
TCLBanker Malware Targets 59 Financial Services Including Banking, Fintech, and Crypto Platforms


(AsiaGameHub) – Hackers are deploying TCLBanker, a Windows trojan that has been linked to malicious Microsoft installer packages, to steal credentials from and hijack the sessions of users of banking, fintech, and cryptocurrency platforms.


Key Insights

  • TCLBanker watches for visits to 59 specific financial services.
  • The malware can propagate via WhatsApp and Microsoft Outlook.
  • Fake overlay interfaces capture login credentials, PINs, phone numbers, and other sensitive information.

Discovered by Elastic Security Labs, the trojan is believed to have evolved from the earlier Maverick and Sorvepotel malware families. According to BleepingComputer, this campaign primarily targets users in Brazil, where the malware monitors browser activity for interactions with selected financial applications and websites.

Rather than waiting for a victim to stumble into a trap, TCLBanker polls the browser address bar once per second and, the moment it sees one of the targeted platforms, opens a WebSocket connection to its command-and-control server. The operator therefore gains remote access to the victim's machine at the point where a targeted banking, fintech, or crypto site is being opened, which is exactly when the session is most valuable.
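The trigger behaviour described above (a watched domain appears in the browser, and a non-browser process immediately reaches out to a C2) is also what a defender can correlate on. The following is an added example of that correlation logic, not detection content from Elastic Security Labs or BleepingComputer. The log format, the watch list of example domains, the browser image names, and the 5-second window are all assumptions constructed for the example; the real list of 59 services is not reproduced.

```python
"""
Illustrative correlation for the TCLBanker trigger pattern: a browser navigates
to a watched financial domain, and within seconds a NON-browser process opens an
outbound connection (the trojan's WebSocket to its C2).

Added example. Event format, watch list and log lines are constructed here and
are not taken from the malware or from any vendor's detection rule.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Hypothetical watch list; stands in for the trojan's real 59-service list.
WATCHED_DOMAINS = ("bank-example.com.br", "pay-example.com", "crypto-example.io")
# Assumed browser image names; a real deployment would use its own inventory.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
# The malware polls once per second, so a few seconds is enough to link events.
CORRELATION_WINDOW = timedelta(seconds=5)


@dataclass(frozen=True)
class Event:
    ts: datetime
    kind: str      # "nav": browser navigated to a URL; "conn": outbound connection
    process: str   # image name of the process that produced the event
    detail: str    # URL for "nav", "host:port" for "conn"


def parse_line(line: str) -> Event:
    """Parse one constructed log line of the form '<iso-ts> <kind> <process> <detail>'."""
    ts, kind, process, detail = line.split(maxsplit=3)
    return Event(datetime.fromisoformat(ts.replace("Z", "+00:00")), kind, process.lower(), detail)


def is_watched(url: str) -> bool:
    """True if the URL's host is a watched domain or a subdomain of one.

    Matching on the label boundary (exact host, or host ending in '.' + domain)
    rejects lookalikes such as 'bank-example.com.br.evil.example' and
    'notbank-example.com.br', which a plain substring check would accept.
    """
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in WATCHED_DOMAINS)


def correlate(lines):
    """Return (process, destination, triggering_url) for every non-browser
    process that opens an outbound connection within CORRELATION_WINDOW after a
    browser visited a watched domain."""
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e.ts)
    watched_navs = []   # browser navigations to watched domains, in time order
    alerts = []
    for ev in events:
        if ev.kind == "nav" and ev.process in BROWSERS and is_watched(ev.detail):
            watched_navs.append(ev)
        elif ev.kind == "conn" and ev.process not in BROWSERS:
            # Browsers open their own connections to the bank; only a foreign
            # process connecting right after the visit is suspicious here.
            trigger = next((n for n in reversed(watched_navs)
                            if timedelta(0) <= ev.ts - n.ts <= CORRELATION_WINDOW), None)
            if trigger is not None:
                alerts.append((ev.process, ev.detail, trigger.detail))
    return alerts


# Constructed sample log. Only the 13:02:12 connection should fire: it is from a
# non-browser process, 2 s after a visit to a watched domain. The others are a
# connection with no preceding visit, the browser's own connection, a lookalike
# domain, and a connection 30 s after a visit (outside the window).
SAMPLE_LOG = """\
2025-01-15T13:00:00Z nav chrome.exe https://news.example.org/
2025-01-15T13:00:02Z conn update_helper.exe 203.0.113.7:443
2025-01-15T13:02:10Z nav chrome.exe https://www.bank-example.com.br/login
2025-01-15T13:02:11Z conn chrome.exe 198.51.100.20:443
2025-01-15T13:02:12Z conn update_helper.exe 203.0.113.7:443
2025-01-15T13:05:00Z nav chrome.exe https://bank-example.com.br.evil.example/
2025-01-15T13:05:01Z conn update_helper.exe 203.0.113.7:443
2025-01-15T13:09:00Z nav msedge.exe https://app.pay-example.com/
2025-01-15T13:09:30Z conn update_helper.exe 203.0.113.7:443
""".splitlines()


if __name__ == "__main__":
    for process, dest, url in correlate(SAMPLE_LOG):
        print(f"ALERT: {process} -> {dest} within {CORRELATION_WINDOW.seconds}s of {url}")
```

The point of the label-boundary match in `is_watched` is the same one that matters for the trojan's own watch list: a substring match on "bank-example.com.br" would also fire on attacker-controlled lookalike hosts, so both the malware author and the defender end up matching on the registered domain and its subdomains. In production the `nav` events would come from browser telemetry or window-title monitoring and the `conn` events from Sysmon network events or an EDR, and the browser set would be an allowlist of signed browser binaries rather than bare image names.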

Fake Interfaces and Full System Control Enable Sophisticated Attacks

The real danger lies in the extensive control TCLBanker provides to threat actors. Operators can remotely view live screen feeds, take snapshots, record keystrokes, intercept clipboard data, execute shell commands, explore file systems, and manipulate input devices—including keyboard and mouse controls.

This level of access makes the malware especially hazardous for online banking, digital wallets, and fintech applications. During an active session, clipboard capture exposes copied wallet addresses, keystroke logging captures typed passwords and one-time authentication codes, and remote control of the keyboard and mouse lets the operator act inside the already authenticated session.

In addition to surveillance capabilities, TCLBanker employs deceptive overlay windows designed to mimic legitimate prompts such as login forms, PIN entry screens, bank support wait pages, Windows Update notifications, and loading progress bars. Despite varying appearances, the underlying objective remains consistent: extract confidential account details while maintaining the illusion of normal operation.

Prior to launching its full attack sequence, the trojan verifies system-specific attributes including timezone settings, keyboard layout, and regional locale. These checks help determine whether the infected device aligns with the intended geographic focus of the campaign. A practical consequence for analysts is that a sandbox whose timezone, keyboard layout, or locale does not match the Brazilian profile the malware expects may never reach the later stages of the infection.

A further complication stems from its propagation mechanism. TCLBanker contains built-in worm functionality that allows it to autonomously spread through trusted communication channels like WhatsApp and Outlook, enabling attackers to infiltrate new systems via platforms already familiar to users.

This article is provided by a third-party. AsiaGameHub (https://asiagamehub.com/) makes no warranties regarding its content.
