Brazilian Banking Trojan TCLBANKER Strikes 59 Financial Platforms – Spreads via WhatsApp and Email Worms

Breaking: TCLBANKER Trojan Targets 59 Banking and Crypto Platforms

Security researchers at Elastic Security Labs have uncovered a previously undocumented Brazilian banking trojan, dubbed TCLBANKER, that is actively targeting 59 different banking, fintech, and cryptocurrency platforms. The malware spreads through self-replicating worms on WhatsApp and Microsoft Outlook, posing an urgent threat to financial institutions and their customers.

Elastic is tracking the campaign under the identifier REF3076. The TCLBANKER family is assessed to be a major update of an older threat known as Maverick, which relied on a worm called SORVEPOTEL to propagate via messaging and email channels.

Quote from Elastic Security Labs

“TCLBANKER represents a significant evolution in modular banking malware,” said an Elastic Security Labs analyst. “Its ability to compromise nearly 60 financial platforms while spreading through trusted communication tools makes it one of the most urgent threats we are tracking in Latin America.”

Background: Evolution of the Threat

The TCLBANKER trojan originates from Brazil, a country known for sophisticated banking malware families such as Grandoreiro and Mekotio. Like its predecessor Maverick, TCLBANKER incorporates a worm component that automatically replicates and sends malicious links through WhatsApp and Outlook, so every newly infected account becomes a sender for the next round of infections.

Elastic Security Labs notes that the malware uses a modular architecture, allowing it to update its target list and evasion techniques on the fly. The worm, SORVEPOTEL, was first seen in connection with the Maverick malware in 2023 and has now been upgraded in TCLBANKER to bypass modern antivirus and email filters.

Distribution Vectors

Attackers initiate infections by sending phishing messages via WhatsApp containing malicious links or attachments. Once a device is compromised, the worm scans the victim’s contact list and forwards the malware to additional targets using Outlook email threads, mimicking legitimate conversation replies.

This double-pronged approach exploits both personal messaging and corporate email systems, making the trojan particularly dangerous for financial sector employees who regularly use both platforms.
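The propagation pattern described above (a compromised mailbox replying into existing conversations with the same malicious link, over and over) leaves a recognisable footprint in an outbound mail log. The following is an added example, not code from Elastic Security Labs and not a published TCLBANKER detection: a burst heuristic that flags a sender who replies into several distinct threads, to several distinct recipients, within a short window, with every reply carrying the same URL. The log format, field names, thresholds, sender addresses and the `files-update.example` link are all constructed for the example.

```python
"""Flag a mailbox that is mass-replying the same link into many threads.

Added example, not Elastic's code or a published TCLBANKER signature.
The 'ts|sender|recipient|in_reply_to|body' log format, the thresholds
and the sample records below are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional
import re

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


@dataclass(frozen=True)
class OutboundMessage:
    ts: datetime
    sender: str
    recipient: str
    in_reply_to: Optional[str]  # parent Message-ID; None for a fresh thread
    body: str


def parse_log_line(line: str) -> OutboundMessage:
    """Parse one constructed 'ts|sender|recipient|in_reply_to|body' record."""
    ts, sender, recipient, parent, body = line.split("|", 4)
    return OutboundMessage(
        ts=datetime.fromisoformat(ts),
        sender=sender.lower(),
        recipient=recipient.lower(),
        in_reply_to=parent or None,
        body=body,
    )


def normalize_url(url: str) -> str:
    """Lower-case and drop scheme/trailing punctuation so variants collapse."""
    url = url.strip().rstrip(".,;)").lower()
    return re.sub(r"^https?://", "", url)


def find_reply_bursts(messages, window=timedelta(minutes=10),
                      min_threads=3, min_recipients=5):
    """Return {sender: {url, ...}} for senders that, inside `window`,
    replied into >= min_threads distinct threads to >= min_recipients
    distinct recipients, with every reply carrying the same URL.

    Fresh-thread messages (no In-Reply-To) are ignored: the behaviour
    modelled is a reply forged into an existing conversation.
    """
    events = defaultdict(list)  # (sender, url) -> [(ts, thread, recipient)]
    for m in messages:
        if m.in_reply_to is None:
            continue
        for url in {normalize_url(u) for u in URL_RE.findall(m.body)}:
            events[(m.sender, url)].append((m.ts, m.in_reply_to, m.recipient))

    flagged = defaultdict(set)
    for (sender, url), hits in events.items():
        hits.sort()
        lo = 0
        for hi in range(len(hits)):
            while hits[hi][0] - hits[lo][0] > window:  # slide window start
                lo += 1
            span = hits[lo:hi + 1]
            threads = {t for _, t, _ in span}
            recipients = {r for _, _, r in span}
            if len(threads) >= min_threads and len(recipients) >= min_recipients:
                flagged[sender].add(url)
                break
    return dict(flagged)


# Constructed sample log (not real traffic): ana replies normally; joao's
# mailbox replies the same link into six threads within four minutes.
SAMPLE_LOG = [
    "2025-01-06T09:00:00|ana@corp.example|bob@corp.example|<t1@corp.example>|See https://docs.corp.example/q4 for the report.",
    "2025-01-06T09:03:00|ana@corp.example|eve@corp.example|<t2@corp.example>|Same file: https://docs.corp.example/q4",
    "2025-01-06T10:00:00|joao@corp.example|p1@client.example||New quote: https://files-update.example/doc.zip",
    "2025-01-06T10:01:00|joao@corp.example|p2@client.example|<a@client.example>|Re: invoice, see https://files-update.example/doc.zip",
    "2025-01-06T10:01:30|joao@corp.example|p3@client.example|<b@client.example>|Re: contract https://files-update.example/doc.zip",
    "2025-01-06T10:02:00|joao@corp.example|p4@corp.example|<c@corp.example>|Re: meeting https://files-update.example/doc.zip",
    "2025-01-06T10:02:30|joao@corp.example|p5@corp.example|<d@corp.example>|Re: lunch HTTPS://files-update.example/doc.zip.",
    "2025-01-06T10:03:00|joao@corp.example|p6@client.example|<e@client.example>|Re: PO https://files-update.example/doc.zip",
    "2025-01-06T10:04:00|joao@corp.example|p7@client.example|<f@client.example>|Re: shipment https://files-update.example/doc.zip",
]


def run_sample():
    """Run the heuristic over the constructed log; returns flagged senders."""
    return find_reply_bursts(parse_log_line(line) for line in SAMPLE_LOG)


if __name__ == "__main__":
    for sender, urls in run_sample().items():
        print(f"{sender}: {', '.join(sorted(urls))}")
```

The thresholds are deliberately loose: the point is to surface one account replying the same link into many unrelated threads, which ordinary users rarely do, not to classify the link itself. In a real deployment the same logic would run against the gateway's message-trace export, and a hit should lead to isolating the sending device and revoking its mail and messaging sessions, as the article's guidance suggests, rather than only blocking the URL.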

What This Means for Financial Users

For institutions and individual users alike, TCLBANKER's ability to target 59 distinct platforms—including major banks, fintech apps, and cryptocurrency exchanges—means that the protections of any single platform cannot be relied on. Users should enable two-factor authentication on every financial account and avoid clicking on unsolicited links in messages or emails, even if they appear to come from known contacts: the worm sends its links from genuinely compromised accounts, so a familiar sender is not a signal of safety.

Elastic Security Labs recommends that enterprises deploy advanced email security gateways and behavioral detection for messaging apps. “The worm-like propagation makes TCLBANKER a potential vector for lateral movement within corporate networks,” the analyst added. “Isolating compromised devices and re-authenticating all sessions is critical.”

Immediate Steps to Take

  • Verify, out of band, any message that requests login credentials or a financial transaction—even from trusted senders, since a compromised contact's own account may be doing the sending.
  • Update antivirus definitions and keep Outlook and WhatsApp clients patched. Note that the propagation described here abuses the victim's already logged-in accounts rather than a reported client flaw, so patching alone does not stop the worm from spreading.
  • Monitor account activity for unauthorized access, especially on banking, fintech, and cryptocurrency accounts.

Researchers say that TCLBANKER is still evolving, and further updates to its target list are expected. The threat underscores the growing sophistication of Latin American banking trojans and their global reach via social engineering.

Conclusion

As TCLBANKER spreads rapidly through WhatsApp and Outlook worms, the financial industry must act swiftly. The malware’s modular design and expanded target set make it a clear and present danger to digital finance.

Elastic Security Labs continues to monitor REF3076 and will release indicators of compromise as new variants emerge. Users are urged to remain vigilant and report any suspicious messages immediately.
