Logitech G HUB Critical Flaw Lets Attackers Deploy Banking Trojan
Key Takeaways A new banking trojan, TCLBANKER, is being distributed via trojanized Logitech G HUB installers, leveraging DLL sideloading. The malware specifically targets banking, fintech, and...
Key Takeaways
- A new banking trojan, TCLBANKER, is being distributed via trojanized Logitech G HUB installers, leveraging DLL sideloading.
- The malware specifically targets banking, fintech, and cryptocurrency users in Brazil, monitoring 59 financial domains.
- TCLBANKER features sophisticated anti-analysis techniques and self-spreading worm modules that exploit WhatsApp Web and Microsoft Outlook to propagate.
- The campaign is actively evolving, with attackers utilizing Cloudflare Workers for flexible command-and-control infrastructure.
Sophisticated Banking Trojan Leverages Logitech Installer for Covert Deployment
A novel banking trojan, identified as TCLBANKER, has emerged in the threat landscape, employing a highly deceptive distribution mechanism. Attackers are embedding this malware within what appears to be a legitimate, digitally signed installer for Logitech’s G HUB software, effectively bypassing initial security checks. This campaign, tracked as REF3076, represents a significant escalation in malware delivery tactics, capitalizing on user trust in recognized software vendors.
Table Of Content
The infection sequence begins when a user executes a seemingly authentic Logitech application installer, often bundled within a ZIP file. Within this package, threat actors have weaponized the Logi AI Prompt Builder, a genuine Flutter-based application. They exploit a technique known as DLL sideloading to inject a malicious file into the application’s process. Upon execution, the legitimate application inadvertently loads the harmful DLL, initiating the malware’s operations without any overt indication to the user. Detailed analysis of this sophisticated campaign reveals the intricate operational tactics employed by the attackers.
Analysts at Elastic Security Labs were instrumental in identifying this new Brazilian banking trojan. Their assessment indicates that TCLBANKER is an advanced iteration of older malware families, specifically MAVERICK and SORVEPOTEL. Evidence suggests the campaign is in its nascent stages, with developer artifacts and incomplete phishing pages indicating ongoing infrastructure development by the threat actors.
TCLBANKER’s primary targets are individuals residing in Brazil who frequently access banking, fintech, and cryptocurrency platforms. The trojan operates by continuously monitoring the victim’s web browser, specifically looking for visits to any of 59 predefined financial domains.
Exploiting Trust: The Logitech Installer Deception
When a victim navigates to one of the targeted financial websites, TCLBANKER establishes a live connection with the attacker’s command and control (C2) server, granting the operator full control over the compromised system.
The capabilities of TCLBANKER extend far beyond simple credential harvesting. The malware can deploy convincing full-screen overlays that mimic legitimate banking interfaces, effectively freezing the user’s desktop to disorient them. Furthermore, it can terminate the Task Manager process, preventing victims from manually closing the malicious application. This coordinated approach is designed to facilitate seamless financial fraud from the attacker’s perspective.
The attackers meticulously crafted the infection chain to appear as innocuous as possible. The malicious ZIP archive contains an MSI installer masquerading as the Logi AI Prompt Builder. During installation, this trojanized package drops a malicious DLL named `screen_retriever_plugin.dll`, which imitates a genuine Flutter plugin and is automatically loaded when the application starts.
The loader component within this malicious DLL incorporates multiple anti-detection mechanisms. It performs checks for virtualized environments and sandboxes, verifies that the system’s default language is Brazilian Portuguese, and employs timing-based checks to identify emulation frameworks that accelerate sleep calls. If any of these conditions are not met, the malware self-terminates without leaving obvious traces, ensuring the payload only decrypts and executes on genuine, qualifying target systems.
Self-Spreading Worm Modules Amplify the Threat
A particularly concerning aspect of TCLBANKER is its inherent ability to propagate itself. The malware includes two distinct worm modules designed to spread to a victim’s contacts through trusted communication channels.
The first module hijacks active WhatsApp Web sessions within the victim’s browser, silently sending messages to Brazilian contacts that contain a link to download the malware. The second module leverages Microsoft Outlook automation, sending sophisticated phishing emails directly from the victim’s compromised email account.
The effectiveness of these self-spreading mechanisms is amplified by their ability to originate from known and trusted senders, making them significantly harder for conventional security filters to detect. The Outlook bot, for instance, first exfiltrates the victim’s contact list before dispatching highly personalized and authentic-looking emails.
Elastic researchers noted that the entire command-and-control and file-serving infrastructure for TCLBANKER is hosted on Cloudflare Workers under a single account. This configuration provides the operators with considerable flexibility, allowing them to rapidly rotate their infrastructure as needed to evade detection.
What You Should Do
- Maintain Software Updates: Ensure all operating systems, applications, and security software are kept up-to-date with the latest patches and detection signatures.
- Exercise Caution with Downloads: Be extremely wary of ZIP files or MSI installers received via messaging applications (like WhatsApp) or email, even if they appear to come from known contacts. Always verify the legitimacy of the sender and the file before opening or executing.
- Monitor for Unusual Activity: Implement and monitor for suspicious scheduled tasks, unexpected DLL loads associated with legitimate software, and unusual outbound network connections. These can be early indicators of compromise.
- Educate Users: Conduct regular cybersecurity awareness training for employees, emphasizing phishing detection, social engineering tactics, and the risks associated with untrusted downloads.
Indicators of Compromise (IoCs):-
| Type | Indicator | Description |
|---|---|---|
| SHA-256 | 701d51b7be8b034c860bf97847bd59a87dca8481c4625328813746964995b626 | TCLBanker loader component (screen_retriever_plugin.dll) |
| SHA-256 | 8a174aa70a4396547045aef6c69eb0259bae1706880f4375af71085eeb537059 | TCLBanker loader component (screen_retriever_plugin.dll) |
| SHA-256 | 668f932433a24bbae89d60b24eee4a24808fc741f62c5a3043bb7c9152342f40 | TCLBanker loader component (screen_retriever_plugin.dll) |
| SHA-256 | 63beb7372098c03baab77e0dfc8e5dca5e0a7420f382708a4df79bed2d900394 | TCLBanker initial ZIP file (XXL_21042026-181516.zip) |
| Domain | campanha1-api.ef971a42[.]workers.dev | TCLBanker C2 |
| Domain | mxtestacionamentos[.]com | TCLBanker C2 |
| Domain | documents.ef971a42.workers[.]dev | TCLBanker file server |
| Domain | arquivos-omie[.]com | TCLBanker phishing page (under development) |
| Domain | documentos-online[.]com | TCLBanker phishing page (under development) |
| Domain | afonsoferragista[.]com | TCLBanker phishing page (under development) |
| Domain | doccompartilhe[.]com | TCLBanker phishing page (under development) |
| Domain | recebamais[.]com | TCLBanker phishing page (under development) |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.