Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
JetBrains Patches 6 Vulnerabilities in TeamCity, YouTrack, IntelliJ IDEA
July 16, 2026
WhatsApp GhostPairing Flaw Lets Attackers Hijack Accounts
July 16, 2026
Flipper Zero Add-On Detects Skimmers with Specter Tool
July 16, 2026
Home/Threats/Logitech G HUB Critical Flaw Lets Attackers Deploy Banking Trojan
Threats

Logitech G HUB Critical Flaw Lets Attackers Deploy Banking Trojan

Key Takeaways A new banking trojan, TCLBANKER, is being distributed via trojanized Logitech G HUB installers, leveraging DLL sideloading. The malware specifically targets banking, fintech, and...

Emy Elsamnoudy
Emy Elsamnoudy
May 8, 2026 4 Min Read
45 0

Key Takeaways

  • A new banking trojan, TCLBANKER, is being distributed via trojanized Logitech G HUB installers, leveraging DLL sideloading.
  • The malware specifically targets banking, fintech, and cryptocurrency users in Brazil, monitoring 59 financial domains.
  • TCLBANKER features sophisticated anti-analysis techniques and self-spreading worm modules that exploit WhatsApp Web and Microsoft Outlook to propagate.
  • The campaign is actively evolving, with attackers utilizing Cloudflare Workers for flexible command-and-control infrastructure.

Sophisticated Banking Trojan Leverages Logitech Installer for Covert Deployment

A novel banking trojan, identified as TCLBANKER, has emerged in the threat landscape, employing a highly deceptive distribution mechanism. Attackers are embedding this malware within what appears to be a legitimate, digitally signed installer for Logitech’s G HUB software, effectively bypassing initial security checks. This campaign, tracked as REF3076, represents a significant escalation in malware delivery tactics, capitalizing on user trust in recognized software vendors.

Table Of Content

  • Key Takeaways
  • Sophisticated Banking Trojan Leverages Logitech Installer for Covert Deployment
  • Exploiting Trust: The Logitech Installer Deception
  • Self-Spreading Worm Modules Amplify the Threat
  • What You Should Do
  • Indicators of Compromise (IoCs):-

The infection sequence begins when a user executes a seemingly authentic Logitech application installer, often bundled within a ZIP file. Within this package, threat actors have weaponized the Logi AI Prompt Builder, a genuine Flutter-based application. They exploit a technique known as DLL sideloading to inject a malicious file into the application’s process. Upon execution, the legitimate application inadvertently loads the harmful DLL, initiating the malware’s operations without any overt indication to the user. Detailed analysis of this sophisticated campaign reveals the intricate operational tactics employed by the attackers.

Analysts at Elastic Security Labs were instrumental in identifying this new Brazilian banking trojan. Their assessment indicates that TCLBANKER is an advanced iteration of older malware families, specifically MAVERICK and SORVEPOTEL. Evidence suggests the campaign is in its nascent stages, with developer artifacts and incomplete phishing pages indicating ongoing infrastructure development by the threat actors.

TCLBANKER’s primary targets are individuals residing in Brazil who frequently access banking, fintech, and cryptocurrency platforms. The trojan operates by continuously monitoring the victim’s web browser, specifically looking for visits to any of 59 predefined financial domains.

Exploiting Trust: The Logitech Installer Deception

When a victim navigates to one of the targeted financial websites, TCLBANKER establishes a live connection with the attacker’s command and control (C2) server, granting the operator full control over the compromised system.

The capabilities of TCLBANKER extend far beyond simple credential harvesting. The malware can deploy convincing full-screen overlays that mimic legitimate banking interfaces, effectively freezing the user’s desktop to disorient them. Furthermore, it can terminate the Task Manager process, preventing victims from manually closing the malicious application. This coordinated approach is designed to facilitate seamless financial fraud from the attacker’s perspective.

The attackers meticulously crafted the infection chain to appear as innocuous as possible. The malicious ZIP archive contains an MSI installer masquerading as the Logi AI Prompt Builder. During installation, this trojanized package drops a malicious DLL named `screen_retriever_plugin.dll`, which imitates a genuine Flutter plugin and is automatically loaded when the application starts.

The loader component within this malicious DLL incorporates multiple anti-detection mechanisms. It performs checks for virtualized environments and sandboxes, verifies that the system’s default language is Brazilian Portuguese, and employs timing-based checks to identify emulation frameworks that accelerate sleep calls. If any of these conditions are not met, the malware self-terminates without leaving obvious traces, ensuring the payload only decrypts and executes on genuine, qualifying target systems.

