On July 23, 2025, it was reported that the Windows banking trojan known as Coyote has become the first malware strain to exploit the Windows accessibility framework UI Automation (UIA) to harvest sensitive information. According to Akamai security researcher Tomer Peled, this new Coyote variant specifically targets Brazilian users and uses UIA to extract credentials tied to the web addresses of 75 banking institutes and cryptocurrency exchanges.
Coyote, which was initially uncovered by Kaspersky in 2024, is notorious for its focus on Brazilian users and its ability to log keystrokes, capture screenshots, and overlay fake login pages associated with financial institutions. UIA, part of the Microsoft .NET Framework, is a legitimate feature designed to allow screen readers and assistive technology products to access user interface elements programmatically.
Akamai had previously demonstrated the potential abuse of UIA for data theft in December 2024. Coyote’s latest tactics are reminiscent of Android banking trojans that leverage the operating system’s accessibility services to obtain valuable data. The malware utilizes the GetForegroundWindow() Windows API to extract active window titles and cross-references them with a list of targeted bank and cryptocurrency exchange web addresses.
The latest version of Coyote targets 75 different financial institutions, an increase from the 73 documented earlier in the year by Fortinet FortiGuard Labs. Akamai notes that Coyote’s ability to parse sub-elements of another application using UIA makes it a formidable threat, because it can perform its checks whether online or offline, which increases the likelihood of successfully stealing credentials from victims.
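
For defenders, one way to look for unexpected UIA clients is to triage module-load telemetry. The sketch below is an added example, not code from Akamai or the original report. It assumes Sysmon image-load events (Event ID 7) exported as dictionaries and relies on the fact that UIA clients load UIAutomationCore.dll; the allow-list, path hints, scoring and sample events are all constructed for illustration.

```python
import ntpath

UIA_DLL = "uiautomationcore.dll"
# Hypothetical allow-list of processes expected to use UIA on this host.
EXPECTED_UIA_CLIENTS = {"narrator.exe", "magnify.exe", "explorer.exe"}
# Assumed user-writable locations; tune per environment.
USER_WRITABLE_HINTS = ("\\appdata\\", "\\temp\\", "\\downloads\\")

# Constructed sample events using the Sysmon Event ID 7 field names.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Windows\System32\Narrator.exe",
     "ImageLoaded": r"C:\Windows\System32\UIAutomationCore.dll"},
    {"EventID": 7, "Image": r"C:\Users\ana\AppData\Local\Temp\updater.exe",
     "ImageLoaded": r"C:\Windows\System32\UIAutomationCore.dll"},
    {"EventID": 7, "Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Windows\System32\UIAutomationCore.dll"},
    {"EventID": 7, "Image": r"C:\Users\ana\AppData\Roaming\narrator.exe",
     "ImageLoaded": r"C:\Windows\System32\UIAutomationCore.dll"},
    {"EventID": 7, "Image": r"C:\Users\ana\AppData\Local\Temp\updater.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
]

def score_event(event):
    """Return (score, reasons); a score of 0 means the event is not of interest."""
    if event.get("EventID") != 7:
        return 0, []
    if ntpath.basename(event.get("ImageLoaded", "")).lower() != UIA_DLL:
        return 0, []
    image = event.get("Image", "").lower()
    # A file name only counts as allow-listed when it runs from the Windows
    # directory, so a copy named narrator.exe elsewhere is still scored.
    if ntpath.basename(image) in EXPECTED_UIA_CLIENTS and image.startswith("c:\\windows\\"):
        return 0, []
    score, reasons = 1, ["unexpected UIA client"]
    if any(hint in image for hint in USER_WRITABLE_HINTS):
        score += 2
        reasons.append("process runs from a user-writable path")
    return score, reasons

def triage(events, threshold=3):
    """Return (image, score, reasons) for events at or above the threshold."""
    findings = []
    for event in events:
        score, reasons = score_event(event)
        if score >= threshold:
            findings.append((event["Image"], score, reasons))
    return sorted(findings, key=lambda f: -f[1])

if __name__ == "__main__":
    for image, score, reasons in triage(SAMPLE_EVENTS):
        print(score, image, "; ".join(reasons))
```

Many legitimate applications load this DLL, so the output is a list of candidates for review rather than a verdict.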
