home.social

#bankingtrojan — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #bankingtrojan, aggregated by home.social.

  1. Inside Banana RAT: From Build Server to Banking Fraud

    An MDR investigation successfully mapped the complete operational infrastructure of Banana RAT, a Brazilian banking trojan operated by threat cluster SHADOW-WATER-063. The investigation uncovered both server-side and client-side components, revealing a sophisticated FastAPI-based polymorphic payload generation system that produces hash-unique builds to evade detection. The malware employs layered obfuscation, AES-wrapped payloads, and fileless PowerShell execution. Once deployed, it enables operator-driven fraud through remote input control, keylogging, screen streaming, bank-branded overlays, and Pix QR code interception specifically targeting Brazilian financial institutions. The tooling exclusively targets 16 Brazilian banks and crypto exchanges, with all operator artifacts written in Brazilian Portuguese, indicating a financially motivated actor operating within the Tetrade banking trojan ecosystem.

    Pulse ID: 6a0ce3af84b924ad15e27920
    Pulse Link: otx.alienvault.com/pulse/6a0ce
    Pulse Author: AlienVault
    Created: 2026-05-19 22:26:55

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #Bank #BankingTrojan #Brazil #CryptoExchange #CyberSecurity #InfoSec #Malware #OTX #OpenThreatExchange #PowerShell #RAT #RCE #Trojan #bot #AlienVault

  2. Banking Trojan Targets Crypto Firms with Sophisticated Attacks

    A new banking Trojan, dubbed TCLBanker, is wreaking havoc on crypto and finance platforms, allowing hackers to remotely control infected systems and steal sensitive info. This sophisticated attack, linked to North Korea's notorious Lazarus Group, has already led to the largest crypto platform hack of 2026.

    osintsights.com/banking-trojan

    #Tclbanker #BankingTrojan #LazarusGroup #NorthKorea #CryptoFirms

  3. TCLBANKER: Brazilian Banking Trojan Spreading via WhatsApp and Outlook — Elastic Security Labs

    Pulse ID: 6a01c05dfa507c2e736c894e
    Pulse Link: otx.alienvault.com/pulse/6a01c
    Pulse Author: CyberHunter_NL
    Created: 2026-05-11 11:41:17

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #Bank #BankingTrojan #Brazil #CyberSecurity #ElasticSecurityLabs #InfoSec #OTX #OpenThreatExchange #Outlook #Trojan #WhatsApp #bot #CyberHunter_NL

  4. TCLBANKER: Brazilian Banking Trojan Spreading via WhatsApp and Outlook — Elastic Security Labs

    Pulse ID: 6a01c05dfa507c2e736c894e
    Pulse Link: otx.alienvault.com/pulse/6a01c
    Pulse Author: CyberHunter_NL
    Created: 2026-05-11 11:41:17

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #Bank #BankingTrojan #Brazil #CyberSecurity #ElasticSecurityLabs #InfoSec #OTX #OpenThreatExchange #Outlook #Trojan #WhatsApp #bot #CyberHunter_NL

  5. TCLBANKER: Brazilian Banking Trojan Spreading via WhatsApp and Outlook — Elastic Security Labs

    Pulse ID: 6a01c05dfa507c2e736c894e
    Pulse Link: otx.alienvault.com/pulse/6a01c
    Pulse Author: CyberHunter_NL
    Created: 2026-05-11 11:41:17

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #Bank #BankingTrojan #Brazil #CyberSecurity #ElasticSecurityLabs #InfoSec #OTX #OpenThreatExchange #Outlook #Trojan #WhatsApp #bot #CyberHunter_NL

  6. TCLBANKER: Brazilian Banking Trojan Spreading via WhatsApp and Outlook — Elastic Security Labs

    Pulse ID: 6a01c05dfa507c2e736c894e
    Pulse Link: otx.alienvault.com/pulse/6a01c
    Pulse Author: CyberHunter_NL
    Created: 2026-05-11 11:41:17

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #Bank #BankingTrojan #Brazil #CyberSecurity #ElasticSecurityLabs #InfoSec #OTX #OpenThreatExchange #Outlook #Trojan #WhatsApp #bot #CyberHunter_NL

  7. TCLBANKER: Brazilian Banking Trojan Spreading via WhatsApp and Outlook — Elastic Security Labs

    Pulse ID: 6a01c05dfa507c2e736c894e
    Pulse Link: otx.alienvault.com/pulse/6a01c
    Pulse Author: CyberHunter_NL
    Created: 2026-05-11 11:41:17

