Bitcoin Forum
Author Topic: Brazilian Banking Trojan “TCLBANKER” Targeting Users via WhatsApp and Outlook  (Read 111 times)
SatsPH (OP)
Member
**
Offline

Activity: 79
Merit: 30

For JM


View Profile
May 09, 2026, 09:51:03 AM
 #1

There is a new Brazilian banking trojan, recently discovered in the wild, called TCLBANKER. This banking trojan is another sophisticated piece of malware that monitors the victims' browsers, targeting 59 Brazilian banking, fintech, and cryptocurrency domains. The mode of attack is through WhatsApp and Outlook.


  • TCLBANKER uses environment-gated payload decryption; incorrect environments, such as sandboxes, silently fail to decrypt the payload.
  • A comprehensive watchdog subsystem continuously monitors for analysis tools, debuggers, instrumentation frameworks, and integrity violations throughout execution.
  • The banking trojan targets 59 Brazilian banking, fintech, and cryptocurrency domains, activating a WebSocket C2 session when a victim navigates to a monitored site.
  • A WPF-based full-screen overlay framework enables operator-driven social engineering, including credential harvesting, vishing wait screens, and fake Windows Update stalls, while hiding overlays from screen capture tools.
  • Worm modules propagate the malware: a WhatsApp bot and an Outlook email bot.
  • All C2 and distribution infrastructure is hosted on Cloudflare Workers under a single account, with developer artifacts (debug logging paths, test process names) and an incomplete phishing page, suggesting the campaign was identified in an early operational stage.

Quote
The loader component for TCLBANKER is packed with features, including anti-debugging features, anti-analysis checks, string encryption, system language checks, ETW patching, and a watchdog capability. While it has many features, it lacks depth and has references to older malware analysis tooling. It’s not entirely clear whether the developer used LLM-assisted workflows, but our team wouldn’t be surprised if that were the case.

Below is the list of targets, including cryptocurrency exchanges.

Quote
## Group 0 — Banco do Brasil
 
| Domain | Institution |
|--------|-------------|
| `bancobrasil.com.br` | Banco do Brasil — main portal |
| `bb.com.br` | Banco do Brasil — short domain |
 
## Group 1 — Caixa Econômica Federal
 
| Domain | Institution |
|--------|-------------|
| `caixa.gov.br` | Caixa — main portal |
| `gerenciador.caixa.gov.br` | Caixa — business banking portal |
| `loginx.caixa.gov.br` | Caixa — authentication endpoint |
 
## Group 2 — Bradesco
 
| Domain | Institution |
|--------|-------------|
| `banco.bradesco` | Bradesco — main portal |
| `bradesco.com.br` | Bradesco — secondary domain |
| `cidadetran.bradesco` | Bradesco — digital banking |
| `ne12.bradesconetempresa.b.br` | Bradesco — corporate banking |
 
## Group 3 — Cryptocurrency Exchanges
 
| Domain | Institution |
|--------|-------------|
| `binance.com` | Binance — global crypto exchange |
| `mercadobitcoin.com.br` | Mercado Bitcoin — BR crypto exchange |
| `bitcointrade.com.br` | Bitcoin Trade — BR crypto exchange |
| `foxbit.com.br` | Foxbit — BR crypto exchange |
| `blockchain.com` | Blockchain.com — crypto wallet/exchange |
 
## Group 4 — Santander
 
| Domain | Institution |
|--------|-------------|
| `pf.santandernet.com.br` | Santander — personal banking |
| `pj.santandernetibe.com.br` | Santander — business banking |
 
## Group 5 — Itaú Unibanco
 
| Domain | Institution |
|--------|-------------|
| `itau.com.br` | Itaú Unibanco |
 
## Group 6 — Sicredi
 
| Domain | Institution |
|--------|-------------|
| `sicredi.com.br` | Sicredi |
 
## Group 7 — Banco do Nordeste
 
| Domain | Institution |
|--------|-------------|
| `nel.bnb.gov.br` | Banco do Nordeste do Brasil |
 
## Group 8 — Mercado Pago
 
| Domain | Institution |
|--------|-------------|
| `mercadopago.com.br` | Mercado Pago |
 
## Group 9 — Regional & Digital Banks
 
| Domain | Institution |
|--------|-------------|
| `original.com.br` | Banco Original |
| `banrisul.com.br` | Banrisul |
| `banhara.b.br` | Banhara |
| `bancoamazonia.com.br` | Banco da Amazônia |
| `daycoval.com.br` | Banco Daycoval |
| `mercantildobrasil.com.br` | Banco Mercantil do Brasil |
| `stone.com.br` | Stone Pagamentos |
| `bancopan.com.br` | Banco Pan |
| `unicred.com.br` | Unicred |
| `safra.com.br` | Banco Safra |
| `safraempresas.com.br` | Banco Safra — corporate |
| `ib.brde.com.br` | BRDE — development bank |
| `banese.com.br` | Banese |
| `bancobmg.com.br` | Banco BMG |
| `internetbanking.confesol.com.br` | Confesol — cooperative |
| `tribanco.com.br` | Tribanco |
| `credisisbank.com.br` | Credisis Bank |
| `credisan.com.br` | Credisan |
| `bancobs2.com.br` | Banco BS2 |
| `bancofibra.com.br` | Banco Fibra |
| `uniprimebr.com.br` | Uniprime Brasil |
| `uniprime.com.br` | Uniprime Central |
| `bancotopazio.com.br` | Banco Topázio |
| `btgmais.com` | BTG Pactual — digital |
| `citidirect.com` | Citi Direct (Citibank) |
| `banestes.b.br` | Banestes |
| `zeitbank.com.br` | Zeitbank |
| `sofisa.com.br` | Banco Sofisa |
| `sofisadireto.com.br` | Sofisa Direto — digital |
| `banestes.com.br` | Banestes — alternate |
| `wwws.uniprimedobrasil.com.br` | Uniprime do Brasil |
| `rendimento.com.br` | Banco Rendimento |
| `contaonline.viacredi.coop.br` | Viacredi — cooperative |
| `brbbanknet.brb.com.br` | BRB — Banco de Brasília |
| `artta.com.br` | Artta |
| `pagbank.com.br` | PagBank / PagSeguro |
 
## Group 10 — Sicoob System
 
| Domain | Institution |
|--------|-------------|
| `sicoobexecutivo.com.br` | Sicoob Executivo portal |
| `sicoobnet.com.br` | Sicoob Net banking |
| `sicoob.com.br` | Sicoob — main portal |

So this is just to give a heads-up to our Brazilian friends who are into crypto: you have been targeted again by these bad actors. You need to be very careful not to click on anything, and verify that you are on a legitimate banking website before downloading. Especially on WhatsApp and Outlook.

And if you receive emails from an unknown source, then don't install or download anything. You can read the details of these attacks below.


https://www.elastic.co/security-labs/tclbanker-brazilian-banking-trojan
https://gist.github.com/jiayuchann/e298effb68bd472c9e577a630d0ceb20
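
A defender-side illustration of the behaviour summarised in the post (a C2 session to Cloudflare Workers that starts when the victim opens a monitored site), added here as an example and not taken from the post or the linked report. The log format, process names, the `workers.dev` suffix and the idea that the session comes from a non-browser process are assumptions; the sample lines are constructed.

```python
from datetime import datetime, timedelta

# Subset of the monitored domains listed in the post (extend with the full table).
MONITORED = {"bb.com.br", "caixa.gov.br", "binance.com",
             "mercadobitcoin.com.br", "itau.com.br"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}  # assumption: browser image names
WORKERS_SUFFIX = "workers.dev"  # assumption: default Cloudflare Workers hostname suffix


def matches_suffix(host, suffix):
    """True for the domain itself or a real subdomain, never a look-alike."""
    host = host.lower().rstrip(".")
    return host == suffix or host.endswith("." + suffix)


def is_monitored(host):
    return any(matches_suffix(host, d) for d in MONITORED)


def parse(line):
    """Constructed log format: ISO timestamp, endpoint, process image, destination host."""
    ts, endpoint, image, dest = line.split()
    return datetime.fromisoformat(ts), endpoint, image.lower(), dest


def correlate(lines, window_seconds=120):
    """Flag a non-browser process reaching a Workers host shortly after the
    same endpoint's browser opened a monitored banking or exchange domain."""
    window = timedelta(seconds=window_seconds)
    last_visit = {}  # endpoint -> (time, domain) of the most recent monitored visit
    alerts = []
    for ts, endpoint, image, dest in sorted(parse(l) for l in lines):
        if image in BROWSERS:
            if is_monitored(dest):
                last_visit[endpoint] = (ts, dest)
            continue  # browsers talking to Workers-hosted sites are normal traffic
        if matches_suffix(dest, WORKERS_SUFFIX) and endpoint in last_visit:
            seen, domain = last_visit[endpoint]
            if ts - seen <= window:
                alerts.append((endpoint, image, dest, domain))
    return alerts


# Constructed sample telemetry (not taken from the report).
SAMPLE = [
    "2026-05-09T10:00:00 PC-01 chrome.exe www.bb.com.br",
    "2026-05-09T10:00:20 PC-01 updater.exe api.example-a.workers.dev",
    "2026-05-09T10:05:00 PC-02 msedge.exe notbb.com.br",
    "2026-05-09T10:05:10 PC-02 helper.exe api.example-b.workers.dev",
    "2026-05-09T11:00:00 PC-03 firefox.exe binance.com",
    "2026-05-09T11:30:00 PC-03 sync.exe api.example-c.workers.dev",
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE):
        print(alert)
```

The look-alike host `notbb.com.br` and the connection made 30 minutes after the visit are both ignored; widening `window_seconds` trades fewer misses for more noise.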
Dave1
Hero Member
*****
Offline

Activity: 2044
Merit: 634



View Profile
May 11, 2026, 04:28:21 AM
 #2

I'm not surprised by this news, not that I want them to attack Brazilians, but based on this report, Brazil Is The World's Second Most Vulnerable Country To Cyberattacks.

Although there could be some measures by the government or their banking sector to harden their security, the attacks keep going up, and now these cyber actors have bundled banking apps + crypto wallets all in one.

So we can advise our Brazilian crypto enthusiasts here in our community to stay vigilant. So if there is anything suspicious, especially in your Outlook, then don't click it. For WhatsApp, enable "Strict Account Settings". If I'm not mistaken, they rolled this out to counter these kinds of attacks on the users of their platform, so you need to have this activated.


rdluffy
Legendary
*
Offline

Activity: 2968
Merit: 1959



View Profile WWW
May 11, 2026, 01:05:08 PM
 #3

Here in Brazil, we’ve had a really hard time with these scam attempts
No exaggeration, I get at least two or three calls every day from scammers trying to get me to answer the phone, and most of the time they say they’re trying to buy something with my credit card

These days, we use apps more often instead of logging into bank and fintech websites, which would be enough to avoid falling for the scam you posted
However, users who aren’t as tech-savvy can easily fall for these scams and install something without knowing exactly what it is, or get tricked



 
Wiwo
Legendary
*
Offline

Activity: 1792
Merit: 1094



View Profile WWW
May 11, 2026, 02:26:09 PM
 #4

Quote
Here in Brazil, we’ve had a really hard time with these scam attempts
No exaggeration, I get at least two or three calls every day from scammers trying to get me to answer the phone, and most of the time they say they’re trying to buy something with my credit card

These days, we use apps more often instead of logging into bank and fintech websites, which would be enough to avoid falling for the scam you posted
However, users who aren’t as tech-savvy can easily fall for these scams and install something without knowing exactly what it is, or get tricked



Sure, I believe these scam attempts are a global thing lately, because I experience the same too; in a day I can get 7 calls from scammers, and all attempt to get some security details from me, so it is not only in Brazil but a global phenomenon.

What helps me most these days to avoid answering those scammers' calls is my call app, Truecaller. This app helps me identify scammers, spammers and everything that is unwanted; what I need to do is increase my privacy settings to maximum and allow only those in my phone book to call me, so other calls get rejected.

Aanuoluwatofunmi
Sr. Member
****
Offline

Activity: 1330
Merit: 459



View Profile
May 11, 2026, 02:54:51 PM
 #5

Another reason for us to stay updated and informed of what is going on in the crypto world, and not only on this but digital technology as a whole. There have been a series of attempts to scam people of their assets, and these hackers make use of different routes to launch their evil deeds on unscrupulous users who will not be informed about what is needed and how they could prevent such from happening, and our weakness is where they lie to take advantage.

Razmirraz
Sr. Member
****
Offline

Activity: 1708
Merit: 452



View Profile
May 11, 2026, 03:08:54 PM
 #6

Quote
Here in Brazil, we’ve had a really hard time with these scam attempts
No exaggeration, I get at least two or three calls every day from scammers trying to get me to answer the phone, and most of the time they say they’re trying to buy something with my credit card

These days, we use apps more often instead of logging into bank and fintech websites, which would be enough to avoid falling for the scam you posted
However, users who aren’t as tech-savvy can easily fall for these scams and install something without knowing exactly what it is, or get tricked

Although cyber attacks are a common reality in Brazil today, this phenomenon occurs in almost every country. The situation in Brazil does require a high level of vigilance. In my opinion, the best course of action is to always be skeptical of urgent phone calls and to instill the principle that banks never call to ask for passwords, verification codes, or to ask customers to install certain applications.
It's also important to understand that, while banking apps are more secure than websites, they are not immune if fraudsters manage to gain control of a physical device like a phone or trick their victims into granting access. Further measures to prevent falling into fraudulent traps include not granting accessibility permissions to unknown applications or applications from outside the official store, to close loopholes used by malware to steal data.

joniboini
Legendary
*
Offline

Activity: 2926
Merit: 1894


🧙‍♂️ #kycfree


View Profile WWW
May 13, 2026, 07:54:39 PM
 #7

Quote
In my opinion, the best course of action is to always be skeptical of urgent phone calls and to instill the principle that banks never call to ask for passwords, verification codes, or to ask customers to install certain applications.

I can't remember when was the last time I received a phone call from unknown numbers. Unless I have prior appointments or reports that need to be solved soon (like my home electricity being down for half a day or so), I usually just ignore most of them. If someone wants to contact me urgently, usually they'll send me a message through apps or somewhere else. Making phone calls needs prior notification now (unless you're dealing with CS or something else that requires you to handle phone calls regularly).

Davidvictorson
Hero Member
*****
Online Online

Activity: 1722
Merit: 980



View Profile
May 13, 2026, 09:16:39 PM
 #8

Quote
In my opinion, the best course of action is to always be skeptical of urgent phone calls and to instill the principle that banks never call to ask for passwords, verification codes, or to ask customers to install certain applications.

Banks never call, and they keep saying this; however, one time I did receive a call from my bank about my account. I was very distrustful of the call, but it turned out they were right after I verified. I had a pending issue with my account. But this is a once-in-a-blue-moon occurrence.
But now, they don’t need to make calls anymore; WhatsApp is now allowing a lot of features that in the future would make it very easy for hackers to infect and attack the individual’s device.

joniboini
Legendary
*
Offline

Activity: 2926
Merit: 1894


🧙‍♂️ #kycfree


View Profile WWW
Today at 08:24:29 AM
 #9

Quote
But now, they don’t need to make calls anymore, WhatsApp is now allowing a lot of features that in the future would make it very easy for hackers to infect and attack the individual’s device.

Yeah. At least that's how it is here. Most of them move their customer service to a platform that can offer business accounts or something similar. It feels a bit bad because it means I have to use apps like WhatsApp though. Unless the user requests a direct phone call, usually they don't call them through their phone. Only their marketing does that I guess, since I still receive some marketing calls here and there. I suspect their CS and marketing departments have different rules. Anyway, even if they still call you they won't ask for a password or whatever.

YellowSwap
Full Member
***
Offline

Activity: 434
Merit: 148



View Profile
Today at 11:26:01 AM
 #10

This is not 2018 anymore; anything that connects to the internet is off key for a crypto wallet. Trojans and viruses are very popular with Windows OS and computers in general; can you people just do without them?

It's 2026, where Android chips have their own vulnerabilities and computer viruses are getting out of number every time; this is what you people still choose to run your crypto wallets on?

I won't even look twice if anyone loses their coins on a computer or smartphone; it's your choice, so deal with it. In 2026 things have changed, crypto has become the last ultimate target for getting rich, and you are stupid if you are storing coins on computers these days.

joniboini
Legendary
*
Offline

Activity: 2926
Merit: 1894


🧙‍♂️ #kycfree


View Profile WWW
Today at 04:52:54 PM
 #11

I wouldn't go that far. Most problems come from people not knowing how to handle the risk and doing something stupid like clicking random links or installing some random apps from the internet. While supply chain attacks exist, it's not like your app will automatically get hacked if you're online. Disabling auto-update or something similar can prevent that too. Some people also make the terrible mistake of storing their keys on cloud storage to this day, so like, the key problem isn't about using a computer or phone to do crypto transactions or not imo.

sunsilk
Hero Member
*****
Offline

Activity: 3654
Merit: 655



View Profile
Today at 07:14:18 PM
 #12

I've also got those random calls and messages from the messaging apps that I have. My number surely is compromised, and that's why I don't use it anymore.

It all starts with a simple hi/hello, and then it's on us as we reply to them. By the time we reply to these scammers and adhere to their calls/texts, they have understood their assignment.

And that means that it's showtime for them and the prey has fallen into their trap. Although the way to avoid these is simple, when the victim gets emotional, the intelligence decreases.

 