A sophisticated Brazilian banking trojan named TCLBANKER has been identified, representing a significant evolution of the MAVERICK/SORVEPOTEL malware family. The campaign employs a trojanized Logitech installer that deploys two .NET Reactor-protected modules through DLL side-loading. The banking trojan monitors 59 Brazilian financial institutions using UI Automation and features a WPF-based full-screen overlay framework for operator-driven social engineering attacks, including credential harvesting and fake system screens. A secondary worm module enables self-propagation through WhatsApp session hijacking and Outlook COM automation, sending phishing messages from victims' own accounts. The malware implements robust anti-analysis capabilities including environment-gated payload decryption, comprehensive watchdog systems, and ETW patching. Infrastructure is hosted on Cloudflare Workers, with evidence suggesting the campaign was detected in early operational stages.