Hackers are using TCLBanker, a Windows trojan tied to tainted Microsoft installation packages, to target banking, fintech and cryptocurrency platforms.
Good to Know
Elastic Security Labs found the trojan and believes it has grown out of the older Maverick and Sorvepotel malware family. BleepingComputer reports that the campaign appears focused on Brazil, where the malware watches browser activity for visits to targeted apps and sites.
TCLBanker does not wait for a user to open a banking page by chance. It checks the browser address bar every second. Once someone opens one of the targeted platforms, the malware connects to a command-and-control server through a WebSocket session and gives operators remote access.
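The pairing described above (a browser lands on a watched site, then a WebSocket session opens to a remote operator) is something a defender can look for in endpoint telemetry. The following is an added example, not code from the article or from Elastic Security Labs: a small correlation check that flags a WebSocket upgrade from a non-browser process within a few seconds of a browser visit to a watched domain. The log format, the field names, the process names, the watched domains and every sample record are constructed for this illustration and are not indicators from the campaign.

```python
"""
Constructed defender-side example: correlate browser navigations with
WebSocket upgrades from non-browser processes.

Each log line is "<unix_ts>|<kind>|<process image>|<target host>", where
kind is "url" (browser navigation) or "ws" (outbound WebSocket upgrade).
All names and values below are constructed placeholders, not real IoCs.
"""
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Assumed browser image names; real deployments would take these from inventory.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
# Constructed placeholders for "sites the campaign watches".
WATCHED_DOMAINS = {"bank.example", "wallet.example"}
# How long after a watched visit a foreign WebSocket counts as suspicious.
WINDOW_SECONDS = 5


@dataclass
class Event:
    ts: int        # seconds since epoch (constructed)
    kind: str      # "url" or "ws"
    process: str   # image name of the process that produced the event
    target: str    # visited host for "url", remote host for "ws"


def parse_line(line: str) -> Event:
    ts, kind, process, target = line.strip().split("|")
    return Event(int(ts), kind, process, target)


def parse_log(lines: Iterable[str]) -> List[Event]:
    return [parse_line(ln) for ln in lines if ln.strip()]


def find_suspicious_pairs(events: Iterable[Event],
                          watched=WATCHED_DOMAINS,
                          window: int = WINDOW_SECONDS) -> List[Tuple[Event, Event]]:
    """Return (visit, websocket) pairs where a process that is not a browser
    opened a WebSocket within `window` seconds after a browser visited a
    watched domain. WebSockets opened by the browser itself are ignored,
    since banking and wallet sites legitimately use them."""
    ordered = sorted(events, key=lambda e: e.ts)
    hits: List[Tuple[Event, Event]] = []
    for i, visit in enumerate(ordered):
        if visit.kind != "url" or visit.process.lower() not in BROWSERS:
            continue
        if visit.target.lower() not in watched:
            continue
        for later in ordered[i + 1:]:
            if later.ts - visit.ts > window:
                break  # events are sorted, nothing further can be in the window
            if later.kind == "ws" and later.process.lower() not in BROWSERS:
                hits.append((visit, later))
    return hits


def describe(hits: Iterable[Tuple[Event, Event]]) -> List[str]:
    """Human-readable summary lines for each flagged pair."""
    return [
        f"{ws.process} opened WebSocket to {ws.target} {ws.ts - visit.ts}s "
        f"after {visit.process} visited {visit.target}"
        for visit, ws in hits
    ]


# Constructed sample telemetry (not captured data).
SAMPLE_LOG = [
    "1000|url|chrome.exe|news.example",
    "1003|ws|chrome.exe|news.example",      # browser's own socket: benign
    "1010|url|chrome.exe|bank.example",     # watched site opened
    "1011|ws|chrome.exe|bank.example",      # the bank's own socket: benign
    "1012|ws|updater.exe|203.0.113.10",     # foreign process, 2s later: flag
    "1100|ws|updater.exe|203.0.113.10",     # no watched visit nearby: not flagged
]

if __name__ == "__main__":
    for line in describe(find_suspicious_pairs(parse_log(SAMPLE_LOG))):
        print(line)
```

On the constructed sample this flags exactly one pairing: the non-browser process that opened a socket two seconds after the watched visit. The lone socket at the end of the log is not flagged because no watched visit precedes it within the window, which keeps the rule from firing on every outbound WebSocket a host makes.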
The main risk comes from how much control TCLBanker gives attackers. Operators can stream the screen live, take screenshots, log keystrokes, hijack clipboard data, run shell commands, browse files and control the mouse and keyboard remotely.
That makes the malware dangerous for online banking, crypto wallets and fintech accounts. A copied wallet address, a typed password or a one-time code can each be exposed during an active session.
TCLBanker also uses fake overlay screens to trick users. Those screens can imitate credential prompts, PIN pads, bank support waiting pages, Windows Update messages and progress bars. The goal stays the same each time: collect private account data while making the screen look normal.
Before it begins deeper activity, the trojan checks timezone, keyboard layout and locale on the infected device. Those checks help it decide whether the machine fits the campaign target.
The spread method adds another problem. TCLBanker includes worm modules that let it move automatically through WhatsApp and Outlook, giving attackers a path into new systems through apps people already trust.