Canadian Cyber Security Journal
Filed under: TechTalk

TCLBANKER Banking Trojan Spreads Through Signed Logitech Installer and WhatsApp Worm — What Canadian Financial Teams Need to Know

What Happened

Elastic Security Labs published research on May 8, 2026 identifying TCLBANKER, a new Brazilian banking trojan tracked under the campaign name REF3076. The malware is a significant evolution of the Maverick banking trojan family and introduces self-spreading capabilities not seen in its predecessors.

The initial infection vector is a trojanized MSI installer package for Logi AI Prompt Builder — a legitimate, digitally signed Logitech application built on the Flutter framework. The installer abuses DLL sideloading against LogiAiPromptBuilder.exe to deploy the TCLBANKER payload. Because the file carries a valid Logitech code signature, it passes many security scans without triggering alerts.

Once installed, TCLBANKER deploys two primary components. The first is a banking trojan that monitors the victim’s browser address bar and activates when any of 59 targeted banking, fintech, or cryptocurrency domains are visited. It deploys Windows Presentation Foundation (WPF) full-screen overlay screens — including fake Windows Updates, credential harvesting prompts, and bogus progress bars — all designed to extract banking credentials through operator-driven social engineering. The overlays are also hidden from screen capture tools.

The second component is a dual-channel worm. A WhatsApp Web module silently hijacks the victim’s authenticated WhatsApp browser session and sends malicious messages to their contacts. An Outlook email bot uses the Microsoft Outlook application to send infected emails to the victim’s address book. Both propagation methods abuse authenticated, trusted communication channels — making the messages appear legitimate to recipients. Elastic assesses that the campaign is still in its early operational stages, based on development artifacts and phishing infrastructure that was not fully active at the time of analysis.

Why This Matters for Canadian Organizations

The TCLBANKER campaign is currently assessed as Brazil-focused, but the targeting of 59 financial platforms and the use of self-spreading worm modules create meaningful risk for Canadian organizations. Several of the targeted platforms operate in Canada, and the WhatsApp and Outlook worm channels have no geographic boundary. A single infection inside a Canadian financial institution, accounting firm, or fintech company spreads automatically through the organization’s own communication tools.

The signed Logitech installer delivery method is particularly concerning because many organizations whitelist software from known vendors or rely on code signing as a trust signal. Security teams running application allowlisting based solely on publisher signature will not block this payload. The use of WPF overlays that evade screen capture also defeats certain endpoint monitoring and session recording controls.

Canadian financial institutions are subject to OSFI Guideline B-13 obligations around technology and cyber risk. A breach originating from a banking trojan targeting employee or customer credentials triggers both internal incident response procedures and PIPEDA breach notification obligations if personal financial data is accessed or exfiltrated.

What to Do

Block the delivery mechanism: Audit software deployment controls and verify that MSI packages from third-party installers, even signed ones, are vetted before execution in enterprise environments. Flag Logitech Logi AI Prompt Builder installations that appear outside of IT-managed deployment processes.

Review endpoint detection for DLL sideloading patterns against signed executables. Most modern EDR platforms flag DLL sideloading when a legitimate signed binary loads an unexpected DLL from the same directory. Verify your EDR policy covers this detection category.
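The sideloading pattern described above (a signed executable loading an unexpected DLL from its own directory) can be expressed as a simple rule over endpoint image-load telemetry. The following detector is an added example written for this article; it is not code from the article, from Elastic Security Labs, or from Logitech. It runs over constructed records shaped loosely after Sysmon Event ID 7 fields (process image, loaded image, signature status, signer). The install path, signer strings and the DLL names "placeholder_hijacked.dll" and "placeholder_other.dll" are illustrative: the article does not name the sideloaded DLL, and only LogiAiPromptBuilder.exe comes from the text.

```python
"""Added example (not from the article, Elastic Security Labs, or Logitech):
a minimal detector for the DLL sideloading pattern the article describes, a
signed executable loading an unexpected DLL from its own directory.  It runs
over constructed image-load records shaped loosely after Sysmon Event ID 7
fields (Image, ImageLoaded, Signed, Signature)."""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# DLLs resolved from the Windows system directories are the normal case and
# are ignored; sideloading relies on the application's own directory winning
# the DLL search order instead.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


@dataclass(frozen=True)
class ImageLoad:
    image: str            # process that performed the load
    image_signed: bool
    image_signer: str
    image_loaded: str     # DLL that was mapped into the process
    loaded_signed: bool
    loaded_signer: str


def _parent(path: str) -> str:
    """Lower-cased directory part of a Windows path, for comparison."""
    return str(PureWindowsPath(path).parent).lower()


def is_sideload_candidate(ev: ImageLoad, expected: frozenset = frozenset()) -> bool:
    """True when a signed process loads, from its own directory, a DLL that is
    unsigned or signed by someone other than the process's own publisher.
    `expected` holds lower-case file names of DLLs known to ship with the app,
    so bundled third-party components do not generate noise."""
    if not ev.image_signed:
        return False                     # the pattern is about trusted hosts
    dll_dir = _parent(ev.image_loaded)
    if dll_dir in SYSTEM_DIRS or dll_dir != _parent(ev.image):
        return False                     # not loaded from the app directory
    if PureWindowsPath(ev.image_loaded).name.lower() in expected:
        return False                     # known bundled component
    if not ev.loaded_signed:
        return True                      # unsigned DLL beside a signed exe
    return ev.loaded_signer.casefold() != ev.image_signer.casefold()


def scan(events, expected: frozenset = frozenset()):
    """Return the paths of loaded DLLs that match the sideloading pattern."""
    return [ev.image_loaded for ev in events if is_sideload_candidate(ev, expected)]


# Constructed sample records.  The install path, signer strings and the two
# "placeholder_*.dll" names are illustrative; the article does not name the
# DLL that is sideloaded against LogiAiPromptBuilder.exe.
APP_DIR = r"C:\Users\alice\AppData\Local\Programs\LogiAiPromptBuilder"
EXE = APP_DIR + r"\LogiAiPromptBuilder.exe"
SAMPLE_EVENTS = [
    # Normal: a system DLL loaded from System32.
    ImageLoad(EXE, True, "Example Vendor", r"C:\Windows\System32\kernel32.dll",
              True, "Microsoft Windows"),
    # Normal: a bundled runtime DLL signed by the same publisher as the exe.
    ImageLoad(EXE, True, "Example Vendor", APP_DIR + r"\flutter_windows.dll",
              True, "Example Vendor"),
    # Suspicious: an unsigned DLL loaded from the application's own directory.
    ImageLoad(EXE, True, "Example Vendor", APP_DIR + r"\placeholder_hijacked.dll",
              False, ""),
    # Suspicious: a DLL in the app directory signed by a different publisher.
    ImageLoad(EXE, True, "Example Vendor", APP_DIR + r"\placeholder_other.dll",
              True, "Some Other Publisher"),
]

if __name__ == "__main__":
    for path in scan(SAMPLE_EVENTS):
        print("possible DLL sideloading:", path)
```

The rule deliberately keys on the mismatch between the host executable's signer and the loaded DLL's signer rather than on the vendor signature alone, which is the gap the allowlisting discussion above points at: a valid publisher signature on the host binary says nothing about the DLL it is tricked into loading. A per-application set of expected bundled DLL names keeps legitimately shipped third-party components from raising alerts.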

Alert users about the WhatsApp and Outlook worm propagation channels. Security awareness messaging should note that malicious links or attachments arriving through WhatsApp or email contacts are not inherently trustworthy even if they appear to come from a known person. Report suspicious Logitech installer activity to your security operations team immediately.

Source: The Hacker News | BleepingComputer
