Hackers Use TCLBanker To Attack 59 Financial Platforms
(Originally posted on: Crypto News – iGaming.org)
Hackers are using TCLBanker, a Windows trojan tied to tainted Microsoft installation packages, to target banking, fintech and cryptocurrency platforms.
Good to Know
- TCLBanker monitors visits to 59 targeted financial platforms.
- The malware can spread through WhatsApp and Microsoft Outlook.
- Fake overlay screens collect logins, PINs, phone numbers and other sensitive details.
Elastic Security Labs found the trojan and believes it has grown out of the older Maverick and Sorvepotel malware family. BleepingComputer reports that the campaign appears focused on Brazil, where the malware watches browser activity for visits to targeted apps and sites.
TCLBanker does not wait for a user to open a banking page by chance. It checks the browser address bar every second. Once someone opens one of the targeted platforms, the malware connects to a command-and-control server through a WebSocket session and gives operators remote access.
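The behaviour described above (a trojan that watches the address bar and, once a monitored site is open, opens a WebSocket session to its operators) suggests a simple endpoint correlation rule for defenders: a visit to a watchlisted financial domain followed within a few seconds by a WebSocket connection from a process that is not the browser. The sketch below is an added example, not code from the article, Elastic Security Labs or the malware; the event format, the process names, the watchlist entries and the remote host are all constructed placeholders (the article does not list the 59 platforms or any C2 address).

```python
"""Detection sketch: correlate a browser visit to a watchlisted financial
domain with a WebSocket connection opened shortly afterwards by a process
other than the browser.  Constructed example; all names are placeholders."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Event:
    ts: float      # seconds since epoch (constructed sample clock)
    kind: str      # "nav" = browser navigation, "ws" = WebSocket opened
    process: str   # image name of the process that produced the event
    target: str    # URL host for "nav", remote host for "ws"


# Placeholder watchlist; the real list of targeted platforms is not public here.
WATCHLIST = {"bank.example", "exchange.example"}
# Browsers are allowed to open their own WebSockets to the sites they load.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}


def find_suspicious(events: List[Event], window: float = 5.0) -> List[Tuple[Event, Event]]:
    """Return (nav, ws) pairs where a non-browser process opened a WebSocket
    within `window` seconds after a watchlisted site was visited."""
    navs = sorted(
        (e for e in events if e.kind == "nav" and e.target in WATCHLIST),
        key=lambda e: e.ts,
    )
    hits = []
    for ws in events:
        if ws.kind != "ws" or ws.process.lower() in BROWSERS:
            continue
        for nav in navs:
            # Only a WebSocket opened shortly *after* the visit is interesting.
            if 0.0 <= ws.ts - nav.ts <= window:
                hits.append((nav, ws))
                break
    return hits


# Constructed telemetry: one benign visit, one watchlisted visit, the browser's
# own WebSocket, a non-browser WebSocket right after the visit, and a late one.
SAMPLE = [
    Event(100.0, "nav", "chrome.exe", "news.example"),
    Event(105.0, "nav", "chrome.exe", "bank.example"),
    Event(105.5, "ws", "chrome.exe", "bank.example"),
    Event(107.0, "ws", "helper.exe", "203.0.113.10"),   # placeholder process/host
    Event(200.0, "ws", "helper.exe", "203.0.113.10"),   # outside the window
]


def run_sample() -> List[Tuple[Event, Event]]:
    """Apply the rule to the constructed sample; returns exactly one hit."""
    return find_suspicious(SAMPLE)


if __name__ == "__main__":
    for nav, ws in run_sample():
        print(f"{ws.process} opened WebSocket to {ws.target} "
              f"{ws.ts - nav.ts:.1f}s after visit to {nav.target}")
```

The rule is deliberately narrow: it ignores WebSockets the browser itself opens (the sites in question use them legitimately) and only fires when the timing matches the "detect visit, then connect" pattern the article describes, so it is a starting point for tuning against real process and network telemetry rather than a finished signature.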
Fake Screens And Remote Control Drive The Attack
The main risk comes from how much control TCLBanker gives attackers. Operators can stream the screen live, take screenshots, log keystrokes, hijack clipboard data, run shell commands, browse files and control the mouse and keyboard remotely.
That makes the malware dangerous for online banking, crypto wallets and fintech accounts. A copied wallet address, typed password or one-time code can all become exposed during an active session.
TCLBanker also uses fake overlay screens to trick users. Those screens can imitate credential prompts, PIN pads, bank support waiting pages, Windows Update messages and progress bars. The goal stays the same each time: collect private account data while making the screen look normal.
Before it begins deeper activity, the trojan checks timezone, keyboard layout and locale on the infected device. Those checks help it decide whether the machine fits the campaign target.
The spread method adds another problem. TCLBanker includes worm modules that let it move automatically through WhatsApp and Outlook, giving attackers a path into new systems through apps people already trust.