Coyote
Coyote is a Windows banking trojan primarily targeting users in Brazil. First reported in February 2024, it was initially distributed as a Windows application updater built with the Squirrel installer framework. Reported infection chains include a Squirrel-based installer that launches a Node.js/Electron application with obfuscated JavaScript, which stages signed binaries, sideloads a DLL named libcef.dll, and runs a Nim-based loader that unpacks a final-stage .NET payload executed in memory via the CLR. Later reporting also links Coyote-related activity to malicious LNK files and multi-stage PowerShell delivery chains.
Coyote targets users of more than 60 banking institutions, with one report citing 61 monitored Brazilian applications and another noting expansion to 1,030 sites and 73 financial institutions. It monitors running applications, browser sessions, and banking websites, then contacts its C2 when a targeted banking application or site is accessed. Its capabilities include credential theft, keylogging, screenshot capture, fake banking overlays and phishing windows, requesting bank card passwords, process termination, blocking the machine with a fake update screen, mouse control, and system shutdown. Multiple reports also state that it can harvest credentials from banks and cryptocurrency exchanges.
A notable evolution is Coyote’s abuse of Microsoft Windows UI Automation (UIA), described as the first confirmed malware known to weaponize the Windows accessibility framework in the wild to interact with victims’ browsers and extract sensitive information. Reporting also states it can serve overlays on login pages associated with financial enterprises.
Persistence mechanisms reported for Coyote include abuse of Windows logon scripts via HKCU\Environment\UserInitMprLogonScript and reuse of obs-browser-page.exe across reboots. C2 communications have been described as using SSL with mutual authentication, with an attacker-issued certificate stored as an encrypted .NET resource and decrypted via the .NET X509 library. Kaspersky reported that up to 90% of observed infections originated from Brazil and detects the malware as HEUR:Trojan-Banker.MSIL.Coyote.gen.
Coyote is repeatedly discussed alongside other Brazilian banking malware families including Grandoreiro, Mekotio, Maverick, and GoPix. Multiple sources note code and behavioral overlaps between Coyote and Maverick, with Maverick assessed by some researchers as an evolution of Coyote. Sophos and Trend Micro also reported possible links between Coyote and WhatsApp-propagated Brazil-focused campaigns such as Water Saci/SORVEPOTEL, though those links were described as under investigation or not definitive.
Known infrastructure named in public reporting includes the domain cloridatosys[.]com, linked to the Coyote banking trojan, and BlackBerry's publication of 18 domains associated with its infrastructure. Additional high-confidence host indicators from that reporting include the registry path HKCU\Environment\UserInitMprLogonScript, the sideloading target libcef.dll, the persistence binary obs-browser-page.exe, and the detection name HEUR:Trojan-Banker.MSIL.Coyote.gen.
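As an added defender-side example (not code from this page, from Mallory, or from any vendor report), the following Python flags the three host artifacts described in the summary above in constructed Sysmon-style events: a write to the UserInitMprLogonScript logon-script value, explorer.exe spawning an encoded PowerShell command as a double-clicked LNK would, and libcef.dll loading from a user-writable path. Event field names follow Sysmon's schema; the SID, paths and the encoded command are placeholders.

```python
import base64
import re

# Constructed Sysmon-style events (not real telemetry). The encoded command is a harmless
# placeholder built here; the SID and file paths are likewise placeholders.
_ENC = base64.b64encode("Write-Host placeholder".encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": f"cmd.exe /c powershell -w hidden -enc {_ENC}"},
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-0-0-0-1001\Environment\UserInitMprLogonScript",
     "Details": r"C:\Users\user\AppData\Local\Temp\obs-browser-page.exe"},
    {"EventID": 7, "Image": r"C:\Users\user\AppData\Local\Temp\obs-browser-page.exe",
     "ImageLoaded": r"C:\Users\user\AppData\Local\Temp\libcef.dll"},
    {"EventID": 7, "Image": r"C:\Program Files\obs-studio\bin\64bit\obs64.exe",
     "ImageLoaded": r"C:\Program Files\obs-studio\bin\64bit\libcef.dll"},
]

# powershell.exe accepts -e, -ec, -en, -enc ... -EncodedCommand; -ep/-ex (ExecutionPolicy) must not match.
_ENC_PS = re.compile(r"powershell(?:\.exe)?.*?\s-e(?:c|n\w*)?\s+([A-Za-z0-9+/=]{16,})", re.I)
_USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(?:AppData|Downloads)\\", re.I)


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload (Base64 of UTF-16LE), or None if absent/invalid."""
    m = _ENC_PS.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le", errors="replace")
    except ValueError:  # binascii.Error is a ValueError: malformed Base64
        return None


def check_event(ev):
    """Return an alert string for one event, or None if it matches none of the three rules."""
    eid = ev.get("EventID")
    if eid == 13 and ev.get("TargetObject", "").lower().endswith(r"\environment\userinitmprlogonscript"):
        return f"logon-script persistence: {ev['TargetObject']} -> {ev.get('Details')}"
    if eid == 1 and ev.get("ParentImage", "").lower().endswith("\\explorer.exe"):
        decoded = decode_encoded_command(ev.get("CommandLine", ""))
        if decoded is not None:  # an explorer.exe parent is what a double-clicked LNK produces
            return f"explorer-spawned encoded PowerShell: {decoded[:60]!r}"
    if eid == 7 and ev.get("ImageLoaded", "").lower().endswith("\\libcef.dll") \
            and _USER_WRITABLE.search(ev["ImageLoaded"]):
        return f"possible libcef.dll sideload: {ev['Image']} loaded {ev['ImageLoaded']}"
    return None


def hunt(events):
    """Run every event through check_event and keep the hits, in input order."""
    return [a for a in (check_event(e) for e in events) if a]
```

The last sample event, OBS Studio loading its own libcef.dll from Program Files, is there to show the user-writable-path condition suppressing the legitimate case.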
Techniques & procedures
18 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access: 2 techniques
Execution: 3 techniques
The target field of the LNK file contained an obfuscated Windows command that constructed and ran an initial Base64-encoded PowerShell command.
The campaign ... seeks to trick users into executing a malicious file attached to a self-spreading message received from a previously infected WhatsApp web session.
The archive contained a malicious Windows LNK file that, when launched, initiated a series of malicious PowerShell commands.
Persistence: 2 techniques
Privilege Escalation: 2 techniques
Stealth: 5 techniques
The target field of the LNK file contained an obfuscated Windows command that constructed and ran an initial Base64-encoded PowerShell command.
“It then runs a signed application from that directory… Several executables have been identified in use, including those associated with Chrome and OBS Studio.”
Credential Access: 1 technique
Discovery: 1 technique
Collection: 3 techniques
Command and Control: 1 technique
IOCs tracked for this family
13 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
20 sources tracked across advisories, community write-ups, and news.
Brazilian banking malware noted in 2025 as an active family involved in credential theft and fraudulent desktop banking transactions.
Referenced as an established Latin American banking trojan with similar behaviors (e.g., overlay logic, active window monitoring, LNK hijacking) to VENON.
Banking malware referenced as similar to Maverick; targets Brazilian users/banks.
Windows banking trojan variant abusing Windows UI Automation to steal banking/crypto credentials; targets Brazilian users (per summary).