
Coyote Malware’s New Weapon: How Hackers Hijack Windows Installer to Steal Your Data

Published July 25th, 2025 by Bayonseo

A new variant of the Coyote banking trojan is being delivered through Windows Installer (MSI) packages, riding on a software-installation path that users and many security controls treat as trusted. First observed in July 2025, the campaign is spreading quickly and is aimed at stealing credentials and other confidential data from companies around the world.


How the Attack Operates

  • Fake software traps

               Employees download trojanized installers for popular tools (e.g., Adobe, Figma) from compromised sites.

  • MSI exploitation

               Malicious custom actions embedded in the MSI abuse Windows Installer, which runs with the privileges of the installing user (or as SYSTEM during an elevated install), to:

               - Disable antivirus protections
               - Gain persistence via scheduled tasks

  • Data theft

               Once running, the malware harvests:

               - Browser passwords and cookies
               - Cryptocurrency wallets
               - Financial documents
               - Session tokens for cloud apps

Real Impact: A European bank lost $1.2M after attackers accessed payroll systems using stolen employee credentials.
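The "MSI exploitation" step above, and the "MSI File Analysis" item further down, come down to one question: what does this installer run besides copying files? The following PowerShell is an added example, not code from the original post or from any Coyote sample. It assumes a Windows host with the Windows Installer COM API (WindowsInstaller.Installer) and that `$MsiPath` (an assumed path) points at the downloaded installer. It checks the Authenticode signature, then dumps the MSI's CustomAction table, where embedded VBScript/JScript and launched executables are declared, and flags the ones that run scripts, run as SYSTEM, or invoke common living-off-the-land binaries.

```powershell
# Added example, not code from the original post or from any Coyote sample:
# pre-execution triage of a downloaded MSI. Assumes Windows with the Windows Installer
# COM API (WindowsInstaller.Installer) and that $MsiPath points at the file to inspect.
$MsiPath = 'C:\Users\alice\Downloads\FigmaSetup.msi'   # assumed path; change to your file

# 1. Authenticode: unsigned, or signed by someone other than the vendor, is a red flag.
$sig = Get-AuthenticodeSignature -FilePath $MsiPath
"Signature status : $($sig.Status)"
"Signer subject   : $($sig.SignerCertificate.Subject)"

# 2. Open the MSI database read-only (mode 0) and dump the CustomAction table, which is
#    where embedded VBScript/JScript and launched executables are declared.
$installer = New-Object -ComObject WindowsInstaller.Installer
$db = $installer.GetType().InvokeMember('OpenDatabase', 'InvokeMethod', $null, $installer, @($MsiPath, 0))

function Invoke-MsiQuery([object]$Database, [string]$Sql) {
    $view = $Database.GetType().InvokeMember('OpenView', 'InvokeMethod', $null, $Database, @($Sql))
    [void]$view.GetType().InvokeMember('Execute', 'InvokeMethod', $null, $view, $null)
    while ($true) {
        $rec = $view.GetType().InvokeMember('Fetch', 'InvokeMethod', $null, $view, $null)
        if ($null -eq $rec) { break }
        # StringData(n) is 1-based and returns the nth column of the SELECT.
        $col = 1..4 | ForEach-Object { $rec.GetType().InvokeMember('StringData', 'GetProperty', $null, $rec, @($_)) }
        [pscustomobject]@{ Action = $col[0]; Type = [int]$col[1]; Source = $col[2]; Target = $col[3] }
    }
    [void]$view.GetType().InvokeMember('Close', 'InvokeMethod', $null, $view, $null)
}

# The low 6 bits of a custom action's Type say what runs; 0x400 = deferred, 0x800 = no impersonation (runs as SYSTEM).
$ScriptTypes = 5, 6, 21, 22, 37, 38, 53, 54   # JScript/VBScript from the Binary table, an installed file, the Target column, or a property
$ExeTypes    = 2, 18, 34, 50                   # EXE from the Binary table, an installed file, a directory, or a property
$LolBins     = '(?i)(powershell|pwsh|cmd\.exe|wscript|cscript|mshta|rundll32|regsvr32|certutil|bitsadmin|schtasks|-enc|hidden|bypass)'

try {
    $actions = @(Invoke-MsiQuery $db 'SELECT Action, Type, Source, Target FROM CustomAction')
} catch {
    $actions = @()   # no CustomAction table: nothing custom runs during install
}

$report = foreach ($a in $actions) {
    $base = $a.Type -band 0x3F
    $verdict = if ($base -in $ScriptTypes) { 'SCRIPT: embedded script runs during install' }
               elseif ($base -in $ExeTypes -and $a.Target -match $LolBins) { 'HIGH: launches a LOLBin with suspicious arguments' }
               elseif ($base -in $ExeTypes) { 'EXE: launches an executable; verify Source/Target' }
               else { 'info' }
    [pscustomobject]@{
        Action   = $a.Action
        BaseType = $base
        AsSystem = [bool]($a.Type -band 0x800)
        Deferred = [bool]($a.Type -band 0x400)
        Target   = $a.Target
        Verdict  = $verdict
    }
}
$report | Sort-Object Verdict | Format-Table -AutoSize -Wrap
[void][System.Runtime.InteropServices.Marshal]::ReleaseComObject($db)
```

Run this in a sandbox VM rather than on the user's machine, since opening the database only reads the file but the installer itself should never be executed on a production host before review. A legitimate vendor MSI can have custom actions too; the point is that a script-type action, or an executable action with `AsSystem = True` and a PowerShell/mshta/regsvr32 command line, is exactly the "embedded malicious script" the text describes and deserves a human look before `msiexec` ever sees the file.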


What Makes This Variant More Dangerous

  • Evades detection by posing as a genuine program update, so the victim launches it willingly.
  • Living off the land (LotL): uses native Windows tools (PowerShell, WMI) instead of dropping easily flagged binaries, so fewer alerts fire.
  • Fast proliferation: Q3 2025 saw a 300% increase in infections (FBI Cyber Division).
  • Broad targeting: steals from 20+ banking apps and from Chrome, Edge, and Brave.
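"Living off the land" and "persistence via scheduled tasks" only mean something to a defender once they are turned into things to look for. The following PowerShell is an added example, not code from the original post or from any vendor product; it assumes an elevated PowerShell session on the host being examined, and its indicator regexes are a generic list of LOLBins and encoded-command flags, not signatures derived from a Coyote sample. It hunts four places the text points at: scheduled-task actions, Run/RunOnce autoruns, permanent WMI event consumers, and MsiInstaller event 1040 entries for packages launched from user-writable folders.

```powershell
# Added example, not code from the original post or any vendor product: a quick hunt for
# the persistence and living-off-the-land patterns described above. Assumes an elevated
# PowerShell session on the host being examined. The regexes are a generic LOLBin and
# encoded-command list, not signatures derived from a Coyote sample.
$LolBin = '(?i)\b(powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32|certutil|bitsadmin|msiexec)\b'
$Flag   = '(?i)(-enc|encodedcommand|-w(indowstyle)?\s+hidden|-nop|bypass|invoke-expression|\biex\b|downloadstring|frombase64string|\\appdata\\|\\temp\\|\\users\\public\\)'

function New-Finding($Kind, $Name, $RunAs, $Command) {
    [pscustomobject]@{ Kind = $Kind; Name = $Name; RunAs = $RunAs; Command = $Command }
}

function Find-SuspiciousTask {
    # Scheduled tasks whose action is a LOLBin with hidden/encoded/user-writable-path arguments.
    foreach ($task in Get-ScheduledTask) {
        foreach ($act in $task.Actions) {
            $cmd = "$($act.Execute) $($act.Arguments)"
            if ($cmd -match $LolBin -and $cmd -match $Flag) {
                New-Finding 'ScheduledTask' "$($task.TaskPath)$($task.TaskName)" $task.Principal.UserId $cmd
            }
        }
    }
}

function Find-AutorunEntry {
    # Classic Run/RunOnce keys for the machine and for the current user.
    $keys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($k in $keys) {
        $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        $runAs = if ($k -like 'HKLM*') { 'any user at logon' } else { $env:USERNAME }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath/PSParentPath metadata properties
            $value = "$($p.Value)"
            if ($value -match $LolBin -or $value -match $Flag) {
                New-Finding 'Autorun' "$k\$($p.Name)" $runAs $value
            }
        }
    }
}

function Find-WmiPersistence {
    # Permanent WMI event subscriptions: a consumer that runs a command line or script,
    # bound to an event filter, survives reboots with no file on disk for AV to scan.
    # Clean systems normally have no CommandLine/ActiveScript consumers in root\subscription.
    $ns = 'root\subscription'
    foreach ($c in Get-CimInstance -Namespace $ns -ClassName CommandLineEventConsumer -ErrorAction SilentlyContinue) {
        New-Finding 'WmiConsumer' $c.Name 'SYSTEM' "$($c.ExecutablePath) $($c.CommandLineTemplate)"
    }
    foreach ($c in Get-CimInstance -Namespace $ns -ClassName ActiveScriptEventConsumer -ErrorAction SilentlyContinue) {
        New-Finding 'WmiConsumer' $c.Name 'SYSTEM' "$($c.ScriptFileName) $($c.ScriptText)"
    }
}

function Find-UserPathMsiInstall([int]$Days = 30) {
    # MsiInstaller event 1040 marks the start of an install transaction and names the package.
    # A package launched from Downloads, Temp or AppData matches the "trojanized installer" path.
    $filter = @{ LogName = 'Application'; ProviderName = 'MsiInstaller'; Id = 1040; StartTime = (Get-Date).AddDays(-$Days) }
    foreach ($e in Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue) {
        if ($e.Message -match '(?i)\\(downloads|temp|appdata)\\') {
            New-Finding 'MsiInstall' $e.TimeCreated $e.UserId $e.Message
        }
    }
}

$findings = @(Find-SuspiciousTask) + @(Find-AutorunEntry) + @(Find-WmiPersistence) + @(Find-UserPathMsiInstall)
if ($findings.Count -eq 0) { 'No matches. That is a negative hunt on this host, not a clean bill of health.' }
$findings | Format-Table Kind, Name, RunAs, Command -AutoSize -Wrap
```

Expect some noise from legitimate software (updaters that schedule `powershell.exe` from `AppData`, for example); the value is in the combination of a LOLBin, a hiding flag, and a user-writable path, and in running the same hunt across a fleet so one-off entries stand out. Hosts with Sysmon or Security event 4688 command-line auditing enabled can extend the same regexes to process-creation events, which is what the "unusual PowerShell/WMI patterns" phrase later in this post refers to.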


Sectors at Highest Risk:

  • Financial services: the core banking-trojan capabilities target online banking sessions and credentials.
  • Healthcare: stolen credentials are used to exfiltrate PHI.
  • Remote workers: compromised BYOD devices that sit outside corporate controls.


3 Critical Mitigation Steps

  • Block unverified MSI files

                Use AppLocker (or an Intune app-control policy) to allow only installers from vetted, signed publishers. "Any signed MSI" is not enough, since code-signing certificates are easy to obtain.

  • Sandbox all downloads

                Detonate or test new software in an isolated environment before deployment.

  • Enforce least-privilege access

                Standard users should not be local administrators, and tamper protection for the endpoint security tool should be on, so that neither a user nor malware running as that user can disable security tools.
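Steps 1 and 3 of the list above, as an added PowerShell example that is not code from the original post or from Bayon Technologies Group. It assumes a Windows edition on which AppLocker is enforced (Enterprise, Education or Server), an elevated session, and that `C:\Installers\KnownGood.msi` (an assumed path) is a vetted installer from the one vendor you want to allow. It shows the weak setting (AppLocker's default "allow all signed Windows Installer files" rule, which a trojanized installer with a purchased certificate would satisfy) beside the corrected one (a publisher rule pinned to the vetted vendor), tests a downloaded file against the policy before applying it, and then checks the two least-privilege controls that keep a standard user from switching Defender off.

```powershell
# Added example, not code from the original post: an AppLocker Msi rule collection that
# allows only installers signed by a publisher you vetted, plus least-privilege checks.
# Assumes an elevated session on a Windows edition that enforces AppLocker, and that
# C:\Installers\KnownGood.msi (assumed path) is a vetted installer from the vendor to allow.
Import-Module AppLocker

# Weak setting: AppLocker's default Msi rule uses PublisherName="*", i.e. "any signed MSI".
# A code-signing certificate is cheap, so an attacker-signed trojanized installer passes it.
# Corrected setting: pin the rule to the exact publisher string of a known-good installer.
$info = Get-AppLockerFileInformation -Path 'C:\Installers\KnownGood.msi'
if (-not $info.Publisher) { throw 'Known-good installer is unsigned; cannot build a publisher rule.' }
$publisher = [System.Security.SecurityElement]::Escape($info.Publisher.PublisherName)  # e.g. "O=..., L=..., S=..., C=..."

$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Msi" EnforcementMode="Enabled">
    <FilePublisherRule Id="$([guid]::NewGuid())" Name="Allow MSI from vetted publisher only" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="$publisher" ProductName="*" BinaryName="*">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow cached Windows Installer files (repair/uninstall)" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\Installer\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow local administrators all MSI" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*.*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
$policyPath = Join-Path $env:TEMP 'msi-allowlist.xml'
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# Dry run before enforcing: what would this policy do to a file a user just downloaded?
# Expect PolicyDecision = Denied for an MSI signed by anyone other than the vetted publisher.
Test-AppLockerPolicy -XmlPolicy $policyPath -Path 'C:\Users\alice\Downloads\FigmaSetup.msi' -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Apply to the local policy. -Merge keeps the existing Exe/Script/Dll collections, but it also
# keeps an existing default "all signed MSI" rule, which would still let any signed MSI through:
# delete that rule first. In production, push the same XML through Group Policy or Intune.
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge

# AppLocker only enforces while the Application Identity service runs. On recent builds this
# service is protected and the start type may have to be set through Group Policy instead.
Set-Service -Name AppIDSvc -StartupType Automatic -ErrorAction Continue
Start-Service -Name AppIDSvc -ErrorAction Continue

# Least-privilege checks: a standard user must not be able to switch Defender off.
$mp = Get-MpComputerStatus
"Tamper protection    : $($mp.IsTamperProtected)"        # should be True (set via Windows Security, Intune or MDE)
"Real-time protection : $($mp.RealTimeProtectionEnabled)" # should be True
# Anyone in this list can disable security tools; it should be break-glass accounts, not daily users.
Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, PrincipalSource
```

Note that the AppLocker Msi collection is default-deny as soon as it contains any rule and enforcement is enabled, which is why the two path rules are there: without `%WINDIR%\Installer\*` Windows cannot run cached packages for repair and uninstall, and without the administrators rule your own deployment tooling breaks. Roll it out in `AuditOnly` mode first (change `EnforcementMode` in the XML) and review the AppLocker event log for blocked-but-legitimate installers before switching to `Enabled`.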


Part of a Broader Software Supply-Chain Problem

Coyote takes advantage of a growing trend:

  • Trusted processes such as Windows Installer are now used by 62% of malware (Sophos 2025).
  • Fake "updates" for Figma/Adobe tools increased 400% this year.
  • The main targets are small enterprises, which typically have less in-house security expertise.


Bayon Technologies Group: Stop Coyote in Its Tracks

Signature-based antivirus alone is poorly suited to a threat that arrives inside a legitimate-looking installer and then uses built-in Windows tools. We deploy:

✅ Behavioral Threat Detection

AI identifies LotL tactics (unusual PowerShell/WMI patterns)

✅ MSI File Analysis

Scans installers for malicious scripts pre-execution

✅ Endpoint Hardening

Locks down Windows Installer permissions

✅ Employee Cyber-Drills

Simulates fake software download scams

✅ 24/7 Threat Hunting


Don’t let a "software update" become your worst breach!

