TCLBANKER Trojan Spreads via Compromised Messaging Accounts, Linked to Known Malware Family


Global Cryptocurrency
Release Time: 2026-05-10 03:11:01
BTCCSquare news:

A new malware campaign labeled REF3076 has been identified, spreading the TCLBANKER trojan through victims' own messaging accounts. Researchers have linked this threat to the MAVERICK/SORVEPOTEL malware family based on shared infrastructure and code patterns.

The trojan disguises itself as a legitimate Logi AI Prompt Builder installer, distributed via ZIP files. It uses DLL sideloading to execute malicious files masquerading as Flutter plugins. Once activated, the malware deploys two protected payloads: a banking module for financial theft and a worm module designed for self-propagation across systems.

Security analysts face significant obstacles in investigating TCLBANKER. The loader computes a three-part fingerprint from anti-debugging checks, system resource analysis, and language settings, and derives the decryption keys for the embedded payloads from that fingerprint. If a sandbox environment or debugging tool is detected, the failure condition causes the loader to terminate silently.
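The environment-keyed decryption described above, modelled as an added example (this is not code from the report or from the malware): the fingerprint component sets, the key derivation and the toy cipher are all assumptions. It shows why a sandbox with the wrong fingerprint gets nothing back, and that when each component comes from a small set an analyst can enumerate the whole fingerprint space offline instead of reproducing the victim's host.

```python
import hashlib
import hmac
import itertools

# Assumed (constructed) component sets; each is small and enumerable.
DEBUGGER_STATES = ("no_debugger", "debugger")
RESOURCE_CLASSES = ("low_cpu_small_ram", "normal", "high")
LANGUAGES = ("en-US", "pt-BR", "es-ES", "de-DE")


def derive_key(debugger: str, resources: str, language: str) -> bytes:
    """Assumed derivation: the payload key exists only on a host whose fingerprint matches."""
    fingerprint = f"{debugger}|{resources}|{language}".encode()
    return hashlib.sha256(fingerprint).digest()


def _keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (stand-in for whatever the real loader uses)."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt and tag, so a wrong key is detectable rather than producing garbage."""
    ct = _keystream_xor(key, plaintext)
    tag = hmac.new(key, ct, hashlib.sha256).digest()[:16]
    return tag + ct


def open_payload(key: bytes, blob: bytes):
    """Return the payload, or None when the fingerprint-derived key is wrong (loader would exit silently)."""
    tag, ct = blob[:16], blob[16:]
    if not hmac.compare_digest(tag, hmac.new(key, ct, hashlib.sha256).digest()[:16]):
        return None
    return _keystream_xor(key, ct)


def enumerate_candidates(blob: bytes):
    """Analyst side: try every fingerprint combination offline; 2*3*4 = 24 keys here."""
    for combo in itertools.product(DEBUGGER_STATES, RESOURCE_CLASSES, LANGUAGES):
        payload = open_payload(derive_key(*combo), blob)
        if payload is not None:
            return combo, payload
    return None, None


# Constructed sample: a payload sealed for a clean pt-BR host with ordinary resources.
SAMPLE_PAYLOAD = b"constructed banking-module bytes"
SAMPLE_BLOB = seal(derive_key("no_debugger", "normal", "pt-BR"), SAMPLE_PAYLOAD)
```

Running `open_payload` with a sandbox-like fingerprint (debugger present, or a different locale) returns None, while `enumerate_candidates(SAMPLE_BLOB)` recovers both the payload and the host profile the loader expects.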

Articles on this site are sourced from public networks or curated by AI for informational purposes only and do not represent BTCC’s views. Original rights belong to the respective authors. For copyright concerns, please contact [email protected]. BTCC assumes no liability for the accuracy, timeliness, or completeness of this information, and disclaims all liability arising from reliance on such content. This content is for reference only and should not be taken as investment, legal, or commercial advice.
