Security researchers have identified TCLBanker, a sophisticated Brazilian banking trojan actively targeting 59 banking, fintech, and cryptocurrency platforms through a multi-stage malware campaign tracked as REF3076. The TCLBanker malware is distributed via trojanized MSI installer packages masquerading as legitimate Logitech Logi AI Prompt Builder application installers bundled inside ZIP archive files. Beyond traditional banking trojan capabilities for credential theft and financial fraud, TCLBanker incorporates advanced self-propagating worm functionality enabling automated distribution through both WhatsApp Web session hijacking and Microsoft Outlook COM automation, significantly amplifying its potential reach across Brazilian user populations. The TCLBanker campaign primarily targets Windows platforms and focuses on Chromium-based browsers including Chrome, Edge, Brave, Opera, and Vivaldi, alongside Firefox, Microsoft Outlook desktop clients, and WhatsApp Web sessions.
The TCLBanker malware delivery mechanism exploits DLL side-loading vulnerabilities by planting a malicious dynamic link library file named screen_retriever_plugin.dll disguised as a legitimate Flutter framework plugin component. When victims execute the trojanized Logitech application installer, the legitimate digitally signed Logitech executable unknowingly loads the malicious DLL, triggering the TCLBanker infection chain. TCLBanker distribution campaigns observed by researchers primarily utilize phishing lures impersonating Brazilian business services including fake electronic invoice notifications (NFe – Nota Fiscal Eletrônica) and quotation request documents distributed through WhatsApp messages and Outlook phishing emails sent from previously compromised user accounts, leveraging trusted sender reputations to bypass spam filtering mechanisms.
Before executing its malicious payloads, the TCLBanker loader implements extensive environment validation checks designed to evade security analysis and sandbox detection systems. The loader first runs anti-debugging checks, including Process Environment Block flag checks, heap structure analysis, hardware breakpoint detection, and execution timing measurements, and then fingerprints the system: hypervisor presence indicators, available disk space, CPU and RAM resources, sandbox-associated usernames, and Brazilian Portuguese locale settings. These collected fingerprints are combined into an environment-specific cryptographic hash that functions as the AES-256 CBC decryption key for the embedded malicious payloads; if the compromised system does not match the expected production environment characteristics, payload decryption fails silently, preventing malware execution in security research and analysis environments.
The primary TCLBanker banking trojan component, internally identified as Tcl.Agent, establishes persistence through a hidden Windows scheduled task named RuntimeOptimizeService configured to execute at user logon events. The malware continuously monitors victim browser activity using Microsoft UI Automation APIs, comparing visited URLs against a hardcoded target list of 59 Brazilian banking, fintech, and cryptocurrency platform domains. When TCLBanker detects access to targeted financial services, it initiates WebSocket-based command-and-control sessions enabling remote attackers to execute shell commands, capture screenshots, stream victim screens in real-time, log keystrokes, hijack clipboard contents, remotely control mouse and keyboard input, browse filesystem contents, and manage running processes. During active fraud sessions, TCLBanker executes a Task Manager killer thread every 500 milliseconds to prevent victims from inspecting malicious processes. The malware deploys sophisticated WPF-based full-screen overlay frameworks displaying convincing bank-themed phishing interfaces including PIN entry prompts, credential collection screens, fake progress indicators, vishing wait screens, and counterfeit Windows Update pages designed to maintain victim engagement during fraudulent transactions.
The TCLBanker worm component, tracked as Tcl.WppBot, enables large-scale automated propagation through dual distribution channels exploiting both WhatsApp Web and Microsoft Outlook platforms. The WhatsApp propagation module hijacks authenticated browser sessions by cloning IndexedDB session storage data, launching headless Chromium browser instances with bot-detection bypass configurations, and automatically transmitting phishing messages to up to 3,000 Brazilian contacts in single campaign waves. The Outlook propagation module abuses PowerShell Component Object Model automation capabilities to harvest email contacts from victim mailboxes and distribute phishing emails directly from compromised Outlook accounts, leveraging established sender trust relationships to evade spam filtering systems. Researchers analyzing TCLBanker infrastructure observed that the malware’s entire command-and-control and distribution infrastructure is hosted on the Cloudflare Workers platform under a single account identifier, providing attackers with resilient, low-cost infrastructure resistant to takedown efforts.
TCLBanker banking trojan is delivered to victims through malicious ZIP archive files containing trojanized MSI installer packages that abuse legitimate, digitally signed Logitech Logi AI Prompt Builder application binaries. The TCLBanker malware employs DLL side-loading techniques by planting a malicious dynamic link library file named screen_retriever_plugin.dll that masquerades as a legitimate Flutter framework plugin component typically used by cross-platform applications. When victims execute the Logitech application installer from the trojanized package, the legitimate signed LogiAiPromptBuilder.exe binary unknowingly loads the malicious screen_retriever_plugin.dll from the application directory, triggering the TCLBanker infection chain without generating security alerts from application whitelisting or digital signature validation systems. Distribution campaigns associated with TCLBanker primarily leverage phishing lures impersonating Brazilian business services including fake NFe electronic invoice notifications and quotation request documents distributed via WhatsApp messages and Microsoft Outlook phishing emails sent from previously compromised accounts, exploiting trusted sender reputations to increase victim interaction rates.
Before activating its malicious payloads, the TCLBanker loader performs extensive environment validation checks designed to evade security analysis and automated sandbox detection systems. The malware implements sophisticated anti-debugging techniques including Process Environment Block flag validation, heap structure analysis, hardware breakpoint detection, and execution timing measurements to identify debugger presence. TCLBanker systematically validates numerous system characteristics including hypervisor presence through CPUID instruction analysis, available disk space thresholds, CPU core counts, RAM capacity, sandbox-associated usernames like “malware”, “sandbox”, “virus”, and “sample”, and Brazilian Portuguese locale configuration. These collected environment fingerprints are cryptographically combined into an environment-specific hash value that serves as the AES-256 CBC decryption key for embedded malicious payload modules. If the compromised system environment does not match expected production characteristics, AES payload decryption fails silently without error messages, effectively preventing TCLBanker execution in security research laboratories and automated malware analysis sandboxes. To further evade detection and monitoring, TCLBanker unhooks ntdll.dll to remove security product instrumentation, generates direct system call trampolines bypassing user-mode hooks, patches Event Tracing for Windows telemetry collection functions, and continuously monitors for active security research tools including IDA Pro, Ghidra, x64dbg, dnSpy, Frida, ProcessHacker, and CheatEngine, terminating execution if any are detected.
The primary TCLBanker banking trojan component, internally identified as the Tcl.Agent module, establishes system persistence through a hidden Windows scheduled task named RuntimeOptimizeService configured to execute the malware payload at user logon events. TCLBanker continuously monitors victim web browser activity using Microsoft UI Automation API frameworks, extracting currently visited URLs and comparing them against a hardcoded target list containing 59 Brazilian banking institutions, fintech platforms, and cryptocurrency exchange domains. When TCLBanker detects victim access to targeted financial services, the malware initiates a WebSocket-based command-and-control communication session with attacker infrastructure, enabling real-time remote access capabilities. The TCLBanker C2 protocol supports comprehensive remote access commands including arbitrary shell command execution, full-screen screenshot capture, real-time screen streaming, keystroke logging, clipboard data hijacking, remote mouse and keyboard control, filesystem browsing, and running process management. During active fraud sessions, TCLBanker executes a protective Task Manager killer thread every 500 milliseconds that automatically terminates any Windows Task Manager instances, preventing victims from inspecting malicious processes and network connections during fraudulent transaction execution.
TCLBanker implements an advanced Windows Presentation Foundation-based full-screen overlay framework specifically designed for social engineering and credential theft during banking sessions. The malware dynamically generates convincing bank-themed phishing interfaces including PIN entry prompts, multi-factor authentication token collection screens, fake transaction processing progress bars, vishing call waiting screens instructing victims to remain available for verification calls, and counterfeit Windows Update pages maintaining victim engagement during background fraudulent transactions. These TCLBanker overlay interfaces operate as borderless topmost windows programmed to resist standard dismissal methods and incorporate anti-capture mechanisms preventing the overlays from appearing in screenshot captures or screen-sharing sessions, ensuring victims cannot easily document the fraud in progress or request remote assistance without alerting attackers. The overlay framework enables TCLBanker operators to conduct sophisticated man-in-the-browser attacks capturing credentials and transaction authorization tokens while maintaining victim trust through professional-appearing interfaces mimicking legitimate banking security procedures.
The TCLBanker worm module, tracked as the Tcl.WppBot component, enables large-scale automated malware propagation through dual distribution channels exploiting WhatsApp Web and Microsoft Outlook platforms. The WhatsApp propagation mechanism hijacks authenticated browser sessions by cloning IndexedDB session storage data containing WhatsApp Web authentication tokens, launching headless Chromium browser instances with bot-detection bypass configurations including custom user agent strings and behavioral evasion scripts, and automatically transmitting phishing messages containing TCLBanker distribution links to up to 3,000 contacts extracted from victim WhatsApp contact lists in single automated campaign waves. The Microsoft Outlook propagation module abuses PowerShell Component Object Model automation by instantiating Outlook.Application COM objects, harvesting email addresses from victim inbox folders and contact lists, and distributing phishing emails directly from compromised Outlook desktop client installations, leveraging established sender trust relationships and bypassing external SMTP gateway spam filtering mechanisms. Security researchers analyzing TCLBanker command-and-control infrastructure identified that the malware’s entire C2 and distribution infrastructure is hosted on the Cloudflare Workers serverless computing platform under a single account identifier, providing attackers with geographically distributed, DDoS-resistant infrastructure that is difficult to disrupt through traditional takedown procedures.
Organizations should deploy security detection rules specifically targeting the loading of screen_retriever_plugin.dll by LogiAiPromptBuilder.exe processes or any unsigned DLL files loaded by legitimate Flutter-based application frameworks. Implement endpoint detection and response monitoring that generates high-priority alerts when DLL files are loaded from non-standard installation paths such as %LocalAppData%\LogiAI or user-writable temporary directories rather than protected Program Files locations. Security teams should establish baseline profiles of legitimate Logitech application behavior and flag any deviations including unexpected DLL dependencies or network communication patterns inconsistent with normal software update mechanisms. Supplement technical controls with user awareness training highlighting the risks of executing MSI installer packages from untrusted sources including email attachments and WhatsApp file transfers, emphasizing that legitimate software vendors do not distribute applications through personal messaging platforms.
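As an added example (not code from the original write-up), the two detection rules above expressed over constructed Sysmon-style ImageLoad records; the sample process and module paths are made up, and the ImageLoad field names are an assumption about how such telemetry is shaped:

```python
# Added example (not from the original write-up): an image-load detector that
# encodes the two rules above. Field names follow Sysmon Event ID 7 (ImageLoad);
# every record below is constructed for illustration.
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Optional, Tuple

# Locations a standard user cannot write to; a DLL loaded from anywhere else is "non-standard".
PROTECTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")
# Substrings marking user-writable staging locations abused by TCLBanker (e.g. %LocalAppData%\LogiAI).
USER_WRITABLE_HINTS = ("\\appdata\\local\\", "\\appdata\\roaming\\", "\\temp\\", "\\downloads\\")
# Host/DLL pair named in the write-up; extend with other known side-load pairs as needed.
KNOWN_SIDELOAD_PAIRS = {("logiaipromptbuilder.exe", "screen_retriever_plugin.dll")}


@dataclass
class ImageLoad:
    image: str            # process that loaded the module (Sysmon "Image")
    image_signed: bool    # whether the host executable itself is signed
    loaded: str           # module path (Sysmon "ImageLoaded")
    loaded_signed: bool   # Sysmon "Signed" for the loaded module


def in_protected_location(path: str) -> bool:
    return path.lower().startswith(PROTECTED_ROOTS)


def in_user_writable_location(path: str) -> bool:
    low = path.lower()
    return any(h in low for h in USER_WRITABLE_HINTS)


def classify(ev: ImageLoad) -> Optional[Tuple[str, str]]:
    """Return (severity, reason) when the load matches a rule, else None."""
    host = PureWindowsPath(ev.image).name.lower()
    dll = PureWindowsPath(ev.loaded).name.lower()
    if (host, dll) in KNOWN_SIDELOAD_PAIRS:
        return ("high", "known TCLBanker side-load pair")
    if (ev.image_signed and not ev.loaded_signed
            and in_user_writable_location(ev.loaded) and not in_protected_location(ev.loaded)):
        return ("high", "signed host loaded unsigned DLL from user-writable path")
    if not ev.loaded_signed and not in_protected_location(ev.loaded):
        return ("medium", "unsigned DLL loaded outside protected locations")
    return None


def scan(events: List[ImageLoad]) -> List[Tuple[str, str, str, str]]:
    """Evaluate every event; return (severity, reason, host image, loaded module) per hit."""
    hits = []
    for ev in events:
        res = classify(ev)
        if res:
            hits.append((res[0], res[1], ev.image, ev.loaded))
    return hits


# Constructed sample telemetry: one trojanized install, one clean install, one generic side-load.
SAMPLE = [
    ImageLoad(r"C:\Users\alice\AppData\Local\LogiAI\LogiAiPromptBuilder.exe", True,
              r"C:\Users\alice\AppData\Local\LogiAI\screen_retriever_plugin.dll", False),
    ImageLoad(r"C:\Program Files\Logitech\LogiAI\LogiAiPromptBuilder.exe", True,
              r"C:\Program Files\Logitech\LogiAI\flutter_windows.dll", True),
    ImageLoad(r"C:\Program Files\Vendor\app.exe", True,
              r"C:\Users\alice\AppData\Local\Temp\helper.dll", False),
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```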
Organizations must implement behavioral detection capabilities targeting processes that reload the ntdll.dll system library from disk, a common unhooking technique used by advanced malware to remove security product instrumentation. Deploy detection rules identifying processes that patch the EtwEventWrite function with return instructions to disable Event Tracing for Windows telemetry collection, a defensive evasion tactic employed by TCLBanker. Security operations teams should leverage existing detection rule repositories including the Elastic Security detection rules for NTDLL Memory Protection Change via Unsigned DLL and Potential NTDLL Memory Unhooking, adapting these signatures for organizational security monitoring platforms. Establish continuous monitoring for processes exhibiting suspicious memory manipulation behaviors including VirtualProtect API calls targeting system DLL memory regions with PAGE_EXECUTE_READWRITE permissions, and correlate these behaviors with other indicators including network connections to Cloudflare Workers infrastructure and filesystem access to Brazilian banking platform credential storage locations.
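The following is an added example, not detection code from the page or from any vendor: a per-process correlator for the ntdll.dll reload and EtwEventWrite-patch behaviours above, run over constructed events; the event shape, module base address and export RVAs are invented placeholders, and a real pipeline would take them from Sysmon, ETW or an EDR sensor.

```python
# Added example (not from the original write-up); all events, addresses and RVAs are constructed.
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List

PAGE_EXECUTE_READWRITE = 0x40  # the VirtualProtect constant the write-up calls out

@dataclass
class Event:
    pid: int
    kind: str                  # "image_load", "file_map" or "mem_protect"
    path: str = ""             # module or file path (image_load, file_map)
    base: int = 0              # module base (image_load) or target address (mem_protect)
    size: int = 0              # module size or region size
    protect: int = 0           # new protection (mem_protect)
    exports: Dict[str, int] = field(default_factory=dict)  # export name -> RVA (constructed)

@dataclass
class ProcState:
    ntdll_base: int = 0
    ntdll_size: int = 0
    exports: Dict[str, int] = field(default_factory=dict)
    ntdll_loads: int = 0
    findings: List[str] = field(default_factory=list)

def is_ntdll(path: str) -> bool:
    return path.lower().endswith("\\ntdll.dll")

def analyze(events: List[Event]) -> Dict[int, ProcState]:
    """Walk events in order and record unhooking/ETW-tampering indicators per pid."""
    procs: Dict[int, ProcState] = defaultdict(ProcState)
    for ev in events:
        st = procs[ev.pid]
        if ev.kind == "image_load" and is_ntdll(ev.path):
            st.ntdll_loads += 1
            if st.ntdll_loads == 1:   # the loader's legitimate mapping at process start
                st.ntdll_base, st.ntdll_size, st.exports = ev.base, ev.size, ev.exports
            else:                     # a second mapping is the classic "fresh copy" unhook
                st.findings.append("ntdll.dll mapped again after process start")
        elif ev.kind == "file_map" and is_ntdll(ev.path) and st.ntdll_loads:
            st.findings.append("ntdll.dll re-read from disk while already loaded")
        elif ev.kind == "mem_protect" and ev.protect == PAGE_EXECUTE_READWRITE and st.ntdll_size:
            if st.ntdll_base <= ev.base < st.ntdll_base + st.ntdll_size:
                # Name the export the RWX region covers, e.g. EtwEventWrite ahead of a ret patch.
                hit = next((n for n, rva in st.exports.items()
                            if ev.base <= st.ntdll_base + rva < ev.base + ev.size), None)
                st.findings.append("RWX protection change inside ntdll.dll"
                                   + (f" covering {hit}" if hit else ""))
    return dict(procs)

def verdict(procs: Dict[int, ProcState]) -> Dict[int, str]:
    """high when two independent indicators co-occur in one process, medium for a single one."""
    return {pid: ("high" if len(st.findings) >= 2 else "medium")
            for pid, st in procs.items() if st.findings}

# Constructed sample: pid 4242 shows both behaviours, pid 1001 is an ordinary process.
NTDLL_BASE, NTDLL_SIZE = 0x7FF8_0000_0000, 0x200000
EXPORTS = {"EtwEventWrite": 0x12340, "NtProtectVirtualMemory": 0x9A0C0}  # placeholder RVAs
SAMPLE = [
    Event(4242, "image_load", r"C:\Windows\System32\ntdll.dll", NTDLL_BASE, NTDLL_SIZE, exports=EXPORTS),
    Event(1001, "image_load", r"C:\Windows\System32\ntdll.dll", NTDLL_BASE, NTDLL_SIZE, exports=EXPORTS),
    Event(4242, "file_map", r"C:\Windows\System32\ntdll.dll"),
    Event(4242, "mem_protect", base=NTDLL_BASE + 0x12340, size=0x1000, protect=PAGE_EXECUTE_READWRITE),
    Event(1001, "mem_protect", base=0x1C0000, size=0x1000, protect=0x04),  # PAGE_READWRITE on a heap
]

if __name__ == "__main__":
    print(verdict(analyze(SAMPLE)))
```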
Organizations should enforce application control policies that block execution of unsigned or externally sourced MSI installer packages lacking organizational code signing validation. Implement Microsoft Windows Defender Application Control or AppLocker policies requiring administrative approval for all MSI installation operations, preventing standard users from executing installer packages delivered through phishing campaigns. Audit msiexec.exe execution logs for silent installation flags such as the /qn parameter that indicate automated malware deployment scenarios rather than interactive user-initiated software installations. Organizations operating in Brazil should implement enhanced scrutiny of MSI packages claiming to be from Logitech or other peripheral device manufacturers, validating digital signatures against known-good publisher certificates and verifying installation packages through official vendor download channels before permitting execution on corporate endpoints.
Organizations should implement user education programs instructing employees to regularly review and terminate active WhatsApp Web sessions from their mobile devices through the WhatsApp Settings > Linked Devices menu, preventing unauthorized session persistence. Deploy endpoint monitoring capabilities detecting headless Chromium browser processes accessing WhatsApp Web IndexedDB storage data or exhibiting automated browser activity patterns inconsistent with normal human interaction. For organizations permitting personal device usage on corporate networks, implement network segmentation isolating personal messaging application traffic from access to internal financial systems and sensitive business applications. Consider implementing mobile device management policies that restrict WhatsApp Web usage on corporate workstations or require multi-factor authentication re-validation for WhatsApp Web sessions initiated from new devices, limiting the effectiveness of session hijacking attacks.
Organizations must implement Group Policy or Intune policy configurations restricting COM interop access to Microsoft Outlook Application objects from scripting environments including PowerShell, VBScript, and Windows Script Host. Deploy security monitoring detecting PowerShell scripts that instantiate Outlook.Application COM objects, enumerate inbox contacts, or exhibit automated email composition and sending behaviors characteristic of worm propagation modules. Establish baseline behavioral profiles for legitimate email sending patterns from desktop Outlook clients and generate security alerts for unusual bulk email transmission exceeding normal user patterns, particularly when emails contain suspicious attachments or links matching indicators associated with Brazilian banking trojan campaigns. Supplement technical controls with email gateway filtering rules blocking outbound messages containing links to newly registered domains, Cloudflare Workers URLs, or compressed archive attachments targeting Brazilian recipients.
Organizations operating in Brazil or supporting Brazilian employees should implement enhanced network segmentation and endpoint monitoring specifically for systems accessing banking and financial services platforms. Apply conditional access policies requiring device health attestation, current security patch levels, and multi-factor authentication validation before permitting access to financial institution websites and cryptocurrency exchanges from corporate networks. Implement web proxy or next-generation firewall policies generating security alerts when systems exhibit indicators of TCLBanker infection including WebSocket connections to Cloudflare Workers infrastructure combined with access to targeted Brazilian banking domains. Deploy endpoint detection and response solutions configured to monitor for scheduled tasks with suspicious names like RuntimeOptimizeService, UI Automation API usage targeting browser windows, and rapid Task Manager process termination patterns characteristic of TCLBanker fraud session protection mechanisms.
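An added example (not from the original write-up) covering the last two endpoint indicators above: a triage check for scheduled-task registrations and a sliding-window detector for Task Manager instances that are terminated within a second of launch; the hosts, pids, timestamps and task records are constructed, and the event field names are an assumption loosely modelled on Sysmon Event ID 1 and 5.

```python
# Added example (not from the original write-up); all records below are constructed.
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

USER_WRITABLE_HINTS = ("\\appdata\\", "\\temp\\", "\\downloads\\")

@dataclass
class TaskEvent:
    host: str
    name: str
    hidden: bool
    trigger: str   # "logon", "boot", "daily", ...
    action: str    # command line the task runs

def triage_task(t: TaskEvent) -> List[str]:
    """Reasons a newly registered scheduled task deserves analyst attention."""
    reasons = []
    if t.name.lower() == "runtimeoptimizeservice":
        reasons.append("task name used by TCLBanker")
    if t.hidden and t.trigger == "logon":
        reasons.append("hidden task with logon trigger")
    if any(h in t.action.lower() for h in USER_WRITABLE_HINTS):
        reasons.append("action runs from a user-writable path")
    return reasons

@dataclass
class ProcEvent:
    ts: float      # seconds on a constructed clock
    host: str
    pid: int
    image: str
    kind: str      # "create" or "terminate"

def taskmgr_lifetimes(events: List[ProcEvent]) -> List[Tuple[str, float, float]]:
    """Pair create/terminate of Taskmgr.exe per (host, pid) -> (host, start, lifetime)."""
    starts, out = {}, []
    for ev in sorted(events, key=lambda e: e.ts):
        if not ev.image.lower().endswith("\\taskmgr.exe"):
            continue
        key = (ev.host, ev.pid)
        if ev.kind == "create":
            starts[key] = ev.ts
        elif ev.kind == "terminate" and key in starts:
            t0 = starts.pop(key)
            out.append((ev.host, t0, ev.ts - t0))
    return out

def detect_taskmgr_killer(events, max_lifetime=1.0, min_hits=3, window=30.0) -> Dict[str, int]:
    """Hosts with >= min_hits sub-second Task Manager instances inside any window-second span."""
    short = defaultdict(list)   # a user closing Task Manager takes seconds; a 500 ms killer does not
    for host, t0, life in taskmgr_lifetimes(events):
        if life <= max_lifetime:
            short[host].append(t0)
    flagged = {}
    for host, times in short.items():
        times.sort()
        lo = 0
        for hi in range(len(times)):
            while times[hi] - times[lo] > window:
                lo += 1
            if hi - lo + 1 >= min_hits:
                flagged[host] = max(flagged.get(host, 0), hi - lo + 1)
    return flagged

TM = r"C:\Windows\System32\Taskmgr.exe"
# WS01: four instances killed ~0.45 s after launch; WS02: one instance the user closed after a minute.
SAMPLE = [ProcEvent(t, "WS01", pid, TM, kind) for pid, t0 in ((100, 1000.0), (101, 1002.1), (102, 1003.0), (103, 1005.0))
          for t, kind in ((t0, "create"), (t0 + 0.45, "terminate"))]
SAMPLE += [ProcEvent(2000.0, "WS02", 300, TM, "create"), ProcEvent(2060.0, "WS02", 300, TM, "terminate")]
```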
T1566: Phishing T1566.001: Spearphishing Attachment – TCLBanker campaigns distribute trojanized Logitech installer packages bundled in ZIP archives via phishing emails and WhatsApp messages impersonating Brazilian business services including NFe invoice notifications.
T1218: System Binary Proxy Execution T1218.007: Msiexec – TCLBanker leverages Windows Installer (msiexec.exe) to execute trojanized MSI packages containing malicious payloads disguised as legitimate Logitech application installers.
T1059: Command and Scripting Interpreter T1059.001: PowerShell – TCLBanker worm module abuses PowerShell COM automation to enumerate Outlook contacts and distribute phishing emails from compromised accounts.
T1059.003: Windows Command Shell – TCLBanker C2 framework supports remote shell command execution for reconnaissance and lateral movement operations.
T1106: Native API – TCLBanker implements direct system call trampolines and native API invocations to evade user-mode security product hooks.
T1053: Scheduled Task/Job T1053.005: Scheduled Task – TCLBanker establishes persistence through a hidden scheduled task named RuntimeOptimizeService configured to execute at user logon.
T1574: Hijack Execution Flow T1574.001: DLL Side-Loading – TCLBanker exploits DLL side-loading by planting malicious screen_retriever_plugin.dll loaded by legitimate signed Logitech executables.
T1140: Deobfuscate/Decode Files or Information – TCLBanker uses environment-specific AES-256 decryption keys derived from system fingerprints to decrypt embedded payloads.
T1027: Obfuscated Files or Information – TCLBanker payloads are protected with .NET Reactor obfuscation preventing static analysis.
T1622: Debugger Evasion – TCLBanker implements PEB flag checks, heap analysis, hardware breakpoint detection, and timing measurements to detect debugging environments.
T1497: Virtualization/Sandbox Evasion T1497.001: System Checks – TCLBanker validates hypervisor presence, disk space, CPU/RAM resources, sandbox usernames, and locale settings before payload execution.
T1497.003: Time Based Evasion – TCLBanker employs timing measurements to detect sandboxes using execution acceleration techniques.
T1685: Disable or Modify Tools T1685.001: Disable or Modify Windows Event Log – TCLBanker patches ETW telemetry collection functions to evade security logging.
T1055: Process Injection – TCLBanker unhooks ntdll.dll and manipulates memory protections for evasion purposes.
T1056: Input Capture T1056.001: Keylogging – TCLBanker logs keystrokes during banking sessions to capture credentials and transaction authorization codes.
T1056.003: Web Portal Capture – TCLBanker displays WPF-based overlay phishing interfaces capturing credentials for Brazilian financial platforms.
T1185: Browser Session Hijacking – TCLBanker worm module clones WhatsApp Web IndexedDB session data to hijack authenticated sessions for propagation.
T1057: Process Discovery – TCLBanker continuously monitors running processes to detect and terminate security tools and Task Manager.
T1010: Application Window Discovery – TCLBanker uses UI Automation APIs to monitor active browser windows and detect access to targeted banking domains.
T1082: System Information Discovery – TCLBanker collects system information during environment fingerprinting for anti-analysis purposes.
T1614: System Location Discovery T1614.001: System Language Discovery – TCLBanker validates Brazilian Portuguese locale settings as part of environment validation.
T1113: Screen Capture – TCLBanker captures screenshots and streams victim screens in real-time during fraud sessions.
T1115: Clipboard Data – TCLBanker hijacks clipboard contents to steal cryptocurrency wallet addresses and banking information.
T1114: Email Collection T1114.001: Local Email Collection – TCLBanker worm module harvests email contacts from Outlook for phishing distribution.
T1071: Application Layer Protocol T1071.001: Web Protocols – TCLBanker uses WebSocket protocol for real-time C2 communications with attacker infrastructure.
T1102: Web Service – TCLBanker hosts its entire C2 and distribution infrastructure on the Cloudflare Workers platform.
T1105: Ingress Tool Transfer – TCLBanker C2 framework supports downloading additional tools and payloads to compromised systems.
T1041: Exfiltration Over C2 Channel – TCLBanker exfiltrates stolen credentials, screenshots, and financial data over WebSocket C2 connections.
T1529: System Shutdown/Reboot – TCLBanker overlay framework includes fake Windows Update screens potentially triggering system reboots during fraud operations.