How Are Cyberattacks Using LNK Files to Target Brazilian Banks?

A new wave of cyberattacks leveraging the Coyote Banking Trojan has been identified, targeting financial institutions in Brazil. This sophisticated malware employs malicious Windows LNK (shortcut) files as an entry point to execute PowerShell scripts, enabling multi-stage infection chains that ultimately result in data theft and system compromise. The attackers utilize a series of complex techniques to evade detection, establish persistence, and exfiltrate sensitive information from affected systems. Understanding the intricacies of these attacks is crucial for developing effective defense strategies and mitigating the risks posed by such threats to the banking sector.

LNK File Exploitation

The attack begins with a malicious LNK file that initiates a stealthy PowerShell command. This command connects to a remote server to download additional payloads. Fortinet researchers noted that the initial PowerShell script used in these attacks initiates the download of encoded shellcode, which is then decoded and executed to load the next stage of the attack. The LNK file is crafted to include malicious arguments in its “Target” field, which upon execution, triggers the embedded PowerShell script.

An example of the target path used in these attacks is: cmd.exe /c powershell.exe -ExecutionPolicy Bypass -File malicious.ps1. The downloaded script decodes two embedded data segments and injects them into memory using Windows API functions like VirtualAllocEx and WriteProcessMemory. This process is facilitated by a loader DLL, which uses CreateRemoteThread to execute the injected code. This method allows the malware to execute without being detected by traditional security measures that scan for malicious files on the disk.

Payload Delivery and Persistence

To ensure continued operation on infected systems, the Coyote malware employs a series of sophisticated persistence mechanisms. The malware modifies the Windows Registry at: HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun. It creates a new entry with a randomized name pointing to a Base64-encoded PowerShell command designed to execute the payload each time the system starts. This technique ensures that the malware can survive system reboots and remain active over an extended period.

In addition to registry modifications, Coyote establishes secure communication with its command and control (C2) servers using SSL channels. This encrypted communication allows the malware to transmit system information, including machine name, username, and antivirus details, encoded in Base64 and reversed for obfuscation. The malware offers a multitude of capabilities, such as keylogging, screenshot capture, and displaying phishing overlays that mimic banking interfaces. It can also terminate processes, shut down systems, and block user access with deceptive messages like “Working on updates.”

Command and Control (C2) Communication

Coyote’s C2 communication is designed to be both secure and stealthy. The malware uses SSL channels to ensure that the data transmitted between the infected machine and the C2 server is encrypted and less likely to be detected by network security tools. An example URL used by the malware to communicate with C2 servers is: hxxps://yezh[.]geontrigame[.]com/hqizjs/?I=y4CMuADfvJHUgATMgM3dvRmbpdFIOZ2bz9mcjlWT8JXZk5WZmVGRgM3dvRmbpdFfzImcoNEfOIDROUI. The information sent includes system details relevant to the attackers, helping them tailor subsequent stages of the attack to the targeted environment.

To further enhance its stealth and complexity, Coyote employs modern programming tools like Nim and Node.js. These tools are less commonly associated with malware development compared to traditional languages like C or C++, which helps the malware evade detection by signature-based antivirus software. The malware also uses DLL side-loading via legitimate executables to avoid detection. For instance, it leverages the Squirrel installer framework for distribution, disguising itself as a legitimate update package to trick users into executing it.

Targeted Institutions and Defense Strategies

A recent surge in cyberattacks involving the Coyote Banking Trojan has been detected, particularly targeting financial institutions in Brazil. This advanced malware operates by using malicious Windows LNK (shortcut) files as a gateway to run PowerShell scripts, which initiate a series of infection stages. These stages lead to data theft and system compromise. The attackers employ a range of sophisticated techniques to avoid detection, maintain long-term access, and siphon off sensitive data from compromised systems.

Financial institutions must understand these complex attack mechanisms to formulate strong defense strategies and reduce the risks these threats pose to the banking sector. This involves comprehending how the Coyote Banking Trojan infiltrates systems, spreads its payloads, and exfiltrates data. By doing so, institutions can better brace themselves against these multifaceted threats and enhance their cybersecurity measures.

Addressing these cyber threats will require ongoing vigilance, advanced security protocols, and a thorough understanding of the evolving tactics used by cybercriminals targeting the financial sector.

Explore more

VodafoneThree Drives 5G Innovation With Network Automation

The rapid expansion of 5G Standalone infrastructure across the United Kingdom has necessitated a fundamental shift in how telecommunications giants manage the increasing complexity of modern cellular traffic. As VodafoneThree consolidates its dominant market position throughout 2026, the implementation of sophisticated network automation tools has transitioned from a competitive advantage to an absolute operational necessity. By moving away from legacy

Vulnerable Microsoft-Signed Shims Allow Secure Boot Bypass

The fundamental promise of UEFI Secure Boot relies on a chain of trust that ensures only verified, cryptographically signed code executes during the critical early stages of a computer’s power-on sequence. When this chain is compromised, the entire security foundation of a modern computing environment is placed at significant risk. Recent discoveries have highlighted vulnerabilities within several versions of the

How Do You Move Your GP General Ledger to Business Central?

The familiar rhythm of month-end procedures in Microsoft Dynamics GP has provided a reliable sanctuary for finance departments for decades, but that comfort is rapidly vanishing as the cloud transition becomes mandatory. For years, the legacy platform served as a fortress of stability, anchoring the financial operations of thousands of organizations through economic shifts and regulatory changes. However, the landscape

How Does Copilot Drive Real ROI in Dynamics 365?

Beyond the Hype: The Evolution of Copilot into a Standard Business Engine Modern business leaders are no longer asking if artificial intelligence works but are instead demanding granular proof that these sophisticated algorithms can actually generate a measurable impact on the quarterly balance sheet. Microsoft Copilot has transitioned rapidly from an experimental AI curiosity to a foundational element of the

Microsoft Business Central 2026 Wave 1 Boosts ERP Efficiency

As the enterprise landscape evolves, the upcoming Microsoft Business Central 2026 Release Wave 1 marks a significant shift toward deeper automation and more fluid system integrations. Dominic Jainy, an IT expert with a sharp focus on how emerging technologies like machine learning and blockchain intersect with business logic, provides a comprehensive look at these upcoming changes. This discussion explores the