New Coyote Malware Variant Exploits Windows UI Automation to Steal Banking Credentials

A new variant of the Windows banking trojan known as Coyote has been identified as the first malware to leverage the Windows accessibility framework, UI Automation (UIA), to steal sensitive banking and cryptocurrency credentials.

Security researcher Tomer Peled from Akamai detailed that this variant specifically targets users in Brazil and uses UIA to extract login information linked to 75 different banking institutions and cryptocurrency exchanges.

Originally uncovered by Kaspersky in 2024, Coyote is notorious for its capabilities including keylogging, screenshot capture, and injecting overlays on login pages of financial websites to deceive users.

UI Automation is a legitimate Microsoft feature within the .NET Framework designed to assist screen readers and other accessibility tools by programmatically accessing interface elements on the desktop. That same programmatic access to other applications' interface elements is what the malware now abuses as a vector for credential theft.

Akamai first demonstrated this potential misuse of UIA in December 2024 with a proof-of-concept highlighting its ability to steal credentials or even execute malicious code through this channel.

The Coyote malware’s method is reminiscent of certain Android banking trojans that abuse accessibility services to harvest sensitive data.

According to Akamai’s analysis, the malware calls the Windows API function GetForegroundWindow() to capture the active window’s title and compares it against a preset list of targeted banking and cryptocurrency URLs. If no match is found in the title, Coyote then uses UIA to enumerate the foreground window’s child UI elements, such as browser tabs and address bars, and cross-references their contents with its list of known targets.
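The technique above relies on the malware loading the Windows UI Automation client library inside its own process. One defensive hunting check that follows from this is to enumerate which running processes have UIAutomationCore.dll loaded and flag any that are not known accessibility or development tools. The following PowerShell snippet is an added example written for this page; it is not code from the article, from Akamai, or from the Coyote sample. The allow-list of process names is a placeholder assumption that must be tuned to each environment, and enumerating modules of protected or cross-bitness processes may fail, which the script tolerates rather than treats as a finding.

```powershell
# Added hunting example (not from the article or Akamai): list processes that have loaded
# UIAutomationCore.dll, the library backing the Windows UI Automation client API, and flag
# those that are not on a per-environment allow-list.
# Assumption: the names below are placeholders; populate them with the accessibility tools,
# test frameworks and IDEs that legitimately use UIA in your environment.
$expectedUiaUsers = @('Narrator', 'explorer', 'devenv')

$uiaProcesses = Get-Process | ForEach-Object {
    $proc = $_
    # Property getters on System.Diagnostics.Process throw for processes we cannot inspect
    # (access denied, 32/64-bit mismatch). Make those errors terminating so the catch skips them.
    $ErrorActionPreference = 'Stop'
    try {
        $uiaModule = $proc.Modules | Where-Object { $_.ModuleName -ieq 'UIAutomationCore.dll' }
        if ($uiaModule) {
            [pscustomobject]@{
                ProcessName = $proc.ProcessName
                PID         = $proc.Id
                Path        = $proc.Path
                Unexpected  = -not ($expectedUiaUsers -icontains $proc.ProcessName)
            }
        }
    } catch {
        # Skip processes whose module list is not readable; this is an inspection gap, not a hit.
        return
    }
}

# Unexpected UIA clients are listed first; review their binary path and signer before acting.
$uiaProcesses | Sort-Object Unexpected -Descending | Format-Table -AutoSize
```

Run the check from an elevated session so that module lists of more processes are readable; a process that is not a known accessibility tool, runs from a user-writable path, and has UIAutomationCore.dll loaded is a candidate for closer inspection, but the module alone is not proof of compromise since legitimate software also uses UIA.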

This latest version of Coyote has increased its targets to 75 financial institutions, up from 73 reported earlier this year by Fortinet FortiGuard Labs.

Akamai emphasizes that without UIA, parsing the internal structure of another application’s UI elements would be highly complex and require in-depth knowledge of the target application’s design. Abusing UIA removes that requirement, making the process far easier and more efficient for the malware.

Furthermore, Coyote operates both online and offline, improving its ability to identify the victim’s financial or crypto platform and successfully steal their credentials.

Source: https://thehackernews.com/2025/07/new-coyote-malware-variant-exploits.html