Elastic Security Labs has uncovered TCLBANKER, a sophisticated Brazilian banking trojan that evolved from the MAVERICK and SORVEPOTEL families. Tracked under campaign REF3076, the malware uses an MSI installer that abuses DLL sideloading via a legitimate Logitech application to deploy two primary .NET modules: a feature-rich banking trojan and a dedicated worm component for self-propagation. The infection chain is notably evasive: payload decryption is gated on the host environment, so the payload never decrypts, and therefore never executes, inside sandboxed or debugged environments. The trojan monitors browser activity for 59 Brazilian financial and cryptocurrency domains and uses a WPF-based overlay framework for real-time social engineering. These overlays, which range from credential prompts to fake Windows Update screens, are protected by anti-capture techniques that keep them invisible to screen-sharing tools.…
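The loader stage described above relies on DLL sideloading: a signed vendor executable is dropped into a user-writable directory next to an attacker-controlled DLL that it loads by name. The heuristic below is an added example of how that pattern shows up in image-load telemetry; it is not Elastic Security Labs' code or the report's detection rules. It runs over constructed Sysmon-style Event ID 7 (ImageLoad) records, whose Signed/Signature/SignatureStatus fields describe the loaded DLL rather than the loading process. The executable, DLL and directory names in the sample data are hypothetical, not indicators from the report, and the short list of commonly sideloaded DLL names is illustrative.

```python
"""Heuristic detection of DLL sideloading from Sysmon-style ImageLoad events.

Added example, not Elastic Security Labs' code or the report's rules. Field
names follow Sysmon Event ID 7, where Signed/Signature/SignatureStatus refer
to the loaded image (ImageLoaded), not the loading process (Image). Sample
events are constructed; names and paths are hypothetical.
"""
from pathlib import PureWindowsPath

# Directories an unprivileged user can write to. A DLL here, sitting beside a
# signed executable, is the classic sideload layout (e.g. an MSI dropping both).
USER_WRITABLE_PREFIXES = (
    "c:\\users\\",
    "c:\\programdata\\",
    "c:\\windows\\temp\\",
)

# Where the real copies of OS DLLs live; a same-named DLL resolved from
# anywhere else is a search-order hijack candidate.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Illustrative subset of DLL names frequently abused for sideloading.
COMMONLY_SIDELOADED = {"version.dll", "dbghelp.dll", "cryptbase.dll", "wtsapi32.dll"}


def _norm(path: str) -> str:
    return str(PureWindowsPath(path)).lower()


def _parent(path: str) -> str:
    return str(PureWindowsPath(path).parent).lower()


def sideload_reasons(ev: dict) -> list:
    """Return the reasons an ImageLoad event looks like DLL sideloading.

    An empty list means the load looks benign under these heuristics.
    """
    dll = _norm(ev["ImageLoaded"])
    if not dll.endswith(".dll"):
        return []

    reasons = []
    same_dir = _parent(ev["ImageLoaded"]) == _parent(ev["Image"])
    writable = dll.startswith(USER_WRITABLE_PREFIXES)
    signed_ok = (ev.get("Signed", "false").lower() == "true"
                 and ev.get("SignatureStatus", "") == "Valid")

    # Rule 1: unsigned (or badly signed) DLL loaded from the executable's own
    # user-writable directory. This is the layout the MSI-dropped loader uses.
    if same_dir and writable and not signed_ok:
        reasons.append("unsigned DLL loaded from the executable's own user-writable directory")

    # Rule 2: a well-known OS DLL name resolved outside the system directories,
    # regardless of where the executable itself lives.
    name = PureWindowsPath(dll).name
    if name in COMMONLY_SIDELOADED and not dll.startswith(SYSTEM_DIRS):
        reasons.append(f"{name} resolved outside the system directories")

    return reasons


def scan(events: list) -> list:
    """Return (Image, ImageLoaded, reasons) for every flagged event, in order."""
    flagged = []
    for ev in events:
        reasons = sideload_reasons(ev)
        if reasons:
            flagged.append((ev["Image"], ev["ImageLoaded"], reasons))
    return flagged


# Constructed sample events (hypothetical names; not indicators from the report).
SAMPLE_EVENTS = [
    # Sideload layout: signed-looking vendor tray app in %TEMP% loads an
    # unsigned version.dll from the same directory. Expect both rules to fire.
    {"Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\LogiSetup\\LogiTray.exe",
     "ImageLoaded": "C:\\Users\\alice\\AppData\\Local\\Temp\\LogiSetup\\version.dll",
     "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"},
    # Benign: installed app loads the real version.dll from System32.
    {"Image": "C:\\Program Files\\Vendor\\App.exe",
     "ImageLoaded": "C:\\Windows\\System32\\version.dll",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    # Benign: portable tool loads its own validly signed helper DLL.
    {"Image": "C:\\Users\\alice\\Downloads\\tool\\tool.exe",
     "ImageLoaded": "C:\\Users\\alice\\Downloads\\tool\\libcurl.dll",
     "Signed": "true", "Signature": "Tool Vendor", "SignatureStatus": "Valid"},
    # Suspicious: installed app pulls an unsigned dbghelp.dll from AppData
    # (different directory, so only the name-collision rule fires).
    {"Image": "C:\\Program Files\\Vendor\\App.exe",
     "ImageLoaded": "C:\\Users\\alice\\AppData\\Roaming\\plugins\\dbghelp.dll",
     "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"},
]


if __name__ == "__main__":
    for image, loaded, reasons in scan(SAMPLE_EVENTS):
        print(f"{image} -> {loaded}")
        for r in reasons:
            print(f"    {r}")
```

Rule 1 is the one that matches the MSI-dropped loader layout; rule 2 catches the same DLL being planted elsewhere in the search order. Both produce false positives on portable apps that ship unsigned DLLs, so in production the hit should be enriched with the executable's own signer and the MSI that wrote the directory before it is escalated.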