Coyote Malware Expands, Targeting More Banks and Websites

Coyote malware is spreading rapidly, now targeting over 1,000 websites and 73 financial institutions. A recent report revealed that Brazilian Windows users are its primary target. This banking Trojan is designed to steal sensitive information, including login credentials and financial data.

Once installed, Coyote can record keystrokes, take screenshots, and display phishing overlays. These tactics help cybercriminals steal data from banking and cryptocurrency platforms. The malware is spread through Windows Shortcut (LNK) files containing hidden PowerShell commands.

How Coyote Infects Devices

Originally discovered in early 2024, Coyote has evolved. It first used Squirrel installers to run a Node.js application, which launched a malicious Nim-based loader. However, its latest attack method uses LNK files that execute PowerShell commands. These commands download a second-stage payload from a remote server.
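For defenders triaging shortcut files, the following added example (not taken from the report or from Coyote itself) reads the string fields of a Windows LNK file and flags those that reference a script host. The keyword list, function names and sample shortcuts are assumptions constructed for illustration.

```python
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_IDLIST, HAS_LINKINFO, IS_UNICODE = 0x01, 0x02, 0x80
# StringData fields in on-disk order, each present only if its LinkFlags bit is set.
STRING_FIELDS = [(0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location")]
# Assumed triage keywords (not indicators from the report).
KEYWORDS = ("powershell", "pwsh", "-enc", "downloadstring", "invoke-webrequest")

def parse_lnk_strings(data: bytes) -> dict:
    """Return the StringData fields of a shell link (MS-SHLLINK layout)."""
    if len(data) < 76 or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    off = 76                                    # fixed-size ShellLinkHeader
    if flags & HAS_IDLIST:                      # skip LinkTargetIDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINKINFO:                    # skip LinkInfo (size includes itself)
        off += struct.unpack_from("<I", data, off)[0]
    width, codec = (2, "utf-16-le") if flags & IS_UNICODE else (1, "cp1252")
    fields = {}
    for bit, name in STRING_FIELDS:
        if flags & bit:
            count = struct.unpack_from("<H", data, off)[0]
            end = off + 2 + count * width
            if end > len(data):
                raise ValueError("truncated StringData")
            fields[name] = data[off + 2:end].decode(codec, "replace")
            off = end
    return fields

def triage_lnk(data: bytes) -> list:
    """List (field, keyword) hits where a shortcut string mentions a script host."""
    fields = parse_lnk_strings(data)
    return [(f, k) for f, v in fields.items() for k in KEYWORDS if k in v.lower()]

def build_lnk(relative_path: str, arguments: str = "") -> bytes:
    """Build a minimal constructed shortcut (sample input only)."""
    flags = IS_UNICODE | 0x08 | (0x20 if arguments else 0)
    body = struct.pack("<I16sI", 0x4C, LNK_CLSID, flags) + bytes(52)
    for s in filter(None, (relative_path, arguments)):
        body += struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return body

# Constructed samples: a shortcut that launches PowerShell, and a plain document link.
SCRIPT_LNK = build_lnk(r"..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                       "-NoProfile -Command Write-Output constructed-sample")
DOC_LNK = build_lnk(r".\notes.txt")
```

A target path stored only in the LinkTargetIDList or in trailing extra data blocks is not decoded here, so a hit is a reason to inspect the file further and a miss is not proof that it is clean.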

Once active, Coyote modifies system settings to maintain access. It alters the Windows registry to run automatically at startup. Additionally, it gathers system data and scans for installed antivirus programs. This information is then sent to a remote command-and-control server.

New Features and Expanding Targets

The latest Coyote variant has a larger target list than before. It now includes major financial platforms, hotels, and cryptocurrency exchanges. If a victim visits a targeted site, the malware contacts an attacker-controlled server to determine its next action. Depending on the situation, it may log keystrokes, capture screens, or display fake login pages.

How to Stay Safe

To prevent malware infections, users should avoid downloading suspicious files or clicking on unknown links. Always keep antivirus software updated and enable multi-factor authentication (MFA) for financial accounts. Organizations should also train employees to recognize phishing attempts and use advanced security tools to detect threats early.