Self-Spreading Worm Modules Amplify the Threat

A particularly concerning aspect of TCLBANKER is its inherent ability to propagate itself. The malware includes two distinct worm modules designed to spread to a victim’s contacts through trusted communication channels.

The first module hijacks active WhatsApp Web sessions within the victim’s browser, silently sending messages to Brazilian contacts that contain a link to download the malware. The second module leverages Microsoft Outlook automation, sending sophisticated phishing emails directly from the victim’s compromised email account.

The effectiveness of these self-spreading mechanisms is amplified by their ability to originate from known and trusted senders, making them significantly harder for conventional security filters to detect. The Outlook bot, for instance, first exfiltrates the victim’s contact list before dispatching highly personalized and authentic-looking emails.

Elastic researchers noted that the entire command-and-control and file-serving infrastructure for TCLBANKER is hosted on Cloudflare Workers under a single account. This configuration provides the operators with considerable flexibility, allowing them to rapidly rotate their infrastructure as needed to evade detection.

What You Should Do

  • Maintain Software Updates: Ensure all operating systems, applications, and security software are kept up-to-date with the latest patches and detection signatures.
  • Exercise Caution with Downloads: Be extremely wary of ZIP files or MSI installers received via messaging applications (like WhatsApp) or email, even if they appear to come from known contacts. Always verify the legitimacy of the sender and the file before opening or executing.
  • Monitor for Unusual Activity: Implement and monitor for suspicious scheduled tasks, unexpected DLL loads associated with legitimate software, and unusual outbound network connections. These can be early indicators of compromise.
  • Educate Users: Conduct regular cybersecurity awareness training for employees, emphasizing phishing detection, social engineering tactics, and the risks associated with untrusted downloads.

Indicators of Compromise (IoCs):-

Type Indicator Description
SHA-256 701d51b7be8b034c860bf97847bd59a87dca8481c4625328813746964995b626 TCLBanker loader component (screen_retriever_plugin.dll)
SHA-256 8a174aa70a4396547045aef6c69eb0259bae1706880f4375af71085eeb537059 TCLBanker loader component (screen_retriever_plugin.dll)
SHA-256 668f932433a24bbae89d60b24eee4a24808fc741f62c5a3043bb7c9152342f40 TCLBanker loader component (screen_retriever_plugin.dll)
SHA-256 63beb7372098c03baab77e0dfc8e5dca5e0a7420f382708a4df79bed2d900394 TCLBanker initial ZIP file (XXL_21042026-181516.zip)
Domain campanha1-api.ef971a42[.]workers.dev TCLBanker C2
Domain mxtestacionamentos[.]com TCLBanker C2
Domain documents.ef971a42.workers[.]dev TCLBanker file server
Domain arquivos-omie[.]com TCLBanker phishing page (under development)
Domain documentos-online[.]com TCLBanker phishing page (under development)
Domain afonsoferragista[.]com TCLBanker phishing page (under development)
Domain doccompartilhe[.]com TCLBanker phishing page (under development)
Domain recebamais[.]com TCLBanker phishing page (under development)

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackExploitHackerMalwarephishingSecurityThreat

Share Article

Emy Elsamnoudy

Emy Elsamnoudy

Emy is a cybersecurity analyst and reporter specializing in threat hunting, defense strategies, and industry trends. With expertise in proactive security measures, Emily covers the tools and techniques organizations use to detect and prevent cyber attacks. She is a regular speaker at security conferences and has contributed to industry reports on threat intelligence and security operations. Emily's reporting focuses on helping organizations improve their security posture through practical, actionable insights.

Previous Post

DarkMoon AI Platform Integrates 50+ Tools for Autonomous Pen Testing

Next Post

New Infostealer Attacks Use GitHub Releases for Evasion

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
Critical Zoom Windows Flient Flaw Lets Attackers Take Over Accounts via Network
July 16, 2026
TuxBot v3 IoT Botnet Hijacks Devices, Launches DDoS Attacks with LLM Code
July 16, 2026
Critical Windows Bug Lets Attackers Access SYSTEM Shell Without Credentials
July 16, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Emy Elsamnoudy
Emy Elsamnoudy
Jennifer sherman
Jennifer sherman
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us