Water Saci's TCLBANKER Worm Hits 59 Financial Platforms via WhatsApp and Outlook

**Water Saci** is a financially motivated cybercriminal group based in Brazil, assessed by Trend Micro as active since at least July 2019. The name references Saci-Pererê, a figure from Brazilian folklore, consistent with security researchers' practice of naming Brazilian threat actors after regional cultural elements. Analysis of command-line artifacts across Water Saci tools confirms native Portuguese-speaking operators working exclusively on Brazilian targets, with no documented campaigns against non-Brazilian organizations in seven years of activity.

The group maintains a sustained development pipeline. Water Saci's malware has passed through at least three documented generations: the original SORVEPOTEL family, which used browser overlay techniques to harvest credentials from approximately 30 financial institutions; the November 2025 Maverick campaign, which added WhatsApp Web worm propagation and expanded targeting to approximately 45 platforms; and now TCLBANKER, which adds the Outlook email bot and brings the monitored financial platform count to 59. In late 2025, Trend Micro documented Water Saci using AI tools to convert PowerShell propagation routines into Python variants, producing functional malware iterations in days rather than weeks. For context on the broader trend of AI-assisted malware development by financially motivated actors, see the [Slopoly AI-generated malware analysis from Hive0163](/blog/slopoly-ai-generated-malware-hive0163-interlock-ransomware).

Water Saci has faced no public indictments, sanctions, or law enforcement disruptions as of May 2026. The group has accumulated a campaign history across more than 1,000 affected companies and 1.5 million compromised individuals according to Trend Micro telemetry. TCLBANKER's discovery in early operational stages, with debug logging paths and test process names still present in production binaries, suggests Water Saci expects significant future campaign expansion, not wind-down.

**TCLBANKER** deploys a full-featured banking trojan after DLL side-loading and anti-analysis validation succeed. The core module monitors browser address bars across Chrome, Firefox, Edge, Brave, Opera, and Vivaldi for URLs matching any of 59 hardcoded financial institution domains. When a match is detected, the trojan deploys a WPF-based full-screen overlay covering the legitimate banking session.

The overlay framework handles credential theft across three display modes. A phone and PIN input mode renders Brazilian-format masked input fields, collecting banking authentication codes. A vishing wait screen displays a fake "Estamos entrando em contato" message, pausing the victim while operators conduct a real-time phone fraud call. A fake Windows Update progress animation runs for approximately 15 minutes with randomized percentage increments, maintaining victim confidence during exfiltration. All overlays use the Windows WDA_EXCLUDEFROMCAPTURE API flag, making them invisible to screenshot tools and screen recording software — a technique that defeats incident response attempts to document credential theft in progress.

Beyond credential harvesting, TCLBANKER provides operators with complete remote control. The C2 connection runs over WebSocket to Cloudflare Workers infrastructure and supports 16 opcodes including screenshot capture, continuous screen streaming, keylogging, clipboard interception, process enumeration, and full mouse and keyboard remote control. The campaign GUID 70e4f943-e323-4484-97d7-35401bf6812c serves as an HMAC-SHA256 signing key for C2 authentication. Operators access credentials in real time without waiting for exfiltration, combining overlay fraud with live operator monitoring for maximum yield per infected session.

The anti-analysis subsystem runs in parallel with trojan operations. Six anti-debugging implementations check PEB BeingDebugged flags, heap tail flags, ProcessDebugPort handles, hardware breakpoint registers DR0 through DR3, performance counter delta timing, and DbgUiRemoteBreakin function patching. ETW telemetry is patched via xor eax, eax; ret instruction injection, eliminating the kernel logging channel that most endpoint detection tools rely on for behavioral alerts. For context on how credential-theft campaigns chain browser session access into downstream financial fraud, see the analysis of [malicious Chrome extensions stealing OAuth2 tokens](/blog/malicious-chrome-extensions-oauth2-token-theft).

Water Saci operates a five-stage attack chain from initial delivery through worm propagation, with each stage mapped to documented MITRE ATT&CK techniques.

TCLBANKER monitors 59 Brazilian banking, fintech, and cryptocurrency platforms, with target URLs encoded within the malware binary via XOR with a 16-byte key. Prior Water Saci campaigns documented by Trend Micro confirm explicit targeting of Santander Brazil, Banco do Brasil, Caixa Econômica Federal, Sicredi, and Bradesco — five of Brazil's largest retail banking institutions. The 59-platform count represents an increase from approximately 45 platforms targeted in the November 2025 Maverick variant and roughly 30 in the original SORVEPOTEL campaigns.

Fintech and cryptocurrency platforms constitute the growth area in Water Saci targeting. Brazil hosts one of the largest cryptocurrency retail markets in Latin America, and fintech adoption among Brazilian consumers ranks among the highest in the region. Water Saci's pattern of expanding its target list with each malware generation suggests the 59-platform figure will increase as TCLBANKER matures from its current early operational stage.

