Alert: Coyote Trojan Strike Compromises 61 Brazilian Banks


Wajahat Raja

February 23, 2024 - TuxCare expert team

Financial cyberattacks pose a significant threat to the stability of global economies and the security of financial institutions. In a recent cybersecurity development, a staggering 61 banks in Brazil have fallen victim to a sophisticated banking trojan known as Coyote Trojan. The malware, according to findings by Russian cybersecurity firm Kaspersky, employs a unique approach, utilizing the Squirrel installer, Node.js, and the relatively new Nim programming language for its operations.


Coyote Trojan’s Unconventional Tactics

Unlike its counterparts, Coyote sets itself apart by using the open-source Squirrel framework for installing and updating Windows applications. Departing from the commonly used Delphi language in Latin American banking malware, Coyote opts for Nim, showcasing an evolving landscape in the realm of cyber threats.

Attack Chain and Techniques

Kaspersky’s report outlines a complex attack chain. The Squirrel installer acts as a launchpad for a Node.js application compiled with Electron. This, in turn, triggers a Nim-based loader, facilitating the execution of the Coyote payload through DLL side-loading.

The malicious “libcef.dll” is side-loaded using a legitimate executable named “obs-browser-page.exe,” embedded in the Node.js project. Notably, the authentic libcef.dll is part of the Chromium Embedded Framework (CEF). Malware detection is essential for safeguarding digital assets and preventing unauthorized access to sensitive information.
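A defender can hunt for the side-loading step described above in module-load telemetry. The following is an added example, not code from Kaspersky or TuxCare: it triages image-load events shaped like Sysmon Event ID 7 records (fields `Image`, `ImageLoaded`, `Signed`, `SignatureStatus`) and flags `obs-browser-page.exe` loading a `libcef.dll` that is not validly signed or sits in a user-writable path. The path markers, the helper names and the sample events are assumptions constructed for illustration.

```python
import ntpath

# Names taken from the article: the legitimate host binary and the DLL it side-loads.
HOST_EXE = "obs-browser-page.exe"
SIDELOADED_DLL = "libcef.dll"
# Assumption: per-user, user-writable locations are unexpected for this pair.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\downloads\\")

def triage_image_load(event):
    """Return the reasons an image-load event is suspicious (empty list = not flagged)."""
    image = event.get("Image", "")
    loaded = event.get("ImageLoaded", "")
    # Only the host/DLL pair named in the report is in scope for this rule.
    if ntpath.basename(image).lower() != HOST_EXE:
        return []
    if ntpath.basename(loaded).lower() != SIDELOADED_DLL:
        return []
    reasons = []
    signed_ok = (event.get("Signed", "").lower() == "true"
                 and event.get("SignatureStatus", "") == "Valid")
    if not signed_ok:
        reasons.append("libcef.dll has no valid signature")
    if any(marker in loaded.lower() for marker in USER_WRITABLE_MARKERS):
        reasons.append("libcef.dll loaded from a user-writable path")
    return reasons

# Constructed sample events (not taken from any real incident).
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\obs-studio\obs-plugins\64bit\obs-browser-page.exe",
     "ImageLoaded": r"C:\Program Files\obs-studio\obs-plugins\64bit\libcef.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\Users\example\AppData\Local\ExampleApp\app-1.0.0\obs-browser-page.exe",
     "ImageLoaded": r"C:\Users\example\AppData\Local\ExampleApp\app-1.0.0\libcef.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
]

def flagged(events):
    """Return (module path, reasons) for every event the rule flags."""
    return [(e["ImageLoaded"], r) for e in events if (r := triage_image_load(e))]

if __name__ == "__main__":
    for path, reasons in flagged(SAMPLE_EVENTS):
        print(path, "->", "; ".join(reasons))
```

The same two conditions translate directly into a SIEM query over image-load events; the signature check matters most, because a renamed install directory defeats a path-only rule.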


Coyote’s Functionality

Once activated, Coyote surveils all open applications on the victim’s system, patiently waiting for access to specific banking applications or websites. It then communicates with a server controlled by threat actors to fetch directives for subsequent actions. 

Coyote’s capabilities extend to executing commands such as capturing screenshots, logging keystrokes, terminating processes, displaying fake overlays, moving the mouse cursor strategically, and even initiating machine shutdowns. It can deceptively block the user interface with a misleading “Working on updates…” message while clandestinely carrying out malicious activities in the background. This goes to show that trojan infections are a persistent concern for individuals and organizations alike, compromising online banking security and system integrity.


Coyote’s Advanced Design

The incorporation of Nim as a loader in Coyote underscores its advanced design. Kaspersky emphasizes this evolution, shedding light on the escalating sophistication within the threat landscape. Threat actors are adapting, incorporating the latest languages and tools into their malicious campaigns, posing an ongoing challenge for cyber threat intelligence experts.

Law Enforcement Response

In response to the Coyote threat, Brazilian law enforcement authorities took action by dismantling the Grandoreiro operation. Five temporary arrest warrants and 13 search and seizure warrants were issued across five Brazilian states to apprehend the masterminds behind the malicious software. This strategic move signifies a concerted effort to mitigate the impact of Coyote on the financial sector.


Coyote’s emergence aligns with the dismantling of the Grandoreiro operation in Brazil. Simultaneously, a new Python-based information stealer has surfaced, linked to Vietnamese architects associated with MrTonyScam. 

This information stealer is distributed through booby-trapped Microsoft Excel and Word documents, collecting browser cookies and login data from various browsers, including popular ones like Chrome and Edge, as well as local market-focused browsers like Cốc Cốc.


The Coyote Trojan’s infiltration of 61 Brazilian banking systems serves as a stark reminder of the evolving tactics employed by cybercriminals. As the threat landscape of banking trojans continues to advance, organizations must stay vigilant, prioritizing proactive cybersecurity measures. The recent law enforcement actions against the Grandoreiro operation highlight the collaborative efforts to curb these cybersecurity threats, but the dynamic nature of cybercriminal strategies necessitates ongoing adaptation and innovation in defense mechanisms.

The sources for this piece include articles in The Hacker News and Kaspersky.