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #Bank #BankingTrojan #Brazil #CyberSecurity #ElasticSecurityLabs #InfoSec #OTX #OpenThreatExchange #Outlook #Trojan #WhatsApp #bot #CyberHunter_NL

  8. New TrickMo Variant: Device Take Over malware targeting Banking, Fintech, Wallet & Auth apps

    A new variant of the TrickMo Android banking trojan was identified between January and February 2026, representing a substantial platform redesign rather than new capabilities. The malware has migrated its command-and-control infrastructure entirely onto The Open Network (TON) using .adnl endpoints, moving away from conventional internet infrastructure. Active campaigns have targeted banking and wallet users in France, Italy, and Austria. Once accessibility permissions are granted, operators gain real-time device control including credential phishing, keylogging, screen recording, SMS interception, and bidirectional remote control. New features include network reconnaissance capabilities and SSH tunnelling that transform infected devices into programmable network pivots and SOCKS5 proxy exit nodes, enabling operators to bypass IP-based fraud detection systems while accessing victim networks.

    Pulse ID: 6a019c5f0a3344d92c4302a3
    Pulse Link: otx.alienvault.com/pulse/6a019
    Pulse Author: AlienVault
    Created: 2026-05-11 09:07:43

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #Android #Bank #BankingTrojan #CyberSecurity #Endpoint #France #InfoSec #Italy #Malware #OTX #OpenThreatExchange #Phishing #Proxy #RAT #RCE #SMS #SSH #Trojan #bot #socks5 #AlienVault

  9. New TrickMo Variant: Device Take Over malware targeting Banking, Fintech, Wallet & Auth apps

    A new variant of the TrickMo Android banking trojan was identified between January and February 2026, representing a substantial platform redesign rather than new capabilities. The malware has migrated its command-and-control infrastructure entirely onto The Open Network (TON) using .adnl endpoints, moving away from conventional internet infrastructure. Active campaigns have targeted banking and wallet users in France, Italy, and Austria. Once accessibility permissions are granted, operators gain real-time device control including credential phishing, keylogging, screen recording, SMS interception, and bidirectional remote control. New features include network reconnaissance capabilities and SSH tunnelling that transform infected devices into programmable network pivots and SOCKS5 proxy exit nodes, enabling operators to bypass IP-based fraud detection systems while accessing victim networks.

    Pulse ID: 6a019c5f0a3344d92c4302a3
    Pulse Link: otx.alienvault.com/pulse/6a019
    Pulse Author: AlienVault
    Created: 2026-05-11 09:07:43

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #Android #Bank #BankingTrojan #CyberSecurity #Endpoint #France #InfoSec #Italy #Malware #OTX #OpenThreatExchange #Phishing #Proxy #RAT #RCE #SMS #SSH #Trojan #bot #socks5 #AlienVault

  10. New TrickMo Variant: Device Take Over malware targeting Banking, Fintech, Wallet & Auth apps

    A new variant of the TrickMo Android banking trojan was identified between January and February 2026, representing a substantial platform redesign rather than new capabilities. The malware has migrated its command-and-control infrastructure entirely onto The Open Network (TON) using .adnl endpoints, moving away from conventional internet infrastructure. Active campaigns have targeted banking and wallet users in France, Italy, and Austria. Once accessibility permissions are granted, operators gain real-time device control including credential phishing, keylogging, screen recording, SMS interception, and bidirectional remote control. New features include network reconnaissance capabilities and SSH tunnelling that transform infected devices into programmable network pivots and SOCKS5 proxy exit nodes, enabling operators to bypass IP-based fraud detection systems while accessing victim networks.

    Pulse ID: 6a019c5f0a3344d92c4302a3
    Pulse Link: otx.alienvault.com/pulse/6a019
    Pulse Author: AlienVault
    Created: 2026-05-11 09:07:43

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #Android #Bank #BankingTrojan #CyberSecurity #Endpoint #France #InfoSec #Italy #Malware #OTX #OpenThreatExchange #Phishing #Proxy #RAT #RCE #SMS #SSH #Trojan #bot #socks5 #AlienVault

  11. New TrickMo Variant: Device Take Over malware targeting Banking, Fintech, Wallet & Auth apps

    A new variant of the TrickMo Android banking trojan was identified between January and February 2026, representing a substantial platform redesign rather than new capabilities. The malware has migrated its command-and-control infrastructure entirely onto The Open Network (TON) using .adnl endpoints, moving away from conventional internet infrastructure. Active campaigns have targeted banking and wallet users in France, Italy, and Austria. Once accessibility permissions are granted, operators gain real-time device control including credential phishing, keylogging, screen recording, SMS interception, and bidirectional remote control. New features include network reconnaissance capabilities and SSH tunnelling that transform infected devices into programmable network pivots and SOCKS5 proxy exit nodes, enabling operators to bypass IP-based fraud detection systems while accessing victim networks.