The worm propagation math amplifies targeting risk beyond direct infections. A single compromised employee in a 50-person finance team triggers TCLBANKER, which messages up to 3,000 WhatsApp contacts and the entire Outlook contact list simultaneously. Recipients receive those messages from a trusted contact's authenticated account, removing the primary signal people use to reject phishing. Organizational risk scales with the infected employee's contact network size, not solely with the number of directly targeted users.

The language gate provides some geographic protection. TCLBANKER validates Brazilian Portuguese locale (LANGID 0x0416) and UTC timezone alignment between -5.0 and -2.0 hours before activating the main payload. Organizations outside Brazil with no Portuguese-speaking employees on Brazilian-timezone systems face minimal direct exposure, but any organization maintaining Brazilian subsidiaries, employees, or banking relationships should assess TCLBANKER risk directly.

Elastic Security Labs published the following confirmed indicators from REF3076 analysis as of May 8, 2026. The entire campaign infrastructure uses a single Cloudflare Workers account identified as ef971a42. Blocking all *.ef971a42.workers.dev subdomains at your DNS resolver or web proxy severs C2 communication and breaks the campaign update mechanism in a single control.

The development artifact path C:\temp\tcl-debug.txt hardcoded in TCLBANKER binaries confirms debug artifacts remain in production builds, providing a reliable static analysis signal. The scheduled task named RuntimeOptimizeService combined with an installation path under %LocalAppData%\LogiAI and no corresponding legitimate Logitech AI installation is a definitive behavioral indicator of active infection.

Elastic's YARA rule Windows.Trojan.TCLBanker and prevention rules including "NTDLL Memory Protection Change via Unsigned DLL," "NTDLL library loaded for a second time," and "Potential NTDLL Memory Unhooking" are available through the Elastic Security detection rules repository on GitHub.

Elastic Security Labs released detection rules for TCLBANKER available in the Elastic Security detection engine. The combination of ntdll unhooking behavior, ETW patching, and DLL side-loading from a Logitech installation path creates distinctive behavioral signals that modern EDR platforms can detect when properly configured. The critical detection gap: TCLBANKER validates all anti-sandbox checks before generating any behavioral activity. Sandbox environments running samples for two to three minutes may observe no malicious behavior. Allow sandbox execution through the full 450ms timing baseline before classifying a sample as benign.

Defender priorities in order of implementation speed and coverage:

Water Saci TCLBANKER banking trojan is the most technically sophisticated iteration of a seven-year-old financially motivated campaign that has never been disrupted by law enforcement. Three factors make this campaign materially different from standard banking fraud operations.

The dual-worm propagation model breaks traditional phishing economics. Standard phishing campaigns require Water Saci to maintain distribution infrastructure and accept high delivery failure rates. TCLBANKER converts every infected device into a self-funded distribution node, sending infection attempts from the victim's authenticated accounts to their existing contact network. Recipients apply zero skepticism to messages from known contacts. The infection chain exploits earned trust rather than fabricating it.

The WPF overlay framework defeats the primary user defense against banking fraud: recognizing when a website looks wrong. TCLBANKER never presents a fake website. It renders a full-screen WPF window over the real, legitimate banking session, with the genuine bank interface visible through cutout regions. Users authenticate to the real bank while TCLBANKER captures credentials through the overlay. The WDA_EXCLUDEFROMCAPTURE flag makes the overlay invisible to screenshot tools, meaning users and incident responders cannot document what the victim saw during the session.

The early operational stage is the risk accelerator here. Elastic Security Labs confirmed debug artifacts still present in TCLBANKER production binaries as of May 8, 2026, including test process names and the hardcoded log path C:\temp\tcl-debug.txt. Water Saci's development cadence across prior campaigns shows these artifacts disappear as campaigns mature and scale. Organizations that respond now face a significantly smaller attack surface than those waiting for the campaign to exit early stages.

Water Saci TCLBANKER banking trojan has just entered its operational expansion phase, targeting 59 Brazilian financial platforms through a WhatsApp-and-Outlook worm that converts victims into unwilling distribution nodes against their own 3,000-person contact networks. Three takeaways: TCLBANKER's DLL side-loading against signed Logitech software bypasses application control policies that trust signed executables; the WDA_EXCLUDEFROMCAPTURE overlay flag makes active credential theft invisible to screenshot investigation; and Water Saci's confirmed debug artifacts mean the campaign will only grow more sophisticated from this point. Block *.ef971a42.workers.dev at your DNS resolver and search for RuntimeOptimizeService scheduled tasks on every Windows endpoint before this week ends.