{
	"id": "cea72028-e4fe-40d9-87e2-8e4765a88fdc",
	"created_at": "2026-04-06T03:36:14.908982Z",
	"updated_at": "2026-04-10T03:20:29.51003Z",
	"deleted_at": null,
	"sha1_hash": "2633da0b4e1551ad1e8aa24aae8c968cf0e2f3a4",
	"title": "Coyote: A multi-stage banking Trojan abusing the Squirrel installer",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 283542,
	"plain_text": "Coyote: A multi-stage banking Trojan abusing the Squirrel installer\r\nBy GReAT\r\nPublished: 2024-02-08 · Archived: 2026-04-06 03:19:51 UTC\r\nThe developers of banking Trojan malware are constantly looking for inventive ways to distribute their implants\r\nand infect victims. In a recent investigation, we encountered a new malware that specifically targets users of more\r\nthan 60 banking institutions, mainly from Brazil. What caught our attention was the sophisticated infection chain\r\nthat makes use of various advanced technologies, setting it apart from known banking Trojan infections.\r\nThis malware utilizes the Squirrel installer for distribution, leveraging NodeJS and a relatively new multiplatform\r\nprogramming language called Nim as a loader to complete its infection. We have named this newly discovered\r\nTrojan “Coyote” due to the role of coyotes as natural predators of squirrels. The Nim language defines itself as a\r\n“statically typed compiled systems programming language that combines successful concepts from mature\r\nlanguages like Python, Ada and Modula”. The adoption of less popular/cross-platform languages by\r\ncybercriminals is something we identified as a trend in our Crimeware and financial cyberthreats for 2024.\r\nIn this article, we will delve into the workings of the infection chain and explore the capabilities of this Trojan.\r\nForget old Delphi and MSI\r\nIn the banking Trojan landscape, the use of the Delphi language or MSI installers is a recurring trend among\r\nmalware creators. It’s a well-known fact in the cybersecurity community that this method serves as a widely used\r\ninitial infection vector.\r\nCoyote does things a little differently. Instead of going down the usual route with MSI installers, it opted for a\r\nrelatively new tool for installing and updating Windows desktop applications: Squirrel. 
As the authors explain,\r\n“Squirrel uses NuGet packages to create installation and update packages, which means that you probably\r\nalready know most of what you need to create an installer.”\r\nhttps://securelist.com/coyote-multi-stage-banking-trojan/111846/\r\nPage 1 of 7\n\nCoyote infection chain\r\nBy using this tool, Coyote hides its initial stage loader by presenting it as an update packager.\r\nMalicious Squirrel installer contents\r\nThe Node.js loader script\r\nWhen Squirrel is executed, it eventually runs a NodeJS application compiled with Electron. This application\r\nexecutes obfuscated JavaScript code (preload.js), whose primary function is to copy all executables found in a\r\nlocal folder named temp to the user’s captures folder inside the Videos folder. It then runs a signed application\r\nfrom that directory.\r\nNodeJS project structure\r\nSeveral executables have been identified in use, including those associated with Chrome and OBS Studio. The\r\nbanker is loaded through DLL sideloading of a dependency of these executables. In all cases analyzed by our\r\nteam, DLL sideloading occurs in the libcef.dll library.\r\nThe Nim loader\r\nAn intriguing element of the infection chain is the use of Nim, a relatively new programming language, to load the\r\nfinal stage. The loader’s objective is to unpack a .NET executable and execute it in memory using the CLR. This\r\nimplies that the loader aims to load the executable and execute it within its process, reminiscent of how Donut\r\noperates.\r\nUnpacked .Net executable\r\nIt’s worth noting that the same entry point, obs-browser-page.exe, is utilized for every machine reboot, serving as\r\na means of persistence.\r\nLast but not least, the Coyote banking Trojan\r\nAfter all these steps, the Trojan is successfully executed. 
