TCLBANKER: Brazilian Banking Trojan Spreading via WhatsApp and Outlook
ID: 7c012633-24c4-5467-88c1-118ead30ef3c
STIX ID: report--7c012633-24c4-5467-88c1-118ead30ef3c
Feed Name: Elastic Security Labs
Elastic Security Labs documents TCLBANKER (REF3076), a sophisticated Brazilian banking trojan family. Its feature-rich anti-analysis loader deploys a .NET banking agent (WPF full-screen overlays for operator-driven social engineering) and worm modules that abuse WhatsApp Web and Outlook for mass distribution. The campaign uses Cloudflare Workers for C2 and file hosting and targets 59 Brazilian financial domains; the malware carries persistence and self-update mechanisms, and the report includes multiple IOCs.
