Topic: Brazilian Banking Trojan “TCLBANKER” Targeting Users via WhatsApp and Outlook
SatsPH (OP)
May 09, 2026, 09:51:03 AM
 #1

There is a new Brazilian banking trojan, recently discovered in the wild, called TCLBANKER. This banking trojan is another sophisticated piece of malware that monitors the victims' browsers, targeting 59 Brazilian banking, fintech, and cryptocurrency domains. The mode of attack is through WhatsApp and Outlook.


  • TCLBANKER uses environment-gated payload decryption; incorrect environments, such as sandboxes, silently fail to decrypt the payload.
  • A comprehensive watchdog subsystem continuously monitors for analysis tools, debuggers, instrumentation frameworks, and integrity violations throughout execution.
  • The banking trojan targets 59 Brazilian banking, fintech, and cryptocurrency domains, activating a WebSocket C2 session when a victim navigates to a monitored site.
  • A WPF-based full-screen overlay framework enables operator-driven social engineering, including credential harvesting, vishing wait screens, and fake Windows Update stalls, while hiding overlays from screen capture tools.
  • Worm modules propagate the malware: a WhatsApp bot and an Outlook email bot.
  • All C2 and distribution infrastructure is hosted on Cloudflare Workers under a single account, with developer artifacts (debug logging paths, test process names) and an incomplete phishing page, suggesting the campaign was identified in an early operational stage.

Quote
The loader component for TCLBANKER is packed with features, including anti-debugging features, anti-analysis checks, string encryption, system language checks, ETW patching, and a watchdog capability. While it has many features, it lacks depth and has references to older malware analysis tooling. It’s not entirely clear whether the developer used LLM-assisted workflows, but our team wouldn’t be surprised if that were the case.

Below is the list of targets, including cryptocurrency exchanges.

Quote
## Group 0 — Banco do Brasil
 
| Domain | Institution |
|--------|-------------|
| `bancobrasil.com.br` | Banco do Brasil — main portal |
| `bb.com.br` | Banco do Brasil — short domain |
 
## Group 1 — Caixa Econômica Federal
 
| Domain | Institution |
|--------|-------------|
| `caixa.gov.br` | Caixa — main portal |
| `gerenciador.caixa.gov.br` | Caixa — business banking portal |
| `loginx.caixa.gov.br` | Caixa — authentication endpoint |
 
## Group 2 — Bradesco
 
| Domain | Institution |
|--------|-------------|
| `banco.bradesco` | Bradesco — main portal |
| `bradesco.com.br` | Bradesco — secondary domain |
| `cidadetran.bradesco` | Bradesco — digital banking |
| `ne12.bradesconetempresa.b.br` | Bradesco — corporate banking |
 
## Group 3 — Cryptocurrency Exchanges
 
| Domain | Institution |
|--------|-------------|
| `binance.com` | Binance — global crypto exchange |
| `mercadobitcoin.com.br` | Mercado Bitcoin — BR crypto exchange |
| `bitcointrade.com.br` | Bitcoin Trade — BR crypto exchange |
| `foxbit.com.br` | Foxbit — BR crypto exchange |
| `blockchain.com` | Blockchain.com — crypto wallet/exchange |
 
## Group 4 — Santander
 
| Domain | Institution |
|--------|-------------|
| `pf.santandernet.com.br` | Santander — personal banking |
| `pj.santandernetibe.com.br` | Santander — business banking |
 
## Group 5 — Itaú Unibanco
 
| Domain | Institution |
|--------|-------------|
| `itau.com.br` | Itaú Unibanco |
 
## Group 6 — Sicredi
 
| Domain | Institution |
|--------|-------------|
| `sicredi.com.br` | Sicredi |
 
## Group 7 — Banco do Nordeste
 
| Domain | Institution |
|--------|-------------|
| `nel.bnb.gov.br` | Banco do Nordeste do Brasil |
 
## Group 8 — Mercado Pago
 
| Domain | Institution |
|--------|-------------|
| `mercadopago.com.br` | Mercado Pago |
 
## Group 9 — Regional & Digital Banks
 
| Domain | Institution |
|--------|-------------|
| `original.com.br` | Banco Original |
| `banrisul.com.br` | Banrisul |
| `banhara.b.br` | Banhara |
| `bancoamazonia.com.br` | Banco da Amazônia |
| `daycoval.com.br` | Banco Daycoval |
| `mercantildobrasil.com.br` | Banco Mercantil do Brasil |
| `stone.com.br` | Stone Pagamentos |
| `bancopan.com.br` | Banco Pan |
| `unicred.com.br` | Unicred |
| `safra.com.br` | Banco Safra |
| `safraempresas.com.br` | Banco Safra — corporate |
| `ib.brde.com.br` | BRDE — development bank |
| `banese.com.br` | Banese |
| `bancobmg.com.br` | Banco BMG |
| `internetbanking.confesol.com.br` | Confesol — cooperative |
| `tribanco.com.br` | Tribanco |
| `credisisbank.com.br` | Credisis Bank |
| `credisan.com.br` | Credisan |
| `bancobs2.com.br` | Banco BS2 |
| `bancofibra.com.br` | Banco Fibra |
| `uniprimebr.com.br` | Uniprime Brasil |
| `uniprime.com.br` | Uniprime Central |
| `bancotopazio.com.br` | Banco Topázio |
| `btgmais.com` | BTG Pactual — digital |
| `citidirect.com` | Citi Direct (Citibank) |
| `banestes.b.br` | Banestes |
| `zeitbank.com.br` | Zeitbank |
| `sofisa.com.br` | Banco Sofisa |
| `sofisadireto.com.br` | Sofisa Direto — digital |
| `banestes.com.br` | Banestes — alternate |
| `wwws.uniprimedobrasil.com.br` | Uniprime do Brasil |
| `rendimento.com.br` | Banco Rendimento |
| `contaonline.viacredi.coop.br` | Viacredi — cooperative |
| `brbbanknet.brb.com.br` | BRB — Banco de Brasília |
| `artta.com.br` | Artta |
| `pagbank.com.br` | PagBank / PagSeguro |
 
## Group 10 — Sicoob System
 
| Domain | Institution |
|--------|-------------|
| `sicoobexecutivo.com.br` | Sicoob Executivo portal |
| `sicoobnet.com.br` | Sicoob Net banking |
| `sicoob.com.br` | Sicoob — main portal |

So this is just to give a heads-up to our Brazilian friends who are into crypto: you have been targeted again by these bad actors. You need to be very careful not to click on anything, and verify that you are on a legitimate banking website before downloading, especially with WhatsApp and Outlook.

And if you receive emails from an unknown source, don't install or download anything from them. You can read the details of these attacks below.


https://www.elastic.co/security-labs/tclbanker-brazilian-banking-trojan
https://gist.github.com/jiayuchann/e298effb68bd472c9e577a630d0ceb20
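
A defender-side way to hunt for the behaviour in the bullet list above (a WebSocket C2 session opened when a victim visits a monitored site, with C2 hosted on Cloudflare Workers), as an added example that is not part of the original post or the linked report: it correlates proxy log lines per client. The log format, the 30-second window and the `.workers.dev` suffix are assumptions, and the sample log lines are constructed.

```python
from datetime import datetime, timedelta

# Subset of the monitored domains listed in the post above.
MONITORED = {"bb.com.br", "caixa.gov.br", "binance.com",
             "mercadobitcoin.com.br", "foxbit.com.br", "itau.com.br"}
# Assumption: C2 uses the default Cloudflare Workers hostname suffix.
C2_SUFFIX = ".workers.dev"
WINDOW = timedelta(seconds=30)  # assumed correlation window

# Constructed proxy log: timestamp, client host, request kind, destination.
SAMPLE_LOG = """\
2026-05-09T10:00:01 ws-014 GET www.binance.com
2026-05-09T10:00:04 ws-014 WEBSOCKET sync.acct-placeholder.workers.dev
2026-05-09T10:02:10 ws-022 WEBSOCKET app.acct-placeholder.workers.dev
2026-05-09T10:05:00 ws-031 GET loginx.caixa.gov.br
2026-05-09T10:09:00 ws-031 WEBSOCKET chat.acct-placeholder.workers.dev
2026-05-09T10:11:30 ws-040 GET notbinance.com
2026-05-09T10:11:32 ws-040 WEBSOCKET x.acct-placeholder.workers.dev
"""

def is_monitored(host):
    """True if host equals a monitored domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in MONITORED)

def correlate(log_text):
    """Return (client, bank_host, ws_host) for each WebSocket to a Workers
    host opened within WINDOW after the same client visited a monitored site."""
    last_visit = {}  # client -> (time, bank host)
    alerts = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        ts, client, kind, dest = parts
        when = datetime.fromisoformat(ts)
        if kind == "GET" and is_monitored(dest):
            last_visit[client] = (when, dest)
        elif kind == "WEBSOCKET" and dest.lower().endswith(C2_SUFFIX):
            seen = last_visit.get(client)
            if seen and timedelta(0) <= when - seen[0] <= WINDOW:
                alerts.append((client, seen[1], dest))
    return alerts

if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG):
        print("ALERT", *alert)
```

Only `ws-014` is flagged: the other clients either never visited a monitored domain, opened the WebSocket outside the window, or visited a look-alike host that is not a true subdomain.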
Dave1
May 11, 2026, 04:28:21 AM
 #2

I'm not surprised by this news, not that I want them to attack Brazilians, but based on this report, Brazil Is The World's Second Most Vulnerable Country To Cyberattacks.

Although there could be some measures by the government or their banking sector to harden their security, the attacks keep going up, and now these cyber actors have bundled banking apps + crypto wallets all in one.

So we can advise our Brazilian crypto enthusiasts here in our community to stay vigilant. If there is anything suspicious, especially in your Outlook, then don't click it. For WhatsApp, enable "Strict Account Settings". If I'm not mistaken, they rolled this out to counter this kind of attack on the users of their platform, so you need to have this activated.


rdluffy
May 11, 2026, 01:05:08 PM
 #3

Here in Brazil, we’ve had a really hard time with these scam attempts.
No exaggeration, I get at least two or three calls every day from scammers trying to get me to answer the phone, and most of the time they say they’re trying to buy something with my credit card.

These days, we use apps more often instead of logging into bank and fintech websites, which would be enough to avoid falling for the scam you posted.
However, users who aren’t as tech-savvy can easily fall for these scams and install something without knowing exactly what it is, or get tricked.



 
Wiwo
May 11, 2026, 02:26:09 PM
 #4

Quote
Here in Brazil, we’ve had a really hard time with these scam attempts.
No exaggeration, I get at least two or three calls every day from scammers trying to get me to answer the phone, and most of the time they say they’re trying to buy something with my credit card.

These days, we use apps more often instead of logging into bank and fintech websites, which would be enough to avoid falling for the scam you posted.
However, users who aren’t as tech-savvy can easily fall for these scams and install something without knowing exactly what it is, or get tricked.



Sure, I believe these scam attempts are a global thing lately, because I experience the same too: in a day I can get 7 calls from scammers, all attempting to get some security details from me, so it is not only in Brazil but a global phenomenon.

What helps me most these days to avoid answering those scammers' calls is my call app, Truecaller. This app helps me identify scammers, spammers and everything that is unwanted; what I need to do is to increase my privacy settings to maximum and allow only those in my phone book to call me, so other calls get rejected.

Aanuoluwatofunmi
May 11, 2026, 02:54:51 PM
 #5

Another reason for us to be updated and stay informed of what is going on in the crypto world, and not only this but digital technology as a whole. There have been a series of attempts to scam people of their assets, and these hackers make use of different routes to launch their evil deeds on unscrupulous users who will not be informed about what is needed and how they could prevent such from happening, and our weakness is where they lie to take advantage.

Razmirraz
May 11, 2026, 03:08:54 PM
 #6

Quote
Here in Brazil, we’ve had a really hard time with these scam attempts.
No exaggeration, I get at least two or three calls every day from scammers trying to get me to answer the phone, and most of the time they say they’re trying to buy something with my credit card.

These days, we use apps more often instead of logging into bank and fintech websites, which would be enough to avoid falling for the scam you posted.
However, users who aren’t as tech-savvy can easily fall for these scams and install something without knowing exactly what it is, or get tricked.

Although cyber attacks are a common reality in Brazil today, this phenomenon occurs in almost every country. The situation in Brazil does require a high level of vigilance. In my opinion, the best course of action is to always be skeptical of urgent phone calls and to instill the principle that banks never call to ask for passwords, verification codes, or to ask customers to install certain applications.
It's also important to understand that, while banking apps are more secure than websites, they are not immune if fraudsters manage to gain control of a physical device like a phone or trick their victims into granting access. A further measure to prevent falling into fraudulent traps is not granting accessibility permissions to unknown applications or applications from outside the official store, to close loopholes used by malware to steal data.