Coyote does not implement any code obfuscation and\r\nonly uses string obfuscation with AES encryption.\r\nEncrypted string table building\r\nTo retrieve a specific string, it calls a decryption method with the string index as a parameter. The decryption\r\nmethod works by creating a table of base64-encoded data. The first 16 bytes of each decoded data item serve as\r\nthe IV (initialization vector), while the rest is the encrypted data later used in the AES decryption routine.\r\nEncrypted data structure\r\nThe key is randomly generated by each executable, and the AES decryption algorithm uses the official .Net\r\nencryption interfaces. With this approach, for each string access that Coyote needs, it searches inside the table and\r\ndecrypts each string with a custom IV.\r\nPersistence and goals\r\nCoyote achieves persistence by abusing Windows logon scripts; it first checks if\r\nHKCU\\Environment\\UserInitMprLogonScript exists, and if so, it inserts the registry value as the full path to\r\nthe signed application, in this case, obs-browser-page.exe.\r\nThe Coyote Trojan’s objective is consistent with typical banking Trojan behavior. It monitors all open applications\r\non the victim’s system and waits for the specific banking application or website to be accessed.\r\nApplication monitoring routine\r\nIn our analysis we identified at least 61 related applications, all originating from Brazil. This strongly suggests\r\nthat Coyote is indeed a Brazilian banking Trojan, exhibiting behavior similar to that previously reported in our\r\nTetrade blog post.\r\nC2 communication and control\r\nWhen any banking-related application is executed and utilized, the Coyote banker contacts the C2 with this\r\ninformation. The C2 then responds with various actions on the machine, ranging from keylogging to taking\r\nscreenshots. 
Communication with the attacker server will be explained in the following sections.\r\nThe Trojan establishes communication with its command and control server using SSL channels with a mutual\r\nauthentication scheme. This implies that the Trojan possesses a certificate from the attacker-controlled server and\r\nuses it during the connection process.\r\nThe certificate is stored as a resource in an encrypted format that is decrypted by the X509 library from .Net. Once\r\nthe malware verifies that the connection is indeed with the attacker, it proceeds to send the information collected\r\nfrom the infected machine and banking applications to the server. The information transmitted includes:\r\nMachine name\r\nRandomly generated GUID\r\nBanking application being used\r\nWith this information, the attacker sends a response packet that contains specific actions. To process these actions,\r\nthe attacker transmits a string with a random delimiter. The string is then split on that delimiter into a list, with\r\nthe first entry representing the command type.\r\nTo determine the desired command, it checks the length of the string in the first parameter, which is a random\r\nstring. In other words, the only difference between commands is the size of the string.\r\nThe most important available commands are:\r\nLength Description\r\n12 Take a screenshot\r\n14 Show an overlay window of a fake banking app\r\n15 Show a Window that is in the foreground\r\n17 Kill a process\r\n18 Show a full-screen overlay\r\n21 Shut down the machine\r\n27 Block machine with a fake banking image displaying: “Working on updates…”\r\n31 Enable a keylogger\r\n32 Move mouse cursor to specific X, Y position\r\nThe Trojan can also request specific bank card passwords and create a phishing overlay to capture user credentials.\r\nConclusion\r\nCoyote marks a notable change in Brazilian banking Trojans. 
Unlike its counterparts, which are often written in older\r\nlanguages like Delphi, Coyote was built by developers skilled in modern technologies such as Node.js, .NET,\r\nand advanced packaging techniques.\r\nThe addition of Nim as a loader adds complexity to the Trojan’s design. This evolution highlights the increasing\r\nsophistication within the threat landscape and shows how threat actors are adapting and using the latest languages\r\nand tools in their malicious campaigns.\r\nOur telemetry data reveals that up to 90% of infections originated from Brazil. All Kaspersky products detect the\r\nthreat as HEUR:Trojan-Banker.MSIL.Coyote.gen.\r\nA more detailed analysis of the latest Coyote versions is available to customers of our private Threat Intelligence\r\nReports. For more information, please contact crimewareintel@kaspersky.com.\r\nReference IoCs (indicators of compromise)\r\nHost-based (MD5 hash)\r\nC2 domain list\r\nSource: https://securelist.com/coyote-multi-stage-banking-trojan/111846/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://securelist.com/coyote-multi-stage-banking-trojan/111846/"
	],
	"report_names": [
		"111846"
	],
	"threat_actors": [],
	"ts_created_at": 1775446574,
	"ts_updated_at": 1775791229,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2633da0b4e1551ad1e8aa24aae8c968cf0e2f3a4.pdf",
		"text": "https://archive.orkl.eu/2633da0b4e1551ad1e8aa24aae8c968cf0e2f3a4.txt",
		"img": "https://archive.orkl.eu/2633da0b4e1551ad1e8aa24aae8c968cf0e2f3a4.jpg"
	}
}