Security Affairs
Medtronic Notifies 3.8 Million After ShinyHunters Data Breach|SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 104|Security Affairs newsletter Round 584 by Pierluigi Paganini – INTERNATIONAL EDITION|U.S. Government Agency Paid $1M to Data Extortion Group Kairos|FBI: TeamPCP Compromised Dev Tools to Steal Cloud Credentials|Pegasus Used Against MEP Investigating Pegasus, Citizen Lab Finds|JADEPUFFER: First End-to-End AI-Driven Ransomware Operation|The Anatomy of a Shadow AI Supply-Chain Breach: Lessons from the 2026 Vercel Incident|Law enforcememt operation disrupted Malicious Residential Proxy Networks NetNut|Government and Healthcare Are the Weakest Links in Global Email Security|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|Medtronic Notifies 3.8 Million After ShinyHunters Data Breach|SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 104|Security Affairs newsletter Round 584 by Pierluigi Paganini – INTERNATIONAL EDITION|U.S. Government Agency Paid $1M to Data Extortion Group Kairos|FBI: TeamPCP Compromised Dev Tools to Steal Cloud Credentials|Pegasus Used Against MEP Investigating Pegasus, Citizen Lab Finds|JADEPUFFER: First End-to-End AI-Driven Ransomware Operation|The Anatomy of a Shadow AI Supply-Chain Breach: Lessons from the 2026 Vercel Incident|Law enforcememt operation disrupted Malicious Residential Proxy Networks NetNut|Government and Healthcare Are the Weakest Links in Global Email Security|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Coyote Banking Trojan targets Brazilian users, stealing data from 70+ financial apps and websites

Coyote Banking Trojan targets Brazilian users, stealing data from over 70 financial applications and websites. FortiGuard Labs researchers detected a campaign using LNK files executing PowerShell commands to deploy the Coyote Banking Trojan. Threat actors target Brazilian users by stealing financial data, the malware can harvest sensitive information from over 70 financial applications and numerous […]

Coyote Banking Trojan

Coyote Banking Trojan targets Brazilian users, stealing data from over 70 financial applications and websites.

FortiGuard Labs researchers detected a campaign using LNK files executing PowerShell commands to deploy the Coyote Banking Trojan. Threat actors target Brazilian users by stealing financial data, the malware can harvest sensitive information from over 70 financial applications and numerous websites.

The Coyote Banking Trojan supports multiple malicious functions, including keylogging, capturing screenshots, and displaying phishing overlays to steal sensitive credentials.

The LNK file runs a PowerShell command that connects to a remote server, triggering the next stage of the Coyote Banking Trojan attack. The researchers analyzed the LNK files’ metadata, including Machine ID and MAC addresses, to trace infections linked to the same threat actor. The script retrieved from the remote server contains encoded data segments, which are decoded and executed to advance the malware’s operation.

“The “bmwiMcDec” DLL file functions as a loader, utilizing VirtualAllocEx and WriteProcessMemory to inject the “npuGDec” payload. It then employs CreateRemoteThread to execute the injected malicious code, facilitating the continuation of the attack.” states the report published by Fortinet. “The injected code leverages Donut, a tool designed to decrypt and execute the final MSIL (Microsoft Intermediate Language) payloads. This ensures seamless delivery and execution of the attack’s next stage.”

The decrypted MSIL file maintains persistence by modifying the Windows registry to execute a PowerShell command that downloads the Coyote Banking Trojan. It gathers system details, including antivirus information, encodes the data, and sends it to a remote server. The malware then executes the PowerShell command from the registry to retrieve and run the final payload.

The Coyote Banking Trojan expands its list of targets to include 1,030 sites and 73 financial agents, including mercadobitcoin.com.br, bitcointrade.com.br, augustoshotel.com.br, and others. Then the malware starts monitoring the active window.

The Coyote Banking Trojan monitors active windows and contacts its C2 servers when a target site is accessed. Then it receives commands from the server, including taking screenshots, simulating key presses, manipulating windows, enabling a keylogger, or shutting down the device. The malware can also display fake overlays, control user-visible windows, and perform automated navigation actions.

“Coyote’s infection process is complex and multi-staged. This attack leveraged an LNK file for initial access, which subsequently led to the discovery of other malicious files. This Trojan poses a significant threat to financial cybersecurity, particularly because it has the potential to expand beyond its initial targets.” concludes the report. “Consequently, it highlights the critical need for robust security measures for both individuals and institutions to safeguard against evolving cyber threats.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, malware)