TCLBanker Trojan Hides Inside a Logitech AI Installer, Spreads via WhatsApp, and May Have Been Written by AI — The Future Is Exactly as Stupid as Promised

🤚 The Open-Palm Infection Report

A new banking trojan called TCLBanker is doing something genuinely impressive, in the way that a house fire is technically an impressive chemical reaction. Discovered by researchers at Elastic Security Labs, the malware arrives disguised as a legitimate Logitech AI Prompt Builder installer — because in 2026, even your peripheral manufacturer has an AI product, and apparently that’s now a viable attack vector.

The trojanized MSI installer loads malicious code via DLL side-loading within the legitimate Logitech application context, which means your security products see a perfectly normal Logitech process doing perfectly normal Logitech things. Except the things it’s doing include stealing your banking credentials, hijacking your WhatsApp, and sending phishing emails from your Outlook. Other than that, very normal.

TCLBanker currently targets 59 banking, fintech, and cryptocurrency platforms, with a geographical focus on Brazil — it checks your timezone, keyboard layout, and locale before activating, which is the malware equivalent of reading the room before committing a crime.

👐 The Two-Handed Technical Dissection

What makes TCLBanker genuinely alarming — beyond the baseline alarm of “a trojan is stealing bank credentials” — is the sophistication of its overlay system. Once installed, it monitors your browser’s address bar every single second using Windows UI Automation APIs. When you visit a targeted banking site, it:

  • Establishes WebSocket sessions with command-and-control servers
  • Captures live screen streams and screenshots
  • Performs keylogging and clipboard hijacking
  • Deploys WPF-based overlay systems — fake credential prompts, PIN keypads, phone number collection forms, and even fake Windows Update screens
  • Enables remote mouse and keyboard control
  • Kills Task Manager to hide its activity

The overlay system is particularly devious. It can display “cutout” overlays that mask portions of legitimate applications, essentially performing real-time cosmetic surgery on your banking interface so you never notice the extra fields asking for your mother’s maiden name, your PIN, and your existential certainty that online banking was a good idea.

🌿 The Gentle Awakening

But TCLBanker’s pièce de résistance is its self-propagation. This isn’t just a trojan — it’s a worm, and it spreads through two channels your grandmother definitely uses.

The WhatsApp module hijacks WhatsApp Web by harvesting authenticated IndexedDB data from Chromium browser profiles, launching hidden browser instances, commandeering your account, extracting your contacts, filtering for Brazilian phone numbers, and sending spam messages directing victims to TCLBanker distribution sites. Your contacts receive what appears to be a message from you. It is not from you. You are busy having your banking credentials harvested.

The Outlook module uses COM automation to launch Outlook, harvest contacts and sender addresses, and send phishing emails from your account. Your colleagues will receive a perfectly formatted email from your address containing a link to a trojanized Logitech installer. It’s the circle of malware life.
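The chain described in the last few paragraphs (an unsigned DLL side-loaded into the vendor process, Task Manager being killed, a non-browser process reading a Chromium profile’s IndexedDB store, a hidden browser launched from a copied profile, and Outlook started by something other than the user’s shell) is exactly the kind of behaviour endpoint telemetry can catch even when the parent process looks like a perfectly normal Logitech binary. The script below is an added example, not Elastic’s or Logitech’s code: it runs a handful of triage rules over a constructed sample of Sysmon-style events. Every path, user name, process name and command line in it is made up for illustration; the Logitech executable name is a placeholder and the event shape is an assumption.

```python
"""Behavioural triage for the infection chain described above.

Added example, not Elastic's or Logitech's code. It runs offline over a
constructed sample of endpoint telemetry in a simplified, Sysmon-like
shape (an assumption); every path, user name and command line is made up.
"""
from pathlib import PureWindowsPath

BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe"}
USER_SHELLS = {"explorer.exe"}

# Constructed sample: the vendor binary name is a placeholder.
VENDOR_EXE = r"C:\Program Files\Logitech\PromptBuilder\LogiPromptBuilder.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
OUTLOOK = r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"

SAMPLE_EVENTS = [
    # Benign: a signed system DLL loaded from System32.
    {"type": "image_load", "process": VENDOR_EXE, "signed": True,
     "image": r"C:\Windows\System32\kernel32.dll"},
    # Side-loading: an unsigned DLL from a user-writable directory is
    # loaded into a process that lives under Program Files.
    {"type": "image_load", "process": VENDOR_EXE, "signed": False,
     "image": r"C:\Users\ana\AppData\Local\Temp\LogiHelper\version.dll"},
    # Task Manager terminated by the vendor process.
    {"type": "process_terminate", "actor": VENDOR_EXE,
     "target": r"C:\Windows\System32\Taskmgr.exe"},
    # A Chromium profile's IndexedDB store read by a non-browser process
    # (the WhatsApp Web origin directory name is constructed).
    {"type": "file_read", "process": VENDOR_EXE,
     "path": r"C:\Users\ana\AppData\Local\Google\Chrome\User Data\Default"
             r"\IndexedDB\https_web.whatsapp.com_0.indexeddb.leveldb\000003.log"},
    # A headless browser started from a copied profile by a non-browser parent.
    {"type": "process_create", "parent": VENDOR_EXE, "image": CHROME,
     "cmdline": r"chrome.exe --headless --user-data-dir=C:\Users\ana\AppData\Local\Temp\wa_profile"},
    # Benign: the user opens Chrome from the shell.
    {"type": "process_create", "parent": r"C:\Windows\explorer.exe",
     "image": CHROME, "cmdline": "chrome.exe"},
    # Outlook started by the vendor process instead of the user's shell.
    {"type": "process_create", "parent": VENDOR_EXE, "image": OUTLOOK,
     "cmdline": "OUTLOOK.EXE"},
]


def base(path):
    """Lower-cased file name of a Windows path."""
    return PureWindowsPath(path).name.lower()


def parts(path):
    """Lower-cased set of path components, for cheap location checks."""
    return {p.lower() for p in PureWindowsPath(path).parts}


def user_writable(path):
    # Crude but useful: anything under a user profile, Temp or ProgramData.
    return bool(parts(path) & {"users", "programdata", "temp"})


def triage(events):
    """Return (rule_name, detail) pairs for every event a rule matches."""
    findings = []
    for e in events:
        t = e["type"]
        if (t == "image_load" and not e["signed"]
                and user_writable(e["image"])
                and "program files" in parts(e["process"])):
            findings.append(("dll_sideload", e["image"]))
        elif (t == "process_terminate" and base(e["target"]) == "taskmgr.exe"
                and base(e["actor"]) not in USER_SHELLS):
            findings.append(("taskmgr_kill", e["actor"]))
        elif (t == "file_read" and base(e["process"]) not in BROWSERS
                and {"user data", "indexeddb"} <= parts(e["path"])):
            findings.append(("browser_profile_read", e["path"]))
        elif t == "process_create":
            img, parent = base(e["image"]), base(e["parent"])
            if (img in BROWSERS and parent not in BROWSERS | USER_SHELLS
                    and "--headless" in e["cmdline"]):
                findings.append(("hidden_browser", e["cmdline"]))
            elif img == "outlook.exe" and parent not in USER_SHELLS:
                findings.append(("outlook_automation", e["parent"]))
    return findings


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_EVENTS):
        print(f"{rule:22} {detail}")
```

Each rule on its own is noisy (updaters spawn browsers, admins kill Task Manager, backup agents read profile directories), which is why the useful signal is several of them firing under the same parent process within a short window; correlating on the parent, rather than tuning any single rule, is what turns this from an alert feed into a detection.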

Elastic Security Labs notes that the malware contains code artifacts suggesting AI may have assisted in its development. We have arrived at the future everyone predicted: AI helping criminals write better malware, distributed through AI-branded software, targeting people who were probably using AI to manage their finances. The snake is eating its own tail, and the tail was AI-generated.

👑 The Gold-Leaf Reckoning

TCLBanker also features anti-analysis protections that would make a nation-state blush: environment-dependent payload decryption that fails in sandboxes, and persistent watchdog threads hunting for x64dbg, IDA, dnSpy, Frida, ProcessHacker, Ghidra, and de4dot. It knows the names of every tool a security researcher would use to study it. It’s malware with a bibliography.

Elastic characterizes TCLBanker as representative of evolved LATAM malware — “democratizing sophisticated features previously available only to advanced threat actors.” Translation: the techniques that used to require a government budget are now available to anyone with a trojanized installer and a dream.

The current focus on Brazil doesn’t mean the rest of the world should relax. Similar Latin American banking trojans have historically expanded their targeting, and TCLBanker’s architecture is built for scalability. Today it checks for Brazilian keyboards. Tomorrow it could check for yours. The day after that, it’s sending WhatsApp messages to your mother pretending to be you, which — let’s be honest — it would probably do a better job of anyway.

“The malware was hiding inside an AI product, spreading through messaging apps, and may have been written with AI assistance. If this were any more 2026, it would have its own podcast and a Series A.” — The Slap of Wisdom Malware Sommelier Division, currently inspecting every Logitech installer with the suspicion usually reserved for gas station sushi