Deep Dive: How the TCLBANKER Trojan Exploits Signed Logitech Binaries for Financial Theft
Threat actors have leveled up their evasion tactics by weaponizing a legitimate, digitally signed Logitech installer to deploy a sophisticated new Brazilian banking trojan dubbed TCLBANKER. This isn’t just a simple credential stealer; it is a highly orchestrated piece of malware designed to hijack financial sessions, conduct live social engineering, and self-propagate via common communication platforms.
The campaign specifically targets the Brazilian financial sector, maintaining a “silent” presence until a victim navigates to one of 59 monitored banking, fintech, or cryptocurrency domains. At that point, the malware transitions from a dormant state to an active, high-control session hijacking tool.
According to research from Elastic Security Labs, TCLBANKER represents a significant evolutionary leap from the older MAVERICK and SORVEPOTEL malware families, currently tracked under the campaign identifier REF3076.
The Infection Vector: DLL Sideloading via Logi AI Prompt Builder
The initial compromise begins with a deceptive ZIP archive containing a malicious MSI installer. The clever part of this attack is the use of DLL sideloading. The installer drops a legitimate version of the Logi AI Prompt Builder application, but it also includes a rogue DLL named screen_retriever_plugin.dll.
While the filename mimics a standard Flutter plug-in, it actually serves as the primary loader for the trojan. Because the parent process (LogiAiPromptBuilder.exe) is a valid, signed Logitech binary, it provides a layer of “reputational camouflage,” allowing the malware to slip past many traditional EDR (Endpoint Detection and Response) solutions and user suspicion.

Advanced Evasion and Environment-Gated Decryption
Once the rogue DLL is loaded, it executes a feature-rich loader designed to make life difficult for security researchers. The loader employs a multi-layered defense strategy including anti-debugging, anti-sandboxing, and string encryption. It even goes as far as patching DbgUiRemoteBreakin() to prevent debuggers from attaching to the process.

To further frustrate automated analysis, the malware performs strict environmental validation. It will only execute if it is being called by the legitimate Logitech binary or its internal test binary, tclloader.exe. If it detects common analysis tools like rundll32.exe or regsvr32.exe, it immediately aborts.
Perhaps most impressively, TCLBANKER utilizes environment-gated payload decryption. The loader generates a unique “environment hash” based on specific system attributes:
- Hardware and disk size metrics
- Presence of debuggers
- The victim’s Brazilian locale and language settings
This hash is used as a component to derive the AES-256 decryption key for the final payload. If the malware is running in a sandbox or on a machine outside of Brazil, the hash will be incorrect, the decryption will fail silently, and the malicious payload will never unfold—effectively “ghosting” the researcher.
To bypass user-mode telemetry, the loader also replaces ntdll.dll in memory and patches EtwEventWrite, essentially blinding the operating system’s ability to log its activities.
The Payload: Session Hijacking and UI Overlay Attacks
The core of the infection is a .NET module called Tcl.Agent. This module uses Windows UI Automation APIs to monitor the active browser’s address bar. When a user visits one of the 59 targeted financial sites, the agent establishes a WebSocket connection to its Command-and-Control (C2) server at mxtestacionamentos[.]com.

Once connected, the attacker gains near-total control over the user’s session. They can capture screens, move the mouse, log keystrokes, and execute shell commands. Most deviously, the trojan employs a WPF-based full-screen overlay system. This allows attackers to display fake banking forms or convincing “Windows Update” screens that sit on top of the actual browser. These overlays can be set to be invisible to screen-sharing software, allowing a fraudster to guide a victim through a transaction in real-time while the victim sees nothing suspicious.
Self-Propagation: The Worm Modules
Beyond simple theft, the malware includes a secondary module, Tcl.WppBot, which enables the infection to spread like a worm through two primary channels:
- WhatsApp Bot: Hijacks existing WhatsApp Web sessions in Chromium browsers, injecting JavaScript to send malicious links and files to the victim’s Brazilian contacts.
- Outlook Bot: Uses COM automation to scrape the victim’s contact list and send high-trust phishing emails directly from the user’s actual account.
The entire operation leverages Cloudflare Workers to host its C2 infrastructure and payload delivery CDNs (such as documents.ef971a42.workers[.]dev), providing the attackers with a highly resilient and scalable backend.
Security Note: Organizations should monitor for unusual child processes stemming from legitimate signed binaries and keep a close eye on unexpected WebSocket connections to unknown domains.