Imagine one of your employees gets infected by malware. Now imagine that malware immediately starts impersonating them using their actual WhatsApp account and their actual Microsoft Outlook inbox to spread itself to everyone they know.
A new banking trojan documented by Elastic Security Labs in May 2026 does exactly that. Called TCLBANKER, it currently targets 59 Brazilian banking, fintech, and cryptocurrency platforms, and it uses techniques that travel well as malware evolves. The self-propagation mechanisms, the credential overlay system, and the DLL sideloading approach form a playbook that US financial institutions have good reason to study now.
What TCLBANKER Is and How It Gets In
Elastic Security Labs designated this activity cluster REF3076. The malware is a substantial upgrade of the MAVERICK/SORVEPOTEL family of Brazilian banking trojans, introducing two capabilities that separate it from most banking threats: self-propagation through trusted communication channels and overlay-based credential harvesting designed to defeat standard screen monitoring.
The infection starts deceptively. The malware arrives inside a ZIP file containing what looks like a legitimate Logitech installer, the Logi AI Prompt Builder. Through DLL sideloading, a malicious library named `screen_retriever_plugin.dll`, masquerading as a Flutter plugin, sits alongside the legitimate software and is loaded by it, running the payload without triggering the signature-based antivirus detections most endpoints rely on. A signature-based scan at this stage shows nothing unusual, because the executable really is the legitimate, signed one.
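The structural tell of this technique is not the DLL's name but its position: a signed executable loading a DLL from its own directory, signed by someone else or not at all, from a folder an ordinary user could have written to. The following hunting check is an added example written for this page; it is not code from Elastic's report or from the malware. The image-load records are constructed in the shape of Sysmon Event ID 7, and the installer file name, user name and signer strings are assumptions; only `screen_retriever_plugin.dll` comes from the report.

```python
from pathlib import PureWindowsPath

# Constructed image-load records in the shape of Sysmon Event ID 7, not real telemetry.
# The installer file name, user name and signer strings are assumptions for illustration;
# screen_retriever_plugin.dll is the DLL name given in the report.
SAMPLE_IMAGE_LOADS = [
    {   # benign: the signed installer loads a Microsoft-signed system DLL
        "process": r"C:\Users\ana\Downloads\LogiAIPromptBuilder\LogiAIPromptBuilder.exe",
        "process_signer": "Logitech",
        "image": r"C:\Windows\System32\user32.dll",
        "image_signer": "Microsoft Windows",
    },
    {   # sideload: an unsigned DLL next to the signed installer in a user-writable folder
        "process": r"C:\Users\ana\Downloads\LogiAIPromptBuilder\LogiAIPromptBuilder.exe",
        "process_signer": "Logitech",
        "image": r"C:\Users\ana\Downloads\LogiAIPromptBuilder\screen_retriever_plugin.dll",
        "image_signer": None,
    },
    {   # benign: same-directory DLL, but signed by the same publisher and under Program Files
        "process": r"C:\Program Files\Vendor\app.exe",
        "process_signer": "Vendor",
        "image": r"C:\Program Files\Vendor\helper.dll",
        "image_signer": "Vendor",
    },
]

# Directory fragments a standard user can write to without elevation (heuristic list).
USER_WRITABLE_MARKERS = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\")


def is_user_writable(path: str) -> bool:
    """Heuristic: is this path somewhere an unprivileged user can drop files?"""
    low = path.lower().replace("/", "\\")
    return any(marker in low for marker in USER_WRITABLE_MARKERS)


def sideload_findings(events):
    """Return image loads that match the structural shape of DLL sideloading:
    a DLL loaded from the executable's own directory, not signed by the
    executable's publisher, in a location the user could have written to."""
    findings = []
    for ev in events:
        exe = PureWindowsPath(ev["process"])
        dll = PureWindowsPath(ev["image"])
        if dll.suffix.lower() != ".dll":
            continue
        same_dir = exe.parent == dll.parent  # PureWindowsPath compares case-insensitively
        signer_mismatch = ev["image_signer"] != ev["process_signer"]
        if same_dir and signer_mismatch and is_user_writable(str(dll)):
            findings.append({
                "process": str(exe),
                "dll": str(dll),
                "dll_signer": ev["image_signer"] or "unsigned",
                "reason": "same-directory DLL with different signer in user-writable path",
            })
    return findings


if __name__ == "__main__":
    for finding in sideload_findings(SAMPLE_IMAGE_LOADS):
        print(finding)
```

Treat the output as a hunting lead rather than a blocking rule: legitimate installers run from Downloads and do load their own DLLs, and an attacker can sign the planted DLL with a cheap certificate (the signer mismatch still fires, the "unsigned" label does not). The check also does not know which DLL names the real installer expects, which is the next tuning step when you have the vendor's file manifest.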
Once installed, TCLBANKER deploys two modules.
The first is the banking trojan. When a victim navigates to a targeted financial platform, TCLBANKER overlays their browser with a convincing full-screen replica designed to harvest credentials. It also displays fake Windows Update screens, progress bars, and loading spinners to occupy the user while the fraud happens. One specific design detail: the overlays are blocked from appearing in standard screen capture tools. A screenshot of an infected machine looks completely clean.
The second module is the worm. It searches Chromium-based browser profiles for authenticated WhatsApp Web sessions, then launches a hidden Chromium instance using Selenium WebDriver that resumes the victim's session without requiring QR code re-authentication. It harvests contacts and sends malicious messages from the victim's actual account automatically. In parallel, it hijacks Microsoft Outlook to send infected emails from the victim's genuine address.
Recipients see a message from someone they know. They click.
59 Brazilian Platforms in the Crosshairs
BleepingComputer's analysis confirms TCLBANKER is configured to target 59 Brazilian banking, fintech, and cryptocurrency platforms. The malware checks for Brazilian timezone settings, keyboard layouts, and locale data (specifically LANGID 0x0416, the pt-BR identifier) before activating its main payload, meaning infections outside Brazil currently stall at the geofencing check.
That caveat matters for US institutions, but it has limits. LATAM banking trojans have a documented history of expanding their targeting scope as the malware matures, and a locale check is a single branch in the code. Everything else, the self-spreading mechanism, the overlay framework, and the DLL sideloading approach, is entirely portable. Treating TCLBANKER as a permanently Brazilian problem would be a mistake.
Why This Matters for Financial Services
Most banking malware still requires a human decision point. Phishing emails need to be opened. Attachments need to be downloaded. TCLBANKER reduces the per-victim effort significantly: one infection seeds many more, through channels the recipients already trust.
This matters for how financial institutions think about their defenses. Employee security awareness training is valuable and you should keep doing it. But training assumes employees need to recognize malicious content before engaging with it. When a message arrives from a trusted colleague's actual WhatsApp or actual Outlook inbox, carrying real metadata and a familiar name, the training signal is much harder to apply. The message looks real because it came from a real account.
Training alone won't stop banking malware that spreads via WhatsApp. The technical controls have to carry the load.
What This Means Practically
Endpoint detection and response (EDR) tools that flag anomalous process behavior—like a Chromium instance launching in hidden mode and querying WhatsApp IndexedDB data—can identify TCLBANKER activity before it propagates. Standard signature-based antivirus that checks against known malware patterns will likely miss it; DLL sideloading against a legitimate, signed application is specifically designed to avoid those detections.
Email security that monitors for unusual outbound sending patterns (a sudden burst of messages from an account that normally sends a handful per day) can catch the Outlook propagation mechanism early. Elastic's full technical report on REF3076 includes detailed indicators of compromise your security team can use directly.
Network monitoring that attributes connections to their originating process, so that a non-interactive Chromium instance nobody launched reaching external services stands out from ordinary browsing, adds another layer.
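The two behavioral checks above, a hidden Chromium launch and an outbound-mail burst, are easy to state and worth seeing as code. The following is an added example written for this page, not code from Elastic or from the malware, run over constructed records: process-creation events in the shape of Sysmon Event ID 1 and a mail-gateway log of (timestamp, sender) pairs. The user name, paths and the exact Chromium flags (`--headless`, `--remote-debugging-port`, a `--user-data-dir` pointing at the real `User Data` profile, a `chromedriver.exe` parent) are assumptions about what a Selenium-driven browser looks like on the endpoint, not observed TCLBANKER telemetry; tune them against your own baseline.

```python
from bisect import bisect_right
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed process-creation records (Sysmon Event ID 1 shape). User name, paths and
# the exact Chromium flags are assumptions for illustration, not observed TCLBANKER telemetry.
SAMPLE_PROCESSES = [
    {"ts": "2026-05-12T09:01:10", "user": "CORP\\ana", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory=Default'},
    {"ts": "2026-05-12T09:14:02", "user": "CORP\\ana",
     "parent": r"C:\Users\ana\AppData\Local\Temp\chromedriver.exe",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": (r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --headless=new '
                 r'--remote-debugging-port=0 '
                 r'--user-data-dir="C:\Users\ana\AppData\Local\Google\Chrome\User Data" '
                 r'--profile-directory=Default')},
    {"ts": "2026-05-12T09:30:00", "user": "CORP\\ana", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "cmdline": r'"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"'},
]

CHROMIUM_IMAGES = ("chrome.exe", "msedge.exe", "chromium.exe", "brave.exe")
# Parents that mean "a script, not a person, started this browser" (assumed list).
AUTOMATION_PARENTS = ("chromedriver.exe", "msedgedriver.exe", "python.exe", "node.exe",
                      "powershell.exe", "cmd.exe")
HIDDEN_FLAGS = ("--headless", "--remote-debugging-port", "--remote-debugging-pipe")


def hidden_chromium_launches(events):
    """Flag Chromium launches that look automated or hidden, and note when the
    interactive profile (cookies, IndexedDB, hence WhatsApp Web's session) is reused."""
    hits = []
    for ev in events:
        image = ev["image"].rsplit("\\", 1)[-1].lower()
        if image not in CHROMIUM_IMAGES:
            continue
        cmd = ev["cmdline"].lower()
        parent = ev["parent"].rsplit("\\", 1)[-1].lower()
        reasons = [flag for flag in HIDDEN_FLAGS if flag in cmd]
        if parent in AUTOMATION_PARENTS:
            reasons.append("automation parent " + parent)
        if "--user-data-dir" in cmd and "\\user data" in cmd:
            reasons.append("real user profile reused")
        if reasons:
            hits.append({"ts": ev["ts"], "user": ev["user"], "reasons": reasons})
    return hits


# Constructed outbound-mail gateway log as (timestamp, sender). ana normally sends a
# couple of messages a day; the ten-message burst on the 12th is what the Outlook
# propagation would look like at the gateway. noreply is a legitimately busy sender.
SAMPLE_MAIL = (
    [("2026-05-11T10:00:00", "ana@corp.example"), ("2026-05-11T15:20:00", "ana@corp.example"),
     ("2026-05-11T11:05:00", "bob@corp.example"), ("2026-05-12T08:40:00", "bob@corp.example")]
    + [(f"2026-05-12T09:3{i}:00", "ana@corp.example") for i in range(10)]
    + [(f"2026-05-1{d}T{h:02d}:00:00", "noreply@corp.example") for d in (1, 2) for h in range(24)]
)


def outbound_mail_spikes(mail, window=timedelta(minutes=10), min_burst=8, factor=5):
    """Flag a sender whose count inside any `window` reaches `min_burst` and is at
    least `factor` times that sender's average daily volume on earlier days."""
    by_sender = defaultdict(list)
    for ts, sender in mail:
        by_sender[sender].append(datetime.fromisoformat(ts))
    spikes = []
    for sender, times in by_sender.items():
        times.sort()
        per_day = Counter(t.date() for t in times)
        for i, start in enumerate(times):
            n = bisect_right(times, start + window) - i  # messages in [start, start+window]
            if n < min_burst:
                continue
            prior = [c for d, c in per_day.items() if d < start.date()]
            baseline = sum(prior) / len(prior) if prior else 0.0
            if n >= factor * baseline:
                spikes.append({"sender": sender, "start": start.isoformat(),
                               "count": n, "baseline_per_day": baseline})
                break  # one alert per sender is enough for triage
    return spikes


if __name__ == "__main__":
    for hit in hidden_chromium_launches(SAMPLE_PROCESSES):
        print("hidden chromium:", hit)
    for spike in outbound_mail_spikes(SAMPLE_MAIL):
        print("mail burst:", spike)
```

The profile-reuse reason is the one to weight highest: automation frameworks normally create a throwaway profile, so a headless browser pointed at the user's real `User Data` directory is what turns "somebody is running Selenium" into "somebody is borrowing this person's logged-in sessions". For the mail rule, a consistently busy sender never trips it because its per-day baseline is high; a new sender with no history is judged on the burst size alone.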
None of these are exotic. They're standard components of a layered security posture. The question is whether they're in place before a TCLBANKER-style infection reaches your institution, or whether you're building those controls in response to an incident.
A Thought Worth Sitting With
The most effective thing TCLBANKER does isn't the credential harvesting. It's the trust exploitation. The malware converts the professional relationships your employees have built, with colleagues, clients, and counterparties, into an attack vector. The message travels because it appears to come from someone the recipient trusts.
Banks are built on trust. Any threat sophisticated enough to weaponize that trust, turning your own employees' relationships against you, deserves serious attention, even when its current epicenter is thousands of miles away.
Get Your Security Stack Assessed
At Mytec, we help financial institutions evaluate their endpoint and network security posture, identify detection gaps, and build the layered controls that catch threats like TCLBANKER before they spread through an organization. If you're unsure whether your current security tools would flag this kind of attack, that's worth finding out before the question becomes urgent.
Contact us for a complimentary assessment. We'll give you an honest picture of where you stand and what it takes to close the gap.