑spreading banking Trojan #fitech #malware

-




TCLBanker is a new, sophisticated banking trojan discovered in May 2026, notable for combining real‑time banking fraud, advanced evasion, and worm‑like self‑propagation. It has been analyzed in depth by Elastic Security Labs and reported widely by independent security researchers and media outlets. [bleepingcomputer.com], [aviatrix.ai]

Researchers assess TCLBanker as a major evolution of Brazilian (LATAM) banking malware, linked to older families such as Maverick and SORVEPOTEL, but significantly expanded in capability and stealth. [bleepingcomputer.com], [pcrisk.com]

Targeting and Scope

  • Primary targeting: Brazil
  • Target selection logic: Checks system timezone, keyboard layout, and locale
  • Targets:

Although initially focused on Brazil, researchers warn that LATAM banking trojans historically expand to other regions, meaning TCLBanker may evolve into a broader international threat. [bleepingcomputer.com]

Initial Infection Vector

Trojanized Software Installer

TCLBanker is distributed via a malicious MSI installer impersonating a legitimate Logitech AI Prompt Builder application. [bleepingcomputer.com], [aviatrix.ai]

Key techniques:

  • DLL side‑loading to execute malicious code within a trusted process
  • Avoids triggering traditional signature‑based security alerts [bleepingcomputer.com]

Self‑Spreading (Worm) Capabilities

One of TCLBanker’s most concerning features is automatic lateral spread:

  • Hijacks the victim’s:
    • WhatsApp
    • Microsoft Outlook
  • Sends malicious installers to contacts without user interaction
  • Turns standard business and personal communication tools into propagation channels [bleepingcomputer.com], [aviatrix.ai]

This capability allows rapid outbreak-style expansion, uncommon in banking trojans.

Banking Fraud Mechanism

Browser Monitoring

  • Uses Windows UI Automation APIs
  • Monitors browser address bars every second
  • Activates only when a victim visits a targeted financial site [pcrisk.com]

Overlay-Based Credential Theft

Once triggered, TCLBanker:

  • Establishes a WebSocket connection to its command‑and‑control (C2) server
  • Displays convincing fake overlays, including:

Operators can selectively mask real application areas, allowing partial visibility to maintain realism while harvesting credentials.

Remote Control Capabilities

During an active banking session, operators can perform full interactive control, including:

  • Live screen streaming
  • Screenshot capture
  • Keylogging
  • Clipboard hijacking
  • Shell command execution
  • File system access
  • Process enumeration
  • Remote mouse and keyboard control [bleepingcomputer.com], [pcrisk.com]

This enables real‑time account takeover and fraud, not merely offline credential theft.

Stealth, Defense Evasion, and Anti‑Analysis

TCLBanker incorporates extensive evasion techniques:

  • Detects analysis and debugging tools (IDA, Ghidra, x64dbg, dnSpy, Frida, Process Hacker, etc.)
  • Environment‑based payload decryption that fails in sandboxes
  • Persistent watchdog thread to maintain execution
  • Repeatedly kills Task Manager
  • Blocks keyboard shortcuts (Alt+F4, Windows key, PrintScreen, Tab, Escape) [bleepingcomputer.com], [pcrisk.com]

Because it executes inside a legitimate Logitech context, endpoint detection is significantly harder.

Malware Maturity and Evolution

Elastic researchers note:

  • Some modules appear unfinished or evolving
  • Code artifacts suggest possible AI‑assisted development
  • Campaign tracked internally as REF3076 [bleepingcomputer.com], [pcrisk.com]

This strongly indicates ongoing development, not a static or one‑off malware strain.

Why TCLBanker Is Significant

TCLBanker stands out because it:

  • Combines banking trojan + RAT + worm
  • Enables interactive, operator‑driven fraud
  • Spreads via trusted communication tools
  • Uses modern Windows APIs instead of basic browser injection [bleepingcomputer.com], [aviatrix.ai]

Security researchers consider it one of the more dangerous banking trojans observed in 2026.

Defensive Considerations (High‑Level)

Common recommendations from analysts include:

  • Block or restrict MSI execution where possible
  • Monitor for unusual Outlook/WhatsApp automation
  • Use behavior‑based EDR rather than signature‑only AV
  • Train users to distrust unexpected “software updates” or “bank support” screens [aviatrix.ai], [pcrisk.com]

Important Clarification

TCLBanker is malware
Not a bank, product, or legitimate financial service
Not related to any credit union or company named “TLC”

Below is a clean MITRE ATT&CK mapping for the TCLBanker Banking Trojan, based on public analyses released in May 2026, primarily by Elastic Security Labs and corroborated by other security research outlets. Each technique is mapped to observed behavior, not speculation.

