
May 10, 2026 · 9 min read

A Brazilian Banking Trojan Just Used One Hijacked Outlook Inbox to Spam 3,000 Contacts at a Time—And It Spreads Through WhatsApp Web Too

Elastic Security Labs published research on TCLBANKER, a Brazilian banking trojan whose worm modules turn an infected Windows machine into a launchpad for messaging attacks. The Outlook agent ships the trojanized installer to up to 3,000 of the victim's contacts, while a WhatsApp Web hijacker pushes the same payload into messaging threads—all while the loader targets 59 banking, fintech, and crypto platforms.

A laptop screen showing a banking interface partially obscured by translucent message bubbles representing Outlook and WhatsApp messages spreading from one infected inbox

What Happened

On May 8, 2026, Elastic Security Labs published an analysis of a previously undocumented Brazilian banking trojan it tracks as REF3076 and that the broader research community has named TCLBANKER. The malware is assessed to be a major update of the older Maverick family, and Trend Micro attributes the cluster to the threat actor group Water Saci.

The novelty in TCLBANKER is not the banking overlays—Brazilian crimeware has been doing those for fifteen years. The novelty is the worm. The infection chain ships a loader that drops two modules side by side: a banking trojan that targets 59 banking, fintech, and cryptocurrency platforms, and a propagation engine that uses a victim's authenticated Outlook and WhatsApp Web sessions to push the malicious installer to thousands of new targets without the operator lifting a finger.

Elastic flagged the campaign as still in early operational stages. That is the worst time to find one. The wave that follows is what determines how many bank logins end up in the operators' hands.

How the Outlook Worm Sends Mail You Did Not Send

The Outlook component is what makes this campaign matter for inbox security. Once TCLBANKER lands on a Windows machine that has the Outlook desktop client installed, the worm module performs the following sequence:

  1. It enumerates the local Outlook profile and harvests the address book and recent senders.
  2. It selects up to 3,000 recipients from those contacts.
  3. It composes a phishing email from the victim's own account, attaches a ZIP file containing the trojanized MSI installer, and sends it through the active Outlook session.
  4. The email leaves the corporate or personal mail server clean—signed by the real domain, passing SPF, DKIM, and DMARC—because it actually came from the victim.

That last step is the one defenders cannot easily filter. The email is not spoofed. It is not relayed through a residential proxy. It is the genuine outbound mail of a real, authenticated user inside a real organization. Every authentication header lines up. The only signal that the message is malicious is the attachment itself, and the attachment is a signed Logitech installer carrying a side-loaded DLL.

For a recipient, the message arrives from a person they have actually corresponded with. The subject line and body are pulled from a templating system the operator can update, so the lure tracks whatever the campaign feels is in season. The download looks like a familiar Logitech utility. The natural skepticism a user might have toward a stranger's attachment never engages.

The WhatsApp Web Side of the Worm

The WhatsApp module borrows the SORVEPOTEL technique from Maverick, the trojan family that TCLBANKER updates. It hijacks the victim's authenticated WhatsApp Web session and uses the open source WPPConnect automation library to send messages to the contact list. WPPConnect normally exists for legitimate chatbot development; here it lets the malware drive WhatsApp's web interface as if a user were typing.

Two filters run before each send: the worm skips group chats, and it skips contacts with phone numbers outside Brazil. Both choices are operationally sensible for a campaign focused on Brazilian banking customers. Group spam draws moderation attention. Non-Brazilian recipients are useless to a payload that refuses to detonate outside a Portuguese-language environment.

The combined effect of the two worm modules is uneven amplification. A single corporate workstation is suddenly capable of reaching thousands of inboxes and hundreds of WhatsApp chats with messages that look like they came from a trusted contact. Gateway filtering catches very little of it, because the headers and the channels are all legitimate.

The Logitech Disguise and Anti-Analysis Layer

The MSI installer abuses a real, signed Logitech program called Logi AI Prompt Builder. The legitimate executable has DLL search order behavior that lets the malware drop a malicious DLL named screen_retriever_plugin.dll next to the program. Logitech's signed binary loads it as if it were a normal Flutter plugin and runs the attacker's code with the trust of a Logitech process.

DLL side-loading against signed software is not new, but it remains effective because the chain of trust most endpoint products inspect is the chain on the parent EXE. Once LogiAiPromptBuilder.exe is whitelisted, anything it loads inherits a benevolent posture from the parent's signature. Behavioral detections can still flag the next steps, but the initial execution slips by static rules.

The loader also runs a watchdog that checks for debuggers, sandboxes, and disassembly tools. If any of those are present, the payload does not decrypt. A second gate checks the system language. The trojan only proceeds when the operating system is set to Brazilian Portuguese, which is why analysts running an English Windows VM can struggle to trigger the full chain. The actual command and control traffic runs over WebSocket and supports screenshots, keylogging, and the credential harvesting overlays that are standard for a banking trojan.

Why Inbox Workers Should Care Outside Brazil

TCLBANKER's payload only fires on Brazilian Portuguese systems, but the worm component does not care about geography on the way out. An infected Brazilian employee at a multinational firm whose Outlook profile contains contacts in the United States, Europe, and the rest of Latin America will still send the trojanized installer to all of them. The message lands in inboxes everywhere. Recipients outside Brazil will not be successfully infected by the banking module, but their machines may still execute the loader, run the anti-analysis check, and silently exit—leaving an unanswered question in the EDR log about why a signed Logitech installer started running and stopped.

More importantly, a worm pattern like this normalizes a delivery technique that other operators copy. The Outlook agent that automates 3,000 messages per host is the same primitive that a non-Brazilian crimeware family will license, fork, or rebuild within months. Every previous worm of this shape—from APT28's Outlook token theft via compromised home routers to the Amazon SES key abuse that turned victims' own domains into spam relays—has rapidly diffused beyond its original operator.

What the 59 Targeted Platforms Tell You About the Operator

Elastic did not publish the full list of the 59 banking, fintech, and cryptocurrency platforms TCLBANKER targets, but the count itself is informative. A sloppy banking trojan targets a handful of pages. A mature banking trojan ships overlays for dozens of brands so a single infection in a country like Brazil—where roughly twenty institutions hold most of the retail market—reliably finds a usable login no matter which bank the victim uses.

Including cryptocurrency platforms in the same target list is also a 2026 signature. Crypto credentials cash out faster and more anonymously than traditional bank credentials, and they raise the average yield per infection enough to justify the engineering effort that went into the worm. Operators no longer build banking trojans without a crypto module attached.

Indicators and Defensive Steps

The defensive picture for security teams operating outside Brazil is mostly about the worm, not the banking module:

  • Inspect outbound mail volume from individual mailboxes. An Outlook profile that suddenly emits 3,000 messages with attachments to its address book is a strong anomaly that DLP and gateway products can catch even without a malware signature, provided the rule exists.
  • Treat ZIP'd MSI installers from internal senders as suspicious. Even if the sender is a real coworker, an unsolicited attachment of that shape is rarely benign. Auto-strip ZIP attachments at the gateway when they contain MSIs.
  • Monitor for LogiAiPromptBuilder.exe running outside an interactive Logitech install context. The legitimate program is not common on enterprise endpoints; sudden process events for it that are not preceded by a user-driven Logitech install are worth investigating.
  • Watch WhatsApp Web sessions on managed devices. Browsers driving WPPConnect look like automated traffic. If you allow WhatsApp Web at all on managed endpoints, network telemetry can flag the burst behavior that comes from a worm using it.
  • Pull the Elastic IOCs. The Elastic write up ships hashes, domains, and YARA rules. Apply them in EDR and at the email gateway.
  • For end users in any region: a coworker emailing you a ZIP file with a Logitech installer inside is not a normal interaction, no matter how much the rest of the message looks like them. Confirm out of band before opening.
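The first two bullets, and the four-step Outlook worm sequence earlier on this page, reduce to one outbound-mail telemetry rule: a single mailbox pushing ZIP-wrapped MSIs to many distinct recipients inside a short window. The detector below is an added example, not a rule from Elastic or any gateway product; the message-trace format and the sample lines are constructed, and the window and recipient thresholds are illustrative values to tune against each mailbox's baseline (the real worm reaches 3,000).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of a simplified outbound message trace (not real traffic).
# Fields: timestamp,sender,recipient,attachment name,file found inside the archive
SAMPLE_TRACE = """\
2026-05-08T09:00:01,alice@example.com,bob@example.com,q1-report.pdf,
2026-05-08T09:12:10,carol@example.com,dan@partner.example,LogiUpdate.zip,LogiAiPromptBuilder.msi
2026-05-08T09:12:11,carol@example.com,eve@partner.example,LogiUpdate.zip,LogiAiPromptBuilder.msi
2026-05-08T09:12:12,carol@example.com,frank@example.com,LogiUpdate.zip,LogiAiPromptBuilder.msi
2026-05-08T09:12:13,carol@example.com,grace@example.org,LogiUpdate.zip,LogiAiPromptBuilder.msi
2026-05-08T09:40:00,alice@example.com,heidi@example.com,photos.zip,IMG_0001.jpg
2026-05-08T11:05:00,carol@example.com,dan@partner.example,notes.txt,
"""

def parse_trace(text):
    """Yield (timestamp, sender, recipient, attachment, inner_file) per non-empty line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sender, rcpt, att, inner = line.split(",", 4)
        yield datetime.fromisoformat(ts), sender, rcpt, att.lower(), inner.lower()

def is_zipped_msi(attachment, inner):
    """Bullet 2: a ZIP whose content is an MSI is the worm's delivery shape."""
    return attachment.endswith(".zip") and inner.endswith(".msi")

def find_burst_senders(text, window=timedelta(minutes=10), min_recipients=3):
    """Bullet 1: senders that push ZIP'd MSIs to at least min_recipients distinct
    recipients within one sliding window. Returns {sender: max distinct recipients}."""
    events = defaultdict(list)
    for ts, sender, rcpt, att, inner in parse_trace(text):
        if is_zipped_msi(att, inner):
            events[sender].append((ts, rcpt))
    findings = {}
    for sender, sends in events.items():
        sends.sort()
        for i, (start, _) in enumerate(sends):
            rcpts = {r for t, r in sends[i:] if t - start <= window}
            if len(rcpts) >= min_recipients:
                findings[sender] = max(findings.get(sender, 0), len(rcpts))
    return findings

if __name__ == "__main__":
    for sender, n in find_burst_senders(SAMPLE_TRACE).items():
        print(f"ALERT {sender}: ZIP'd MSI sent to {n} distinct recipients in one window")
```

Alice's photos.zip is ignored because its inner file is not an MSI, so the rule keys on the delivery shape rather than on ZIP attachments in general.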

The Pattern

TCLBANKER is a useful data point about where banking malware is heading. The financial overlays are unchanged from a decade ago—the operators still expect a Brazilian Portuguese system, still hook the same Win32 APIs, still steal the same credentials. The infrastructure work has all moved up the stack, into how the malware reaches the next victim. Authenticated Outlook sessions and authenticated WhatsApp Web sessions are not exotic capabilities. They are the everyday tools of every desk worker, and that is precisely why a worm built on top of them clears every traditional defense aimed at attachments and spoofed senders.

The lesson that generalizes: a malicious email sent through a real account is not a phishing problem in the classic sense. It is a host compromise problem masquerading as an inbox problem. The fix is on the endpoint and in the outbound mail telemetry, not in the spam filter.
