This Banking Trojan Hijacks Your WhatsApp to Spread Itself. It Targets 59 Brazilian Banks via a Fake Logitech Installer.
Elastic Security Labs disclosed TCLBANKER on May 7 — a Brazilian banking trojan that targets 59 banks via DLL sideloading against Logitech's AI Prompt Builder, deploys WPF overlays for credential theft, and includes worm modules that hijack victims' WhatsApp Web and Outlook to spread itself.
The trojan is geofenced to Brazil. The worm modules hijack authenticated WhatsApp and Outlook sessions to spread. The combination is the operational evolution that distinguishes Latin American banking malware in 2026.
SÃO PAULO — Elastic Security Labs disclosed on May 7, 2026 a sophisticated Brazilian banking trojan dubbed TCLBANKER, distributed through trojanized MSI installers that abuse Logitech's legitimate signed application Logi AI Prompt Builder via DLL sideloading. The campaign, tracked as REF3076, targets 59 Brazilian banking, fintech, and cryptocurrency platforms, deploys full-screen WPF overlays for credential theft and social engineering, and includes two self-propagating worm modules that hijack victims' authenticated WhatsApp Web and Microsoft Outlook sessions to send spam and phishing to their contacts.
For multinational organizations with operations in Brazil or Portuguese-speaking employee populations, this is now an active threat surface. Elastic researchers Jia Yu Chan, Daniel Stepanic, Seth Goodwin, and Terrance DeJesus assess that the campaign is in an early operational stage: developer artifacts include debug logging paths, test process names, and a phishing site still under construction. Elastic positions the malware as a major evolution of the older Maverick and SORVEPOTEL Brazilian banking malware family, and the adoption of self-spreading mechanisms by Latin American banking trojan operators means campaign volume and reach should be expected to scale in the months ahead.
How it gets in
TCLBANKER is distributed via a trojanized MSI installer bundled inside a ZIP file. When installed, the malware abuses the legitimate signed Logitech application Logi AI Prompt Builder via DLL sideloading: a malicious DLL named screen_retriever_plugin.dll masquerades as a legitimate Flutter plugin of the same name, auto-loads when the host application starts, and only executes if loaded by LogiAiPromptBuilder.exe or tclloader.exe. The two embedded modules — a banking trojan and a worm propagator — are .NET Reactor-protected.
The geofencing is strict: TCLBANKER checks four signals (region code, time zone, system locale, and keyboard layout) and requires at least two of them to match Brazil before it will execute. A sandbox that presents only one of them, say a pt-BR locale on a US time zone, never decrypts the payload and sees nothing. Environment-gated decryption is one of the trojan's anti-analysis tricks, alongside anti-debugging, ETW patching, and a watchdog that searches for x64dbg, IDA, dnSpy, Frida, Ghidra, and ProcessHacker.
The WPF overlay system
Once active, TCLBANKER reads the victim's active browser address bar every second via Windows UI Automation across Chrome, Firefox, Edge, Brave, Opera, and Vivaldi. When a targeted bank URL is detected, the malware opens a WebSocket session to wss://mxtestacionamentos[.]com/ws and the operator gains full remote control of the infected machine. The operator then deploys full-screen, borderless WPF overlays. Because the overlay windows set the WDA_EXCLUDEFROMCAPTURE display affinity, Windows omits them from screenshots and screen recordings, and during active sessions the overlays block the Windows key, the Escape key, and Task Manager.
Overlay types include fake credential prompts, PIN keypads, phone-number collection forms, fake "bank support" waiting screens used as vishing pretexts, fake Windows Update screens, and "cutout" overlays that show only selected portions of legitimate apps while masking the rest. For a CISO at a financial services firm, the relevant detail is that screen-recording-based detection of overlay attacks is no longer reliable — the attack is designed to be invisible to the tools that would normally surface it.
The worm modules
The first worm module searches Chromium browser profiles for authenticated WhatsApp Web IndexedDB data, launches a hidden Chromium instance to hijack the victim's session, harvests contacts, filters for Brazilian phone numbers, and uses the open-source WPPConnect project to automate sending messages from the victim's account that point those contacts to TCLBANKER distribution platforms. The second module drives Microsoft Outlook through COM automation to harvest contacts and send fake emails from the victim's mailbox to those contacts.
The operational evolution this represents matters more than the technical details. By hijacking authenticated user sessions to send messages from victim accounts, TCLBANKER inherits the trust and deliverability of legitimate communications: the Outlook messages pass gateways and reputation checks as mail from an established sender, and the WhatsApp messages arrive from a contact the recipient already trusts. The pattern echoes the broader 2026 SaaS-era IR challenge: containment now requires session-level intervention across multiple authenticated services, not just endpoint cleanup.
The CyberSignal Analysis
Signal 01 — Worm propagation via authenticated sessions is the new normal
Self-spreading malware that uses victim accounts to reach contacts has been around for decades, but the combination of authenticated WhatsApp Web hijacking and Outlook COM automation in a single banking trojan is new. The deliverability advantage is real: a message from a known sender's authenticated account lands in inboxes that would filter the same content coming from an unknown sender or a newly registered domain. Expect this dual-channel propagation to spread to other regions and other banking trojan families within 12 to 24 months.
Signal 02 — Logitech application allow-listing needs a second look
Logi AI Prompt Builder is a legitimate signed Logitech application, and many enterprise environments allow it by default because it ships with Logitech peripherals. The DLL sideloading attack against it produces a malicious payload that runs under the trust signal of a major hardware vendor. Note that a publisher-based allow-list rule trusts the signed executable but says nothing about the DLLs that executable loads; unless DLL rules are enforced as well, a sideloaded library runs with the same blessing. Audit application allow-listing for Logitech utilities specifically, and more broadly for any vendor whose signed applications are common enough that the publisher signature alone won't trigger scrutiny.
Signal 03 — Screen-recording detection is no longer sufficient
WDA_EXCLUDEFROMCAPTURE is a legitimate Windows display affinity flag, set through SetWindowDisplayAffinity, designed to keep sensitive content out of screen captures. TCLBANKER weaponizes it. Any detection or monitoring strategy that relies on watching what the user sees on screen, including some user-behavior analytics tools and remote support session recording, will miss the overlay attack entirely. Update detection logic to focus on process behavior and outbound WebSocket traffic rather than visual signals; an endpoint agent can also enumerate top-level windows and query GetWindowDisplayAffinity, since legitimate users of the flag are rare enough to baseline.
What to do this week
- Block ZIP-wrapped MSI installers posing as Logitech software from untrusted sources at the email gateway and web proxy. Brief Portuguese-speaking employees on the WhatsApp hijack pattern: a message from a known contact that pushes a download link may have been sent by malware from that contact's compromised account, not by the contact.
- Add detection rules for: DLL side-loading where screen_retriever_plugin.dll is loaded by LogiAiPromptBuilder.exe or tclloader.exe (the genuine Flutter plugin carries the same file name, so key the rule on an unsigned DLL, an unexpected load path, or the tclloader.exe host rather than on the name alone); WebSocket connections to mxtestacionamentos[.]com or domains matching the same pattern; hidden Chromium instances launched without user interaction; WPF overlays with WDA_EXCLUDEFROMCAPTURE; and COM automation calls to Microsoft Outlook from non-user processes.
- Update IR playbooks: when an endpoint is contained, scope must include the victim's WhatsApp Web sessions and Outlook accounts to prevent further spread within the organization. Endpoint cleanup alone is not sufficient.
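The detection rules above, together with the sideloading, C2 and worm behaviour described earlier, as an added example run over constructed Sysmon-style events (this is illustrative code written for this page, not Elastic's detection content or anything from the REF3076 report). Field names follow Sysmon's schema for process creation (EventID 1), network connection (3), image load (7) and DNS query (22); the expected Logitech install directory, the `--headless` heuristic for a hidden Chromium instance, and the sample events themselves are assumptions, not observed telemetry.

```python
"""Detection logic for the TCLBANKER indicators on this page, run over
constructed Sysmon-style event dicts. Paths, install directory, and the
hidden-Chromium heuristic are assumptions for illustration."""
from __future__ import annotations
import ntpath

SIDELOAD_DLL = "screen_retriever_plugin.dll"
SIDELOAD_HOSTS = {"logiaipromptbuilder.exe", "tclloader.exe"}
# Assumption: where the genuine Logi AI Prompt Builder plugin would live.
EXPECTED_PLUGIN_DIR = r"c:\program files\logitech\logi ai prompt builder"
C2_DOMAIN = "mxtestacionamentos.com"
CHROMIUM = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "vivaldi.exe"}
USER_LAUNCHERS = {"explorer.exe"}  # parent of an app the user started


def _base(path: str | None) -> str:
    return ntpath.basename(path or "").lower()


def rule_sideload(ev: dict) -> str | None:
    """Sysmon 7: the plugin DLL loaded by one of the two host processes.
    The real plugin loads under the same name, so fire only when the DLL is
    unsigned, loaded from outside the expected install directory, or loaded
    by tclloader.exe, which is not a Logitech binary."""
    if ev.get("EventID") != 7 or _base(ev.get("ImageLoaded")) != SIDELOAD_DLL:
        return None
    host = _base(ev.get("Image"))
    if host not in SIDELOAD_HOSTS:
        return None
    loaded = (ev.get("ImageLoaded") or "").lower()
    unsigned = str(ev.get("Signed", "")).lower() != "true"
    off_path = not loaded.startswith(EXPECTED_PLUGIN_DIR)
    if host == "tclloader.exe" or unsigned or off_path:
        return f"sideload: {host} loaded {loaded} (signed={not unsigned})"
    return None


def rule_c2(ev: dict) -> str | None:
    """Sysmon 3/22: connection or DNS lookup for the C2 domain or a subdomain."""
    name = ""
    if ev.get("EventID") == 22:
        name = ev.get("QueryName", "")
    elif ev.get("EventID") == 3:
        name = ev.get("DestinationHostname", "")
    name = name.lower().rstrip(".")
    if name == C2_DOMAIN or name.endswith("." + C2_DOMAIN):
        return f"c2: {_base(ev.get('Image'))} -> {name}"
    return None


def rule_hidden_chromium(ev: dict) -> str | None:
    """Sysmon 1: a Chromium browser started headless, or by a parent that is
    neither the shell nor a browser (heuristic; the report does not give flags)."""
    if ev.get("EventID") != 1 or _base(ev.get("Image")) not in CHROMIUM:
        return None
    cmd = (ev.get("CommandLine") or "").lower()
    parent = _base(ev.get("ParentImage"))
    if "--headless" in cmd or parent not in USER_LAUNCHERS | CHROMIUM:
        return f"hidden-chromium: {parent} spawned {_base(ev['Image'])} [{cmd}]"
    return None


def rule_outlook_com(ev: dict) -> str | None:
    """Sysmon 1: outlook.exe started by something other than the user's shell.
    COM activation launches it via svchost.exe (DcomLaunch); an Outlook that is
    already open produces no process-creation event, so this is partial cover."""
    if ev.get("EventID") != 1 or _base(ev.get("Image")) != "outlook.exe":
        return None
    parent = _base(ev.get("ParentImage"))
    if parent not in USER_LAUNCHERS:
        return f"outlook-com: outlook.exe started by {parent}"
    return None


RULES = (rule_sideload, rule_c2, rule_hidden_chromium, rule_outlook_com)


def detect(events: list[dict]) -> list[str]:
    """Run every rule over every event and return the alert strings in order."""
    return [hit for ev in events for rule in RULES if (hit := rule(ev))]


# Constructed sample events, not captured telemetry.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Program Files\Logitech\Logi AI Prompt Builder\LogiAiPromptBuilder.exe",
     "ImageLoaded": r"C:\Program Files\Logitech\Logi AI Prompt Builder\screen_retriever_plugin.dll",
     "Signed": "true"},                                   # genuine plugin: no alert
    {"EventID": 7, "Image": r"C:\Users\ana\AppData\Local\Temp\LogiAiPromptBuilder.exe",
     "ImageLoaded": r"C:\Users\ana\AppData\Local\Temp\screen_retriever_plugin.dll",
     "Signed": "false"},                                  # sideload from a temp dir
    {"EventID": 22, "Image": r"C:\Users\ana\AppData\Local\Temp\tclloader.exe",
     "QueryName": "mxtestacionamentos.com"},
    {"EventID": 1, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ParentImage": r"C:\Users\ana\AppData\Local\Temp\tclloader.exe",
     "CommandLine": r'chrome.exe --headless --user-data-dir="C:\Users\ana\AppData\Local\Google\Chrome\User Data"'},
    {"EventID": 1, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "chrome.exe"},   # user launch: no alert
    {"EventID": 1, "Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "ParentImage": r"C:\Windows\System32\svchost.exe", "CommandLine": "OUTLOOK.EXE -Embedding"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Run against the sample set, the first image-load event (signed plugin in its install directory) and the explorer-launched Chrome produce nothing, while the temp-directory sideload, the C2 lookup, the headless Chrome spawned by tclloader.exe, and the svchost-started Outlook each raise one alert. The sideload rule is the one worth tuning in your own environment: confirm where the genuine plugin lives and whether it is signed before relying on those two conditions.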