Cyber Security News

Coyote Banking Malware: Abusing Windows LNK Files to Deploy Malicious Scripts

A sophisticated cyberattack campaign involving the Coyote Banking Trojan has been discovered by FortiGuard Labs, with Microsoft Windows users, particularly in Brazil, as its primary targets.

The attack utilizes malicious LNK (shortcut) files embedded with PowerShell commands to execute staged operations that ultimately deploy the Coyote Trojan.

Technical Insights into the LNK File Attack Mechanism

Once installed, this malware gains unauthorized control over the victim’s device, harvesting sensitive information from more than 70 financial applications and websites.

It employs keylogging, phishing overlays, and screenshot capture to compromise user credentials.

These advanced capabilities highlight the Trojan’s potential to escalate global financial cybersecurity threats.

The initial stage of the attack begins with the LNK file executing a PowerShell script to connect to a remote server. This script decodes and executes embedded shellcode to initiate subsequent stages of the operation.

Coyote Banking MalwareCoyote Banking Malware
LNK File

By leveraging metadata such as “Machine ID” and MAC addresses, researchers traced connections between multiple LNK files, shedding light on the broader attack structure.

The second stage involves a custom DLL file functioning as a loader. Using functions like VirtualAllocEx and WriteProcessMemory, the loader injects additional malicious payloads executed remotely via CreateRemoteThread.

The payload deploys an MSIL file that establishes persistence by modifying the registry, ensuring the malware’s reactivation with each system reboot.

Registry’s setting

During this stage, the Trojan gathers basic system information, evaluates antivirus protections, and communicates with a Command-and-Control (C2) server.

Coyote Trojan’s Expanded Capabilities and Targeting Approach

The final payload expands the Coyote Trojan’s functionality, featuring username identification, virtual environment detection, and a broadened target list of over 1,000 websites and 73 financial platforms.

The Trojan continuously monitors active windows and engages the C2 server when victims access targeted sites.

It can execute various commands, including taking screenshots, injecting phishing overlays, and simulating user actions to extract sensitive data.

Additionally, the malware communicates with the C2 server to receive instructions, such as disabling security features, shutting down the victim’s device, or deploying ransomware-like tactics.

Notably, the C2 servers employed such as geraatualiza[.]com and masterdow[.]com operate over secure HTTPS connections via port 443, complicating detection efforts.

The malware’s modular design enables dynamic updates, extending its lifecycle and adaptability to evade security measures.

The Coyote Trojan represents a highly advanced, multi-stage threat that poses severe risks to financial systems.

Its capabilities for persistence, information theft, and dynamic targeting underscore the necessity for strengthened cybersecurity protocols.

Organizations and individuals must remain vigilant, employ updated antivirus solutions, and incorporate robust detection methods to mitigate risks.

Fortinet’s advanced protections are actively preventing this malware through its FortiGuard Antivirus engine and Web Filtering services.

Additionally, organizations are advised to leverage training resources like Fortinet’s Certified Fundamentals (FCF) program to enhance awareness of phishing and other cybersecurity threats.

Are you from SOC/DFIR Teams? – Analyse Malware Files & Links with ANY.RUN Sandox -> Try for Free

Aman Mishra

Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Recent Posts

Apple Releases Security Patches to Fix Critical Data Exposure Flaws

Apple released critical security updates for macOS Sequoia 15.5 on May 12, 2025, addressing over…

1 hour ago

Lumma Stealer Upgraded with PowerShell Tools and Advanced Evasion Techniques

Sophos Managed Detection and Response (MDR) in September 2024, the notorious Lumma Stealer malware has…

12 hours ago

New Noodlophile Malware Spreads Through Fake AI Video Generation Platforms

Cybercriminals have unleashed a new malware campaign using fake AI video generation platforms as a…

12 hours ago

Kimsuky Hacker Group Deploys New Phishing Techniques and Malware Campaigns

The North Korean state-sponsored Advanced Persistent Threat (APT) group Kimsuky, also known as “Black Banshee,”…

12 hours ago

APT37 Hackers Use Weaponized LNK Files and Dropbox for Command-and-Control Operations

The North Korean state-sponsored hacking group APT37, also known as ScarCruft, launched a spear phishing…

12 hours ago

Open Source Linux Firewall IPFire 2.29 – Core Update 194 Released: What’s New!

IPFire, the powerful open-source firewall, has unveiled its latest release, IPFire 2.29 – Core Update…

16 hours ago