TCLBanker → MITRE ATT&CK Mapping

Scope: Windows Enterprise
ATT&CK Version: v14 / v15 (techniques unchanged)

🧭 Initial Access

T1195.002 – Supply Chain Compromise: Compromised Software Dependencies

  • Distributed via a trojanized MSI installer impersonating Logitech AI Prompt Builder
  • Victims believe they are installing legitimate software [bleepingcomputer.com], [aviatrix.ai]

🚀 Execution

T1059.003 – Command and Scripting Interpreter: Windows Command Shell

T1204.002 – User Execution: Malicious File

  • Infection requires the user to manually run a malicious installer [aviatrix.ai]

🔒 Persistence

T1574.002 – Hijack Execution Flow: DLL Side-Loading

  • Malware loads within a trusted Logitech process via DLL side‑loading
  • Enables persistent execution while evading detection [bleepingcomputer.com]

T1547.001 – Boot or Logon Autostart Execution: Registry Run Keys

  • Persistence mechanisms consistent with LATAM banking trojans were observed (registry-based auto‑start behavior referenced by analysts) [pcrisk.com]

🛡️ Defense Evasion

T1622 – Debugger Evasion

T1497.001 – Virtualization / Sandbox Evasion

T1562.001 – Impair Defenses: Disable or Modify Tools

🔍 Discovery

T1010 – Application Window Discovery

  • Continuously monitors browser address bars using Windows UI Automation APIs
  • Detects when a victim navigates to a targeted financial website [pcrisk.com]

T1057 – Process Discovery

🧑‍💻 Credential Access

T1056.001 – Input Capture: Keylogging

T1115 – Clipboard Data

T1566 – Phishing (Overlay-Based Social Engineering)

🎮 Command and Control

T1071.001 – Application Layer Protocol: Web Protocols

T1105 – Ingress Tool Transfer

  • Modular design allows operators to deploy additional components during sessions [pcrisk.com]

🧨 Lateral Movement / Propagation

T1534 – Internal Spearphishing

📤 Exfiltration

T1041 – Exfiltration Over C2 Channel

🧱 Impact (Fraud Enablement)

T0826 – Loss of Availability (User Lockout Techniques)

  • Blocks keyboard shortcuts:
    • Alt+F4
    • Windows key
    • PrintScreen
  • Maintains control during fraudulent transactions [pcrisk.com]

🧠 Why This Mapping Matters

TCLBanker is not just a banking trojan:

  • RAT (real‑time operator control)
  • Social engineering platform (overlay attacks)
  • Worm (self‑propagation via trusted apps)

That combination is unusual and places TCLBanker across multiple ATT&CK tactics simultaneously, which is why defenders often underestimate it if they look only for “banking malware” signatures [bleepingcomputer.com], [aviatrix.ai]

🔐 Defensive Takeaway

From an ATT&CK perspective, high‑value detections include:

  • T1574.002 (DLL side‑loading)
  • T1010 (UI Automation)
  • T1534 (internal spearphishing)
  • T1071.001 (WebSocket C2)

These behaviors are far more reliable indicators than static hashes.


Comments

Post a Comment

Popular posts from this blog

Entire List Leaked for Canvas Ransomware Attack

-
Image
  ( NOTE FROM REDDITOR: All attempts at requesting edit access will be denied. If something is needed, you may email me at: storeluxorsales@gmail.com ) I am not affiliated with this group in any way - so also, please do stop asking (looking at you random press sites). - If anyone wants to save this document, feel free to make a copy. I will be deleting this copy on 10/1/2026. File from link begins below this line. _____________________ This file has been downloaded from the ShinyHunters Data Leak Site (DLS). Our DLS is accessible at these locations:     - http://shnyhntww34phqoa6dcgnvps2yu7dlwzmy5lkvejwjdo6z7bmgshzayd.onion/     - http://shinypogk4jjniry5qi7247tznop6mxdrdte2k6pdu5cyo43vdzmrwid.onion/ > These files were leaked on the ShinyHunters DLS because the victim did not pay a ransom or cooperate and comply with the ShinyHunters group. src;refs;lnks; http://web.archive.org/web/20260322033123/https://shinyhunte.rs/ http://web.archive...
Read more

