The Brazilian banking trojan BasBanke spreads to other countries

The BasBanke banking Trojan, also known as Coybot, is a Brazilian Trojan that we have already discussed in one of our posts.

When we first spoke about this banking trojan, in December 2019, we had found several new samples that affected Brazilian entities. It has since broadened its targets and is now active in other countries as well.

Today we are going to examine its operation in greater detail, taking advantage of the fact that in recent weeks this banking trojan has been active again, with a new campaign in which different samples have been found that now affect Latin American (especially Chilean) and Spanish entities.

Some of the latest samples detected

In the above image we can see some of the recent samples that we have detected and analyzed, which affect non-Brazilian entities for the first time. As we can see, they range from fake applications that pose as the entity's legitimate application in order to steal data, to applications that have nothing to do with banking and that later try to steal the logon credentials for various entities.

Next we will examine how the BasBanke banking trojan works in greater detail and what its new features are, beyond those related to the affected banks.

If you are interested in continuing to read the full report:


Report on BasBanke/Coybot banking trojan

BasBanke, also known as CoyBot, has been very active in recent weeks, with new propagation campaigns for new samples in which it has not only impersonated other brands to make the user believe that it is a legitimate application, but has also impersonated banking entities in specific versions that only affect those entities.

There have been no changes at a technical level with respect to past campaigns. However, the big news is the inclusion of new affected banking entities.


Posted by David Morán

David has more than 15 years’ experience in cybersecurity, systems and development, starting out in an extinct hacking team known as Badchecksum. He collaborated on Defcon 19 with the Painsec security team. He is versed in scalable environments thanks to his work at the Tuenti social network with a traffic load of over 12Gbps. He has been involved with buguroo almost since the outset and has taken part in all the tools developed by the company, including source code analysers, malware analysis, cyber intelligence, etc. He also has in-depth knowledge of the Linux kernel, having developed LKMs that acted as rootkits as well as malware for Windows environments. He is currently the head of Revelock’s development team, managing task distribution and negotiating with the Head of Technology.