    Pulse ID: 6a019c5f0a3344d92c4302a3
    Pulse Link: otx.alienvault.com/pulse/6a019
    Pulse Author: AlienVault
    Created: 2026-05-11 09:07:43

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #Android #Bank #BankingTrojan #CyberSecurity #Endpoint #France #InfoSec #Italy #Malware #OTX #OpenThreatExchange #Phishing #Proxy #RAT #RCE #SMS #SSH #Trojan #bot #socks5 #AlienVault

  12. New TrickMo Variant: Device Take Over malware targeting Banking, Fintech, Wallet & Auth apps

    A new variant of the TrickMo Android banking trojan was identified between January and February 2026, representing a substantial platform redesign rather than new capabilities. The malware has migrated its command-and-control infrastructure entirely onto The Open Network (TON) using .adnl endpoints, moving away from conventional internet infrastructure. Active campaigns have targeted banking and wallet users in France, Italy, and Austria. Once accessibility permissions are granted, operators gain real-time device control including credential phishing, keylogging, screen recording, SMS interception, and bidirectional remote control. New features include network reconnaissance capabilities and SSH tunnelling that transform infected devices into programmable network pivots and SOCKS5 proxy exit nodes, enabling operators to bypass IP-based fraud detection systems while accessing victim networks.

    Pulse ID: 6a019c5f0a3344d92c4302a3
    Pulse Link: otx.alienvault.com/pulse/6a019
    Pulse Author: AlienVault
    Created: 2026-05-11 09:07:43

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #Android #Bank #BankingTrojan #CyberSecurity #Endpoint #France #InfoSec #Italy #Malware #OTX #OpenThreatExchange #Phishing #Proxy #RAT #RCE #SMS #SSH #Trojan #bot #socks5 #AlienVault

  13. TCLBANKER: Brazilian Banking Trojan Spreading via WhatsApp and Outlook

    Pulse ID: 6a016000ee4c7bcaf4f232e3
    Pulse Link: otx.alienvault.com/pulse/6a016
    Pulse Author: Tr1sa111
    Created: 2026-05-11 04:50:08

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #Bank #BankingTrojan #Brazil #CyberSecurity #InfoSec #OTX #OpenThreatExchange #Outlook #Trojan #WhatsApp #bot #Tr1sa111

  14. TCLBANKER: Brazilian Banking Trojan Spreading via WhatsApp and Outlook

    Pulse ID: 6a016000ee4c7bcaf4f232e3
    Pulse Link: otx.alienvault.com/pulse/6a016
    Pulse Author: Tr1sa111
    Created: 2026-05-11 04:50:08

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #Bank #BankingTrojan #Brazil #CyberSecurity #InfoSec #OTX #OpenThreatExchange #Outlook #Trojan #WhatsApp #bot #Tr1sa111

  15. TCLBANKER: Brazilian Banking Trojan Spreading via WhatsApp and Outlook

    Pulse ID: 6a016000ee4c7bcaf4f232e3
    Pulse Link: otx.alienvault.com/pulse/6a016
    Pulse Author: Tr1sa111
    Created: 2026-05-11 04:50:08

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #Bank #BankingTrojan #Brazil #CyberSecurity #InfoSec #OTX #OpenThreatExchange #Outlook #Trojan #WhatsApp #bot #Tr1sa111

  16. TCLBANKER: Brazilian Banking Trojan Spreading via WhatsApp and Outlook

    Pulse ID: 6a016000ee4c7bcaf4f232e3
    Pulse Link: otx.alienvault.com/pulse/6a016
    Pulse Author: Tr1sa111
    Created: 2026-05-11 04:50:08

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #Bank #BankingTrojan #Brazil #CyberSecurity #InfoSec #OTX #OpenThreatExchange #Outlook #Trojan #WhatsApp #bot #Tr1sa111