WSUS CVE-2025-59287 Mitigation

-
Image
CVE-2025-59287 is a critical Remote Code Execution (RCE) vulnerability affecting Windows Server Update Services (WSUS) . Here's a detailed breakdown of what it is, how it works, and what you should do about it: Overview Disclosed: October 2025 Patch Tuesday CVSS Score: 9.8 (Critical) Affected Systems: Windows Server 2012 through 2025 (including Server Core installations) Exploitability: Microsoft rates it as “Exploitation More Likely” Technical Details The vulnerability arises from unsafe deserialization of untrusted data in WSUS. Specifically, the GetCookie() endpoint in WSUS processes encrypted AuthorizationCookie objects without proper type validation. The deserialization occurs via .NET BinaryFormatter , which is known to be insecure when handling untrusted input. Attackers can send a crafted SOAP request to WSUS over port 8530 , containing a malicious AuthorizationCookie . The cookie is decrypted using a hardcoded AES key and then deserialized, allow...
Read more

Cloud Infrastructures are Having a Bad Week

-
Image
  Today’s disruptions across Microsoft Azure and Amazon Web Services (AWS) were significant, but they’re not signs of cloud computing’s demise. Instead, they underscore the risks of centralization and the importance of designing systems that can withstand provider-level failures. What happened today? • Microsoft Azure outage: Azure’s Front Door service suffered a major disruption due to a misconfiguration, impacting services like Outlook, Xbox, Microsoft 365, and even third-party platforms like Starbucks and Alaska Airlines. The Azure website states a little more than disruption. "Azure Front Door - Connectivity issues - Observing recovery Starting at approximately 16:00 UTC on 29 October 2025, customers and Microsoft services leveraging Azure Front Door (AFD) may have experienced latencies, timeouts, and errors. We have confirmed that an inadvertent configuration change was the trigger event for this issue. Affected Azure services may have included, but were not limited to: App S...
Read more

CVE-2025-58034 Fortinet Warnings and Mitigation

-
Image
Type: OS Command Injection vulnerability (CWE-78) Affected Product: Fortinet FortiWeb (Web Application Firewall) Affected Versions: 8.0.0 – 8.0.1 7.6.0 – 7.6.5 7.4.0 – 7.4.10 7.2.0 – 7.2.11 7.0.0 – 7.0.11 [nvd.nist.gov] , [cvedetails.com] Description The vulnerability is caused by improper neutralization of special elements used in OS commands . An authenticated attacker can exploit this flaw by sending crafted HTTP requests or CLI commands , allowing them to execute arbitrary code on the underlying system. This can compromise the integrity, confidentiality, and availability of the device. [nvd.nist.gov] , [cvedetails.com] Severity CVSS v3.1 Base Score: 7.2 (High) Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H Attack Vector: Network Attack Complexity: Low Privileges Required: High User Interaction: None Impact: High on Confidentiality, Integrity, and Availability [cvedetails.com] Exploitation Status Actively Exploited: Yes. Fortinet confirmed expl...
Read more

Broadcom is dismantling of VMware Cloud Service Providers (VCSPs)

-
Image
  What Broadcom Is Doing to the VCSP Program 1. Broadcom is shutting down the existing VCSP program Multiple sources confirm that Broadcom issued formal non‑renewal notices to many VMware Cloud Service Providers, ending contracts as of January 26, 2026 . Partners may finish existing commitments but cannot renew or create new long‑term contract commitments . 2. Moving to an invite‑only VCSP ecosystem Broadcom is replacing the open VCSP model with a highly selective, invite‑only program , keeping only a small fraction of providers . For example: • Only 19 providers in the U.S. were retained out of thousands. • Hundreds of European providers are being cut loose. 3. White Label program sunset (critical for smaller providers) The White Label model—previously the path for smaller CSPs—has been terminated (or will be phased out depending on region). This effectively eliminates market access for many small providers. 4. Providers that are cut must hand off customers Broadcom directs ...
Read more

