New Coyote Trojan Targets 61 Banks in Brazil with Nim-Powered Attack

February 09, 2024NewsroomUltimate Security / Cryptocurrency

Coyote Banking Trojan

Sixty-one banking institutions, all of them from Brazil, are the target of a new banking trojan called Coyote.

“This malware uses the Squirrel installer for distribution, using Node.js and a relatively new multi-platform programming language called Nim as a loader to complete its infection,” Russian cybersecurity firm Kaspersky SAYS in a Thursday report.

What makes Coyote a different breed from other banking trojans of this type is the use of open-source Squirrel house for installing and updating Windows apps. Another notable departure is the shift from Delphi – prevalent in banking malware families targeting Latin America – to unusual programming languages ​​such as Nim.


In the attack chain documented by Kaspersky, a Squirrel installer executable is used as a launchpad for a Node.js application compiled with Electron, which, in turn, runs a Nim-based loader to trigger the execution of the malicious Coyote payload by DLL side-loading.

The malicious dynamic-link library, named “libcef.dll,” is side-loaded by a legitimate executable named “obs-browser-page.exe,” which is also included in the Node.js project. It should be noted that the original libcef.dll is part of the Chromium Embedded Framework (CEF).

Coyote, when executed, “monitors all open applications on the victim’s system and waits for a specific banking application or website to be accessed,” after which it contacts a server controlled by the actor to obtain instructions to next stage.

Coyote Banking Trojan

It has the ability to execute a wide range of commands to take screenshots, log keystrokes, terminate processes, display fake overlays, move the mouse cursor to a specific location, and even with the engine shut down. It can also directly block the machine with a bogus “Working on updates…” message while executing malicious actions in the background.

“Adding Nim as a loader adds complexity to the trojan’s design,” Kaspersky said. “This evolution highlights the growing sophistication within the threat landscape and shows how threat actors are adapting and using the latest languages ​​and tools in their malicious campaigns.”


The development came as Brazilian law enforcement authorities dismantled the Grandoreiro operation and issued five temporary arrest warrants and 13 search and seizure warrants for the masterminds behind the malware in five Brazilian state.

It also follows the discovery of a new Python-based information stealer related to Vietnamese architects associated with MrTonyScam and distributed via Microsoft Excel and Word documents trapped in the booby.

The thief “collects browser cookies and login data (…) from a wide range of browsers, from familiar browsers such as Chrome and Edge to locally focused browsers market, such as Cốc Cốc browser,” Fortinet FortiGuard Labs SAYS in a report published this week.

Did you find this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

Leave a comment