  17. TCLBANKER: Brazilian Banking Trojan Spreading via WhatsApp and Outlook

    Pulse ID: 6a016000ee4c7bcaf4f232e3
    Pulse Link: otx.alienvault.com/pulse/6a016
    Pulse Author: Tr1sa111
    Created: 2026-05-11 04:50:08

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #Bank #BankingTrojan #Brazil #CyberSecurity #InfoSec #OTX #OpenThreatExchange #Outlook #Trojan #WhatsApp #bot #Tr1sa111

  18. TCLBANKER: Brazilian Banking Trojan Spreading via WhatsApp and Outlook

    A sophisticated Brazilian banking trojan named TCLBANKER has been identified, representing a significant evolution of the MAVERICK/SORVEPOTEL malware family. The campaign employs a trojanized Logitech installer that deploys two .NET Reactor-protected modules through DLL side-loading. The banking trojan monitors 59 Brazilian financial institutions using UI Automation and features a WPF-based full-screen overlay framework for operator-driven social engineering attacks, including credential harvesting and fake system screens. A secondary worm module enables self-propagation through WhatsApp session hijacking and Outlook COM automation, sending phishing messages from victims' own accounts. The malware implements robust anti-analysis capabilities including environment-gated payload decryption, comprehensive watchdog systems, and ETW patching. Infrastructure is hosted on Cloudflare Workers, with evidence suggesting the campaign was detected in early operational stages.

    Pulse ID: 69fb97e531a95b262c4925aa
    Pulse Link: otx.alienvault.com/pulse/69fb9
    Pulse Author: AlienVault
    Created: 2026-05-06 19:35:01

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #Bank #BankingTrojan #Brazil #Cloud #CredentialHarvesting #CyberSecurity #ELF #InfoSec #Malware #NET #OTX #OpenThreatExchange #Outlook #Phishing #RAT #SocialEngineering #Trojan #WatchDog #WhatsApp #Worm #bot #AlienVault

  19. TCLBANKER: Brazilian Banking Trojan Spreading via WhatsApp and Outlook

    A sophisticated Brazilian banking trojan named TCLBANKER has been identified, representing a significant evolution of the MAVERICK/SORVEPOTEL malware family. The campaign employs a trojanized Logitech installer that deploys two .NET Reactor-protected modules through DLL side-loading. The banking trojan monitors 59 Brazilian financial institutions using UI Automation and features a WPF-based full-screen overlay framework for operator-driven social engineering attacks, including credential harvesting and fake system screens. A secondary worm module enables self-propagation through WhatsApp session hijacking and Outlook COM automation, sending phishing messages from victims' own accounts. The malware implements robust anti-analysis capabilities including environment-gated payload decryption, comprehensive watchdog systems, and ETW patching. Infrastructure is hosted on Cloudflare Workers, with evidence suggesting the campaign was detected in early operational stages.

    Pulse ID: 69fb97e531a95b262c4925aa
    Pulse Link: otx.alienvault.com/pulse/69fb9
    Pulse Author: AlienVault
    Created: 2026-05-06 19:35:01

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #Bank #BankingTrojan #Brazil #Cloud #CredentialHarvesting #CyberSecurity #ELF #InfoSec #Malware #NET #OTX #OpenThreatExchange #Outlook #Phishing #RAT #SocialEngineering #Trojan #WatchDog #WhatsApp #Worm #bot #AlienVault

  20. TCLBANKER: Brazilian Banking Trojan Spreading via WhatsApp and Outlook

    A sophisticated Brazilian banking trojan named TCLBANKER has been identified, representing a significant evolution of the MAVERICK/SORVEPOTEL malware family. The campaign employs a trojanized Logitech installer that deploys two .NET Reactor-protected modules through DLL side-loading. The banking trojan monitors 59 Brazilian financial institutions using UI Automation and features a WPF-based full-screen overlay framework for operator-driven social engineering attacks, including credential harvesting and fake system screens. A secondary worm module enables self-propagation through WhatsApp session hijacking and Outlook COM automation, sending phishing messages from victims' own accounts. The malware implements robust anti-analysis capabilities including environment-gated payload decryption, comprehensive watchdog systems, and ETW patching. Infrastructure is hosted on Cloudflare Workers, with evidence suggesting the campaign was detected in early operational stages.

