Skip to main content

Woburn, MA – February 8, 2024 — A new sophisticated banking Trojan that steals sensitive financial information and introduces advanced tactics to avoid detection has been discovered by Kaspersky's Global Research and Analysis Team (GReAT). Dubbed 'Coyote,' this malware relies on the Squirrel installer for distribution, its name drawing inspiration from coyotes, the natural predators of squirrels.

Coyote is a sophisticated new banking Trojan that employs advanced evasion tactics to pilfer sensitive financial information. Primarily targeting users affiliated with more than 60 banking institutions in Brazil, Coyote utilizes the Squirrel installer for its distribution, a method rarely linked to malware delivery. Kaspersky's researchers have investigated and identified the entire infection process of Coyote. 

Instead of taking the usual path with well-known installers, Coyote uses a relatively new Squirrel tool to install and update Windows desktop applications. By doing so, Coyote hides its initial stage loader by pretending it's just an update packager.

What makes Coyote even more challenging is its use of Nim, a modern, cross-platform programming language, as the loader for the final stage of the infection process. This aligns with a trend observed by Kaspersky, in which cybercriminals use less popular and cross-platform languages, demonstrating their adaptability to the latest technology trends.

Coyote's journey involves a NodeJS application executing tricky JavaScript code, a Nim loader unpacking a .NET executable, and finally, the execution of a Trojan. While Coyote skips code obfuscation, it uses string obfuscation with AES (Advanced Encryption Standard) encryption for extra stealth. The Trojan's goal is in line with typical banking Trojan behavior as it watches for access to the specific banking application or website.

Once banking apps are active, Coyote talks to its command-and-control server using SSL channels with mutual authentication. The Trojan's use of encrypted communication and its ability to carry out specific actions like keylogging and taking screenshots highlight its advanced nature. It can even ask for specific bankcard passwords and set up a fake page to acquire user credentials.

Kaspersky's telemetry data shows that around 90 percent of Coyote’s infections come from Brazil, making a big impact on the region's financial cybersecurity.

“In the last three years, the number of banking Trojan attacks almost doubled, hitting over 18 million in 2023,” said Fabio Assolini, head of the Latin American Global Research and Analysis Team (GReAT) at Kaspersky. “As we deal with the growing number of cyber threats, it's important for people and businesses to protect their digital assets. The rise of Coyote, a new kind of Brazilian banking Trojan, reminds us to be careful and use the latest defenses to keep our important information safe.”

Read the full report on Coyote banking Trojan, please visit Securelist.

For protection against financial threats, Kaspersky recommends:

  • Installing only applications obtained from reliable sources.
  • Refrain from approving rights or permissions requested by applications without first ensuring they match the application’s feature set.
  • Never open links or documents included in unexpected or suspicious-looking messages.
  • Use a reliable security solution, such as Kaspersky Premium, that protects you and your digital infrastructure from a wide range of financial cyberthreats.

To protect your business from financial malware, Kaspersky security experts recommend:

  • Providing cybersecurity awareness training, especially for employees responsible for accounting, that includes instructions on how to detect phishing pages.
  • Improving the digital literacy of staff.
  • Enabling a Default Deny policy for critical user profiles, particularly those in financial departments, which ensures that only legitimate web resources can be accessed.
  • Installing the latest updates and patches for all software used.

About Kaspersky

Kaspersky is a global cybersecurity and digital privacy company founded in 1997. Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection, specialized security products and services, as well as Cyber Immune solutions to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky technologies and we help over 220,000 corporate clients protect what matters most to them. Learn more at

Media Contact:

Cassandra Faro




Kaspersky unveils Coyote banking Trojan targeting over 60 institutions

Kaspersky Logo