FBI Seizes RAMP Cybercrime Forum

-
Image
The FBI has taken down RAMP (Russian Anonymous Marketplace) , one of the most active cybercrime forums used by ransomware gangs, initial access brokers, malware sellers, and extortion groups . The takedown affected both the clearnet and dark‑web (Tor) domains, which now display official FBI/DOJ seizure notices. Why RAMP Was Significant RAMP was: Known as “the only place ransomware allowed.” A major hub for groups including LockBit, ALPHV/BlackCat, Conti, DragonForce, Qilin, RansomHub , and more. A high‑trust marketplace offering malware, exploits, tutorials, and escrow services . Home to 14,000+ vetted users , some paying fees for anonymity. Impact of the Seizure 1. Major Disruption to Criminal Infrastructure The takedown is seen as a meaningful blow against ransomware‑as‑a‑service communities. 2. Forced Migration to Other Forums Criminal groups are already shifting activity to alternative platforms like Rehub . These migrations are chaotic and risky for criminals due to: Loss of rep...
Read more

CodeRED emergency alert system is currently down across many regions!

-
Image
  CodeRED emergency alert system is currently down across many regions in the U.S. following a ransomware attack on its vendor, Crisis24. The incident has disrupted critical emergency communications and exposed user data. What Happened Attack Type : Ransomware Threat Actor : INC ransomware group Target : OnSolve CodeRED platform (owned by Crisis24) Impact : Emergency alerts (weather, missing persons, terror threats) are unavailable in many municipalities. Personal data compromised : names, addresses, emails, phone numbers, and passwords used to create CodeRED accounts. Key Details Date of Outage : Began in early November 2025, publicly confirmed Nov 26 Scope : Hundreds of municipalities affected nationwide Response : Crisis24 is migrating customers to a new CodeRED platform hosted in a separate, hardened environment. Some cities (e.g., Douglas County, CO) have terminated their CodeRED contracts and are seeking replacements. Others are using social media, door-...
Read more

Notepad++ update service was compromised

-
Image
  Notepad++ update service was compromised Multiple independent security investigations confirm that Notepad++’s update infrastructure was hijacked between June and December 2025 . This was a supply-chain attack originating from a compromise at the hosting‑provider level , not from Notepad++’s code. What exactly was compromised? 1. Update traffic was intercepted and redirected Attackers manipulated the update endpoint ( getDownloadUrl.php ) so that some users requesting updates were silently redirected to malicious servers serving tampered executables . 2. It was targeted , not widespread All sources emphasize that only specific users were affected, likely in an espionage‑focused campaign , not a mass malware distribution effort. 3. Hosting provider compromise, not a Notepad++ bug The attackers gained access to the shared hosting environment , losing direct access in September 2025 but maintaining stolen internal service credentials through December 2, 2025. Attribution: Likely...
Read more

SitusAMC Breached!

-
Image
  What Happened? On November 12, 2025 , SitusAMC detected unauthorized access to its systems. Hackers exfiltrated sensitive corporate and client-related data. The attack did not involve ransomware or encrypting malware , suggesting the goal was data theft rather than disruption. [techcrunch.com] Data Impacted Corporate data : Accounting records, legal agreements, and internal contracts. Client-related data : Information tied to residential mortgage loans, which may include personally identifiable information (PII) such as Social Security numbers and financial details. The exact scope and number of affected individuals is still under investigation. [ibtimes.co.uk] Who Is Affected Major U.S. banks including JPMorgan Chase, Citigroup, and Morgan Stanley were notified that their data may have been exposed. SitusAMC works with hundreds of lenders, so the potential ripple effect across the financial sector is significant. [webpronews.com] SitusAMC has contained the breach,...
Read more

Cyber Monday Fraud Alert

-
Image
Cyber Monday brings incredible deals—but it also attracts cybercriminals looking to exploit shoppers . Fraudsters use fake websites, phishing emails, and misleading ads to steal money, personal information, or identities. Common Scams Fake retailer sites : Look-alike domains with odd spellings or missing security (no HTTPS). Phishing emails & texts : “Exclusive deals” or “delivery issues” that link to malicious sites. Too-good-to-be-true offers : Deep discounts on electronics, gift cards, or luxury items. Charity scams : Fraudulent donation sites targeting Giving Tuesday generosity. How to Stay Safe Shop only on trusted, secure websites (look for HTTPS). Type retailer URLs directly— don’t click links in emails or ads. Use credit cards for stronger fraud protection. Compare prices across trusted platforms to spot fake “discounts.” Verify charities before donating. Report Fraud If you suspect a scam: Contact your bank or credit card provider immediately . Report ...
Read more