
New Brazilian Banking Trojan Targets 59 Platforms via Messaging Apps

Financial · AI-Generated & Algorithmically Scored

AI-generated from multiple sources. Verify before acting on this reporting.

SAO PAULO — A previously undocumented banking trojan identified as TCLBANKER is actively targeting 59 financial institutions across Brazil, utilizing WhatsApp and Outlook worms to compromise user credentials and execute remote control tasks on banking, fintech, and cryptocurrency platforms.

Security researchers identified the threat cluster, attributed to the group Water Saci, on May 8, 2026. The malware infiltrates devices through malicious links distributed via messaging services and email clients. Once installed, TCLBANKER harvests financial login information and grants attackers administrative access to victim systems.

The campaign represents a significant escalation in the sophistication of cyberattacks targeting the Brazilian financial sector. The trojan is capable of interacting with a wide array of digital banking interfaces, allowing threat actors to monitor transactions and initiate unauthorized transfers. Researchers note that the malware's ability to spread through Outlook worms suggests a coordinated effort to penetrate corporate networks as well as individual consumer accounts.

Trend Micro, Elastic Security Labs, and independent security researchers Jia Yu Chan, Daniel Stepanic, Seth Goodwin, and Terrance DeJesus contributed to the analysis of the threat. The group Water Saci has been linked to previous operations in the region, though this specific strain of malware marks a new development in their toolkit. The attribution points to a localized threat actor with specific knowledge of Brazilian banking infrastructure and communication habits.

Financial institutions in Brazil are currently assessing the scope of the intrusion. The targeting of 59 distinct platforms indicates a broad campaign rather than isolated incidents. The use of WhatsApp, a dominant communication tool in the country, highlights the attackers' strategy of leveraging trusted applications to bypass security protocols. Outlook worms further complicate the threat landscape by introducing a vector that can propagate within organizational email chains.

The malware's remote control capabilities allow operators to manipulate sessions in real time, potentially bypassing multi-factor authentication measures if the user is already logged in. This functionality poses a direct risk to the integrity of digital wallets and cryptocurrency exchanges, sectors that have seen increased adoption in Brazil over the last year.

As of now, the full extent of the data compromised remains unclear. Security teams are working to identify affected users and patch vulnerabilities exploited by the worm variants. The emergence of TCLBANKER raises questions about the resilience of current security measures against localized, highly targeted campaigns. Authorities have not yet announced any arrests or containment strategies, leaving the duration of the campaign and the total number of victims unknown.