    Pulse ID: 69fb97e531a95b262c4925aa
    Pulse Link: otx.alienvault.com/pulse/69fb9
    Pulse Author: AlienVault
    Created: 2026-05-06 19:35:01

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #Bank #BankingTrojan #Brazil #Cloud #CredentialHarvesting #CyberSecurity #ELF #InfoSec #Malware #NET #OTX #OpenThreatExchange #Outlook #Phishing #RAT #SocialEngineering #Trojan #WatchDog #WhatsApp #Worm #bot #AlienVault

  21. TCLBANKER: Brazilian Banking Trojan Spreading via WhatsApp and Outlook

    A sophisticated Brazilian banking trojan named TCLBANKER has been identified, representing a significant evolution of the MAVERICK/SORVEPOTEL malware family. The campaign employs a trojanized Logitech installer that deploys two .NET Reactor-protected modules through DLL side-loading. The banking trojan monitors 59 Brazilian financial institutions using UI Automation and features a WPF-based full-screen overlay framework for operator-driven social engineering attacks, including credential harvesting and fake system screens. A secondary worm module enables self-propagation through WhatsApp session hijacking and Outlook COM automation, sending phishing messages from victims' own accounts. The malware implements robust anti-analysis capabilities including environment-gated payload decryption, comprehensive watchdog systems, and ETW patching. Infrastructure is hosted on Cloudflare Workers, with evidence suggesting the campaign was detected in early operational stages.

    Pulse ID: 69fb97e531a95b262c4925aa
    Pulse Link: otx.alienvault.com/pulse/69fb9
    Pulse Author: AlienVault
    Created: 2026-05-06 19:35:01

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #Bank #BankingTrojan #Brazil #Cloud #CredentialHarvesting #CyberSecurity #ELF #InfoSec #Malware #NET #OTX #OpenThreatExchange #Outlook #Phishing #RAT #SocialEngineering #Trojan #WatchDog #WhatsApp #Worm #bot #AlienVault

  22. TCLBANKER: Brazilian Banking Trojan Spreading via WhatsApp and Outlook

    A sophisticated Brazilian banking trojan named TCLBANKER has been identified, representing a significant evolution of the MAVERICK/SORVEPOTEL malware family. The campaign employs a trojanized Logitech installer that deploys two .NET Reactor-protected modules through DLL side-loading. The banking trojan monitors 59 Brazilian financial institutions using UI Automation and features a WPF-based full-screen overlay framework for operator-driven social engineering attacks, including credential harvesting and fake system screens. A secondary worm module enables self-propagation through WhatsApp session hijacking and Outlook COM automation, sending phishing messages from victims' own accounts. The malware implements robust anti-analysis capabilities including environment-gated payload decryption, comprehensive watchdog systems, and ETW patching. Infrastructure is hosted on Cloudflare Workers, with evidence suggesting the campaign was detected in early operational stages.

    Pulse ID: 69fb97e531a95b262c4925aa
    Pulse Link: otx.alienvault.com/pulse/69fb9
    Pulse Author: AlienVault
    Created: 2026-05-06 19:35:01

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #Bank #BankingTrojan #Brazil #Cloud #CredentialHarvesting #CyberSecurity #ELF #InfoSec #Malware #NET #OTX #OpenThreatExchange #Outlook #Phishing #RAT #SocialEngineering #Trojan #WatchDog #WhatsApp #Worm #bot #AlienVault

  23. JanelaRAT an Advanced Banking Trojan Targeting Financial Users

    JanelaRAT is an evolving Remote Access Trojan targeting financial users in Latin America using multi stage infection chains, phishing and DLL sideloading to steal banking and cryptocurrency data while employing evasion, persistence and interactive techniques to bypass security controls.

    Pulse ID: 69e48460c771926e0e7231bc
    Pulse Link: otx.alienvault.com/pulse/69e48
    Pulse Author: cryptocti
    Created: 2026-04-19 07:29:36

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #Bank #BankingTrojan #CyberSecurity #InfoSec #LatinAmerica #OTX #OpenThreatExchange #Phishing #RAT #RemoteAccessTrojan #SideLoading #Trojan #bot #cryptocurrency #cryptocti

  24. 🚨 Alert: The new #EternidadeStealer is using WhatsApp to spread malicious files to steal banking and crypto data from users. Watch out and don’t open unexpected attachments, plus verify messages from contacts.

    Read: hackread.com/eternidade-steale

    #CyberSecurity #Malware #WhatsApp #BankingTrojan #InfoSec