Code related to filtering potential spam victim emails | Image: Elastic Security Labs
Elastic Security Labs has uncovered a highly sophisticated Brazilian banking trojan dubbed TCLBANKER, tracked under the campaign REF3076. Assessed as a major evolution of the MAVERICK/SORVEPOTEL malware family, this trojan is actively targeting 59 distinct banking, fintech, and cryptocurrency domains.
This is not a standard credential scraper. TCLBANKER represents a critical threat due to its evasive architecture, operator-driven social engineering, and aggressive self-propagation mechanisms.
TCLBANKER orchestrates a complete, real-time deception protocol. Once a victim navigates to a monitored financial site, the malware activates a WebSocket command-and-control (C2) session.
From there, operators can push full-screen WPF overlays that replace what the victim sees on the desktop. The overlays are built for specific fraud flows:
- Credential Harvesting: Dynamically prompted input fields for pins and passwords.
- Vishing Wait Screens: Screens informing the user that support is “getting in touch,” stalling them while an accomplice actively calls their phone.
- Fake System Stalls: Highly convincing, randomized “Windows Update” screens designed to paralyze the user while malicious activity occurs in the background.
Alarmingly, the malware calls the SetWindowDisplayAffinity API on these overlays so that they are excluded from screen capture. The operators, who watch the session remotely, therefore see the real desktop underneath, while the victim sees only the fake interface. The same affinity blinds ordinary screenshots and screen-sharing tools, so a helpdesk or analyst capturing the victim's screen would not see the overlay either. Because relatively few legitimate applications (password managers, DRM video players) set this affinity, a window with it set is itself a useful hunting signal.
Traditional email gateways and reputation-based defenses are struggling to contain TCLBANKER because the malware turns the victim’s own trusted networks against them. The threat actors have embedded secondary worm modules specifically designed for rapid self-propagation.
- WhatsApp Hijacking: The malware scans the host for Chromium-based browsers, clones the user’s profile data, and silently hijacks their authenticated WhatsApp Web session. It then sends the malicious payload to the victim’s contacts, so the lure arrives from a known sender inside an existing conversation.
- Outlook Automation: An email bot component utilizes COM automation to commandeer the victim’s Microsoft Outlook application. It scrapes contact lists and sends phishing emails directly from the victim’s legitimate, authenticated account.
As the researchers warn, “The campaign inherits the trust and deliverability of legitimate communications by hijacking victims’ WhatsApp sessions and Outlook accounts.”
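The three host behaviours just described (an overlay hidden from screen capture, a non-browser process reading a Chromium session store, and Outlook driven over COM followed by a burst of outbound mail) are each visible in ordinary endpoint telemetry. The following is an added example of detection logic over constructed events; it is not Elastic's rule content and not telemetry from the REF3076 report. The event schema and field names, the assumption that a COM-activated Outlook shows `-Embedding` on its command line, the empty capture-exclusion allowlist, and the burst threshold and window are all this example's own choices.

```python
# Added example (not Elastic's detection content and not from the REF3076 report):
# simple host-telemetry rules for three behaviours described above. The event
# schema, field names, tuning values and the sample events are all constructed.

WDA_EXCLUDEFROMCAPTURE = 0x11  # documented SetWindowDisplayAffinity value that hides a window from capture

BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "vivaldi.exe"}
# Processes allowed to hide windows from capture (assumed empty here; tune per estate).
CAPTURE_EXCLUSION_ALLOWLIST = set()
# Artifacts under a Chromium "User Data\<profile>" tree that hold the WhatsApp Web login state.
SESSION_ARTIFACTS = ("local storage", "indexeddb", "session storage", "cookies")
MAIL_BURST_THRESHOLD = 20   # assumed tuning: this many sent messages ...
MAIL_BURST_WINDOW_S = 300   # ... within this many seconds of a COM-launched Outlook


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def reads_chromium_session(path: str) -> bool:
    """True if `path` points at a session-bearing artifact inside a Chromium profile."""
    p = path.lower()
    return "\\user data\\" in p and any(a in p for a in SESSION_ARTIFACTS)


def detect(events):
    """Run the rules over a list of event dicts; return (rule, detail) alerts in order."""
    alerts, com_outlook_starts, mail_ts = [], [], []
    for ev in sorted(events, key=lambda e: e["ts"]):
        kind, image = ev["event"], basename(ev.get("image", ""))
        # 1. Overlay hidden from screen capture by a process we do not expect to do that.
        if (kind == "api_call" and ev["api"] == "SetWindowDisplayAffinity"
                and ev["affinity"] == WDA_EXCLUDEFROMCAPTURE
                and image not in CAPTURE_EXCLUSION_ALLOWLIST):
            alerts.append(("capture_excluded_window", image))
        # 2. Non-browser process reading the browser's session store (WhatsApp Web hijack prep).
        elif kind == "file_read" and image not in BROWSERS and reads_chromium_session(ev["target"]):
            alerts.append(("chromium_session_read", image))
        # 3a. Outlook started by COM activation (assumed to show "-Embedding" on the command line).
        elif (kind == "process_create" and image == "outlook.exe"
                and "-embedding" in ev["cmdline"].lower()):
            com_outlook_starts.append(ev["ts"])
        # 3b. Outbound mail from this user (e.g. from a message-trace feed).
        elif kind == "mail_sent":
            mail_ts.append(ev["ts"])
    # A COM-launched Outlook followed by a burst of sent mail is the propagation signature.
    for start in com_outlook_starts:
        n = sum(1 for t in mail_ts if start <= t <= start + MAIL_BURST_WINDOW_S)
        if n >= MAIL_BURST_THRESHOLD:
            alerts.append(("outlook_com_mail_burst",
                           f"{n} messages within {MAIL_BURST_WINDOW_S}s of COM-launched Outlook"))
    return alerts


# Constructed sample telemetry: one dropper (svc.exe) doing all three things, plus benign noise.
DROPPER = "C:\\Users\\ana\\AppData\\Roaming\\upd\\svc.exe"
SAMPLE_EVENTS = [
    {"ts": 100, "event": "api_call", "image": DROPPER,
     "api": "SetWindowDisplayAffinity", "affinity": WDA_EXCLUDEFROMCAPTURE},
    {"ts": 101, "event": "file_read", "image": DROPPER,
     "target": "C:\\Users\\ana\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Storage\\leveldb\\000005.ldb"},
    {"ts": 102, "event": "file_read", "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "target": "C:\\Users\\ana\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies"},  # benign
    {"ts": 110, "event": "process_create",
     "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE",
     "cmdline": "\"C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE\" -Embedding",
     "parent": "C:\\Windows\\System32\\svchost.exe"},
] + [{"ts": 115 + 3 * i, "event": "mail_sent", "sender": "ana@example.com"} for i in range(25)]

if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

Run against the sample, the rules fire once each for the dropper and stay quiet for the browser's own profile access. The first two rules are process-centric and cheap; the third only becomes meaningful when correlated with a mail feed, which is why the Outlook activation is recorded rather than alerted on by itself.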
TCLBANKER’s anti-analysis measures are substantial. Payload decryption is environment-gated: the loader derives an environment hash from system disk information, the local language settings, and the results of its anti-debugging checks, and uses that hash to decrypt the payload. On a host that does not match, such as an automated sandbox or an analyst’s VM, the hash is wrong, decryption fails silently, and the payload is never exposed. The practical consequence is that the second stage cannot be recovered from the loader alone; it has to be captured on a matching host, or the exact environment values have to be reproduced.
Furthermore, a dedicated watchdog subsystem continuously monitors the host system for analysis tools, instrumentation frameworks, and integrity violations.
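To make the gating mechanism concrete, here is an added example that reconstructs the idea in Python. It is not TCLBANKER’s code and not Elastic’s analysis: the article does not specify which disk fields are hashed, how the key is derived, or which cipher is used, so the fingerprint fields, the HMAC-SHA256 counter-mode keystream used as a stand-in cipher, the encrypt-then-MAC framing that makes the failure silent, and the sample values are all this example’s own assumptions. The `recover` function shows the analyst side of the same problem: with the disk serial taken from the victim’s disk image, the remaining inputs are small enough to enumerate.

```python
# Added example (a reconstruction of the mechanism, not TCLBANKER's code or Elastic's
# analysis): a loader whose payload key is derived from a host fingerprint, with a MAC
# so a mismatch fails silently instead of producing garbage. The fingerprint fields,
# the keystream construction and the sample values are all this example's own.
import hashlib
import hmac


def environment_hash(disk_serial: str, ui_language: str,
                     debugger_present: bool, sandbox_markers: list) -> bytes:
    """Mix the kinds of inputs the article describes: disk identity, locale, and the
    outcome of anti-debug / anti-sandbox checks. Any difference changes the key."""
    material = b"|".join([
        disk_serial.encode(), ui_language.encode(),
        b"dbg=1" if debugger_present else b"dbg=0",
        b"sbx=1" if sandbox_markers else b"sbx=0",
    ])
    return hashlib.sha256(material).digest()


def _keystream(key: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode as a stand-in stream cipher (stdlib only).
    out = b""
    for counter in range((n + 31) // 32):
        out += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]


def seal(plaintext: bytes, env: bytes) -> bytes:
    """Encrypt under the environment-derived key and append a MAC (encrypt-then-MAC)."""
    enc_key = hashlib.sha256(b"enc" + env).digest()
    mac_key = hashlib.sha256(b"mac" + env).digest()
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, len(plaintext))))
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()


def open_gated(blob: bytes, env: bytes):
    """Return the payload, or None (silent failure) when the environment does not match."""
    ct, tag = blob[:-32], blob[-32:]
    mac_key = hashlib.sha256(b"mac" + env).digest()
    if not hmac.compare_digest(hmac.new(mac_key, ct, hashlib.sha256).digest(), tag):
        return None   # wrong host: no crash and no decrypted artefact for a sandbox to catch
    enc_key = hashlib.sha256(b"enc" + env).digest()
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, len(ct))))


def recover(blob: bytes, disk_serial: str, candidate_languages):
    """Analyst side: with the disk serial taken from the victim's disk image, try locale
    candidates with the anti-analysis checks reporting 'clean', as they did on the victim."""
    for lang in candidate_languages:
        env = environment_hash(disk_serial, lang, debugger_present=False, sandbox_markers=[])
        pt = open_gated(blob, env)
        if pt is not None:
            return lang, pt
    return None


# Constructed values: a Brazilian victim host versus a typical analysis VM.
PAYLOAD = b"stage2 placeholder (constructed)"
VICTIM_ENV = environment_hash("WD-WCC4E1234567", "pt-BR", False, [])
SANDBOX_ENV = environment_hash("VBOX HARDDISK", "en-US", True, ["vboxservice.exe"])
BLOB = seal(PAYLOAD, VICTIM_ENV)

if __name__ == "__main__":
    print("victim :", open_gated(BLOB, VICTIM_ENV))
    print("sandbox:", open_gated(BLOB, SANDBOX_ENV))
    print("recover:", recover(BLOB, "WD-WCC4E1234567", ["en-US", "es-ES", "pt-BR"]))
```

Two points follow from the construction. A sandbox that reports a debugger, a hypervisor disk, or the wrong locale produces a different hash and gets `None`, with nothing written to disk or memory that a dynamic-analysis pipeline could harvest. Conversely, the gate is only as strong as the entropy of its inputs: once the disk identifier is known from the victim’s image, the locale and check results are enumerable, which is why full-disk collection from an infected host matters more than the loader sample itself.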
“TCLBANKER reflects a broader maturation happening across the Brazilian banking trojan ecosystem,” the report notes. “Techniques that were once the hallmark of more sophisticated threat actors… are now being packaged into commodity crimeware.”
Despite its advanced evasion and propagation capabilities, infrastructure artifacts, such as an incomplete phishing page and exposed debug logging paths, indicate that the REF3076 operators are just getting started.
As Elastic Security Labs concludes: “This is a campaign still being built out, not wound down.” Network defenders must recognize that the barrier to entry for highly evasive, self-spreading financial malware has permanently dropped, requiring an immediate shift toward behavioral monitoring and strict endpoint control.