Banking Trojan TCLBanker Targets Crypto Platforms, Expanding Threat to Digital‑Asset Firms
What Happened — Researchers at Elastic uncovered a new banking Trojan, TCLBanker, distributed as a fake installer for “Logitech AI Prompt Builder.” Once running, the malware checks for activity on 59 cryptocurrency, banking and fintech websites, hijacks the browser, captures credentials, keystrokes and clipboard data, and can remotely control the infected host. It also spreads via compromised WhatsApp Web and Microsoft Outlook accounts.
Why It Matters for TPRM —
- Credential‑theft capabilities give low‑level actors access to high‑value crypto accounts, raising third‑party risk for any vendor handling digital‑asset transactions.
- Self‑propagating features increase the attack surface across supply‑chain partners (e.g., SaaS wallets, KYC providers).
- The campaign is confirmed in Brazil and may expand globally, threatening any organization with crypto‑related services.
Who Is Affected — Financial‑services firms, crypto exchanges, fintech SaaS platforms, digital‑asset custodians, and any third‑party service that integrates with crypto payment APIs.
Recommended Actions —
- Review all third‑party contracts for crypto‑related services and verify they enforce multi‑factor authentication and secure installer verification.
- Conduct phishing‑simulation testing and tighten email‑gateway controls for Outlook and WhatsApp Web usage.
- Deploy endpoint detection and response (EDR) solutions capable of detecting browser‑hooking behavior and remote‑access tools.
Technical Notes —
- Attack vector: malicious installer delivered via phishing (fake “Logitech AI Prompt Builder”).
- Capabilities: browser activity monitoring, screen capture, keylogging, clipboard harvesting, credential‑stealing overlays, remote control, and lateral spread through WhatsApp Web and Outlook.
- No known CVE; the threat relies on social engineering and abuse of existing legitimate protocols rather than an exploitable flaw.
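To make the EDR recommendation above and the capability list concrete, here is an added triage example (not code from Elastic, DataBreachToday, or the malware analysis itself) that runs a defender-side heuristic over endpoint telemetry. It assumes the sensor already reports process-creation events with a verified Authenticode signer and cross-process access events (Sysmon-style event types 1 and 10 are the model). The sample events, the brand-to-signer mapping, and the access-right names used for scoring are constructed for illustration; real signer subjects must come from the vendor's certificate.

```python
"""Heuristic triage for fake-installer / browser-hooking activity (constructed example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Reference sets for the heuristic (constructed; tune per environment).
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
DELIVERY_PARENTS = BROWSERS | {"outlook.exe", "explorer.exe"}   # where a downloaded installer is typically launched from
USER_WRITABLE = ("c:\\users\\", "c:\\windows\\temp\\")            # paths any user can drop a binary into
# Hypothetical brand -> expected signer map; the real subject name must be read from the vendor's certificate.
EXPECTED_SIGNER = {"logitech": "Logitech"}
# Access rights that let one process write into or run code inside another (needed for browser hooking).
SENSITIVE_ACCESS = {"PROCESS_VM_WRITE", "PROCESS_VM_OPERATION", "PROCESS_CREATE_THREAD"}


@dataclass
class ProcessEvent:
    pid: int
    image: str            # full path of the launched binary
    parent_image: str     # full path of the parent process
    signer: Optional[str]  # verified Authenticode signer subject, or None if unsigned / invalid


@dataclass
class AccessEvent:
    source_pid: int
    target_image: str     # full path of the process whose handle was opened
    access: str           # access right granted on the handle


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX style path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(procs: List[ProcessEvent], accesses: List[AccessEvent]) -> List[Dict]:
    """Score each process; a finding lists every reason it looks like a fake installer or browser hook."""
    findings = []
    for p in procs:
        name = basename(p.image)
        reasons = []

        # 1. Unsigned binary launched from a user-writable path by a browser or mail client.
        low_trust = p.image.lower().startswith(USER_WRITABLE) and p.signer is None
        if low_trust and basename(p.parent_image) in DELIVERY_PARENTS:
            reasons.append("unsigned binary launched from user-writable path by browser/mail/explorer")

        # 2. File name borrows a vendor brand but the signer does not match that vendor.
        for brand, signer in EXPECTED_SIGNER.items():
            if brand in name and p.signer != signer:
                reasons.append(f"filename claims '{brand}' but signer is {p.signer!r}")

        # 3. Process obtained write/thread access to a browser process (hooking precondition).
        hooked = sorted({basename(a.target_image) for a in accesses
                         if a.source_pid == p.pid
                         and basename(a.target_image) in BROWSERS
                         and a.access in SENSITIVE_ACCESS})
        if hooked:
            reasons.append("obtained write/thread access to browser process(es): " + ", ".join(hooked))

        if reasons:
            findings.append({"pid": p.pid, "image": p.image, "score": len(reasons), "reasons": reasons})
    return sorted(findings, key=lambda f: -f["score"])


# Constructed sample telemetry: one benign browser, one suspicious download, one low-signal unsigned tool, one mail client.
SAMPLE_PROCESSES = [
    ProcessEvent(100, r"C:\Program Files\Google\Chrome\Application\chrome.exe", r"C:\Windows\explorer.exe", "Google LLC"),
    ProcessEvent(200, r"C:\Users\alice\Downloads\Logitech_AI_Prompt_Builder_Setup.exe",
                 r"C:\Program Files\Google\Chrome\Application\chrome.exe", None),
    ProcessEvent(300, r"C:\Users\alice\AppData\Local\Temp\extract\readme_viewer.exe", r"C:\Windows\explorer.exe", None),
    ProcessEvent(400, r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE", r"C:\Windows\explorer.exe",
                 "Microsoft Corporation"),
]
SAMPLE_ACCESS = [
    AccessEvent(200, r"C:\Program Files\Google\Chrome\Application\chrome.exe", "PROCESS_VM_WRITE"),
    AccessEvent(200, r"C:\Program Files\Google\Chrome\Application\chrome.exe", "PROCESS_CREATE_THREAD"),
    AccessEvent(300, r"C:\Program Files\Google\Chrome\Application\chrome.exe", "PROCESS_QUERY_INFORMATION"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_PROCESSES, SAMPLE_ACCESS):
        print(f"pid {f['pid']} score {f['score']}: {f['image']}")
        for r in f["reasons"]:
            print("   -", r)
```

On the sample data the downloaded "Logitech" installer scores on all three checks (untrusted origin, brand/signer mismatch, and write access into the browser), while the unsigned temp-folder tool that only queries a browser process scores one and surfaces as low priority. The three checks are deliberately independent so that a vendor-branded but correctly signed installer, or a signed tool that legitimately injects into browsers (accessibility software, some password managers), is not flagged on a single attribute.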
Source: DataBreachToday