{
  "name": "TCLBANKER: Brazilian Banking Trojan Spreading via WhatsApp and Outlook",
  "slug": "tclbanker-brazilian-banking-trojan-spreading-via-whatsapp-and-outlook",
  "description": "A sophisticated Brazilian banking trojan named TCLBANKER has been identified, representing a significant evolution of the MAVERICK/SORVEPOTEL malware family. The campaign employs a trojanized Logitech installer that deploys two .NET Reactor-protected modules through DLL side-loading. The banking trojan monitors 59 Brazilian financial institutions using UI Automation and features a WPF-based full-screen overlay framework for operator-driven social engineering, including credential-harvesting prompts and fake system screens. A secondary worm module enables self-propagation through WhatsApp session hijacking and Outlook COM automation, sending phishing messages from victims' own accounts. The malware implements robust anti-analysis capabilities, including environment-gated payload decryption, comprehensive watchdog systems, and ETW patching. Its infrastructure is hosted on Cloudflare Workers, and the available evidence suggests the campaign was detected in its early operational stages.",
  "published": "2026-05-06T17:35:01+00:00",
  "created_at": "2026-05-06T17:35:01+00:00",
  "modified_at": "2026-05-08T06:47:23+00:00",
  "created_at_opencti": "2026-05-06T17:35:01+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2026-05-06",
    "maverick",
    "sorvepotel",
    "tclbanker",
    "whatsapp worm"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "701d51b7be8b034c860bf97847bd59a87dca8481c4625328813746964995b626"
      },
      {
        "id": "",
        "name": "668f932433a24bbae89d60b24eee4a24808fc741f62c5a3043bb7c9152342f40"
      },
      {
        "id": "",
        "name": "63beb7372098c03baab77e0dfc8e5dca5e0a7420f382708a4df79bed2d900394"
      },
      {
        "id": "",
        "name": "8a174aa70a4396547045aef6c69eb0259bae1706880f4375af71085eeb537059"
      }
    ],
    "malware": [
      {
        "id": "legacy:malware:d62d4c66ee50e421",
        "name": "SORVEPOTEL",
        "slug": "sorvepotel"
      },
      {
        "id": "legacy:malware:274d906cebb6c7b5",
        "name": "TCLBANKER",
        "slug": "tclbanker"
      },
      {
        "id": "legacy:malware:5c995bbb81b028b8",
        "name": "MAVERICK",
        "slug": "maverick"
      }
    ],
    "intrusion_sets": [
      {
        "id": "c7352199-53b4-4255-9bc5-f17baed2c099",
        "name": "REF3076",
        "slug": "ref3076"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "Finance"
      },
      {
        "id": "",
        "name": "documentos-online.com"
      },
      {
        "id": "",
        "name": "mxtestacionamentos.com"
      },
      {
        "id": "",
        "name": "saogeraldoshiping.com"
      },
      {
        "id": "",
        "name": "recebamais.com"
      },
      {
        "id": "",
        "name": "doccompartilhe.com"
      },
      {
        "id": "",
        "name": "window.navigator.chrome"
      },
      {
        "id": "",
        "name": "arquivos-omie.com"
      },
      {
        "id": "",
        "name": "afonsoferragista.com"
      }
    ]
  },
  "external_refs": [
    "https://www.elastic.co/security-labs/tclbanker-brazilian-banking-trojan",
    "https://otx.alienvault.com/pulse/69fb97e531a95b262c4925aa"
  ]
}