TCLBANKER (REF3076): Brazilian Banking Trojan Evolves with WhatsApp/Outlook Worms
Has anyone dug into the latest Elastic Security Labs report on REF3076 (TCLBANKER)? It looks like the old "Maverick" banking trojan just got a significant facelift. What is particularly worrying is the reintroduction of the SORVEPOTEL worm capabilities to propagate via WhatsApp and Outlook.
This variant is aggressively targeting 59 specific banking, fintech, and crypto platforms. The worm component implies that a single compromised machine can quickly pivot to infect a victim's contact list, making containment a nightmare for SOC teams.
Relying on static signatures is usually pointless here given the obfuscation levels typical of Brazilian banking trojans. We need to focus on behavioral anomalies. Specifically, we should be hunting for legitimate communication apps spawning unauthorized shells or script interpreters.
Here is a basic KQL query I’m using to hunt for parent/child process anomalies involving Outlook and WhatsApp Desktop:
// EQL (Elastic Event Query Language); ':' matches case-insensitively and accepts wildcards.
process where host.os.type == "windows" and event.type == "start" and
  process.parent.name : ("outlook.exe", "WhatsApp.exe") and
  process.name : ("powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe") and
  // EQL has no "contains" operator: wildcard-match the Electron renderer helper instead.
  not process.command_line : "*--type=renderer*"
// Do not exclude process.executable under C:\Windows\System32\*: cmd.exe, wscript.exe
// and mshta.exe live there (powershell.exe under System32\WindowsPowerShell\v1.0),
// so that clause would suppress every hit.
I'm also curious if anyone has identified persistence mechanisms other than Registry Run keys yet? Given the scope of targets, are we seeing a shift back to endpoint worms after the ransomware hype?
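The parent/child hunt from the post above, replayed offline in Python against a handful of constructed ECS-shaped process events. This is an added example written for this thread, not code from the original post or from Elastic Security Labs. The events, the helper names (`_values`, `is_suspicious_child`, `hunt`) and the `exclude_system32` switch are assumptions made for illustration; the switch reproduces a `not process.executable : C:\Windows\System32\*` clause so its effect can be measured, and since every interpreter in the list ships from System32 it suppresses every hit.

```python
"""Offline replay of the Outlook/WhatsApp parent-child hunt over constructed events.

Added example: not code from the thread or from the Elastic Security Labs
report. Events are constructed for illustration and follow ECS field names
(host.os.type, event.type, process.parent.name, process.name,
process.executable, process.command_line).
"""
from __future__ import annotations

import fnmatch
from typing import Any

SUSPICIOUS_PARENTS = ("outlook.exe", "whatsapp.exe")
SUSPICIOUS_CHILDREN = ("powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe")
RENDERER_PATTERN = "*--type=renderer*"  # Electron helper processes, benign noise
SYSTEM32_PATTERN = "c:\\windows\\system32\\*"


def _values(event: dict[str, Any], path: str) -> list[str]:
    """Resolve a dotted ECS field to lower-cased strings ([] if absent).

    ECS allows array-valued fields (event.type is one), so always return a list.
    """
    node: Any = event
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return []
        node = node[key]
    items = node if isinstance(node, list) else [node]
    return [str(item).lower() for item in items]


def is_suspicious_child(event: dict[str, Any], exclude_system32: bool = False) -> bool:
    """A communication app spawning a shell or script host (case-insensitive).

    exclude_system32 mirrors a 'not process.executable : C:\\Windows\\System32\\*'
    clause so its effect on the hunt can be observed.
    """
    if "windows" not in _values(event, "host.os.type"):
        return False
    if "start" not in _values(event, "event.type"):          # only process starts
        return False
    if not any(p in SUSPICIOUS_PARENTS for p in _values(event, "process.parent.name")):
        return False
    if not any(c in SUSPICIOUS_CHILDREN for c in _values(event, "process.name")):
        return False
    if any(fnmatch.fnmatchcase(cl, RENDERER_PATTERN)
           for cl in _values(event, "process.command_line")):
        return False
    if exclude_system32 and any(fnmatch.fnmatchcase(exe, SYSTEM32_PATTERN)
                                for exe in _values(event, "process.executable")):
        return False
    return True


def hunt(events: list[dict[str, Any]], exclude_system32: bool = False) -> list[str]:
    """Return event.id of every event the hunt flags, in input order."""
    return [_values(e, "event.id")[0] for e in events
            if is_suspicious_child(e, exclude_system32)]


def _proc(event_id: str, parent: str, name: str, executable: str,
          command_line: str, event_type: str = "start") -> dict[str, Any]:
    """Build one constructed ECS process event (sample data, not real telemetry)."""
    return {
        "host": {"os": {"type": "windows"}},
        "event": {"id": event_id, "category": ["process"], "type": [event_type]},
        "process": {"parent": {"name": parent}, "name": name,
                    "executable": executable, "command_line": command_line},
    }


SYS32 = "C:\\Windows\\System32\\"
SAMPLE_EVENTS = [
    # Outlook launching hidden, encoded PowerShell: a classic attachment follow-on.
    _proc("evt-1", "OUTLOOK.EXE", "powershell.exe",
          SYS32 + "WindowsPowerShell\\v1.0\\powershell.exe",
          "powershell.exe -w hidden -nop -enc SQBFAFgA"),
    # WhatsApp Desktop running a cmd.exe one-liner that chains into wscript.
    _proc("evt-2", "WhatsApp.exe", "cmd.exe", SYS32 + "cmd.exe",
          "cmd.exe /c start /min wscript.exe %TEMP%\\upd.js"),
    # Electron renderer helper: WhatsApp re-spawning its own image, benign.
    _proc("evt-3", "WhatsApp.exe", "WhatsApp.exe",
          "C:\\Users\\alice\\AppData\\Local\\WhatsApp\\WhatsApp.exe",
          "WhatsApp.exe --type=renderer --field-trial-handle=1"),
    # Shell from explorer.exe: ordinary user action, parent not in scope.
    _proc("evt-4", "explorer.exe", "powershell.exe",
          SYS32 + "WindowsPowerShell\\v1.0\\powershell.exe", "powershell.exe"),
    # Process-end telemetry for an Outlook child: not a start event.
    _proc("evt-5", "outlook.exe", "mshta.exe", SYS32 + "mshta.exe",
          "mshta.exe C:\\Users\\alice\\AppData\\Local\\Temp\\i.hta", event_type="end"),
    # Mixed-case image name: must still match, as EQL ':' would.
    _proc("evt-6", "outlook.exe", "WScript.exe", SYS32 + "wscript.exe",
          "WScript.exe //B C:\\Users\\alice\\Downloads\\invoice.js"),
]

if __name__ == "__main__":
    print("flagged:", hunt(SAMPLE_EVENTS))
    print("flagged with System32 exclusion:", hunt(SAMPLE_EVENTS, exclude_system32=True))
```

Running the file flags evt-1, evt-2 and evt-6 and nothing once the System32 exclusion is switched on; the same lower-casing and wildcard rules are what EQL's `:` operator applies, so the Python and the query agree on which events fire.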
Solid query. We've started monitoring for AccessibilityService usage on mobile devices since that's how the overlays typically work to capture OTPs. On the Windows side, we are seeing more attempts to inject into explorer.exe to hide the window. I'd also suggest monitoring for unexpected COM object creation by these apps, often used to bypass Outlook security warnings silently.
The social engineering angle here is the real killer. If you get a message on WhatsApp from a compromised "friend," you click it without thinking. Standard perimeter defenses fail here. I've tested similar samples that abuse WhatsApp Web APIs to send themselves. We really need to enforce strict OAuth app policies for consumer accounts in corporate environments to stop the spread.
We actually blocked the WhatsApp desktop executable entirely via AppLocker last year after a different phishing campaign. It caused some pushback from the sales team, but it stopped this vector cold. For Outlook, we've disabled HTML rendering and auto-downloads for external senders. It's heavy-handed, but it's effective against these worms.